Of all the documents UK data protection law asks for, the Appropriate Policy Document is probably the least known. It is short, it is specific to the UK, and if you employ people there is a good chance you are supposed to have one and do not.
What it is
An Appropriate Policy Document, usually shortened to APD, is a short policy required by Schedule 1 of the Data Protection Act 2018. It explains two things: how you comply with the data protection principles when handling certain sensitive data, and what your retention and deletion approach is for that data.
The trigger is processing special category data (health, ethnicity, beliefs, and so on) or criminal offence data under one of the conditions in Schedule 1. Sensitive data always needs a lawful basis plus an extra condition; many of the Schedule 1 conditions come with a further string attached, which is the APD.
It is not a privacy notice, and it is not your general data protection policy. It is a focused internal document about one slice of your processing: the sensitive data you handle under a Schedule 1 condition.
Why it is needed
The APD is a UK addition on top of the UK GDPR, and it exists as an accountability measure. Sensitive data carries higher risk, so Parliament attached an extra safeguard to the conditions that permit processing it: you must be able to show, in writing, that you have thought about how the principles apply and how long you will keep the data.
It also has teeth in one specific way: the ICO can ask to see your APD, and you must provide it free of charge. If you are relying on a Schedule 1 condition that requires an APD and you do not have one, the lawfulness of that processing is on shaky ground, which is an uncomfortable place for payroll or HR data to be.
Who needs it
Anyone relying on a Schedule 1 condition that carries the APD requirement. In practice the big one for small businesses is the employment, social security and social protection condition. That is the condition nearly every employer relies on to process health data in HR and payroll: sick notes and sickness absence records, statutory sick pay, maternity pay, occupational health referrals, and reasonable adjustments.
In other words, if you have employees and you handle sick leave, you almost certainly need an APD. The same requirement attaches to most of the substantial public interest conditions, and to processing criminal records data, for example DBS checks during recruitment.
When it is needed
- Before the processing happens. The APD must be in place at the time you carry out the processing, not written after the fact.
- For as long as the processing runs, plus six months. You must keep it until six months after the relevant processing ends, and keep it under review during that time.
- Whenever the ICO asks. It must be produced on request, without charge.
There is a related record-keeping duty too: your ROPA (record of processing activities) should say which Schedule 1 condition you rely on, and whether the data is being kept and deleted in line with your policy.
How it is done
The good news: this is one of the shortest documents in data protection. A page or two is normal. It needs to cover:
- Which condition you rely on. Name the Schedule 1 condition, and describe the processing it covers (for example, health data processed for sickness absence and statutory pay).
- How you comply with each principle. Walk through the Article 5 principles (lawfulness and fairness, purpose limitation, minimisation, accuracy, storage limitation, security, accountability) and say briefly how your handling of this data satisfies each one.
- Retention and deletion. How long you keep the data, why that period, and how it is deleted when the time comes. If you follow a retention schedule, point to it.
Keep it honest and specific. “Access is limited to the two people who run payroll” is worth more than a paragraph of boilerplate. The document is meant to describe what you actually do, so writing it is often the moment you discover a gap worth fixing, such as sick notes sitting in a shared inbox.
Where to start
Start from the facts: which of your activities touch special category or criminal offence data, and under what condition. If you have mapped your processing activities, that list already exists, and the APD largely writes itself from it. If you have not, that mapping is the first job, and our free GDPR check will show you where you stand in a couple of minutes.