Information regarding controller / processor relationship(s) for PiP
| Authority | [[cabinet-office |
| Date received | 2025-08-13 |
| Outcome | Some information sent but part exempt |
| Outcome date | 2025-09-23 |
| Topic | [[employment-workforce |
Summary
The request sought the Data Protection Impact Assessment (DPIA) and documents identifying controller/processor relationships for the PiP payroll system. The authority provided a partial response containing risk assessments and mitigation strategies from the DPIA, though some information was withheld under exemptions.
Key Facts
- The PiP system stores sensitive employment data including trade union membership, bank details, and special categories like ethnicity and religion.
- Access to special category data is restricted to employees and limited OHR system administration accounts.
- Document attachment functionality was switched off pending assessment to prevent excessive data collection.
- Redirection features are currently disabled until technical and organizational controls can be implemented.
- Bespoke user access roles are attached to individuals rather than posts, creating a risk of incorrect access if not revoked upon role changes.
Data Disclosed
- 2025-08-13
- 2025-09-23
- 83
- 2
Exemptions Cited
- Part exempt
Original Request
Please could you provide a copy of the DPIA which was undertaken in order to implement PiP being implemented by OHR /Cabinet Office.
Please could you provide any documents which would identify which Departments, Boards or Offices are listed as either A. Controller B. Processor or C. Joint Controller.