Information Retention and GDPR
| Authority | Office of the Clerk of Tynwald |
|---|---|
| Date received | 2020-06-01 |
| Outcome | Not upheld |
| Outcome date | 2020-09-10 |
| Case ID | 1310011 |
Summary
The request sought details on information retention schedules and GDPR compliance progress for the Office of the Clerk of Tynwald, which was disclosed through a self-assessment table and milestone statements. The response indicated that while many data protection measures were complete, several key areas regarding training, auditing, and incident management were still underway or under review as of 2018 and 2019.
Key Facts
- The FOI request outcome was 'Not upheld' by the Office of the Clerk of Tynwald on 2020-09-10.
- A self-assessment dated 12/01/2018 shows 17 standards as 'Green' (Complete/No change), 9 as 'Amber' (Underway/Review), and 0 as 'Red'.
- Specific areas marked 'Amber' include data protection training, auditing, fair processing notices, and breach reporting procedures.
- A GDPR Compliance Self-Assessment Milestone Statement was submitted on 11/01/2019.
- The response documents 22 pages and 5 documents covering data protection officer responsibilities and subject access request procedures.
Data Disclosed
- 2020-06-01
- 2020-09-10
- 22
- 5
- 12/01/2018
- 11/01/2019
- 25th may 2018
- 31st March 2016
- 31st March 2017
- 31st March 2018
- 31st March 2019
- 31st March 2020
- 17
- 9
- SA 1
- SA 30
Original Request
What are the versions and version dates of the information retention schedule, is any version available online, what assessments with reports and discussions with filenotes exist in relation to GDPR strategy and compliance, what documents are available, in order of preference, unredacted or redacted or summarised, what was firstly the percentage progress with the relevant information retention schedule and secondly the percentage compliance with data protection legislation and subsequent GDPR legislation as at 31st March 2016, 2017, 2018, 2019 and 2020?
Data Tables (13)
| URN | Ref | Standard | Self-Assessment | Action | Owner | RAG |
|---|---|---|---|---|---|---|
| Self-Assessment 12/01/2018 | | | | | | |
| 1 | SA 1 | Senior Manager lead on data protection matters identified | Complete | | DPO | Green |
| 2 | SA 2 | Data protection officer appointed or nominated and responsibilities documented. | Complete | | DPO | Green |
| 3 | SA 3 | Information asset owners formally identified for key systems and tasked. | No change | | DPO | Green |
| 4 | SA 4 | Effective reporting lines established. | No change | | DPO | Green |
| 5 | SA 5 | Data protection training provided for all staff. | Underway | eLearn Vannin | DPO | Amber |
| 6 | SA 6 | Data protection guidance published. | Complete | | DPO | Green |
| 7 | SA 7 | Data protection auditing and monitoring carried out in accordance with the ICO guidelines | Underway | | DPO | Amber |
| 8 | SA 8 | COT has considered the need for ‘fair processing notices’ | Underway | | DPO | Amber |
| 9 | SA 9 | COT has updated the privacy policy on website | Complete | | DPO | Green |
| 10 | SA 10 | COT has established a process to resolve fair and lawful processing disputes and complaints | No change | | DPO | Green |
| 11 | SA 11 | COT has adopted measures to ensure that any personal data processed is adequate, relevant, not excessive, accurate, and kept up-to-date. | Complete | Review | DPO | Green |
| 12 | SA 12 | COT has adopted procedures to ensure that personal data is reviewed and disposed/retained/de-personalised when no longer required | Underway | Project - IM | DPO | Amber |
| 13 | SA 13 | COT has established a process to resolve data quality disputes/complaints | No change | | DPO | Green |
| 14 | SA 14 | The subject access request form is freely available to enquirers/requestors. | No change | | DPO | Green |
| 15 | SA 15 | COT has adequate procedures in place to inform subject access requestors with ‘unsatisfactory’ requests of that fact in a timely manner. | No change | | DPO | Green |
| 16 | SA 16 | COT has adequate procedures in place to handle ‘local’ subject access requests. | No change | | DPO | Green |
| 17 | SA 17 | COT has sound procedures to update or augment existing records, or create new records, with information obtained from subject access applications. | No change | | DPO | Green |
| 18 | SA 18 | COT has established a subject access appeals/complaints process. | No change | | DPO | Green |
| 19 | SA 19 | COT has robust procedures in place to ensure subject access application information is retained only as long as necessary. | No change | | DPO | Green |
| 20 | SA 20 | COT has adopted measures to respond to subjects’ rights as per DPA sections 10, 11, 12, 13, 14 of the Act and requests/orders made by the Information Commissioner. | REVIEW | | DPO | Amber |
| 21 | SA 21 | COT has developed procedures for resolving data protection related disputes and complaints. | No change | | DPO | Green |
| 22 | SA 22 | COT has effective procedures in place to ensure that force information security boards (or their equivalents) consult with data protection officers when considering the security of personal data. | Underway | | DPO | Amber |
| 23 | SA 23 | COT has effective procedures in place to ensure data processing contracts are developed where required. | Underway | Project - GDPR | DPO | Amber |
| 24 | SA 24 | COT has effective measures in place to ensure that data protection and information security requirements are considered during the procurement or development of systems processing personal data. | No change | | DPO | Green |
| 25 | SA 25 | COT has effective procedures in place to ensure that data protection/information system operating rules are subject to regular revision, and are amended to reflect significant changes to the information system | No change | | DPO | Green |
| 26 | SA 26 | COT has effective procedures in place to ensure that breaches of data protection principles are reported to the data protection officer and information system owner. | No change | | DPO | Green |
| 27 | SA 27 | COT has effective measures in place which ensure that the data protection officer is notified of any breach | REVIEW | Training | DPO | Amber |
| 28 | SA 28 | COT has reactive measures in place for recognising and managing data loss incidents | REVIEW | Training | DPO | Amber |
| 29 | SA 29 | COT has measures in place for reporting incidents to Senior Managers | REVIEW | | DPO | Amber |
| 30 | SA 30 | COT has measures in place for reporting incidents to ICO | No change | | DPO | Green |
| Milestone ref | Response |
|---|---|
| 1 10 Awareness | Yes |
| 1 20 Awareness | Yes |
| 1 30 Awareness | Yes |
| 1 40 Awareness | Yes |
| 1 50 Awareness | Yes |
| 1 Zz Awareness Info | |
| 2 10 Held Info | No |
| 2 20 Held Info | Yes |
| 2 30 Held Info | Yes |
| 2 40 Held Info | Yes |
| 2 50 Held Info | Yes |
| 2 Zz Held Info Comments | Draft retention policy and plan is progressing but the implementation of retention periods is not BAU |
| 3 10 DPDesign | Yes |
| 3 20 DPDesign | Yes |
| 3 30 DPDesign | Yes |
| 3 40 DPDesign | Yes |
| 3 50 DPDesign | Yes |
| 3 Zz DPDesign | |
| 4 10 DPOs | Yes |
| 4 20 DPOs | Yes |
| 4 30 DPOs | Yes |
| 4 40 DPOs | Yes |
| 4 50 DPOs | Yes |
| 4 Zz DPOs Comments | |
| 5 10 Lawful Basis | Yes |
| 5 20 Lawful Basis | Yes |
| 5 30 Lawful Basis | Yes |
| 5 Zz Lawful Basis Comment | |
| 6 10 Consent | Yes |
| 6 20 Consent | Yes |
| 6 30 Consent | Yes |
| 6 Zz Consent Comment | |
| 7 10 Children | Yes |
| 7 20 Children | Yes |
| 7 30 Children | Yes |
| 7 Zz Children Comments | |
| 08 10 Communicating | Yes |
| 08 20 Communicating | Yes |
| 08 30 Communicating | Yes |
| 8 Zz Communicating Comment | |
| 9 10 Individuals Rights | Yes |
| 9 20 Individuals Rights | Yes |
| 9 30 Individuals Rights | Yes |
| 9 Zz Individuals Rights Comment | |
| 10 10 SARs | Yes |
| 10 20 SARs | Yes |
| 10 30 SARs | Yes |
| A 10 Zz SARs Comments | |
| 11 10 Data Breaches | Yes |
| 11 20 Data Breaches | Yes |
| 11 30 Data Breaches | Yes |
| 11 40 Data Breaches | Yes |
| B 11 Zz Data Breach Comment | |
| 12 01 International | Yes |
| 12 02 International | Yes |
| 12 03 International | Yes |
| 12 04 International Comment | |
| 1 60 Awareness | Yes |
| 11 50 Data Breaches | Yes |
| Version 0.1 | 11/11/2019 |
|---|---|
| Data group | Whose personal data is processed? | Where is personal data processed? |
|---|---|---|
| Staff | Current; Potential; Former; Relatives of staff – emergency contacts | Manual: locked cupboard in 3rd clerks room; Line manager cupboards; Basement; Visitors Book. Electronic: email; shared network; restricted network drive; e-Learn Vannin. Third party: Google analytics; IOMG Systems; PIP; Payroll; FOI |
| Members | Current; Potential; Former | |
| Committee | Evidence; Witnesses; Reporting | |
| Website | Visitors | |
| Correspondents | Complaints; Compliments | |
| Associates | Grainne Malachy | |
| Visitors | Transient; Potential; Official | |
| Types of personal data | Source of the data | Legal basis |
|---|---|---|
| STAFF (inc TCA): Personal details linked to employment (name, address, email, telephone, date of birth, emergency contact); Financial details linked to employment (bank account, NI, Tax reference etc.); Health information linked to employment; Criminal convictions/offences linked to employment; IP address linked to employment; Education & training linked to employment; Employment details (CV, references, annual appraisals, employment status, work permit, leave, sickness etc.) | Individual themselves; Third party individual; Third party corporate; Criminal record check | Performance of a contract; Legitimate interests of the data controller; Consent |
| MEMBERS (inc former): Personal details linked to role (name, address, email, telephone, date of birth, emergency contact, passport details); Financial details linked to pay (bank account, NI, Tax reference etc.); Health information linked to role; Voice recordings | Individual themselves | Lawful function of public body; Legitimate interests of the data controller; Consent |
| RECRUITMENT: CV details (tel, address, references, leave, sickness etc.) | Individual themselves; Third party individual; Third party corporate | Consent |
| COMMITTEE/WITNESS: Voice recordings; Evidence | Individual themselves; Third party individual; Third party corporate; Internet; Social media | Consent |
| ALL: CCTV Images; Website | Automated; Individual themselves | Consent |
| Lawfulness, fairness and transparency |
|---|
| Individuals' rights |
| Accountability and governance |
| Data security, international transfers and breaches |
| A quick review – what is the current position | Response (Yes/No/Being implemented) |
|---|---|
| Senior management awareness: regularly discuss data protection; GDPR has been recognised as a challenge to the business | Yes - BAU; Yes - BAU |
| Data protection policies and procedures (including retention and disposal schedules): in place; compliance is monitored; compliance can be evidenced; regularly reviewed; communicated to staff | Yes - BAU; Yes - BAU; Yes - BAU; Yes - BAU; Yes - BAU |
| Information security policies and procedures: in place; compliance is monitored; compliance can be evidenced; regularly reviewed; communicated to staff. Formal mechanisms in place to identify breaches and handle incidents: in place; compliance is monitored; compliance can be evidenced; regularly tested & reviewed; communicated to staff | Yes – reviewed as part of IM project; Yes |
| Clear and accessible fair processing information given to individuals | Yes |
| New projects and initiatives “privacy-proofed” at the planning stage; reviewed during development, testing and delivery stage, i.e. pre- and post-implementation; ‘privacy impact assessments’ are conducted when necessary | Review at next project |
| WHY is personal data processed? List the reasons for processing |
|---|
| The following are the defined functions in COT. Personal data is captured for each function. |
| CoT Corporate |
| CoT Short Term Value Correspondence |
| Building & Asset Management |
| Conferences, Events & Visits |
| External & Visitor Services |
| Finance |
| Hansard |
| H&S |
| HR |
| Information Management |
| Legislature & Committees |
| Member Services & Standards |
| CoT Corporate | WHOSE personal data is processed? |
|---|---|
| Reason for processing: | Business Engagement |
| | Communications |
| | Complaints |
| | Compliance |
| | Insurance |
| | Legal |
| | Organisational Development |
| | Planning & Strategy |
| | Policies |
| | Procedures & Guidance Notes |
| | Project Work |
| | Publications |
| | Reporting |
| | Risk Management |
| | Website |
| Staff | Current; Potential; Former; Relatives of staff – emergency contacts |
| Members | Current; Potential; Former |
| Correspondents | Official; Unofficial |
| Associates | Grainne; TCA; Tynwald Day |
| Visitors | General public; Visitors; Official (planning and actual) |
| Chamber | Government Representatives; Witnesses; Press; Public Gallery |
| Committee | Witnesses (public / private) |
| Website | Official with login credentials; General public |
| WHAT personal data is processed? | | |
|---|---|---|
| Types of personal data | Source of the data | Legal basis |
| STAFF (inc TCA): Personal details linked to employment (name, address, email, telephone, date of birth, emergency contact); Financial details linked to employment (bank account, NI, Tax reference etc.); Health information linked to employment; Criminal convictions/offences linked to employment; IP address linked to employment; Education & training linked to employment; Employment details (CV, references, annual appraisals, employment status, work permit, leave, sickness etc.). MEMBERS (inc former): Personal details linked to role (name, address, email, telephone, date of birth, emergency contact, passport details); Financial details linked to pay (bank account, NI, Tax reference etc.); Health information linked to role; Voice recordings. RECRUITMENT: CV details (tel, address, references, leave, sickness etc.). COMMITTEE/WITNESS: Voice recordings; Evidence (SEPARATE). ALL: CCTV Images / Voice recordings | Individual themselves; Third party individual; Third party corporate; Other sources, for example: Criminal record check, Internet, Social media | Legal obligation (specify); Lawful function of public body (specify); Protection of vital interests of that person; Performance of a contract; Legitimate interests of the data controller (specify); Consent (can you evidence that consent has been given?) |
Full Response Text
GDPR Compliance Self-Assessment Milestone Statements
Source: IOMG Treasury GDPR Compliance Self-Assessment Milestone Statements
Location: http://edrm/sites/Treasury/RA/SIC/GDPR/
Submission Date: 11/01/2019
1. Awareness
Decision makers and key people in the organisation are aware that the law is changing and appreciate the impact that it is likely to have. Areas that may cause compliance issues under GDPR have been identified and logged.
- There is a GDPR project plan in place with allocated responsibilities and milestones set
- The risks that relate to the GDPR legislation have been assessed and documented
- The changes that are required to systems/processes have been identified and documented.
- All key staff were made aware that GDPR became law on 25th May 2018
- Suitable training is in place for the relevant staff where it is required
- Where staff training needs have been identified, this is being rolled out
2. Held Information
The organisation has documented what personal data is held, where it has come from and who it is shared with. The organisation has planned to conduct an information audit across the business to map data flows.
- There is a retention policy in place for documents and records.
- Policies / procedures have been reviewed and updated to reflect the new changes under GDPR.
- Methods of sharing data with 3rd parties have been reviewed in line with GDPR requirements.
- Contracts with data processors have been reviewed and updated where required.
- The reasons for processing and grounds for further processing have been established (Information Governance Register).
3. Data Protection by Design & Data Privacy Impact Assessments (DPIA)
The organisation has documented appropriate technical and organisational measures to show it has considered and integrated data protection into its processing activities.
- Data owners are aware of when a privacy impact assessment is required.
- There is a process in place to determine if a privacy impact assessment is needed (5W’s / screening questionnaires).
- The DPIA framework links to existing risk management and project management processes.
- A Data Privacy Impact Assessment template has been developed for new projects.
- Privacy solutions have been implemented (passwords / site security / encryption).
4. Data Protection Officers (DPOs)
The business has designated responsibility for data protection compliance to a suitable person within the organisation. The organisation supports the data protection lead through provision of appropriate training and reporting mechanisms to senior management.
- A Data Protection Officer has been appointed
- The DPO has direct access to Senior Management
- The DPO is supported in terms of training / resources / management backing
- There is a data protection audit plan in place (data mapping)
- The DPO is free from conflict of interest (is not involved in the decision-making process for the processing of data)
5. Lawful Basis for Data Processing
The organisation has reviewed the various types of processing that are carried out.
- The lawful basis of data processing has been established by the organisation
- Privacy Notices have been updated with the lawful basis requirement of GDPR
- Privacy Notices are in place for all forms of data collection (e.g. CCTV, online & manual forms, emails etc.)
6. Consent
The organisation has reviewed the systems currently used to record consent and implemented appropriate mechanisms in order to ensure an effective audit trail.
- All operations have been identified where consent will be required from the data subject.
- Methods of gaining consent have been reviewed and updated in line with GDPR requirements.
- There is a mechanism in place for identifying the need for additional consent if data needs to be processed further
7. Children
If the organisation offers a service to children, it communicates privacy information in a way that a child will understand. There is an age verification process in place and there are systems in place for when ‘parental’ consent is required.
- There is an age verification process in place which would identify children
- There are mechanisms in place for when ‘parental’ or ‘guardian’ consent is required
- Privacy Notices are written in a way so that a child would understand them
8. Communicating Privacy Information
The organisation has reviewed its Privacy Notices and has made any necessary changes to meet the requirements of GDPR.
- Privacy Notices have been updated to meet the requirements of GDPR
- Privacy Notices are free from excess terminology and legal jargon
- There are appropriate Privacy Notices in place for the different forms of data collection such as CCTV, online forms, manual forms, e-mails etc.
9. Individuals’ Rights
The organisation has checked its procedures to ensure that it can deliver the new rights and changes to existing rights of individuals under GDPR.
- All existing data collection activities which may breach subjects’ rights under GDPR have been identified
- Procedures relating to data subjects’ rights have been updated to reflect the new changes under GDPR (including new timescales)
- Activities which may breach subjects’ rights under GDPR have now ceased, or have changed so that rights are not compromised
10. Subject Access (SARs)
The organisation has reviewed its processes and has a procedure in place to handle requests from individuals to access their data within the new timescales outlined in GDPR.
- There are defined procedures in place for the management and completion of Subject Access requests
- These procedure(s) reflect the new timescales and proposed changes for carrying out these requests
- There is a central register in place for recording all requests that are made, which also includes details of outcomes
11. Data Breaches
The organisation has implemented appropriate procedures to ensure personal data breaches are detected, reported and investigated effectively.
- There are processes / procedures in place to detect, report and investigate data breaches
- Awareness training has been given to staff in relation to data breaches
- Internal security measures have been reviewed in line with the proposed new legislation
- There is a mechanism in place that determines whether a breach needs to be reported to the lead Supervisory Authority
- There is a process in place for notifying individuals in the event of a breach.
12. International Data Transfer
If the business operates in more than one EU member state, it has determined who the business’s lead supervisory authority is and this has been documented.
- The lead Supervisory Authority has been identified (Information Commissioner’s Office (ICO) for IOM).
- There is a process in place that ensures that any transfer of data to a 3rd country only occurs after consultation with the ICO.
- There is a procedure in place that relates to 3rd country or international data transfers.
High Level Information Audit – Processing Personal Data
Location: \COTS7\General Office\Information Service - Live\Plan Projects\GDPR\Information Audit\High Level Information Audit.docx
Version 0.1, 11/11/2019
Related Docs: \COTS7\General Office\Information Service - Live\Plan Projects\GDPR\03012019 REVIEW Where are we at.docx
The following are the defined functions in COT. Personal data may be captured for each function:
- CoT Corporate
- CoT Short Term Value Correspondence
- Building & Asset Management
- Conferences, Events & Visits
- External & Visitor Services
- Finance
- Hansard
- H&S
- HR
- Information Management
- Legislature & Committees
- Member Services & Standards
Retention periods defined for all data types (DRAFT)
Personal data is processed due to the nature of running a parliamentary office:
- Business as usual
- Communications
- Complaints
- Compliance
- Engagement
- Human Resources
- Insurance
- Legal
- Publications
- Website
Information is gathered for other business purposes that may not contain personal data but will be reviewed as part of the wider Information Audit:
- Organisational development
- Planning and strategy
- Policies
- Procedures and guidance notes
- Risk management
- Project work
- Reporting
How do we manage personal data?
The following data groups have been identified for whose data we manage. The location where personal data is processed is standard across all data groups.
Whose personal data is processed?
- Staff: Current; Potential; Former; Relatives of staff – emergency contacts
- Members: Current; Potential; Former
- Committee: Evidence; Witnesse
Where is personal data processed?
- Manual: locked cupboard in 3rd clerks room; Line manager cupboards; Basement; Visitors Book
- Electronic: email; shared network; restricted network drive; e-Learn Vannin
- Third party: Google analytics; IOMG Systems; PIP; Payroll; FOI
[Response truncated — full text is 31,734 characters]