Create an appropriate policy document (APD) to outline your compliance measures and retention policies when processing special category or criminal offence personal data. Depending on why personal data is being processed, an APD may be required under a DPIA.
Recently reviewed by Lauren Delin, Solicitor.
This APD was last reviewed on 3 March 2022.
An APD is a document outlining your compliance measures and retention policies for special category 'sensitive' personal data (eg information about racial/ethnic origin, physical/mental health, sexual life and biometrics) and criminal offence data (eg criminal convictions and offences or related security measures).
An APD is needed such personal data is processed under a Data protection impact assessment (DPIA), to comply with your data protection obligations under the UK General Data Protection Regulations (GDPR) and Data Protection Act 2018.
For more information, read Compliance for DPIAs.
A DPIA is a process designed to help organisations identify and minimise the data protection risks of a project. Where the processing (eg obtaining or recording) of personal data (eg names, addresses and information about racial or ethnic origin) is likely to result in a high risk to individuals, a DPIA needs to be completed. For more information, read Data protection impact assessments.
Use this APD:
if you have carried out a DPIA
if you are processing special category personal data and/or criminal offence data
where you and the data subjects (ie the individuals the data relates to) are based in the UK
This APD covers:
the types of personal data
why you want to process the data (ie the purpose for processing)
the further conditions for processing special category personal data
the further conditions for processing criminal offence data
how data protection principles are complied with
your data retention and deletion policies
You need to have an APD when you process special category personal data or criminal offence data under certain specified conditions (as set out in a DPIA), as a specific accountability and documentation measure. Where an APD is required, it must be in place at the time of processing.
For example, an APD is always needed if you process special category data under the ‘employment, social security and social protection’. If you process special category data under the ‘substantial public interest’ condition, an APD is only needed in certain circumstances, depending on the ‘associated conditions’ relied on (eg an APD is not needed for the journalism, academia, art and literature condition).
For criminal offence data, an APD must only be in place if you are processing criminal offence data by UK law in reliance on certain further conditions for processing (eg statutory and government purposes and administration of accounts used in the commission of indecency offences involving children).
For more information on when an APD is needed, read Appropriate policy documents.
Personal data is information relating to individuals only who can be personally identified from that data (on its own or with other data held). Personal data includes names, addresses, telephone numbers, birthdates, job titles and online identifiers (eg IP addresses).
There is a further 'special category’ of 'sensitive personal data' which is awarded greater protection under the law and includes information about:
racial or ethnic origin
political opinions
religious or similar beliefs
trade union membership
physical or mental health or condition
sexual life
biometrics (eg fingerprint data/facial images) and genetics
While criminal offence data (personal data relating to criminal convictions and offences or related security measures) is treated separately from personal data and special category special data, it is subject to even tighter controls.
For more information on personal data, read Data protection.
You need to comply with the data protection principles whenever you process personal data. These principles include:
Your APD should cover these principles and set out your procedures for complying with them. For more information on the principles and how to comply with them, read Data protection principles.
If your purpose for processing personal data changes over time (or you want to process data for a new purpose), you can only do this if:
the new purpose is compatible with your original purpose (eg because the processing is for archiving purposes in the public interest or because there is a clear connection between your original and new purpose)
you obtain the data subject’s specific consent for the new purpose, or
you have a clear legal basis requiring (or allowing) the new processing in the public interest (eg if the new processing is for a public authority function)
For more information, read Data protection principles.
What policies you should have in place will depend on the specifics of your situation. However, you should generally consider having at least some of the following in place:
Data retention policy - setting out what data should be stored or archived, where that should happen and for how long
Information security policy - outlining security and other related matters (eg access to equipment and business continuity arrangements identifying how any personal data will be protected and recovered)
Privacy policy - outlining your practices about the collection, storage and use of personal data gathered on a website
Privacy notice - informing data subjects about the ‘what, how, where, why and when?’ regarding how you process their personal data
Ask a lawyer if you require a bespoke policy drafted.
Ask a lawyer for advice if:
you have any questions about APDs
this document doesn’t meet your specific needs
This APD is governed by the law of England, Wales and Scotland.
Answer a few simple questions to make your Appropriate policy document (APD) in minutes
Make document