What are DPIAs?
DPIAs are processes designed to help organisations identify and minimise the data protection risks of projects. Where the processing of personal data (eg names, addresses, or health information) is likely to result in a high risk to individuals, a DPIA needs to be completed. For more information, read Data protection impact assessments.
What are appropriate policy documents?
Appropriate policy documents (APDs) are documents outlining organisations’ compliance measures (ie actions and strategies an organisation puts in place to adhere to data protection laws) and retention policies for special category 'sensitive' personal data (eg information about racial/ethnic origin, physical/mental health, sexual life and biometrics) and criminal offence data. APDs can be fairly short as they supplement longer DPIAs.
The Data Protection Act 2018 (DPA) sets out conditions under which special category 'sensitive' personal data (often simply referred to as ‘special category personal data’ or ‘sensitive personal data’) and criminal offence data can be processed. Some of these conditions for processing require an APD to be carried out. For more information, read Compliance for DPIAs.
What does an APD cover?
An APD covers:
- the condition(s) for processing the organisation is relying on - setting out the specific condition for processing as identified in the DPA
- the organisation’s procedures for complying with data protection principles - these principles are set out in the UK General Data Protection Regulation (GDPR) and must be complied with by all organisations who process personal data
- the organisation’s data retention and deletion policies - these are the policies the organisation has in place regarding the processing of personal data. Any such policies should be made available to the individuals whose data is being processed
- retention period for the specific data - this is how long the data in question will be kept for by the organisation
You can make your appropriate policy document with Rocket Lawyer’s APD template and FAQs.
Does my organisation need an APD?
Organisations need to have an APD in place when they process special category personal data or criminal offence data under certain specified conditions, as a specific accountability and documentation measure. Where an APD is required, it must be in place at the time of processing.
Special category 'sensitive' personal data
An APD is needed when an organisation processes special category data under the ‘employment, social security and social protection’ condition or the ‘substantial public interest’ condition.
An APD must always be in place under the employment, social security and social protection condition.
For the substantial public interest condition, whether an APD is required depends on the ‘associated conditions’ relied on (ie the conditions that organisations need to demonstrate to show that they have a substantial public interest in the processing). An APD must be in place for all associated conditions except for the journalism, academia, art and literature condition. An APD is not needed where data is being disclosed to (or prepared for disclosure to) the relevant authorities for the associated conditions of preventing or detecting unlawful acts and anti-doping in sport. For all other processing activities relating to these 2 associated conditions, an APD must be in place.
For more information on these conditions, read Compliance for DPIAs and Substantial public interest for DPIAs.
Criminal offence data
An APD must be in place when an organisation is authorised to process criminal offence data by UK law under one of the following conditions:
- employment, social security and social protection
- statutory and government purposes
- administration of justice and parliamentary purposes
- protecting the public against dishonesty
- regulatory requirements
- preventing fraud
- suspicion of terrorist financing or money laundering
- counselling
- safeguarding of children and individuals at risk
- elected representatives responding to requests
- disclosure to elected representatives
- informing elected representatives about prisoners
- publication of legal judgments
- standards of behaviour in sport
- administration of accounts used in the commission of indecency offences involving children
- insurance
As with special category personal data above, an APD is not needed where data is being disclosed to (or prepared for disclosure to) the relevant authorities for the associated conditions of preventing or detecting unlawful acts and anti-doping in sport. However, for all other processing activities relating to these associated conditions, an APD must be in place.
For more information on these conditions, read Criminal offence data for DPIAs.
Does my organisation need multiple APDs?
Where an organisation processes special category or criminal offence data for multiple different purposes, it doesn’t generally need separate APDs for each processing activity or condition for processing. Instead, it can use one APD to cover its processing, provided it gives the data subjects (ie the individuals the data relates to) sufficient information to understand how the organisation is processing the data in question and for how long it will keep the data.
What is the retention period for APDs?
An APD should be kept by the organisation for the duration of the processing and for 6 months after the processing has stopped. During this time, the organisation should keep the APD under review to ensure that it remains relevant and so that the organisation continues to have a lawful basis for processing.
While an APD does not need to be published and made available to the public, doing so is considered good practice. If the Information Commissioner’s Office (ICO) asks for a copy of an organisation's APD, this must be provided free of charge.
For more information on data retention in general, read Data retention and document destruction.
Do other documents need to be updated when an APD is conducted?
When an APD is completed, the organisation also needs to include further details in its general documentation of processing activities. For more information, read the ICO’s guidance on documentation.
Where relevant, organisations will specifically need to set out:
- the lawful basis for processing (and how this is satisfied)
- the conditions for processing special category or criminal offence data
- whether data retention and deletion policies are followed and, if not, why this is the case
If you have any questions or require assistance, Ask a lawyer. Consider using our GDPR compliance service to ensure your business complies with all relevant data protection laws.