Appropriate Policy Document
What is an Appropriate Policy Document?
An Appropriate Policy Document (APD) outlines your compliance measures and retention practices used when processing special category or criminal offence personal data. Appropriate Policy Documents are sometimes required when this data is processed under a Data protection impact assessment (DPIA).
This document is GDPR compliant.
When should I use an APD?
Use this Appropriate Policy Document:
- if you have carried out a DPIA for a specific project
- if you are processing special category ‘sensitive’ personal data (eg information about racial/ethnic origin, physical/mental health, sexual life, or biometrics) and/or criminal offence data (eg information about criminal convictions and offences), and
- when you and the data subjects (ie the individuals the data relates to) are based in the UK
Sample Appropriate Policy Document
APPROPRIATE POLICY DOCUMENT
PART 1. ABOUT THIS POLICY
This Appropriate Policy Document (APD) sets out how (we or our) will protect personal data.
We have this APD in place to explain the basis on which personal data is processed and to demonstrate that such processing is compliant with principles set out in data protection legislation, specifically the Data Protection Act 2018 and the UK General Data Protection Regulation.
PART 2. DESCRIPTION OF DATA PROCESSED
We process
We process personal data for the following purpose:
PART 3. SCHEDULE 1 CONDITION(S) FOR PROCESSING
PART 4. PROCEDURES FOR ENSURING COMPLIANCE WITH THE PRINCIPLES
Accountability principle: the data processor is responsible for complying with data protection laws and must be able to demonstrate this compliance.
What measures and records relating to our processing activities do we implement and maintain? | We implement and maintain the following measures and records relating to our processing activities:
Do we have appropriate data protection policies? | No
Do we carry out data protection impact assessments for uses of personal data that are likely to result in a high risk to individuals’ interests? | Yes
Principle (a) - lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Have we identified an appropriate lawful basis for the processing of personal data? | We have identified the following appropriate lawful ground(s) for the processing of personal data:
Have we identified a further Schedule 1 condition for the processing of personal data? | Yes. See ‘PART 3. SCHEDULE 1 CONDITION(S) FOR PROCESSING’ for more details on the further conditions for processing.
Do we make appropriate privacy information available with respect to personal data and are we open and honest when we collect personal data, ensuring that we do not deceive or mislead people about its use? |
Principle (b) - purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Have we clearly identified our purpose for processing personal data? | Yes. See ‘PART 2. DESCRIPTION OF DATA PROCESSED’ for more detail on the purpose for processing.
Have we included appropriate details of the purpose in our privacy information for individuals? | Yes
If we plan to use personal data for a new purpose, do we check that this is compatible with our original purpose or get specific consent for the new purpose? | We will not use personal data for new, different or incompatible purposes from those disclosed when the data was first obtained unless:
Principle (c) - data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Are we satisfied that we only collect personal data we actually need for our specified purpose and that we have sufficient personal data to properly fulfil this purpose? |
Do we periodically review this particular personal data, and delete anything we don’t need? |
Principle (d) - accuracy: personal data shall be accurate and, where necessary, kept up to date.
Do we have appropriate processes in place to check the accuracy of the personal data we collect and identify when we need to update the personal data? | Yes
Who is the source of the personal data? |
Do we have a policy (or procedure) outlining how we keep records of mistakes and opinions? | Yes
Do we have a policy (or procedure) outlining how we deal with challenges to the accuracy of data and how we ensure compliance with individuals’ rights to rectification? | Yes
Principle (e) - storage limitation: personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
Do we carefully consider how long we keep the personal data and can we justify this amount of time? |
How often do we review our information and erase or anonymise this personal data when we no longer need it? |
Do we need to keep any personal data for public interest archiving, scientific or historical research, or statistical purposes? | We need to keep personal data for: More information can be requested from the at .
Principle (f) - integrity and confidentiality (security): personal data shall be processed in a manner that ensures appropriate security of the data (including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage) using appropriate technical or organisational measures.
Have we analysed the risks presented by our processing and used this to assess the appropriate level of security we need for this personal data? | Yes. We have analysed the risks presented by our processing and have assessed and put in place the security measures outlined below.
Do we have an information security policy regarding this personal data in place? | No
What organisational and/or technical measures or controls have we put in place because of the circumstances and the type of personal data we are processing? |
PART 5. RETENTION AND ERASURE POLICIES
We take the security of personal data very seriously and have physical and technical safeguards in place to protect this data against unlawful or unauthorised processing, accidental loss or damage.
We will ensure that when personal data is processed:
- we explain how the personal data will be handled, including any time period for which the personal data will be stored
- the processing is recorded and that any such records set out, where possible, a suitable time period for the safe and permanent erasure of the different categories of personal data
- the personal data will be deleted or permanently anonymised as soon as possible when the data is no longer required for the purpose for which it was collected
- any destroyed records will be permanently disposed of
PART 6. REVIEW
We will retain this APD for the duration of the data processing and for a minimum of 6 months after the processing ceases.
This APD will be regularly reviewed by , with the next review date being .
For further information or if you have questions about the handling of personal data, please contact at .
About Appropriate Policy Documents
How to make an Appropriate Policy Document
Making your Appropriate Policy Document online is simple. Just answer a few questions and Rocket Lawyer will build your document for you. If you have all the information about your organisation’s data processing prepared in advance, creating your document is a quick and easy process.
You’ll need the following information:
The organisation
- What is the name of the data controller (ie the organisation that determines how the data is processed)?
The personal data
- Which types of special category personal data are being processed?
- Who is the source of the data (ie from whom was it obtained)?
Reasons and bases for data processing
- What is the purpose (ie aim) of the data processing?
- Will collecting the data help you to achieve the intended outcomes of your project?
- What’s the lawful basis for your data processing? For example, is it necessary to comply with the law or to perform a task in the public interest?
- Which DPIA condition for processing makes it necessary for you to process special category personal data? This question isn’t relevant if you’re only processing criminal offence data.
- If for reasons of substantial public interest, why is the data processing in the public interest? For example, to protect the public or to safeguard children and individuals at risk?
- If you’re processing criminal offence data, why is this necessary? For example, to prevent fraud or to provide counselling services?
Documents and procedures
- Does your organisation have data protection policies in place? If so, which policies?
- If you have an Information security policy, how frequently is this reviewed?
- If you have a Privacy policy and/or a privacy notice, where can these be found?
- Does your organisation have a data protection officer (DPO)?
- Does your organisation keep a record of its data processing activities? If so, where can these records be found?
- Do you have any other data protection measures or records in place?
Data protection compliance measures
- If your organisation doesn’t have a privacy policy or privacy notice in place, how do you explain to individuals how and why you process their personal data?
- If your organisation doesn’t have a Data retention policy in place:
  - Why does the purpose of your project mean that the length of time data is stored for is reasonable?
  - How regularly will data be erased or anonymised if no longer needed?
- Do you regularly review the data being processed to ensure it meets the purpose of your project?
- How do you check that your data is accurate?
- How do you record mistakes and opinions?
- What’s your process for handling challenges to the accuracy of data?
- Will any data be stored for statistical, scientific or historical research, or archiving (in the public interest) purposes?
- What security measures does your organisation have in place to protect data?
The APD
- Who is responsible for keeping the APD under review?
- What is the APD’s next review date?
Common terms in an Appropriate Policy Document
Appropriate Policy Documents set out how special category personal data subject to a DPIA will be processed. To do this, the APD template includes sections covering:
Part 1. About this policy
This introductory section sets out the purpose of the APD and specifies whether it deals with special category personal data, criminal offence data, or both.
Part 2. Description of data processed
If special category personal data is being processed, this section sets out which types (eg genetic data or data concerning people’s sex lives). If criminal offence data is being processed, this is also identified here.
This section then sets out the purposes of the data processing.
Part 3. Schedule 1 condition(s) for processing
‘Schedule 1’ refers to the list of conditions for processing set out in the Data Protection Act 2018, which allow special category personal data to be processed.
If you’re processing special category personal data, this section of the APD sets out which condition(s) for processing allow this and, if you’re relying on the ‘reasons of substantial public interest’ condition, which associated conditions are being relied on.
If you’re processing criminal offence data, this section sets out which conditions for processing allow this.
Part 4. Procedures for ensuring compliance with principles
This section contains information about how your organisation ensures adherence to key data protection principles when processing the relevant personal data. It contains a table divided up by different data protection principles, with each section containing information about measures taken to ensure adherence to that principle.
For example, if you have a DPO and keep records of your data processing activities, this will be identified under the ‘accountability principle’ heading. Similarly, the lawful basis (or bases) of your processing will be set out under the ‘lawfulness, fairness and transparency’ heading. The other principles that are dealt with here in a similar fashion are:
- purpose limitation
- data minimisation
- accuracy
- storage limitation
- integrity and confidentiality
Part 5. Retention and erasure policies
This section of the APD sets out some of the procedures and rules related to data retention and deletion that the organisation follows to ensure that relevant personal data is protected.
For example, it explains that appropriate storage time periods are adhered to and that data that’s no longer needed will be anonymised or destroyed as soon as reasonably possible. It makes references to various data protection policies, if you have these in place.
Part 6. Review
This final section identifies who will be responsible for regularly reviewing the APD, the next review date, and who can be contacted for more information about it. It also sets out the organisation’s commitment to keeping the APD for as long as necessary (eg for a minimum of 6 months after the processing stops).
If you want your APD to include further or more detailed provisions, you can edit your document. However, if you do this, you may want a lawyer to review the document for you (or to make the changes for you) to make sure that your modified APD complies with all relevant laws and meets your specific needs. Use Rocket Lawyer’s Ask a lawyer service for assistance.
Legal tips for organisations
Put other data protection policies in place to help with data protection compliance
This APD sets out certain key data protection measures relevant to data processing of specific data for a specific project. It’s important that your organisation follows good data protection practices in all areas of its operations. Having various data protection policies in place can help you to do this. You can also refer to these policies in documents like the APD, saving you time and ensuring your organisation’s data protection practices are cohesive. You should consider making:
- a data retention policy - setting out what data should be stored or archived, where this should happen, and for how long
- an Information security policy - outlining security and other related matters (eg how access to equipment will be secured, business continuity arrangements, and how personal data can be protected and recovered)
- a Privacy policy - outlining your practices for the collection, storage, and use of personal data gathered on a website
- a privacy notice - informing data subjects about the ‘what, how, where, why and when?’ of how you process their personal data
Ask a lawyer if you need any bespoke policies drafted.
Make sure you comply with data protection law in practice
Having the right policies and documents in place is important, but this won’t in itself enable your organisation to comply with data protection law. You must make sure you actually carry out the practices you’ve committed to in your data protection documents, like APDs, for example by deleting data when it’s no longer needed and regularly reviewing your documents.
For more information, read Data protection. If you need help you can use our Data protection compliance advice service.
Understand when to seek advice from a lawyer
In some circumstances, it’s good practice to Ask a lawyer for advice to ensure that you’re complying with the law and that you are well protected from risks. You should consider asking for advice if:
- you have any questions about APDs
- this document doesn’t meet your specific needs
Appropriate Policy Document FAQs
What should an APD include?
This APD template covers:
- the types of personal data being processed
- why you want to process the data (ie the purpose of the processing)
- the further conditions for processing special category personal data
- the further conditions for processing criminal offence data
- how data protection principles are complied with
- which data protection policies you have in place
Why do I need an APD?
APDs are required to add transparency and accountability to an organisation’s data processing practices if they are processing special category personal data or criminal offence data. This additional measure is often required when an organisation is making a Data protection impact assessment (DPIA), due to the high risk associated with these types of data processing.
Having an APD can help your organisation to comply with data protection laws (eg the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018) and can reassure your customers (or similar) that their data is being handled in a safe and competent manner.
Which DPIA conditions do I need an APD for?
You need to have an Appropriate Policy Document when you process special category personal data or criminal offence data under certain specified conditions (as set out in a DPIA). For example:
- an APD is always needed if you process special category data under the DPIA condition ‘employment, social security and social protection’
- if you process special category data under the ‘substantial public interest’ condition, an APD is only needed in certain circumstances, depending on the ‘associated conditions’ relied on (eg an APD is not needed for the journalism, academia, art and literature associated condition)
For criminal offence data, an APD needs to be in place if you are processing criminal offence data as authorised by UK law in reliance on certain further conditions for processing (eg statutory and government purposes or administration of accounts used in the commission of indecency offences involving children).
When an APD is required, it must be in place at the time of processing.
For more information on when an APD is needed, read Appropriate policy documents.
What is a DPIA?
A data protection impact assessment (DPIA) is a process designed to help organisations identify and minimise the data protection risks posed by a project. When the processing (eg obtaining or recording) of personal data (eg names, addresses, and information about racial or ethnic origin) is likely to result in a high risk to individuals, a DPIA needs to be completed.
For more information, read Data protection impact assessments. You can use our template to complete your DPIA.
What is personal data?
Personal data is information relating to individuals who can be personally identified from that data (on its own or in conjunction with other data held). Examples of personal data include names, addresses, telephone numbers, birth dates, job titles, and online identifiers (eg IP addresses).
There is a further 'special category’ of 'sensitive personal data' which is awarded greater protection under the law. Special category personal data includes information about:
- racial or ethnic origin
- political opinions
- religious or similar beliefs
- trade union membership
- physical or mental health conditions
- sexual life
- biometrics (eg fingerprint data/facial images) and genetics
Criminal offence data (eg personal data relating to criminal convictions and offences or related security measures) is treated separately from personal data and special category personal data. It is subject to even tighter controls.
For more information about personal data, read Data protection.
What are the data protection principles?
Part of compliance with data protection law is compliance with the key data protection principles, which represent the foundational purposes of data protection. Organisations need to comply with the data protection principles whenever they process personal data. These principles include:
- the accountability principle - you are responsible for and must be able to demonstrate compliance with the law on data protection
- lawfulness, fairness and transparency - any personal data collected must be processed fairly, lawfully and in a transparent manner
- purpose limitation - personal data should only be collected for specified, explicit and legitimate purposes
- data minimisation - personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed
- accuracy - any personal data processed must be accurate and kept up to date
- storage limitation - personal data must not be kept for longer than necessary
- integrity and confidentiality (security) - personal data must be processed in a way that ensures the appropriate security of the data
Your APD should cover these principles and set out your procedures for adhering to them. For more information on the principles and how to comply with them, read Data protection principles.
Can personal data be used for a new purpose?
If your purpose for processing personal data changes over time (or if you want to process data for a new purpose), you can only do this if:
- the new purpose is compatible with your original purpose (eg because the processing is for archiving purposes in the public interest or because there is a clear connection between your original purpose and your new purpose)
- you obtain the data subjects’ specific consent for the new purpose, or
- you have a clear legal basis requiring (or allowing) the new processing in the public interest (eg if the new processing is for a public authority function)
For more information, read Data protection principles.