What is an appropriate policy document (“APD”) and when is it needed?

What is an APD?

An APD is a policy that relates to the processing of special category personal data or personal data relating to criminal convictions or offences (and related security measures). By way of explanation, special category personal data is personal data revealing the type of information we usually consider to be more private and/or sensitive and includes race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying someone, data relating to physical or mental health or relating to sex life or sexual orientation.

In terms of personal data relating to criminal convictions, this is information about the offences an individual has been convicted of. However, criminal offence data and related security measures have a much wider definition. The former includes allegations and investigations relating to criminal activity and it even includes information about the absence of criminal offences.  The latter includes cautions, restraining orders and bail conditions, as well as numerous other items. For further detail on this see the ICO’s guidance on criminal offence data.

When is an APD needed?

In some circumstances, it is a legal requirement under the Data Protection Act 2018 (“DPA 2018”) for an APD to be in place when an organisation is processing the types of personal data referred to above. However, it is not mandatory in every case. In order to ascertain when an APD is required, it is necessary to consider which lawful basis is relied upon under Article 6 of the UK GDPR for the processing, together with which of the conditions under Article 9 of the UK GDPR and Schedule 1 to the DPA 2018 are relied upon.

An example of this would be in relation to an organisation collecting health data from a disabled employee for the purposes of making reasonable adjustments for them and providing them with a safe place to work. As employers have a legal obligation to do this, the relevant lawful basis for this processing would be ‘legal obligation’ under Article 6(c) of the UK GDPR and the most appropriate Article 9 condition would be the ‘employment condition’ under Article 9 (2) (b) of the UK GDPR. This particular Article 9 condition must be supported by a condition under Schedule 1 to the DPA 2018 and the most relevant condition can be found within section 1 of Part 1 of Schedule 1 to the DPA 2018. This condition specifically states that an APD is required. Therefore, in these circumstances, it is important that the organisation has an APD in place.

There is no particularly easy way to remember which processing activities involving the above types of personal data require an APD and which don’t, except that it’s worth noting that if you are relying on the ‘substantial public interest’ condition under Article 9(2)(g) of the UK GDPR, it is likely that you will need an APD to support your processing. This is because most of the ‘substantial interest conditions’ require an APD.

What needs to be included in an APD?

An APD is a key document that must contain the following, as a minimum:

• A description of each type of special category personal data and criminal conviction and offence data and related security measures that will be processed;
• Details of which conditions under Schedule 1 to the DPA 2018 will be relied upon;
• An explanation of how the data protection principles under Article 5 of the UK GDPR will be complied with and;
• Details of the retention periods and erasure actions that will be implemented (a link to a retention and erasure policy could be included).

In preparing the APD, organisations will find it useful to refer to their Record of Processing Activities (ROPA), which is a document many organisations are required to have in place in accordance with Article 30 of the UK GDPR. The ROPA sets out an organisation’s processing activities including the purpose of processing, the categories of data subjects and of personal data, the recipients of that data, the retention periods, the security measures and details of transfers. Some of this information can be used and developed for the purpose of drafting an APD.

What’s the point of an APD?

As mentioned above, the type of personal data we are concerned with here is more sensitive than ‘regular’ personal data and, as such, it is appropriate that extra precautions are taken when processing it. The key aims of an APD are to outline how an organisation will protect the data, as well as how it will comply with its obligations under the UK GDPR and DPA 2018 in relation to this processing.  It will also provide individuals with reassurance that this very private data is being processed with the utmost care and attention.

In addition to this, an APD has an important role to play in relation to an organisation’s obligations under the ‘accountability principle’. Under this principle, organisations are required to, not only comply with the data protection legislation but prove that they comply. See our blog on the ‘accountability principle’ for further information. Guide to Demonstrating GDPR Accountability – evalian®

One element which helps to demonstrate compliance is having relevant documentation in place, such as an APD, when this is required. The APD will sit within an organisation’s suite of policies and procedures and documents, complementing others such as its ROPA, data protection policy, privacy notices and data handling policy, bolstering its compliance posture.

Once in place, the APD must be reviewed on a regular basis to ensure that it is still necessary and fit for purpose and must be updated, as and when necessary. It must also be produced to the Information Commissioner’s Office (ICO) upon request and without charge. If circumstances change such that an organisation ceases to carry out the processing activities for which an APD is required, the APD must still be retained but only for a further 6 months following the end of such processing.

Other important considerations

An appropriate policy document will help employees to better understand their obligations when dealing with this type of data, provided they are required to read the documents and/or have training on them and are encouraged to ask questions about any aspects they need clarification on.

Indeed, whilst drafting an APD and adding it to the compliance file is an important step, what is more important, is ensuring that all members of staff that are involved in this type of processing have had data protection awareness training and know how to appropriately handle the data, in accordance with the APD. Therefore, initial and refresher training sessions are vital, whether that training is provided on a more practical level during the course of learning a role or more classroom based. Providing employees responsible for handling this type of data with clear instructions on what they can and cannot lawfully do when processing relevant personal data, will help ensure the data protection legislation is adhered to and the data remains secure.

If an organisation is processing the type of data referred to above, there is a possibility that it will be required, by law, to have an APD in place. As such, it is important that organisations:

• Check their processing activities to ascertain whether they need an APD;
• If necessary, prepare an APD, ensuring it contains the minimum requirements set out above;
• Implement the APD by ensuring all employees are made aware of it, are given relevant training on the particular processing and are comfortable with adhering to the contents of the APD;
• Review the APD on a regular basis;
• Retain the APD for 6 months after the relevant processing stops; and
• Be prepared to provide the ICO with a copy of the APD, upon request.

Need help?

If you need further guidance on implementing an APD, we can help. Please contact us for an informal chat or advice.

​

Image by upklyak on Freepik