Do you need an Appropriate Policy Document?

The ICO recently conducted an audit to assess the processing of personal data held by a local authority, and to understand how the organisation is complying with data protection legislation.

The subsequent report provided areas of improvement, with one recommendation based on the organisation’s Appropriate Policy Document (APD).

“The Appropriate Policy Document (APD) does not set out the specific Schedule 1 or Schedule 8 conditions for processing. ** should update its APD to ensure it incorporates the relevant conditions for processing, to ensure sufficient consideration has been given to their bases for processing of special category data.”

What is an Appropriate Policy Document (APD)?

An APD is a document that outlines the legal basis for processing special category data and any safeguards an organisation has put in place to protect said data.

Schedule 1 of the Data Protection Act 2018 requires organisations to have an APD in place when processing special category and criminal offence data under certain conditions.

Special category data relates to information that requires enhanced protection because it is sensitive. The UK GDPR defines special category data as:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.

See more on this from the ‘Guide to the general data protection regulation’ on the ICO website.

In order for organisations to lawfully process special category data, they must identify both a lawful basis under article 6 of the UK GDPR and a separate condition for processing under article 9. Lawful bases under article 6 include consent, vital interests and legitimate interest, amongst others. Conditions for processing special category data under article 9 include legal claims or judicial acts, reasons of substantial public interest, and health and social care.

Some of these also require associated conditions to be met as set out under Schedule 1 Part 1 of the Data Protection Act (DPA) 2018.

Another area of special category data which falls under the appropriate policy document requirement includes the processing of criminal offence data, such as data of victims and witnesses, information relating to convictions and any allegations made against an individual.

To ensure lawful processing of criminal offence data, organisations must again identify a lawful basis for processing under article 6 of the UK GDPR.

Criminal offence data can only be processed if the processing is either:

  • under the control of official authority; or
  • authorised by domestic law, which means organisations need to meet one of the conditions set out under Schedule 1 of the DPA 2018 and therefore may require an APD.

What should be included in an APD?

Each document should demonstrate that, when an organisation processes special category and/or criminal offence data under the conditions highlighted above, the processing complies with the principles under article 5 of the UK GDPR:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

An APD does not have to follow any particular format but should include the following points, paying particular reference to a retention schedule:

  • the Schedule 1 condition (or conditions) that an organisation is relying on;
  • procedures for complying with each of the principles above; and
  • retention and deletion policies.

An APD is an important document for many organisations involved in data processing and data controlling, and certainly should be in place if your organisation is involved in processing special category data. The ICO offers an APD template you can find here.

If you believe your organisation might benefit from an APD and would like our expertise to help create one, please get in touch.
