
WA04135 – Data protection compliance

Request Received: 15 June 2023

Responded: 19 July 2023


Q: I kindly request that you provide me with the following information:

  1. A copy of your organisation’s Records of Processing Activity (ROPA) as defined in Article 30 of the UK General Data Protection Regulation (UK GDPR).
  2. A copy of all legitimate interest assessments conducted by your organisation where you rely on Article 6(1)(f) legitimate interests as your lawful basis for processing.
  3. A copy of all privacy impact assessments conducted by your organisation.
  4. A copy of all data protection impact assessments conducted by your organisation.
  5. A copy of all international transfer risk assessments conducted by your organisation.
  6. A recent copy of your organisation’s data protection compliance assessment using the Information Commissioner’s Office (ICO)’s accountability framework template. If you are using your own standards to monitor compliance with the Data Protection 2018, please provide me with a copy of it.
  7. A copy of your organization’s data protection policy.
  8. A copy of your organization’s subject access request policy, procedures, and processes, including any guidance material such as folder structure, naming conventions, and redaction guides.
  9. A copy of your organisation’s privacy notices, including but not limited to employees, customers, ministers, special advisors (SPADs), complaints, NEDS, visitors, and CCTV.
  10. A copy of your organisation’s due diligence questions for vendor management such as independent data controllers or processors.

A: Please see below responses to your initial enquiry made on 15th June 2023:

  1. Please see attached ROPA.
  2. No information held.
  3. DPIA for electronic case management system.
  4. DPIA for electronic case management system.
  5. No information held.
  6. See attached GDPR audit.
  7. See attached Data Protection policy.
  8. See attached Data Protection and Requests for Information policy, along with Subject Access guidance and request form.
  9. See attached Privacy notices for Website and Staff and full Privacy Notice.
  10. Exempt due to commercial sensitivity, s43(2) Commercial Interests.

Attachments