Data Protection Act 2018 compliance
Dear Sir/Madam,
I am writing to make a formal request for information under the provisions of the Freedom of Information Act 2000. I kindly request that you provide me with the following information:
1. A copy of your organisation's Records of Processing Activity (ROPA) as defined in Article 30 of the UK General Data Protection Regulation (UK GDPR).
2. A copy of all legitimate interest assessments conducted by your organisation where you rely on Article 6(1)(f) legitimate interests as your lawful basis for processing.
3. A copy of all privacy impact assessments conducted by your organisation.
4. A copy of all data protection impact assessments conducted by your organisation.
5. A copy of all international transfer risk assessments conducted by your organisation.
6. A recent copy of your organisation's data protection compliance assessment using the Information Commissioner's Office (ICO)'s accountability framework template. If you are using your own standards to monitor compliance with the Data Protection Act 2018, please provide me with a copy of it.
7. A copy of your organization's data protection policy.
8. A copy of your organization's subject access request policy, procedures, and processes, including any guidance material such as folder structure, naming conventions, and redaction guides.
9. A copy of your organisation's privacy notices, including but not limited to employees, customers, ministers, special advisors (SPADs), complaints, NEDS, visitors, and CCTV.
10. A copy of your organisation's due diligence questions for vendor management such as independent data controllers or processors.
I understand that under the Freedom of Information Act, you are required to respond within 20 working days. To stay within section 12 - cost limits, I suggest asking your Data Protection Officer for the information. If this is not possible, I suggest a search of your compliance platform and your Microsoft estate for the following search terms (not case sensitive):
1. "records of processing activity" OR "ropa"
2. "legitimate interest assessment" OR "LIA"
3. "privacy impact assessment" OR "privacy impact assessments" OR "PIA"
4. "data protection impact assessment" OR "DPIA"
5. "transfer risk assessment" AND "personal data"
6. "accountability framework"
I would prefer to receive the requested information in electronic format via email.
Should you require any clarification or further details in order to process this request, please do not hesitate to contact me. I would be grateful if you could confirm receipt of this request and provide a reference number for future correspondence.
Thank you for your attention to this matter. I look forward to receiving the requested information within the statutory timeframe.
Yours faithfully,
Jay Bhanji
Jay,
Please see attached acknowledgement of receipt of your request.
Kind Regards
Adele
Adele Gray
Information Management Branch
Department of Health (NI)
Jay
I refer to your request below. Following our initial assessment we believe that there will be a considerable amount of information to search through to ascertain relevance which will involve a number of business areas within the Department and I would therefore ask you to confirm what time frame you are seeking this information for?
Regards
Jeff
Jeff Burns
Information Management Branch
Department of Health (NI)
Dear Burns, Jeff,
Thank you for your email seeking further clarification.
Please provide a copy of your most recent Records of Processing Activity and any Legitimate Interest Assessments and Data Protection Impact Assessments for the last 2 financial years.
Yours sincerely,
Jay Bhanji
Jay
Many thanks for your email below.
However the returns from our initial searches for DPIAs/PIAs within the
timeframe you have indicated below are still likely to exceed the cost
limits afforded to the Department under FOI legislation (s12) when
deciding relevance to your request. Consequently, can I ask again if there
is anything in particular you wish us to search for in respect of Q3 and
Q4 of your original request. Any indication of what you might be looking
for specifically, would help us when compiling our response to you. For
example, areas of work within the Department where we may have carried out
DPIAs and which you have an interest in would help us to refine and target
our searches and retrieval of information.
A limited number of the DPIAs produced by the Department are already
published on websites and typical of this are the DPIAs for the
COVIDCert NI Mobile App and the CovidCert Check verifier App (both
at the bottom of the respective pages).
Regards
Jeff
Jeff Burns
Information Management Branch
Department of Health (NI)
Jay,
Please see attached response to your request.
Regards,
Joyce
Joyce McGrattan
Information Management Branch
Department of Health (NI)
Jay,
We should have advised in our response, which issued to you on Friday,
that this response does not include input as yet from the Department’s
Strategic Planning & Performance Group (SPPG), formerly the Health & Social
Care Board (HSCB).
The Department still awaits SPPG input to all questions bar 3 and 4, for
which we await clarification from you.
SPPG input is expected to be with us on or before 26 July 2023 and once
received will be forwarded on to you.
Regards,
Joyce
Joyce McGrattan
Information Management Branch
Department of Health (NI)
From: DoH FOI
Sent: Tuesday, July 11, 2023 5:29 PM
To: '[FOI #991145 email]'
<[FOI #991145 email]>
Subject: RE: Freedom of Information request - Data Protection Act 2018
compliance
Jay,
Please see attached response to your request.
Regards,
Joyce
Joyce McGrattan
Information Management Branch
Department of Health (NI)
Jay,
Further to our previous response, the Strategic Planning and Performance
Group (SPPG) within the Department has now provided the remaining
information, attached above.
Regards,
Joyce
Joyce McGrattan
Information Management Branch
Department of Health (NI)