
Appropriate Policy Document (APD)

Updated 24 June 2026

1. SCOPE & DEFINITIONS

The Data Protection Act 2018 (DPA 2018) requires data controllers to have an appropriate policy document in place when carrying out the processing of Special Category data (SC) and Criminal Offence data (CO). This policy will document the lawful basis, conditions for processing and safeguards SLC have in place to conduct such processing.

1.1 DEFINITION OF PROCESSING:

Processing means any operation or any set of operations, performed on personal data, or sets of personal data (whether or not by automated means), such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.

1.2 SPECIAL CATEGORIES OF PERSONAL DATA:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.

1.3 DEFINITION OF CRIMINAL OFFENCE DATA:

Section 11(2) of the DPA 2018 confirms that criminal offence data includes personal data relating to:

(a) the alleged commission of offences by the data subject, or

(b) proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.

Acquittal statements or statements which affirm the absence of a conviction are still CO data because their processing still ‘relates’ to criminal convictions.

Article 10 of the UK GDPR defines CO as personal data relating to criminal convictions and offences or related security measures. Related security measures can include personal data about penalties, conditions or restrictions placed on an individual as part of the criminal justice process, or civil measures which may result in penalties.

2. CONDITIONS FOR PROCESSING SC DATA AND CO DATA

2.1 WHAT CONDITIONS MUST BE MET TO PROCESS SC DATA:

In order to lawfully process SC data, SLC must identify a lawful basis under Article 6(1) of the UK GDPR and an exception under Article 9(2). There are 10 exceptions for processing SC data; 5 of these require an organisation to meet additional conditions and safeguards, which are set out in Schedule 1 of the DPA 2018.

The conditions which most closely reflect SLC’s purpose for processing will be identified in Section 3.

2.2 WHAT CONDITIONS MUST BE MET TO PROCESS CO DATA:

Article 10 of UK GDPR restricts the processing of CO data. Processing such data must therefore have a lawful basis under Article 6 (1) of UK GDPR and either official authority[1] or a Schedule 1 condition for processing criminal offence data as an exception to Article 10.

There are 28 conditions available for the processing of criminal offence data in Schedule 1 of the DPA 2018. These are found under Parts 1, 2 and 3, namely paragraphs 1-4; 6 and 7; 10-15; 17 and 18; 23-35; and 37.

2.3 LAWFUL BASES FOR PROCESSING:

The lawful bases for processing are set out in Article 6(1) of UK GDPR. At least one of these must apply whenever SLC processes personal data, special category data and criminal offence data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(ea) Recognised legitimate interest: the processing is necessary for one of the pre-approved purposes. These are:

  • safeguarding “vulnerable” people;
  • responding to emergencies;
  • preventing or investigating crime;
  • national security, public security and defence; and
  • sharing personal information with an organisation that needs it for their public task or function at their request.

This basis can’t apply if you’re a public authority processing personal information to perform your official tasks.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

2.4 EXCEPTIONS FOR PROCESSING SC DATA:

Article 9 (2) of UK GDPR sets out the following:

  • Explicit consent
  • Employment, social security and social protection (if authorised by law)
  • Vital interests
  • Not-for-profit bodies
  • Made public by the data subject
  • Legal claims or judicial acts
  • Reasons of substantial public interest (with a basis in law)
  • Health or social care (with a basis in law)
  • Public health (with a basis in law)
  • Archiving, research and statistics (with a basis in law)

Schedule 1, Part 1 of the DPA 2018 provides conditions which qualify Article 9(2)(b), (h), (i) and (j), all of which require a specific basis in UK law. Schedule 1, Part 2 then provides 23 conditions for the purpose of Article 9(2)(g) (reasons of substantial public interest). If relying on Article 9(2)(g), only conditions under Part 2 can apply.

3. SLC CONDITIONS FOR PROCESSING SC AND CO DATA

3.1 JOB APPLICANT DATA:

Data: Personal data revealing racial or ethnic origin; religious or philosophical beliefs; data concerning a person’s sexual orientation.
Lawful Basis: Article 6(1)(c) Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.
Exception: Article 9(2)(g) Substantial public interest.
Condition: Schedule 1, paragraph 8(1) Equality of opportunity or treatment: … is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained.

Data: Data which allows SLC to make reasonable adjustments (eg. details of any disabilities).
  1. Lawful Basis: Article 6(1)(c) Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.
     Exception: Article 9(2)(b) Employment, social security and social protection law.
     Condition: Schedule 1, paragraph 1(1) Employment, social security and social protection: … the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.
  2. Lawful Basis: Article 6(1)(c) Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.
     Exception: Article 9(2)(g) Substantial public interest.
     Condition: Schedule 1, paragraph 8(1) Substantial public interest conditions: … is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained.

Data: Data which allows SLC to complete pre-employment screening checks, such as right to work checks.
Lawful Basis: Article 6(1)(c) Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.
Exception: Article 9(2)(b) Employment, social security and social protection law.
Condition: Schedule 1, paragraph 1(1) Employment, social security and social protection: … is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.

Data: Data which allows SLC to complete pre-employment screening checks, such as disclosure and criminal offence checks.
Lawful Basis: Article 6(1)(f) Legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Condition: Schedule 1, paragraph 29 Additional conditions relating to criminal convictions etc.: this condition is met if the data subject has given consent to the processing.

Data: In very limited circumstances, SLC may approach applicants for explicit consent to process certain particularly sensitive data. Full details of the reason for processing will be provided.
Lawful Basis: Article 6(1)(a) Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Exception: Article 9(2)(a) Explicit consent: the data subject has given explicit consent to the processing of those personal data for one or more specified purposes.
Condition: No Schedule 1 condition required. As per the UK GDPR standard for consent, it must be freely given, specific, affirmative (opt-in) and unambiguous, and able to be withdrawn at any time.

3.2 EMPLOYEE DATA

Data: Personal data revealing racial or ethnic origin; religious or philosophical beliefs; data concerning a person’s sexual orientation.
Lawful Basis: Article 6(1)(c) Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.
Exception: Article 9(2)(g) Substantial public interest.
Condition: Schedule 1, paragraph 8(1) Equality of opportunity or treatment: … is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained.

Data: Data relating to health, including sickness absence or family related leave; information relevant to health & safety policy, fitness for work and appropriate workplace adjustments.
  1. Lawful Basis: Article 6(1)(c) Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.
     Exception: Article 9(2)(b) Employment, social security and social protection law.
     Condition: Schedule 1, paragraph 1(1) Employment, social security and social protection: … the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.
  2. Lawful Basis: Article 6(1)(b) Contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
     Exception: Article 9(2)(a) Explicit consent: the data subject has given explicit consent to the processing of those personal data for one or more specified purposes.
     Condition: No Schedule 1 condition required. As per the UK GDPR standard for consent, it must be freely given, specific, affirmative (opt-in) and unambiguous, and able to be withdrawn at any time.

Data: Data concerning criminal convictions, offences or related security measures, including those required to carry out basic or enhanced employee security screening.
Lawful Basis: Article 6(1)(f) Legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Condition: Schedule 1, paragraph 29 Additional conditions relating to criminal convictions etc.: this condition is met if the data subject has given consent to the processing.

Data: Data required for the administration of employee benefits and statutory obligations, such as maternity or sick pay.
Lawful Basis: Article 6(1)(c) Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.
Exception: Article 9(2)(b) Employment, social security and social protection law.
Condition: Schedule 1, paragraph 1(1) Employment, social security and social protection: … the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.

Data: Data required to administer the employee Life Insurance or Occupational Pension Scheme, including death and survivorship information.
Lawful Basis: Article 6(1)(f) Legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller.
Exception: Article 9(2)(g) Substantial public interest.
Condition: Schedule 1, paragraph 21(1) Occupational pensions: … is necessary for the purpose of making a determination in connection with eligibility for, or benefits payable under, an occupational pension scheme.

3.3 CUSTOMER DATA:

Data: Personal data revealing racial or ethnic origin; religious or philosophical beliefs; a person’s sexual orientation.
Lawful Basis: Article 6(1)(e) Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Exception: Article 9(2)(g) Substantial public interest.
Conditions (the lawful basis and exception above apply to each):
  1. Schedule 1, paragraph 8(1) Equality of opportunity or treatment: … is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained.
  2. Schedule 1, paragraph 6(1) & (2) Statutory etc. and government purposes: (1) the processing (a) is necessary for a purpose listed in sub-paragraph (2), and (b) is necessary for reasons of substantial public interest; (2) those purposes are: (b) the exercise of a function of the Crown, a Minister of the Crown, or a government department.
  3. Schedule 1, paragraph 4 Research etc.: this condition is met if the processing (a) is necessary for archiving purposes, scientific or historical research purposes or statistical purposes, (b) is carried out in accordance with Article 84B of the UK GDPR, and (c) is in the public interest.

Data: Health or disability data related to both Disabled Students’ Allowance (DSA) and Distance Learning.
Lawful Basis:
  1. Article 6(1)(a) Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  2. Article 6(1)(e) Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Exception: Article 9(2)(g) Substantial public interest.
Condition: Schedule 1, paragraph 6(1) & (2) Statutory etc. and government purposes: (1) the processing (a) is necessary for a purpose listed in sub-paragraph (2), and (b) is necessary for reasons of substantial public interest; (2) those purposes are: (b) the exercise of a function of the Crown, a Minister of the Crown, or a government department.
For DSA and Consent to Share only: as per the UK GDPR standard for consent, it must be freely given, specific, affirmative (opt-in) and unambiguous, and able to be withdrawn at any time.

Data: Data concerning criminal convictions, offences or related security measures.
Lawful Basis: Article 6(1)(e) Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Exception: Article 9(2)(g) Substantial public interest.
Condition: Schedule 1, paragraph 10(1) Preventing unlawful acts: the processing (a) is necessary for the purposes of the prevention or detection of an unlawful act, (b) must be carried out without the consent of the data subject so as not to prejudice those purposes, and (c) is necessary for reasons of substantial public interest.

4. SAFEGUARDING THE UK GDPR PRINCIPLES

4.1 SLC POLICY DOCUMENTS:

SLC maintains multiple policies which demonstrate our compliance with UK GDPR and its principles. These are published externally and/or internally and are regularly updated in line with any stated review cycle. The links below can be accessed in conjunction with, and as a supplement to, this APD.

Published on the Gov.uk website, the charter provides a user-friendly summary of our data processing with easy access to information including SLC contact details, factsheets and links to our Customer Privacy Notice and Records Management Policy.

4.2 COMPLIANCE WITH UK GDPR ACCOUNTABILITY PRINCIPLE:

SLC confirm that the following technical and organisational measures exist and are adhered to:

  • SLC have a Data Protection Officer (DPO), a Deputy Data Protection Officer (DDPO) and a Senior Information Risk Owner (SIRO)
  • SLC have a dedicated 2nd line of defence Data Protection Office (DP Office).
  • The DP Office regularly report UK GDPR compliance MI to SLC’s senior management.
  • SLC take a risk-based approach to the DP Office carrying out 2nd line of defence compliance testing of Data Protection controls.
  • SLC take a Data Protection by Design and By Default (DPDD) approach, which is embedded into the change programme/project activity.
  • SLC have implemented a DPIA Framework and a Security/Information Framework, embedded in the change programme.
  • The DP Office maintain a suite of Data Protection procedural and guidance documents covering Individual Rights, DPIAs and DPDD which are updated regularly and available to all SLC staff on Connect Documents.
  • SLC take risk based organisational security measures to protect personal information, evidenced via the Annual Departmental Security Health Check, in line with government security standards ie. Government Functional Standards 005 and 007, along with Security and HMG Minimum Security Standards for: Cyber security, Physical security, Personnel security and Incident management.
  • SLC have a dedicated team for reporting and investigating potential Data Breaches.
  • SLC have a Security Education and Awareness Manager who manages a Security Champions Network of SLC employees.
  • SLC have a suite of mandatory Data Protection and Protecting Information/Data Breach Elearning for employees to complete on an annual basis.
  • SLC can demonstrate that we have appropriate processes in place to ensure that SLC only collects and holds the personal data necessary to fulfil its duties on behalf of UK Government and the Devolved Administrations.

4.3 COMPLIANCE WITH PRINCIPLE (a): LAWFULNESS, FAIRNESS AND TRANSPARENCY:

  • SLC has identified the lawful bases for processing personal data, special category data and criminal offence data within both this APD and SLC’s three Privacy Notices.
  • SLC ensures that we do not do anything with data in breach of any other laws.
  • SLC uses personal data in a way that is fair ie. we do not process data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.
  • SLC is clear, open and honest with both Customers and Employees from the start, about how SLC will use their personal data.
  • SLC makes appropriate guidance and contact information available to external stakeholders, customers, applicants and staff on Government UK webpages and SLC’s internal intranet site Connect.
  • SLC has a dedicated Individual Rights team who action both DSAR and Erasure requests, in adherence to regulatory timeframes.
  • SLC has a dedicated Freedom of Information (FOI) team.

4.4 COMPLIANCE WITH PRINCIPLE (b): PURPOSE LIMITATION:

  • SLC has a Customer Privacy Notice and an Employee Privacy Notice, which both include:

    • SLC being clear about why SLC is collecting the individual’s personal information/data and what SLC intends to do with it.
    • SLC’s purpose for collecting/processing their information/data.
    • Why SLC is collecting their information/data.
    • That SLC will only reuse personal information/data for a new purpose if this is compatible with the original purpose.
    • That if SLC’s original lawful basis is not sufficient, then SLC will find a new lawful basis.

4.5 COMPLIANCE WITH PRINCIPLE (c): DATA MINIMISATION:

  • SLC have identified the adequate/minimum amount of personal data needed to fulfil our purposes, through both our Master Retention Schedule and Records Management Policy.
  • This is the first of three principles about data standards, along with accuracy and storage limitation (see below).
  • SLC can demonstrate that we have appropriate processes in place, to ensure that SLC only collects and holds the relevant/necessary amount of personal data (see Accountability above).
  • SLC has processes in place which allow our customers/employees to complete any incomplete data, which is inadequate for SLC’s purpose ie. the right to rectification.
  • SLC has processes in place which allow our customers/employees to request the deletion of any information/data which is not necessary for SLC’s purpose ie. the right to be forgotten/erasure.

4.6 COMPLIANCE WITH PRINCIPLE (d): ACCURACY:

  • SLC takes all reasonable steps to ensure the accuracy of personal data ie. personal data is not incorrect or misleading.
  • SLC takes all reasonable steps to ensure that we keep personal data updated, although this will depend on what SLC are using it for.
  • If SLC discovers that personal data is incorrect or misleading, then we take all reasonable steps to correct or erase it as soon as possible.
  • SLC carefully considers any challenges to the accuracy of personal data being held.
  • SLC ensures that the source and status of personal data is clear and transparent.
  • SLC considers whether it is necessary to periodically update the data being held.

4.7 COMPLIANCE WITH PRINCIPLE (e): STORAGE LIMITATION:

  • SLC does not keep personal data for any longer than needed (see Data Minimisation above).
  • Depending on the purposes for holding data, SLC is able to justify how long we keep personal data.
  • SLC has a Records Management Policy which sets out SLC’s standard retention periods wherever possible.
  • SLC periodically reviews the data being held, and either erases or anonymises the data when it is no longer needed.
  • SLC carefully considers any challenges to its retention of data, and individuals have a right to erasure if we no longer need their data.
  • SLC may keep personal data for longer if we are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.

4.8 COMPLIANCE WITH PRINCIPLE (f): INTEGRITY AND CONFIDENTIALITY (SECURITY):

  • SLC undertakes regular analysis of the risks presented by its processing and uses this to assess the appropriate level of security needed to be put in place.
  • When deciding what measures to implement, SLC takes account of the state of the art and costs of implementation, taking a risk-based approach with cognisance to specific cost/benefit analysis.
  • SLC has an Information Security Policy in place, which is reviewed on a regular basis.
  • SLC takes steps to ensure that the policy is implemented, and where necessary, has additional policies and documentation to ensure that controls are in place to enforce them.
  • Where appropriate, SLC looks to use measures such as pseudonymisation and encryption.
  • SLC has measures in place to enable SLC to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
  • SLC has appropriate processes in place to test the effectiveness of Security measures and would then undertake any required improvements.

4.9 RETENTION AND ERASURE:

  • SLC has a retention policy, and this can be found at Records Management Policy
  • SLC retains personal information for varying periods of time. General guidance is set out below:

    1. Unsuccessful job applicant information is kept for 3 months, with the exception of CO data which is held for 12 months.
    2. SLC employee information is held for 6 years from the end of the employment, with the exception of occupational pensions which are held for 100 years from DOB.
    3. SLC customer information is governed by key stages in the customer journey eg. DSA related health data is held until 6 years post study, whilst data relating to racial/ethnic origin, religious or philosophical beliefs and data concerning sexual orientation are held until 6 years post loan repayment/write-off.
    4. Customer CO data is held up to 6 years from the closure of the case/complaint with serious counter fraud case files being retained for 70 years from DOB.
    5. Lapsed or abandoned customer application information is retained for between 12 and 24 months from the date the course would have commenced.
    6. Minimisation of some personal information/data takes place when a customer reaches the 6 years post study point/trigger.
    7. Further Minimisation of some personal information/data takes place when a customer reaches the 6 years post repayment/write off point/trigger.
    8. The remaining customer lifetime record is then fully deleted when the customer reaches the 70 years from DOB point/trigger.

5. POLICY REVIEW CYCLE

This document will be reviewed every 2 years unless substantive changes are made to supporting artefacts or to UK Data Protection Legislation.


[1] Public bodies, or private bodies vested with public sector tasks, may have ‘official authority’ laid down by law to process criminal offence data. This official authority may derive from either common law or statute.