Dear Care Quality Commission

1. Can you please provide the number of Data Protection Impact Assessments conducted by CQC in 2023?

2. Can you please advise if these were a full assessment or a screening?

3. Can you please disclose a brief description of each assessment, for example the title and any reasonable explanation to assist the reader?

4. Can you please disclose a copy of your internal guidance and the template for your assessment?

5. Can you please disclose a copy of any training you have given to internal colleagues about assessments, for example the slides in any training session.

Thank you

Warwick Clark

Information Access, Care Quality Commission

Dear Mr Clark

I acknowledge receipt of your correspondence dated 3 March 2024, in which
you made a request for information.

Your request is as follows:

“1. Can you please provide the number of Data Protection Impact
Assessments conducted by CQC in 2023?

2. Can you please advise if these were a full assessment or a screening?

3. Can you please disclose a brief description of each assessment, for
example the title and any reasonable explanation to assist the reader?

4. Can you please disclose a copy of your internal guidance and the
template for your assessment?

5. Can you please disclose a copy of any training you have given to
internal colleagues about assessments, for example the slides in any
training session.”

CQC will consider your request in accordance with the Freedom of
Information Act 2000 (FOIA).

Our statutory deadline for response is 2 April 2024, but we will in any
event endeavour to respond as soon as possible.

We will write to you if we are unable to meet this deadline.

The information you have requested may be subject to an exemption from the
right to know. Should this occur, we will explain the reasons why when we
respond.

Regards

On behalf of:

Information Access Team

For information about CQC, including contact details, information about
how we use and protect personal data, and how to request information from
us, go to [1]https://www.cqc.org.uk/contact-us

 

-------------- The contents of this email and any attachments are
confidential to the intended recipient. They may not be disclosed to or
used by or copied in any way by anyone other than the intended recipient.
If this email is received in error, please notify us immediately by
clicking "Reply" and delete the email. Please note that neither the Care
Quality Commission nor the sender accepts any responsibility for viruses
and it is your responsibility to scan or otherwise check this email and
any attachments. Any views expressed in this message are those of the
individual sender, except where the sender specifically states them to be
the views of the Care Quality Commission. Information on how the Care
Quality Commission processes personal data is available here
http://www.cqc.org.uk/about-us/our-polic...

References

Visible links
1. https://www.cqc.org.uk/contact-us

Dear Information Access,

In your acknowledgment you advised you would reply by the 3 April. Can you please advise why your response is delayed and when I can expect a reply?

Yours sincerely,

Warwick Clark

Information Access, Care Quality Commission

2 Attachments

Dear Warwick Clark

I write in response to your correspondence of 3 March 2024 in which you
requested the following:

“1. Can you please provide the number of Data Protection Impact
Assessments conducted by CQC in 2023?

2. Can you please advise if these were a full assessment or a screening?

3. Can you please disclose a brief description of each assessment, for
example the title and any reasonable explanation to assist the reader?

4. Can you please disclose a copy of your internal guidance and the
template for your assessment?

5. Can you please disclose a copy of any training you have given to
internal colleagues about assessments, for example the slides in any
training session.”

I have responded to each point in turn below.

The statutory deadline for responding to an FOIA request is 20 working
days from the date when CQC received the request therefore you should have
received a response no later than close of business 2 April 2024.

The Information Access team is currently experiencing a higher than usual
workload coupled with a lower than usual staff complement. This has
created a backlog of work that we are working hard to clear, and therefore
regrettably our response to your request has been delayed.

We take our responsibilities under FOIA very seriously and in normal
circumstances respond to over 90% of requests within the statutory
deadline of 20 working days. We are sorry that we were unable to do so on
this occasion.

Please accept our sincere apologies on behalf of CQC for the delay in
responding to your request. Thank you for your patience in this matter.

 1. Can you please provide the number of Data Protection Impact
Assessments conducted by CQC in 2023?

91 DPIAs were submitted in 2023

The DPIA process is initiated upon receipt of the form

 2. Can you please advise if these were a full assessment or a screening?

For 2023:

• 72 were required to go through the full assessment

◦ Of these 59 were Approved or categorised as No personal data
processing – DPIA not required

• 16 only required a partial assessment as they answered no to the
screening questions
• 3 were to be confirmed, this means that the business needed to provide
further information before we could establish whether a full
assessment was required or not.

 3. Can you please disclose a brief description of each assessment, for
example the title and any reasonable explanation to assist the reader?

Please find attached a spreadsheet containing the information requested

 4. Can you please disclose a copy of your internal guidance and the
template for your assessment?

Please see attached PDF document

 5. Can you please disclose a copy of any training you have given to
internal colleagues about assessments, for example the slides in any
training session.

We have a link to the DPIA process and form from our intranet for
colleagues to review as required.

The requirement for DPIAs is also signposted in a number of processes
across CQC including contract management, IT project management, and IT
architecture.

We are currently developing two e-learning modules focused specifically on
the DPIA process. The first will be a high level summary of the process
and why it is important. The second will provide a more detailed
understanding of the form.

Colleagues can request meetings as needed to go through their individual
requirements.

Advice and assistance

Under section 16 of the Freedom of Information Act 2000 (and in accordance
with the section 45 code of practice) we have a duty to provide you with
reasonable advice and assistance.

If you need any independent advice about individuals’ rights under
information legislation you can contact the Information Commissioner’s
Office (ICO).

The ICO is the UK’s independent authority set up to uphold information
rights in the public interest, promoting openness by public bodies and
data privacy for individuals.

The contact details for the ICO are detailed below.

There is useful information on the ICO website explaining the rights of
individuals:

[1]www.ico.org.uk/your-data-matters

CQC Complaints and Internal Review procedure

If you are not satisfied with our handling of your request, then you may
request an internal review.

Please clearly indicate that you wish for a review to be conducted and
state the reason(s) for requesting the review.

Please note that it is usual practice to accept a request for an internal
review within 40 working days from the date of this response. The [2]FOIA
code of practice advises that public authorities are not obliged to accept
internal reviews after this date.

Please be aware that the review process will focus upon our handling of
your request and whether CQC have complied with the requirements of the
Freedom of Information Act 2000. The internal review process should not be
used to raise concerns about the provision of care or the internal
processes of other CQC functions.

If you are unhappy with other aspects of the CQC's actions, or of the
actions of registered providers, please see our website for information on
how to raise a concern or complaint:

[3]www.cqc.org.uk/contact-us

To request a review please contact:

Information Access

Care Quality Commission

Citygate

Gallowgate

Newcastle upon Tyne

NE1 4PA

E-mail: [4][CQC request email]

Further rights of appeal exist to the Information Commissioner’s Office
under section 50 of the Freedom of Information Act 2000 once the internal
appeals process has been exhausted.

The contact details are:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

SK9 5AF

Telephone: 0303 123 1113

Website: [5]www.ico.org.uk

Yours sincerely

Information Access Team

Care Quality Commission

Contact via email [6][CQC request email]

National Customer Service Centre 03000 616161
 

References

Visible links
1. http://www.ico.org.uk/your-data-matters
2. https://assets.publishing.service.gov.uk...
3. http://www.cqc.org.uk/contact-us
4. mailto:[cqc%20request%20email]
5. http://www.ico.org.uk/
6. mailto:[cqc%20request%20email]
7. https://www.cqc.org.uk/contact-us

Dear Care Quality Commission,

Thank you for your reply.

For point 5, I cannot locate the intranet information you refer to. Please disclose a PDF print out of this information.

Thank you

Yours faithfully,

Warwick Clark

Information Access, Care Quality Commission

1 Attachment

Good morning Warwick Clark

Thank you for your email of 19 April 2024

Regarding point 5 of your request – “Can you please disclose a copy of any
training you have given to internal colleagues about assessments, for
example the slides in any training session.”

The attached PDF (provided in our response of 16 April 2024) is the
totality of the information CQC holds regarding our DPIA process. This
document is available internally to all colleagues via our internal
intranet.

We do not currently hold any training materials regarding the DPIA
process. The e-learning modules mentioned are in development and not yet
complete; we are therefore unable to consider releasing these at this
time.

I trust this email provides you with the information you expected to
receive.

Yours sincerely

Information Access Officer

Contact via email [1][CQC request email]

National Customer Service Centre 03000 616161
 

References

Visible links
1. mailto:[CQC request email]
2. https://www.cqc.org.uk/contact-us

Thank you for clarifying

Yours sincerely,

Warwick Clark