
Appropriate policy documents

What you'll learn:

- What is a DPIA?
- What is an appropriate policy document?
- What does an APD cover?
- Do I need an APD?
- Do I need multiple APDs?
- What is the retention period?
- Do other documents need to be updated?

When an organisation handles certain special category 'sensitive' personal data or criminal
offence data, they will need to comply with the relevant data protection laws. This includes
completing a data protection impact assessment (DPIA) which sets out a lawful basis for the
processing of the data. For some of these lawful processing conditions, an appropriate policy
document needs to be in place. Read this guide to find out more.


What is a DPIA?
A DPIA is a process designed to help organisations identify and minimise the data protection
risks of a project. Where the processing (eg obtaining or recording) of personal data (eg
names, addresses and information about racial or ethnic origin) is likely to result in a high
risk to individuals, a DPIA needs to be completed. For more information, read Data
protection impact assessments.

What is an appropriate policy document?

An Appropriate policy document (APD) is a document outlining the organisation’s
compliance measures and retention policies for special category 'sensitive' personal data (eg
information about racial/ethnic origin, physical/mental health, sexual life and biometrics) and
criminal offence data (eg criminal convictions and offences or related security measures). For
more information, read Compliance for DPIAs.

What does an APD cover?

An APD covers:

- the condition(s) for processing the organisation is relying on - setting out the
specific condition for processing as set out in the Data Protection Act 2018
- the organisation’s procedures for complying with data protection principles -
these principles are set out in the UK GDPR and must be complied with by all
organisations who process personal data. Read Data protection principles for more
information
- the organisation’s data retention and deletion policies - these are the policies the
organisation has in place regarding the processing of such data. Any such policies
should be made available to the individuals whose data is being processed
- a retention period for the specific data - this is how long the data in question will be
kept for by the organisation

You can create your APD with Rocket Lawyer.

Do I need an APD?
Organisations will need to have an APD in place when they process special category
'sensitive' personal data or criminal offence data under certain specified conditions, as a
specific accountability and documentation measure. Where an APD is required, it must be in
place at the time of processing.

Special category 'sensitive' personal data

An APD is needed when an organisation processes special category data under the
‘employment, social security and social protection’ condition or the ‘substantial public
interest’ condition (depending on the ‘associated conditions’ relied on, which organisations
need to demonstrate in order to show that they have a substantial public interest in the
processing).
An APD must always be in place under the employment, social security and social protection
condition.
For the substantial public interest condition, an APD must be in place for all associated
conditions, apart from the journalism, academia, art and literature condition.
An APD is not needed where data is being disclosed (or prepared to be disclosed) to
the relevant authorities for the associated conditions of preventing or detecting unlawful
acts and anti-doping in sport. For all other processing activities relating to these associated
conditions, an APD must be in place.

Criminal offence data

An APD must be in place when an organisation is authorised to process criminal offence data
by UK law under one of the following conditions:

- employment, social security and social protection
- statutory and government purposes
- administration of justice and parliamentary purposes
- protecting the public against dishonesty
- regulatory requirements
- preventing fraud
- suspicion of terrorist financing or money laundering
- counselling
- safeguarding of children and individuals at risk
- elected representatives responding to requests
- disclosure to elected representatives
- informing elected representatives about prisoners
- publication of legal judgments
- standards of behaviour in sport
- administration of accounts used in the commission of indecency offences involving
children
- insurance

As with special category personal data above, an APD is not needed where data is being
disclosed (or prepared to be disclosed) to the relevant authorities for the associated
conditions of preventing or detecting unlawful acts and anti-doping in sport. However,
for all other processing activities relating to these associated conditions, an APD must be in
place.

Do I need multiple APDs?

Where an organisation processes special category or criminal offence data for various
different purposes, they don’t generally need separate APDs for each processing activity or
condition for processing. Instead, they can use one APD to cover their processing, provided
that they provide the data subject with sufficient information to understand how the
organisation is processing the data in question and how long they will keep the data for.

What is the retention period?

An APD should be kept by the organisation for the duration of the processing and until 6
months after the processing has stopped. During this time, the organisation should keep the
APD under review, to ensure that it continues to remain relevant and so that the organisation
continues to have a lawful basis for processing.
While an APD does not need to be published and made available to the public, doing so is
considered good practice. If the ICO asks for a copy of an organisation's APD, this must be
provided free of charge.

Do other documents need to be updated?

Where an APD is completed, the organisation will also need to include further details in its
general documentation of processing activities. For more information, read the
ICO’s guidance.
Where relevant, organisations will specifically need to set out:

- the lawful basis for processing (and how this is satisfied)
- the conditions for processing special category or criminal offence data
- if the data retention and deletion policies are followed and, if not, why this is the case

If you have any questions or require assistance, Ask a lawyer.
