If your business handles sensitive types of personal data, such as health records or criminal conviction information, you must comply with strict UK data protection laws. In practice, many businesses need to process this kind of personal data. For instance, employers may need to use this information about their staff. An essential requirement under these laws is the need for an Appropriate Policy Document. This article explores critical aspects of an Appropriate Policy Document and when data protection law requires one.
What Is the UK Data Protection Law Regime?
The Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) set the rules and principles your business must follow when processing personal data.
The DPA 2018 supplements the UK GDPR and adds additional provisions, notably concerning processing special categories of personal data and data related to criminal convictions and offences.
What Is an Appropriate Policy Document?
Processing criminal offence data requires both a lawful basis under Article 6 of the UK GDPR and a condition under Schedule 1 of the DPA 2018.
If your business uses certain types of sensitive data as a data controller, the DPA 2018 requires you to implement an Appropriate Policy Document.
Under the DPA 2018, an Appropriate Policy Document is mandatory when your business processes special categories of personal data or data related to criminal convictions and offences. This document acts as a critical accountability tool, showing that your business has implemented the necessary safeguards and processes sensitive data in compliance with the law.
Your Appropriate Policy Document requires regular reviews and updates to reflect any changes in your data processing activities or legal requirements. You must also keep this document readily available for the Information Commissioner’s Office (ICO), on their request, to help demonstrate your commitment to data protection compliance.
An Appropriate Policy Document should explain your business’s policies on retaining and erasing special category data and data concerning criminal convictions and offences. This document should cover clear guidelines on how long you will keep this data and the criteria for determining when you will erase it.
What Key Points Should You Know About an Appropriate Policy Document?
Understanding the purpose and requirements of an Appropriate Policy Document is crucial to ensuring compliance with UK data protection laws.
Specifically, it should explain how your business complies with the legal requirements when dealing with these types of sensitive data. You will need to identify which condition under Schedule 1 of the DPA 2018 you are relying on, in addition to having a lawful basis under Article 6 of the UK GDPR.
The document should detail the steps you take to meet the UK GDPR’s core principles, such as being fair, transparent, and secure with the personal data you process. Being transparent about how long you retain this data and under what circumstances you will delete it is also essential. Make sure your document explains to individuals how their data is being handled, especially regarding criminal offence data.
Once your relevant processing activities are finished, you must keep this document on file for at least six months. Regularly reviewing and updating it is essential to stay compliant, and while not mandatory, publishing it can be a sensible way to demonstrate your compliance.
Advantages of Legal Advice
Remember that the ICO may request a copy of your document, which you must provide. As such, ensure you get this right. If you need help preparing an Appropriate Policy Document, you can seek legal advice from a data protection solicitor who can support you.
A business may struggle with understanding the grounds on which to process special categories of personal data and how to tailor their documentation. However, special category data is high risk, and you should follow the applicable rules. If you need support with this and understanding your obligations, you should seek advice from a data protection lawyer.
Key Takeaways
An Appropriate Policy Document is a crucial requirement for businesses that process special category data or data related to criminal convictions under UK data protection law. The document ensures that your data processing activities comply with the UK GDPR and DPA 2018, particularly when handling sensitive personal data. This is a vital document for compliance, and you must provide it to the ICO upon request. As such, you should ensure your document is always accurate and up to date.
If you need help drafting an Appropriate Policy Document, LegalVision’s experienced data privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you gain unlimited access to lawyers who can answer your questions and draft or review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
1. What is the UK Data Protection Law Regime?
The UK GDPR and the Data Protection Act 2018 govern the UK data protection law regime. These laws set out how businesses must handle personal data to protect individuals’ privacy rights.
2. What Key Points Should You Know About an Appropriate Policy Document?
An Appropriate Policy Document should outline your steps for compliance with data protection laws regarding the legal conditions for processing special categories and criminal offence data. You should regularly review the document, retain it for at least six months after processing ends, and make it available to the ICO on their request.