
Make your Appropriate policy document (APD)


What is a DPIA?

A DPIA is a process designed to help organisations identify and minimise the data protection risks of a project. Where the processing (eg obtaining or recording) of personal data (eg names, addresses and information about racial or ethnic origin) is likely to result in a high risk to individuals, a DPIA needs to be completed. For more information, read Data protection impact assessments.

What is an appropriate policy document?

An Appropriate policy document (APD) is a document outlining the organisation’s compliance measures and retention policies for special category 'sensitive' personal data (eg information about racial/ethnic origin, physical/mental health, sexual life and biometrics) and criminal offence data (eg criminal convictions and offences or related security measures). For more information, read Compliance for DPIAs.

What does an APD cover?

An APD covers:

  • the condition(s) for processing the organisation is relying on - setting out the specific condition for processing as set out in the Data Protection Act 2018

  • the organisation’s procedures for complying with data protection principles - these principles are set out in the UK GDPR and must be complied with by all organisations that process personal data. Read Data protection principles for more information.

  • the organisation’s data retention and deletion policies - these are the policies the organisation has in place regarding the processing of such data. Any such policies should be made available to the individuals whose data is being processed 

  • a retention period for the specific data - this is how long the data in question will be kept for by the organisation

You can create your APD with Rocket Lawyer.

Do I need an APD?

Organisations will need to have an APD in place when they process special category 'sensitive' personal data or criminal offence data under certain specified conditions, as a specific accountability and documentation measure. Where an APD is required, it must be in place at the time of processing.

Special category 'sensitive' personal data

An APD is needed when an organisation processes special category data under the ‘employment, social security and social protection’ condition or the ‘substantial public interest’ condition (depending on the ‘associated conditions’ relied on, which organisations need to demonstrate to show that they have a substantial public interest in the processing).

An APD must always be in place under the employment, social security and social protection condition.

For the substantial public interest condition, an APD must be in place for all associated conditions, apart from the journalism, academia, art and literature condition.

An APD is not needed where data is being disclosed (or prepared to be disclosed) to the relevant authorities for the associated conditions of preventing or detecting unlawful acts and anti-doping in sport. For all other processing activities relating to these associated conditions, an APD must be in place.

Criminal offence data

An APD must be in place when an organisation is authorised to process criminal offence data by UK law under one of the following conditions:

  • employment, social security and social protection

  • statutory and government purposes

  • administration of justice and parliamentary purposes

  • protecting the public against dishonesty

  • regulatory requirements

  • preventing fraud

  • suspicion of terrorist financing or money laundering

  • counselling

  • safeguarding of children and individuals at risk

  • elected representatives responding to requests

  • disclosure to elected representatives

  • informing elected representatives about prisoners

  • publication of legal judgments

  • standards of behaviour in sport

  • administration of accounts used in the commission of indecency offences involving children

  • insurance

As with special category personal data above, an APD is not needed where data is being disclosed (or prepared to be disclosed) to the relevant authorities for the associated conditions of preventing or detecting unlawful acts and anti-doping in sport. However, for all other processing activities relating to these associated conditions, an APD must be in place.

Do I need multiple APDs?

Where an organisation processes special category or criminal offence data for various different purposes, it doesn’t generally need separate APDs for each processing activity or condition for processing. Instead, it can use one APD to cover its processing, provided that it gives the data subject sufficient information to understand how the organisation is processing the data in question and how long it will keep the data.

What is the retention period?

An APD should be kept by the organisation for the duration of the processing and until 6 months after the processing has stopped. During this time, the organisation should keep the APD under review, to ensure that it remains relevant and that the organisation continues to have a lawful basis for processing.

While an APD does not need to be published and made available to the public, doing so is considered good practice. If the ICO asks for a copy of an organisation's APD, this must be provided free of charge.

Do other documents need to be updated?

Where an APD is completed, the organisation will also need to include further details in its general documentation of processing activities. For more information, read the ICO’s guidance.

Where relevant, organisations will specifically need to set out:

  • the lawful basis for processing (and how this is satisfied) 

  • the conditions for processing special category or criminal offence data

  • if the data retention and deletion policies are followed and, if not, why this is the case

If you have any questions or require assistance, Ask a lawyer.

