Written by Nikola Murdzev

Posted on: May 30, 2023

Requirements of Implementing and Developing an Appropriate Policy Document (APD) for UK Data Protection Compliance

GDPR requires companies processing special categories of data and criminal offence data to always protect that data and to respect the rights of the data subjects. There is a little-known requirement, defined in the Data Protection Act 2018, which requires companies to produce a very specific document to demonstrate compliance with these requirements. Failure to comply will mean you are in breach of GDPR and may face legal claims from data subjects and, worse still, fines and enforcement action from Regulators.

Background:

The Data Protection Act 2018 (DPA 2018) outlines the requirement for an Appropriate Policy Document (APD) to be in place when processing special category (SC) and criminal offence (CO) data under certain specified conditions.

The requirement for an Appropriate Policy Document (APD) arises under Schedule 1 of the Data Protection Act 2018. Schedule 1 requires organisations to have an APD in place when they process special category data, as well as criminal offence data, under certain conditions.

The UK GDPR lists the following special categories of data:

  • personal data revealing racial or ethnic origin
  • personal data revealing political opinions
  • personal data revealing religious or philosophical beliefs
  • personal data revealing trade union membership
  • genetic data
  • biometric data (where used for identification purposes)
  • data concerning health
  • data concerning a person’s sex life, and
  • data concerning a person’s sexual orientation

Schedule 1 of the Data Protection Act 2018 divides the conditions for processing special categories (SC) of personal data and criminal offence (CO) data into a number of parts, set out below:

Part 1 – Conditions relating to employment, health and research etc.

Within Part 1, the conditions cover processing of SC/CO data that relates to:

  • Employment, social security and social protection
  • Health or social care purposes
  • Public health
  • Research

Part 2 – Conditions relating to substantial public interest

Within Part 2, the conditions cover processing of SC/CO data that relates to:

  • Statutory etc and government purposes
  • Administration of justice and parliamentary purposes
  • Equality of opportunity or treatment
  • Racial and ethnic diversity at senior levels of organisations
  • Preventing or detecting unlawful acts
  • Protecting the public against dishonesty etc
  • Preventing fraud
  • Suspicion of terrorist financing or money laundering
  • Support for individuals with a particular disability or medical condition
  • Counselling etc
  • Safeguarding of children and of individuals at risk
  • Safeguarding of economic well-being of certain individuals
  • Insurance purposes
  • Occupational pensions
  • Political parties, elected representatives responding to requests, disclosure to elected representatives, informing elected representatives about prisoners
  • Publication of legal judgments
  • Anti-doping in sport and Standards of behaviour in sport

Part 3 – Additional conditions relating to criminal convictions

Within Part 3, the conditions cover processing of SC/CO data that relates to:

  • Consent
  • Protecting individuals’ vital interests
  • Processing by not-for-profit bodies
  • Personal data in the public domain
  • Legal claims
  • Judicial acts
  • Administration of accounts used in commission of indecency offences involving children
  • Extension of conditions in Part 2 of this Schedule referring to substantial public interest and Extension of insurance conditions

Part 4 – Appropriate policy document: what does this mean for you?

Part 4 covers the Appropriate policy document requirements and the additional safeguards of applying an APD.

Under Part 4, a controller has an appropriate policy document in place in relation to the processing of personal data in reliance on a condition in Part 1, 2 or 3 of Schedule 1 if the controller has produced a document which:

  • explains the controller’s procedures for securing compliance with the principles in Article 5 of the GDPR (principles relating to processing of personal data) in connection with the processing of personal data in reliance on the condition in question, and
  • explains the controller’s policies as regards the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained.

Schedule 1 also sets out two additional safeguards that apply to this processing of SC/CO data: retention of the appropriate policy document, and the record of processing.

Retention of appropriate policy document

Where personal data is processed in reliance on a condition described under Part 1, 2 or 3 of Schedule 1, the controller must, during the relevant period:

  • retain the appropriate policy document,
  • review and (if appropriate) update it from time to time, and
  • make it available to the Commissioner, on request, without charge.

The relevant period begins when the controller starts to process personal data in reliance on that condition and ends at the end of the period of 6 months beginning when the controller ceases to carry out such processing.

Record of processing

A record maintained by the controller, or the controller’s representative, under Article 30 of the GDPR in respect of the processing of personal data in reliance on a condition described under Part 1, 2 or 3 of Schedule 1 must include the following information:

  • Which condition is relied on.
  • How the processing satisfies Article 6 of the GDPR (lawfulness of processing).
  • Whether the personal data is retained and erased in accordance with the controller’s policies as regards the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained, and if it is not, the reasons for not following those policies.

Back to first principles:

The APD rests on the fact that SC/CO data must be processed in accordance with the UK GDPR principles set out in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. The document therefore needs to explain, in adequate detail, how the processing of that data complies with each of these data protection principles.

Why is this important:

As we mentioned at the beginning, failure to comply will mean you are in breach of GDPR and may face legal claims from data subjects and, worse still, fines and enforcement action from Regulators. However, creating the APD is a relatively simple process and should become part of your standard approach to compliance. What’s more, it is a useful way of assessing the risk associated with processing this data and avoiding any further issues. Don’t delay – talk to your GDPRLocal Account Manager now.

How can we help?

If your organisation is required to implement an Appropriate Policy Document, or you are concerned about the way your organisation processes special category (SC) and criminal offence (CO) data under the specified conditions, talk to a GDPR Local account manager now, access a world of data protection advice here, or contact GDPRLocal at [email protected]
