Data Protection Basics: The 7 data protection principles

Understanding the key principles of data protection

Let’s get back to basics. There are seven core principles which form the foundation of data protection law. Understanding and applying these principles is the cornerstone of good practice and key to complying with UK / EU GDPR. Here’s our quick guide to the data protection principles.

1. Lawfulness, fairness and transparency

This principle covers 3 key areas.

a) Lawfulness – We must identify an appropriate ‘lawful basis’ for collecting and using personal data. In fact, we need to decide on a lawful basis for each task we use personal data for, and make sure we fulfil the specific conditions for that lawful basis. There are 6 lawful bases to choose from. We need to take special care and look to meet additional requirements when using what’s termed ‘special category’ data or data which relates to minors or vulnerable people. We should also be sure not to do anything which is likely to contravene any other laws.

b) Fairness – We must only use people’s data in ways that are fair. Don’t process data in a way which might be unexpected, discriminatory or misleading. This means evaluating any adverse effects on individuals.

c) Transparency – We must be clear, open and honest with people about how we use their personal information. Tell people what we’re going to do with their personal information. Routinely this is achieved by providing relevant privacy information at the point data is collected, and by publishing a complete and up-to-date privacy notice and making this easy to find. Transparency requirements apply right from the start, when we collect or receive people’s data.

2. Purpose limitation

This is all about only using personal details in the ways we told people they’d be used for. We must be clear about what our purposes for processing are and specify them in the privacy information we provide to individuals.
Sometimes we might want to use personal data for a new purpose. We may have a clear legal obligation to do it, but if not we should check the new purpose is compatible with the original purpose(s) we had for that data. If not, then we may need to secure the individual’s consent before going ahead. Remember, if we surprise people, they’ll be more likely to complain.

3. Data minimisation

We must make sure the personal data we collect and use is:

■ Adequate – necessary for our stated purposes. Only collect the data we really need. Don’t collect and keep certain personal information ‘just in case’ it might be useful in future.
■ Relevant – relevant to that purpose; and
■ Limited to what is necessary – don’t use more data than we need for each specific purpose.

4. Accuracy

We should take ‘all reasonable steps’ to make sure the personal data we gather and hold is accurate, up-to-date and not misleading. It’s good practice to use data validation tools when data is captured or re-used. For example, validate that email addresses are in the right format, or verify postal addresses when these are captured online. If we identify that any of the personal information we hold is incorrect or misleading, we should take steps to correct or delete it promptly.

Data accuracy can decline over time. For example, people change their email address, move house, get married or divorced, and their needs and interests change. And of course some people on your database may pass away. So we need to consider ways to keep our data updated and cleansed. Perhaps find ways to give people the opportunity to check and update their personal details?

5. Storage limitation

Don’t be a hoarder! We must not keep personal data longer than necessary for the purposes we have specified. Certain records need to be kept for a statutory length of time, such as employment data. But not all data processing has a statutory period.
Where the retention period is not set by law, the organisation must set an appropriate data retention period for each purpose, which it can justify. The ICO would expect us to have a data retention policy in place, with a schedule which states the standard retention period for each processing task. This is a key step to making sure you can comply with this principle. When the data is no longer necessary, we must destroy or anonymise it, unless there’s a compelling reason for us to keep it for longer, for example when a legal hold applies. For more information see our Data Retention Guidance.

6. Security

This is the ‘integrity and confidentiality’ principle of the GDPR – often known as the security principle. It requires organisations to make sure we have appropriate security measures in place to protect the personal data we hold. UK / EU GDPR talks about ‘appropriate technical and organisational measures’ (known as TOMs). These include things like physical and technical security measures, conducting information security risk analyses, and having information security policies & standards in place to guide our staff.

Our approach to security should be proportionate to the risks involved. The ICO advises us to consider available technology and the costs of implementation when deciding what measures to take. Some of the basics include transferring data securely, storing it securely, restricting access to only those who need it and authenticating approved data users. Cyber Essentials or Cyber Essentials Plus can be helpful as an assurance framework to carry out a review of your data security arrangements.

Controllers should consider information security standards when appointing and managing relationships with processors, i.e. service providers handling personal data on your behalf to provide their services. Are your processors securely handling their processing of the data you control? Carry out appropriate due diligence to make sure.

7. Accountability

The accountability principle makes organisations responsible for complying with the UK / EU GDPR and says they must be able to evidence how they comply with the above principles. This requires data governance across the organisation. Think of accountability as a collective responsibility, flowing from the Executive team down through to the teams that process personal data. To demonstrate how we comply, we need to have records in place. For many organisations this will include a Record of Processing Activities (RoPA). The ICO provides a useful ‘Accountability Framework’ we can use to benchmark performance against their expectations.

In summary, identify the lawful bases you’re relying on, be fair and be open about what you do. Minimise the data you collect and make sure it remains accurate over time. Always keep it secure and don’t keep it for longer than you need it. Take care if you want to use personal data for a new purpose. Keep records and be ready to justify your approach. The ICO has published more detailed guidance on the seven principles.
Privacy Notices Quick Guide

The right to be informed

All businesses need an external-facing Privacy Notice, aka Privacy Policy, if collecting and handling people’s personal information. Data protection law tells us we must provide people with easily accessible and specific privacy information when we collect their data. This guide sets out the key considerations and core requirements for our Privacy Notices.
The Little Book of Data Protection Nuggets
When is it okay to record and transcribe meetings?

Key considerations when using AI-enabled tools

It’s increasingly common for online meetings and phone calls to be recorded and/or transcribed. A plethora of AI-enabled tools have popped up to make this very easy to do. Transcriptions can be really helpful to provide a written record, a short summary of the key points, or even to automate key actions. They are often handy for those who can’t attend or for people with certain disabilities. Some apps can combine words with recorded video or audio content for reference. However, while we rush to take advantage of these apps, we should be mindful of some privacy risks and be sure to have some measures and controls in place.

Unauthorised use and data leakage

Are people in your organisation going ahead with a ‘free trial’ and using recording or transcription services which have not been properly vetted or approved? This could result in poor controls on the outputs and data leakage to third parties. People need to know what they’re permitted to do, and what is not company policy. The safest bet is to go with an Enterprise version, so you can make sure there’s sufficient control and oversight of its use.

Does it turn on automatically?

Some apps are set to ‘on’ by default, so the settings may need editing to stop them automatically recording or transcribing when you don’t want them to.

Do you have permission?

It’s important to make sure everyone’s happy for the meeting to be recorded and/or transcribed. Good practice would be to let participants know in advance when there will be a recording and/or transcription made and ask them to let you know if they object. Also remind them at the start of the meeting, before you actually click ‘start’.

Is it accurate?

AI transcription tools can be extremely accurate, often better than humans. But even so, AI can still make mistakes. For example, AI can misinterpret certain nuances in the human voice or behaviours, or fail to grasp the context.
This could affect the accuracy of the written output, or even its meaning. What we say isn’t always what we mean! Take different forms of humour, such as sarcasm, which might not come across well in raw text. Human oversight is key – don’t assume everything you read is 100% accurate to the words or the context.

Data minimisation and retention

Do we really need both a video recording and a transcription? Depending on the nature of meetings, this could create a significant volume of personal data, or perhaps commercially sensitive data. One of the first things we should think about is deleting anything we don’t need at the earliest opportunity.

Sharing transcripts and recordings

Have we set any restrictions on who the outputs are shared with and in what form? We should take particular care to prevent unauthorised disclosure of sensitive information – whether of a personal, confidential or commercial nature.

Sensitive meetings

Just because a meeting is of a sensitive nature doesn’t necessarily mean it can’t be recorded or transcribed. We know of circumstances where both parties have been in agreement on this, for example in grievance proceedings meetings. However, in such cases all the other points above can become even more important – is it an approved app? Is the output accurate? Who should have access to it? And so on.

Can we handle privacy rights requests?

If recording and transcription tools are not set up and managed well, they may cause an unwelcome headache further down the line. Recordings and transcriptions may all be in scope if you receive a DSAR or erasure request. It’s therefore good to nail down how long materials will be kept for and where they will be saved, and to make sure they are searchable.

5 Quick Tips

1. DPIA: Depending on your planned use and how sensitive the personal data captured is likely to be, consider if a DPIA is required (or advisable).
2. Internal policy / guidelines for usage: Set guidelines on when and how recording and transcription services should and should not be used. Include expected standards such as telling people in advance, giving them an opportunity to object, rules on sharing, deletion, etc.
3. Access controls: Update your access controls to make sure only authorised individuals can access recordings and transcriptions.
4. Retention: Update your data retention policy/schedule to confirm retention periods. Clearly there may be exceptions to the rule, if there is information which needs to be kept longer.
5. DSARs: Update your DSAR procedure to reflect that personal data captured in recordings and transcriptions may be within scope.
AI Risk, Governance and Regulation

The Artificial Intelligence landscape’s beginning to remind me of a place Indiana Jones might search for hidden treasure. The rewards are near-magical, but the path is littered with traps. Although, in the digital temple of ‘The New AI’, he’s not going to fall into a pit of snakes or be squished by a huge stone ball. No, Indy is more likely to face other traps. Leaking sensitive information. Litigation. Loss of adventuring advantage to competing explorers. A new, looming regulatory environment, one even Governments have yet to determine. And the huge stone ball? That will be when the power of the Lost AI goes awry, feeding us with incorrect information, biased outcomes and AI hallucinations.

Yes, regulation is important in such a fast-moving international arena. So is nimble decision-making, as even the European Commission considers pausing its AI Act. Nobody wants to be left behind. Yet, as China and the US vie for AI supremacy, are countries like the UK sitting on the fence?

AI has an equal number of devotees and sceptics, very broadly divided along generational lines. Gen Z and X are not as enamoured with AI as Millennials (those born between 1981 and 1996). A 2025 McKinsey report found Millennials to be the most active AI users. My Gen Z son says of AI, ‘I’m not asking a toaster a question.’ He also thinks AI’s insatiable thirst for energy will make it unsustainable in the longer term. Perhaps he has a point, but I think every industry will somehow be impacted, disrupted and – perhaps – subsumed by AI. And as ever, with transformational new technologies, mistakes will be made as organisations balance risk versus advantage. How, in this ‘Temple of the New AI,’ do organisations find treasure… without falling into a horrible trap?

How to govern your organisation’s use of AI

While compliance with regulations will be a key factor for many organisations, protecting the business and brand reputation may be an even bigger concern.
The key will be making sure AI is used in an efficient, ethical and responsible way. The most obvious solution is to approach AI risk and governance with a clear framework covering accountability, policies, ongoing monitoring, security, training and so on. Organisations already utilising AI may have already embedded robust governance. For others, here are some pointers to consider:

■ Strategy and risk appetite
Senior leadership needs to establish the organisation’s approach to AI: your strategy and risk appetite. Consider the benefits alongside the potential risks associated with AI and implement measures to mitigate them.

■ AI inventory
Create an inventory to record what AI systems are already in use across the business, the purposes they are used for, and why.

■ Stakeholders, accountability & responsibilities
Identify which key individuals and/or departments are likely to play a role in governing how AI is developed, customised and/or used in your organisation. Put some clear guard rails in place. Determine who is responsible and accountable for each AI system. Establish clear roles and responsibilities for AI initiatives to make sure there’s accountability for all aspects of AI governance.

■ Policies and guidelines
Develop appropriate policies and procedures, or update existing policies, so people understand internal standards, permitted usage and so on.

■ Training and AI literacy
Provide appropriate training. Consider if this needs to be role specific, and factor in ongoing training in this rapidly evolving AI world. Remember, the EU AI Act includes a requirement for providers and developers of AI systems to make sure their staff have sufficient levels of AI literacy. If you don’t know where to start, Use AI Securely provides a pretty sound free introductory course.

■ AI risk assessments
Develop and implement a clear process for identifying potential vulnerabilities and risks associated with each AI system.
For many organisations who are not developing AI systems themselves, this will mean a robust method for assessing the risks associated with third-party AI tools, and how you intend to use those tools. Embedding an appropriate due diligence process when looking to adopt (and perhaps also customise) third-party AI SaaS solutions is crucial. Clearly not all AI systems or tools will pose the same level of risk, so having a risk-based methodology to enable you to prioritise risk will also prove invaluable.

■ Information security
Appropriate security measures are of critical importance. Vulnerabilities in AI models can be exploited, input data can be manipulated, malicious attacks can target training datasets, and unauthorised parties may access sensitive, personal and/or confidential data. Data can be leaked via third-party AI solutions. We also need to be mindful of how online criminals exploit AI to create ever more sophisticated and advanced malware, for example to automate phishing attacks. On this point, the UK Government has published a voluntary AI cyber security code of practice.

■ Transparency and explainability
Are you being open and up front about your use of AI? Organisations need to be transparent about how AI is being used, especially when it impacts on individuals or makes decisions that affect them. A clear example here is AI tools being used for recruitment – is it clear to job seekers you’re using AI? Are they being fairly treated?

Using AI Tools in Recruitment

Alongside this there’s the crucial ‘explainability’ piece – the ability to understand and interpret the decision-making processes of artificial intelligence systems.

■ Audits and monitoring
Implement a method for ongoing monitoring of the AI systems and/or AI tools you are using.

■ Legal and regulatory compliance
Keep up to date with the latest developments and how to comply with relevant laws and regulations in the different jurisdictions relevant to your operations.
My colleague Simon and I recently completed the IAPP AI Governance Professional training, led by Oliver Patel. I’d highly recommend his Substack, which is packed with tips and detailed information on how to approach AI Governance.

Current regulatory landscape

European Union

The EU AI Act was implemented in August 2024, and is coming into effect in stages. Some people fear this comprehensive and strict approach will hold back innovation and leave Europe languishing behind the rest of the world. It’s interesting that the European Commission is considering pausing its entry into application, which DLA Piper has written about here.

On 2nd February this year, rules came into effect in relation to AI literacy requirements, the definition of an AI system and a limited number of prohibited AI use cases, which the EU determines pose an unacceptable risk. Like GDPR, the AI Act has extra-territorial scope, meaning it applies to organisations based outside the EU (as well as inside) where they place AI products on the market or put them into service in the EU, and/or where outputs produced by AI applications are used by people within the EU. We’ve already seen how EU regulation has led to organisations like Meta and Google excluding the EU from use of their new AI products for fear of enforcement under the Act. The European Commission has published guidelines alongside the prohibited practices coming into effect.

Guidelines on Prohibited Practices & Guidelines on Definition of AI System

UK

For the time being it looks unlikely the UK will adopt a comprehensive EU-style regulation. A ‘principles-based framework’ is supported for sector-specific regulators to interpret and apply. Specific legislation for those developing the most powerful AI models looks the most likely direction of travel. The Information Commissioner’s Office published a new AI and biometrics strategy on 5th June with a focus on promoting compliance with data protection law, preventing harm but also enabling innovation.
Further ICO activity will include:

■ Developing a statutory code of practice for organisations developing or deploying AI.
■ Reviewing the use of automated decision making (ADM) systems for recruitment purposes.
■ Conducting audits and producing guidance on the police’s use of facial recognition technology (FRT).
■ Setting clear expectations to protect people’s personal information when used to train generative AI foundation models.
■ Scrutinising emerging AI risks and trends.

The soon-to-be-enacted Data (Use and Access) Act will to a degree relax current strict rules in relation to automated decision making which produces legal or similarly significant effects. The ICO for its part is committed to producing updated guidance on ADM and profiling by Autumn 2025.

DUA Act: 15 key changes ahead

Other jurisdictions are also implementing or developing a regulatory approach to AI, and it’s worth checking the IAPP Global AI Regulation Tracker.

AI is here. It’s transformative and far-reaching. To take the fullest advantage of AI’s possibilities, keeping abreast of developments along with agile and effective AI governance will be key.
Why record keeping is the cornerstone of data protection

Records of Processing Activities

No one ever wrote a thriller about record keeping. Denzel, Keanu, Keira and Brad are not required on set. But here’s why we should give it due attention. Put simply, without adequate records it’s difficult to demonstrate compliance with data protection legislation (GDPR and UK GDPR). Records are core to meeting the accountability principle, i.e. being ready and able to demonstrate evidence of compliance.

Let’s step back for a moment. Each organisation needs to know what personal data they hold, where it’s located and what purposes it’s being used for. Only then can you be sure what you’re using it for is fair and lawful, and gain confidence you’re meeting other GDPR obligations. To put it another way, how confident is your organisation in answering the following questions?

■ Do we know what personal data we hold, its sensitivity and all the systems it’s sitting on – including data shared with third parties?
■ Do we know all purposes for processing?
■ Have we determined an appropriate lawful basis for each purpose? And are we meeting the specific requirements for that basis?
■ When handling special category data, have we also identified a special category condition?
■ Have we confirmed how long we need to keep the data for each purpose?

All of the above feed into transparency requirements, and what we tell people in our privacy notices. In my opinion, you can’t answer these questions with confidence unless you map your organisation’s use of personal data and maintain a central record. This may be in the form of a Records of Processing Activity (RoPA).

Okay, so the absence of data protection records might only come to light if your organisation is subject to regulatory scrutiny. But not putting this cornerstone in place could result in gaps and risks being overlooked – which could potentially materialise into a serious infringement.
In my view, a RoPA is a sensible and valuable asset for most organisations. I fully appreciate creating and maintaining a RoPA can feel like a Herculean task, especially if resources are overstretched. That’s why we often recommend taking a proportionate and achievable approach, focussing on special category data use and higher risk activities first. Then build on this foundation when you can.

RoPA requirements under GDPR & UK GDPR

The requirements apply to both controllers and processors and include keeping records covering:

■ the categories of personal data held
■ the purposes of processing
■ any data sharing
■ details of transfers to third countries, including a record of the transfer mechanism safeguards in place
■ retention periods
■ the technical and organisational measures used to protect the data
■ and more…

Do you employ fewer than 250 people? If so, record keeping requirements may be less stringent. But you’ll still be required to maintain a RoPA if:

■ your processing of personal data is not occasional
■ your processing is likely to result in risk to the rights and freedoms of individuals
■ you process special category data (e.g. health data, ethnicity, trade union membership, biometrics and more)
■ you process personal data relating to criminal convictions and offences.

You can read more about the requirements in the ICO records of processing guidance.

Benefits of Record Keeping (RoPA)

Here are just some of the benefits you can get from your RoPA.

1. Understanding the breadth and sensitivity of your data processing.
2. Visibility of where data protection risks lie. This will help establish priorities and focus efforts to tackle key risks.
3. Confidence your activities are lawful and meet specific regulatory requirements.
4. Tackle over-retention of data – it’s a common challenge. By establishing your purposes for processing personal data, you can determine how long you need to keep that data. Then you can take practical steps to delete any data you no longer need.
5. Transparency – An up-to-date RoPA feeds into your privacy notice, making sure the information you provide accurately reflects what you are really doing.
6. Data breaches – Your RoPA should be the ‘go to’ place if you suffer a data breach. It can help you to quickly identify what personal data may have been exposed and how sensitive the data is, which processors might be involved and so on. This helps you to make a rapid risk assessment (within 72 hours) and to make positive decisions to mitigate risks to protect individuals.
7. Supply chain – Keeping a record of your suppliers (‘processors’) is a key aspect of supplier management, along with due diligence, contractual requirements and international data transfers.
8. Privacy rights – If you receive a Data Subject Access Request, your records can help to locate and access the specific data required to fulfil the request. If you receive an erasure request, you can quickly check your lawful basis for processing and see if the right applies, and efficiently locate what systems the data needs to be deleted from.

Tips to get started

Here are a few very quick tips on how to commence a RoPA project or breathe new life into an outdated spreadsheet you last looked at in 2018!

Who?

No DPO or data protection team can create and maintain these records on their own – they need support from others. Enlist the support of your Senior Leadership Team, as you’ll need them to back you and drive this forward. Confirm who is, or should be, accountable for business activities which use personal data within all your key business functions – the data owners. For example, Human Resources (employment & recruitment activities), Sales & Marketing (customer/client activities), Procurement (suppliers), Finance, and so on. Data owners are usually best placed to tell you what data they hold and what it’s currently used for, so get them onside.

What?

Make sure you’re capturing all the right information.
The detail of what needs to be recorded is slightly different if you act as a controller or processor (or indeed both). If you need to check, take a look at the ICO guidance on documentation.

When?

There’s always some new system, new activity and/or change of supplier, isn’t there? You should aim to update your records whenever you identify new processing or changes to existing processing – including identifying when you need to carry out a Data Protection Impact Assessment or Legitimate Interests Assessment. Good stakeholder relations can really help with this.

In conclusion, record keeping might not win many Oscars, but it really is the cornerstone of data protection compliance. Adequate records, even if not massively detailed, can be really beneficial in so many ways, not just if the ICO (or another Data Protection Authority) comes calling.
Data Protection Impact Assessments Guide

A quick guide to managing DPIAs

This short guide to Data Protection Impact Assessments covers what a DPIA is and when it’s mandatory to conduct one under UK GDPR and EU GDPR. It also includes helpful tips on how to manage the process. DPIAs not only help to protect people’s data, they also help to protect the business.
Understanding and handling Special Category Data

Why is it special and what does data protection law tell us we need to do?

There is a distinct subset of personal data which is awarded ‘special’ protection under data protection law. This subset includes information for which people have been persecuted in the past, or suffered unfair treatment or discrimination, and still could be. These special categories of personal data are considered higher risk, and organisations are legally obliged to meet additional requirements when they collect and use it.

Employees need to be aware special category data should only be collected and used with due consideration. Sometimes there will be a clear and obvious purpose for collecting this type of information, such as a travel firm needing health information from customers, or an event organiser requesting accessibility requirements to facilitate people’s attendance. In other situations it will be more nuanced.

What’s special category data?

Special Categories of Personal Data under UK GDPR (and its EU equivalent) are commonly referred to as special category data, and are defined as personal data revealing:

■ Racial or ethnic origin, e.g. diversity and inclusion data
■ Political opinions
■ Religious or philosophical beliefs
■ Trade union membership

The definition also covers:

■ Genetic data
■ Biometric data (where this is used for identification purposes)
■ Data concerning health, e.g. medical records, sickness records, accessibility requirements and so on
■ Data concerning a person’s sex life or their sexual orientation, e.g. diversity and inclusion data

Inferring special category data

Sometimes your teams might not realise they’re collecting and using special category data, but they might well be.
It’s likely that if you have inferred or made any assumptions based on what you know about someone, for example that they’re likely to have certain political opinions, or likely to suffer from a certain health condition, you are handling special category data. There was an interesting ICO investigation into an online retailer which found it was targeting customers who’d bought certain products, assuming from this they were likely to be arthritis sufferers. This assumption meant the retailer was judged to be processing special category data.

If you collect information about dietary requirements, these could reveal religious beliefs, for example halal and kosher. It’s also worth noting that in 2020 a judge ruled that ethical veganism qualifies as a philosophical belief under the Equality Act 2010.

Other ‘sensitive’ data

There’s sometimes confusion surrounding what might be considered ‘sensitive’ data and what constitutes special category data. I hear people say “why is financial data not considered as sensitive as health data or ethnic origin?” Of course, people’s financial details are sensitive and organisations do still need to make sure they’ve got appropriate measures in place to protect such information and keep it secure. However, UK GDPR (and EU GDPR) sets out specific requirements for special category data which don’t directly apply to financial data. To understand why, it’s worth noting that special protection for data such as ethnicity, racial origin, religious beliefs and sexual orientation was born in the 1950s, under the European Convention on Human Rights, after Europe had witnessed people being persecuted and killed.

Special Category Data Requirements

In a similar way to all personal data, any handling of special category data must be lawful, fair and transparent. Organisations need to make sure their collection and use complies with all the core data protection principles and requirements of UK GDPR.
For example:

■ Do you have a clear purpose and reason for collecting/using special category data?
■ Have you identified a lawful basis? For example: is this data necessary in order for you to fulfil a contract you have with the individual? Are you legally obliged to hold this data? Should you be seeking their consent? Or is there another appropriate lawful basis?
■ Have you told people what their special category data will be used for? What does your Privacy Notice tell people? Have people seen your Privacy Notice?
■ Can you minimise the amount of special category data you are collecting?
■ Have you decided how long this data will be kept for?
■ How will you make sure this data is not used for another, different purpose?
■ What security measures will you put in place? E.g. can you limit who has access to this data?

Quick Guide to Lawful Bases

What makes special category data unique is that it will be considered a higher risk than other types of data, and it also requires you to choose a special category condition.

Other key considerations and requirements

Risk Assessments

Confirm whether you need to conduct a Data Protection Impact Assessment for your planned activities using special category data. DPIAs are mandatory for any type of processing which is likely to be high risk. This means a DPIA is more likely to be needed when handling special category data. That’s not to say it will always be essential; it really will depend on the necessity, nature, scale and your purpose for using this data.

Special Category Condition

Alongside a lawful basis, there’s an additional requirement to consider your purpose(s) for processing this data and to select a special category condition. These conditions are set out in Article 9, UK GDPR.
(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)

Associated condition in UK law

Five of the above conditions are set out solely in Article 9. The others require specific authorisation or a basis in law, and you’ll need to meet additional conditions set out in the Data Protection Act 2018. If you are relying on any of the following, you also need to meet the associated condition in UK law, set out in Part 1 of Schedule 1 to the DPA 2018:

Employment, social security and social protection
Health or social care
Public health
Archiving, research and statistics

If you are relying on the substantial public interest condition, you also need to meet one of the 23 specific substantial public interest conditions set out in Part 2 of Schedule 1 to the DPA 2018. The ICO tells us that for some of these conditions the substantial public interest element is built in. For others, you need to be able to demonstrate, on a case-by-case basis, that your specific processing is ‘necessary for reasons of substantial public interest’. The regulator says we can’t rely on a vague public interest argument; we must be able to ‘make specific arguments about the concrete wider benefits’ of what we are doing.

Appropriate Policy Document (APD)

Almost all of the substantial public interest conditions, plus the condition for processing employment, social security and social protection data, require you to have an APD in place. The ICO’s special category data guidance includes a template appropriate policy document.
Privacy Notice

A privacy notice should explain your purposes for processing and the lawful basis you rely on to collect and use people’s personal data, including any special category data. Remember, if you’ve received special category data from a third party, this should be made transparent and the people concerned should be provided with your privacy notice.

Data breach reporting

You only have to report a breach to the ICO if it is likely to result in a risk to the rights and freedoms of individuals; the ICO describes this as a breach which, if left unaddressed, is likely to have a significant detrimental effect on individuals. Special category data is considered higher risk, so if a breach involves data of this nature it is more likely to reach the bar for reporting to the ICO (which must be done within 72 hours of becoming aware of the breach), and more likely to reach the higher threshold of needing to notify the individuals affected.

In summary, training and raising awareness are crucial to make sure employees understand what special category data is, how it might be inferred from other data, and that collecting and using this type of data must be done with care.
