
Appropriate policy documents

When an organisation handles certain special category 'sensitive' personal data or criminal offence data, it will need to comply with the relevant data protection laws. This includes completing a data protection impact assessment (DPIA), which sets out a lawful basis for the processing of the data. For some of these lawful processing conditions, an appropriate policy document also needs to be in place. Read this guide to find out more.


A DPIA is a process designed to help organisations identify and minimise the data protection risks of a project. Where the processing (eg obtaining or recording) of personal data (eg names, addresses and information about racial or ethnic origin) is likely to result in a high risk to individuals, a DPIA needs to be completed. For more information, read Data protection impact assessments.

An Appropriate policy document (APD) is a document outlining the organisation’s compliance measures and retention policies for special category 'sensitive' personal data (eg information about racial/ethnic origin, physical/mental health, sexual life and biometrics) and criminal offence data (eg criminal convictions and offences or related security measures). For more information, read Compliance for DPIAs.

An APD covers:

  • the condition(s) for processing the organisation is relying on - identifying the specific condition(s) for processing as listed in the Data Protection Act 2018

  • the organisation’s procedures for complying with the data protection principles - these principles are set out in the UK GDPR and must be complied with by all organisations that process personal data. Read Data protection principles for more information

  • the organisation’s data retention and deletion policies - these are the policies the organisation has in place regarding the processing of such data. Any such policies should be made available to the individuals whose data is being processed

  • a retention period for the specific data - this is how long the data in question will be kept for by the organisation


Organisations will need to have an APD in place when they process special category 'sensitive' personal data or criminal offence data under certain specified conditions, as a specific accountability and documentation measure. Where an APD is required, it must be in place at the time of processing.

Special category 'sensitive' personal data

An APD is needed when an organisation processes special category data under the ‘employment, social security and social protection’ condition or the ‘substantial public interest’ condition (depending on the ‘associated conditions’ relied on, which organisations need to demonstrate to show that they have a substantial public interest in the processing).

An APD must always be in place under the employment, social security and social protection condition.

For the substantial public interest condition, an APD must be in place for all associated conditions, apart from the journalism, academia, art and literature condition.

An APD is not needed where data is being disclosed (or prepared to be disclosed) to the relevant authorities for the associated conditions of preventing or detecting unlawful acts and anti-doping in sport. For all other processing activities relating to these associated conditions, an APD must be in place.

Criminal offence data

An APD must be in place when an organisation is authorised to process criminal offence data by UK law under one of the following conditions:

  • employment, social security and social protection

  • statutory and government purposes

  • administration of justice and parliamentary purposes

  • protecting the public against dishonesty

  • regulatory requirements

  • preventing fraud

  • suspicion of terrorist financing or money laundering

  • counselling

  • safeguarding of children and individuals at risk

  • elected representatives responding to requests

  • disclosure to elected representatives

  • informing elected representatives about prisoners

  • publication of legal judgments

  • standards of behaviour in sport

  • administration of accounts used in the commission of indecency offences involving children

  • insurance

As with special category personal data above, an APD is not needed where data is being disclosed (or prepared to be disclosed) to the relevant authorities for the associated conditions of preventing or detecting unlawful acts and anti-doping in sport. However, for all other processing activities relating to these associated conditions, an APD must be in place.

Where an organisation processes special category or criminal offence data for various purposes, it does not generally need a separate APD for each processing activity or condition for processing. Instead, it can use one APD to cover all of its processing, provided that it gives data subjects sufficient information to understand how the organisation is processing the data in question and how long it will keep the data for.

An APD should be kept by the organisation for the duration of the processing and until 6 months after the processing has stopped. During this time, the organisation should keep the APD under review, to ensure that it remains relevant and that the organisation continues to have a lawful basis for processing.

While an APD does not need to be published and made available to the public, doing so is considered good practice. If the ICO asks for a copy of an organisation's APD, this must be provided free of charge.

Where an APD is completed, the organisation will also need to include further details in its general documentation of processing activities. For more information, read the ICO’s guidance.

Where relevant, organisations will specifically need to set out:

  • the lawful basis for processing (and how this is satisfied)

  • the conditions for processing special category or criminal offence data

  • whether the data retention and deletion policies are being followed and, if not, why this is the case
