Appropriate Policy Document (APD) — Special Category & Criminal‑Offence Data

Reviewed: 29 January 2026


Purpose & scope

This APD documents how UK Postbox Limited complies with the requirements of the Data Protection Act 2018 (DPA 2018) and UK GDPR when processing special category data and, where applicable, criminal-offence data.

This document sets out the lawful bases relied upon, the conditions under Schedule 1 of the DPA 2018, and the safeguards we apply to protect the rights and freedoms of individuals.


Lawful bases & conditions

Article 6 (UK GDPR):

Processing is carried out under legal obligation (e.g. Money Laundering Regulations 2017) and/or legitimate interests (e.g. fraud prevention, service security).

Article 9 (special category data):

We rely on substantial public interest conditions under Schedule 1 of the DPA 2018, including where applicable:

  • Paragraph 6 — statutory and government purposes
  • Paragraph 10 — preventing or detecting unlawful acts
  • Paragraph 14 — protecting the public against dishonesty or serious improper conduct
  • Paragraph 18 — safeguarding of children and individuals at risk

Where appropriate for specific processing activities, explicit consent may also be used.

For each processing activity relying on substantial public interest conditions, we document:

  • Why the processing is necessary for the relevant condition
  • Why the processing is proportionate to the aim pursued

Processing is limited to what is necessary to meet legal obligations under the Money Laundering Regulations 2017, prevent fraud, and protect the integrity and security of our services.


Article 10 (criminal-offence data):

Where we process criminal-offence data, we do so in accordance with Article 10 and Schedule 1, Part 2 of the DPA 2018, including Paragraph 10 (preventing/detecting unlawful acts) or other applicable conditions.

Records relating to such processing include:

  • The specific condition relied upon
  • Categories of data subjects
  • Retention periods
  • Access controls applied

Categories of data processed

Special category data processed may include:

  • Biometric data used for identity verification (e.g. liveness checks)

Criminal-offence data may include:

  • Fraud indicators
  • Sanctions or screening results where applicable

Principles & safeguards

We apply the UK GDPR principles of:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

We ensure that the use of special category and criminal-offence data does not override the rights and freedoms of individuals, and we apply additional safeguards where processing may have a higher impact.

Safeguards include:

  • Data minimisation: Use of templates, scoring, or verification outcomes rather than retaining raw biometric data wherever possible
  • Security (Article 32): Encryption in transit and at rest, role-based access controls, MFA, logging and monitoring
  • Access controls: Only specifically authorised personnel with a documented business need may access such data; access is reviewed at least annually
  • Audit logging: Access to special category data is logged and auditable; logs are retained for at least 12 months and longer where required for investigations or legal obligations
  • Retention controls: See retention section below
  • Transparency: Clear notices are provided to individuals
  • Automated decision-making: No solely automated decisions with legal or similarly significant effects without human review
  • DPIAs: Conducted where processing is likely to result in a high risk to the rights and freedoms of individuals, or where processing changes materially
  • Training: Mandatory training for relevant roles handling sensitive data
  • Vendors/processors: Subject to strict contractual controls, DPAs and international transfer safeguards (e.g. IDTA/UK Addendum and transfer risk assessments where required)

Retention

We retain special category and criminal-offence data only for as long as necessary to meet legal, regulatory and operational requirements:

  • Biometric data (raw captures): Retained by verification providers only for as long as required to complete verification and support audit/anti-fraud processes (typically days or weeks)
  • Verification results and logs: Retained for 5 years after the end of the business relationship, or longer where required by the Money Laundering Regulations 2017 or ongoing investigations

Erasure & destruction

Special category and criminal-offence data is securely deleted or anonymised when no longer required for the stated purpose or legal obligation.

Deletion includes:

  • Removal from live systems
  • Scheduled removal from backups in accordance with our Data Retention & Deletion Policy

Physical materials are securely destroyed in line with recognised standards (e.g. BS EN 15713).


Data subject rights

Individuals may exercise their rights under UK GDPR Articles 15–22, including access, rectification, erasure, restriction, objection and portability.

Requests involving special category or criminal-offence data are handled with:

  • Additional identity verification
  • Oversight by the Data Protection Officer

We ensure that processing does not unjustifiably override individual rights and freedoms.


Accountability & review

The Data Protection Officer (DPO) is responsible for maintaining this APD.

We:

  • Keep Records of Processing Activities (ROPA) up to date
  • Maintain DPIAs where required
  • Review this APD at least annually and following any material change

This APD and supporting records are retained for:

  • The duration of the processing
  • Plus 6 years thereafter, or longer where required by law

Any actual or suspected breach involving special category or criminal-offence data is escalated immediately and handled in accordance with our Incident Response & Breach Notification Policy.


UK Postbox Limited

13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom

Support: support@ukpostbox.com

Security: security@ukpostbox.com

Legal notices: legal@ukpostbox.com

Data protection: dpo@ukpostbox.com

Complaints: complaints@ukpostbox.com

Accessibility: accessibility@ukpostbox.com

Website: www.ukpostbox.com

Registered in England and Wales. Company Number: 06723381

MLR registration no: XLML00000192390

ICO registration no: ZA038907