Appropriate policy document: special category personal data and criminal offence data
Updated 29 January 2026
Applies to England
© Crown copyright 2026
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/defra-appropriate-policy-documents/appropriate-policy-document-special-category-personal-data-and-criminal-offence-data
Scope
This appropriate policy document covers the following organisations:
- Department for Environment, Food and Rural Affairs (Defra)
- Animal and Plant Health Agency (APHA)
- Centre for Environment, Fisheries and Aquaculture Science (Cefas)
- Rural Payments Agency (RPA)
- Veterinary Medicines Directorate (VMD)
When processing personal data, we will comply with the requirements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and any associated laws.
This policy document has been developed for the above organisations to meet the requirement for an Appropriate Policy Document (APD) under of Schedule 1, Part 4 of the DPA 2018. This details the safeguards that we have put in place when we process special category personal data and criminal offence data in accordance with the requirements of Articles 9 and 10 of the UK GDPR and Schedule 1 of the DPA 2018.
Our processing of special category and criminal offence data for law enforcement purposes is not covered in this document. Processing for law enforcement purposes is carried out by us in our capacity as a competent authority and falls under Part 3 of the DPA 2018. For further information please read our appropriate policy document for sensitive processing for law enforcement purposes.
You can find more information about our data protection policies and procedures, including the kind of personal data we hold and what it’s used for, in the following:
- Personal information charter
- Personal information charter (RPA only)
- Department for Environment, Food and Rural Affairs privacy notices
- Animal and Plant Health Agency privacy notices
- Centre for Environment, Fisheries and Aquaculture Science privacy notice
- Rural Payments Agency privacy notices
- Veterinary Medicines Directorate privacy notice
Special category data
Special category data is defined by the UK GDPR Article 9 as personal data which reveals:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric identification
- health
- sexual life, sexual orientation or both
Criminal offence data
The UK GDPR Article 10 covers processing of criminal convictions and offences or related security measures. Section 11(2) of the DPA 2018 provides that criminal offence data includes information about:
- the alleged commission of offences
- related proceedings
- sentencing
Conditions for processing special category and criminal offence data
We process special categories of personal data under the following UK GDPR Articles.
Article 9(2)(a) – explicit consent
Where we seek consent, we make sure that it is:
- unambiguous
- for one or more purposes
- specific
- given by a positive action
- recorded and refreshed such as when requesting health data from customers to assess the health impact of our policies and operations
Article 9(2)(b) - employment or social protection
Where processing is required by law for employment, social security or social protection purposes, either for us or the data subject. For example processing staff sickness absences and register of interest declarations.
Article 9(2)(c) - vital interests
Where processing is necessary to protect the vital interests of the data subject or of another natural person. For example using health data about a member of staff in a medical emergency.
Article 9(2)(f) - legal claims
For the establishment, exercise or defence of legal claims. For example, processing relating to any employment tribunal or other litigation.
Article 9(2)(g) - substantial public interest
We process special category data in the performance of our statutory and corporate functions which are of substantial public interest, such as the data we seek or receive as part of investigating a complaint.
Reasons of substantial public interest include our responsibility for improving and protecting the environment. We aim to grow a green economy and sustain thriving rural communities. We also support our world-leading food, farming and fishing industries.
Article 9(2)(j) - archiving, research and statistics
For archiving, research and statistics in the public interest with Schedule 1 Part 1 paragraph 4, such as the data transfers we make to the National Archives as part of our obligations under the Public Records Act 1958.
Article 10 – processing of personal data relating to criminal convictions and offences
We process criminal offence data under Article 10 of the UK GDPR as we are exercising official authority within the meaning set out in Section 8 of the DPA 2018. The type of data processed includes pre-employment checks and declarations by staff or apprentices in line with contractual obligations.
DPA 2018 Schedule 1 conditions for processing
All processing is for the first listed purpose and might also be for others, depending on the context.
We process special category data for the following purposes in Part 1 Schedule 1:
- paragraph 1 – employment, social security and social protection
- paragraph 4 – research, archiving, scientific, historical or statistical purposes carried out in accordance with Article 89(1) and is in the public interest
We process special category data for the following purposes in Part 2 Schedule 1:
- paragraph 6 – statutory etc and government purposes which is necessary for the exercise of the function conferred on a person by an enactment or rule of law, or exercise of a function of the Crown, a Minister of the Crown or a government department
- paragraph 7 – administration of Justice and parliamentary purposes
- paragraph 8 – equality of opportunity or treatment
- paragraph 10 – preventing or detecting unlawful acts
- paragraph 12 – regulatory requirements relating to unlawful acts and dishonesty etc
- paragraph 24 – disclosure to elected representatives
We process criminal offence data for the following purposes in Parts 1 and 2 of Schedule 1:
- paragraph 1 – employment, social security and social protection
- paragraph 6 – statutory etc and government purposes which is necessary for the exercise of the function conferred on a person by an enactment or rule of law, or exercise of a function of the Crown, a Minister of the Crown or a government department
Data protection principles
We comply with the principles relating to processing of personal data under the UK GDPR Article 5 as set out below:
Principle 1 – 5(a) – lawfulness, fairness and transparency
To ensure personal data is processed lawfully, fairly and transparently, we will:
- ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful
- only process personal data fairly and will ensure that data subjects are not misled about the purposes of any processing
- ensure that data subjects receive full privacy information so that any processing of personal data is transparent
Principle 2 – 5(b) – purpose limitation
We will only collect personal data for specified, explicit and legitimate purposes and we will not process it in a way that is incompatible with the purposes for which it was collected. We will inform data subjects:
- what the collection purposes are in a privacy notice
- if we use personal data for a new purpose that is compatible
Principle 3 – 5(c) – data minimisation
Personal data shall be adequate, relevant and limited to what is necessary for the purposes it is needed. We will:
- only collect the minimum personal data
- ensure personal data is adequate and relevant
- delete personal data where we can and when data provided to us or obtained by us is not relevant to our purpose(s)
Principle 4 – 5(d) – accuracy
Personal data shall be accurate and, where necessary, kept up to date. We will:
- ensure that personal data is accurate and kept up to date where necessary
- take particular care where our use of the personal data has a significant impact on individuals
- make sure that personal data is deleted or corrected without delay if we become aware that it is inaccurate or out of date
- document our decision if we do not delete or correct inaccurate information, for example when processing the data in line with regulations means these rights do not apply
Principle 5 – 5(e) – storage limitation
We will not keep personal data which identifies data subjects for longer than is necessary. We will:
- only keep personal data in identifiable form as long as is necessary for the purposes it was collected for, or where we have a legal obligation to do so
- delete, put beyond use or permanently anonymise personal data once we no longer need it
Principle 6 – 5(f) – integrity and confidentiality (security)
We will process and store personal data securely, protecting it against unauthorised or unlawful processing, and accidental loss, destruction, or damage. We will:
- ensure that there are appropriate technical and organisational measures in place to protect personal data
- adhere to our strict security standards and procedure
- regularly training staff and third parties who process personal data on our behalf on how to keep personal data safe
- limit access to personal data to those staff, or third parties, who have a business or legal need to access it
Accountability principle
We have put in place appropriate technical and organisational measures to meet the requirements of accountability. These include:
- the appointment of a Data Protection Officer who reports directly to our Permanent Secretary
- taking a ‘data protection by design and default’ approach to our activities
- maintaining documentation of our processing activities
- adopting and implementing data protection policies and ensuring we have written contracts in place with our data processors
- implementing appropriate security measures in relation to the personal data we process
- carrying out data protection impact assessments for our high-risk processing
- regularly reviewing our accountability measures and update or amend them when required
Retention and erasure policies
We have administrative, physical and technical safeguards in place to protect personal data against:
- unlawful processing
- unauthorised processing
- accidental loss or damage
We will ensure, when special category data or criminal offence data are processed, that the processing is recorded. The record sets out, where possible, a suitable timeframe for the safe and permanent deletion of the different data categories in accordance with our retention schedule.
Review
This policy will be kept under review with an additional formal review undertaken in 2 years. It will be retained where we process special category data and criminal offence data and for a period of at least 6 months after we stop carrying out such processing.