
What Is an Appropriate Policy Document Under Data Protection Law?

If your business handles sensitive types of personal data, such as health records or criminal conviction information, you must comply with strict UK data protection laws. Many businesses may need to process this personal data in practice. For instance, employers may need to use this information about their staff. An essential requirement under these laws is the need for an Appropriate Policy Document. This article explores critical aspects of an Appropriate Policy Document and when it is necessary under data protection law.

What Is the UK Data Protection Law Regime?

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) set the rules and principles your business must follow when processing personal data.

The DPA 2018 supplements the UK GDPR with further provisions, notably concerning the processing of special categories of personal data and data related to criminal convictions and offences.

What Is an Appropriate Policy Document?

Processing criminal offence data requires both a lawful basis under Article 6 of the UK GDPR and a condition under Schedule 1 of the DPA 2018.

If your business uses certain types of sensitive data as a data controller, the DPA 2018 requires you to implement an Appropriate Policy Document.

Under the DPA 2018, an Appropriate Policy Document is mandatory when your business processes special categories of personal data or data related to criminal convictions and offences. This document acts as a critical accountability tool, showing that your business has implemented the necessary safeguards and processes sensitive data in compliance with the law.

Your Appropriate Policy Document requires regular reviews and updates to reflect any changes in your data processing activities or legal requirements. You must also keep this document readily available for the Information Commissioner’s Office (ICO), on their request, to help demonstrate your commitment to data protection compliance.

An Appropriate Policy Document should explain your business’s policies on retaining and erasing special category data and data concerning criminal convictions and offences. This document should cover clear guidelines on how long you will keep this data and the criteria for determining when you will erase it.

If you do not have an Appropriate Policy Document in place when you need one, your business risks being subject to enforcement action for non-compliance.

What Key Points Should You Know About an Appropriate Policy Document?

Understanding the purpose and requirements of an Appropriate Policy Document is crucial to ensuring compliance with UK data protection laws.

When your business handles special category data or information related to criminal convictions, it is crucial to have an Appropriate Policy Document in place. This document is essential for demonstrating that you comply with UK data protection laws.

Specifically, it should explain how your business complies with the legal requirements when dealing with these types of sensitive data. You will need to identify which condition under Schedule 1 of the DPA 2018 you are relying on, in addition to having a lawful basis under Article 6 of the UK GDPR.

The document should detail the steps you take to meet the UK GDPR’s core principles, such as being fair, transparent, and secure with the personal data you process. Being transparent about how long you retain this data and under what circumstances you’ll delete it is also essential. Transparency is key here, so make sure your document explains to individuals how their data is being handled, especially regarding criminal offence data.

Once your relevant processing activities are finished, you must keep this document on file for at least six months. Regularly reviewing and updating it is essential to stay compliant, and while not mandatory, publishing it can be a sensible way to demonstrate your compliance. 

Remember that the ICO may request a copy of your document, which you must provide. As such, ensure you get this right. If you need help preparing an Appropriate Policy Document, you can seek legal advice from a data protection solicitor who can support you.

A business may struggle with understanding the grounds on which to process special categories of personal data and how to tailor their documentation. However, special category data is high risk, and you should follow the applicable rules. If you need support with this and understanding your obligations, you should seek advice from a data protection lawyer. 

Key Takeaways

An Appropriate Policy Document is a crucial requirement for businesses that process special category data or data related to criminal convictions under UK data protection law. The document ensures that your data processing activities comply with the UK GDPR and DPA 2018, particularly when handling sensitive personal data. This is a vital document for compliance, and you must provide it to the ICO upon request. As such, you should ensure your document is always accurate and up to date.

If you need help drafting an Appropriate Policy Document, LegalVision’s experienced data privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you gain unlimited access to lawyers who can answer your questions and draft or review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

1. What is the UK Data Protection Law Regime?

The UK GDPR and the Data Protection Act 2018 govern the UK data protection law regime. These laws set out how businesses must handle personal data to protect individuals’ privacy rights.

2. What Key Points Should You Know About an Appropriate Policy Document?

An Appropriate Policy Document should outline your steps for compliance with data protection laws regarding the legal conditions for processing special categories and criminal offence data. You should regularly review the document, retain it for at least six months after processing ends, and make it available to the ICO on their request. 

Sej Lamba
