Report Summary
Issued 30 June 2023, this FOI response provides Data Protection and GDPR information.
Note: Attachments have not been uploaded with this response due to the number and file size. These can be requested by contacting FOI@spa.police.uk
Response
The Authority has provided information in every category, except for point three regarding ‘Privacy Impact Assessments (PIA)’, and point five regarding ‘International Data Transfer Assessments (IDTA)’. The table below details the information held in relation to each point, or provides a notice of information not held, where applicable.
1. Two Information Asset Registers are provided – see attachments referenced 1.
2. One Legitimate Interests Assessment (LIA) is provided – see attachments referenced 2.
3. The Authority was formed in 2013. There were no Privacy Impact Assessments completed between 2013 and 2018, when these assessments were replaced by Data Protection Impact Assessments. Therefore, this represents a notice in terms of Section 17 of the Freedom of Information (Scotland) Act 2002 - Information not held.
4. Nine Data Protection Impact Assessments are provided – see attachments referenced 4.
5. The vast majority of information processed by the Authority is ‘Law Enforcement Data’ and as such is subject to the controls in Part 3 of the Data Protection Act 2018. As per Section 73 of Part 3, the Authority is not permitted to transfer personal data processed for a Law Enforcement purpose outside the UK, other than to another Law Enforcement body. Thus, we have no International Data Transfer Assessments (IDTA). In respect of processing conducted under UK GDPR, the Authority processes on premise and does not share information outwith the UK. Therefore, this represents a notice in terms of Section 17 of the Freedom of Information (Scotland) Act 2002 - Information not held.
6. Please see the Executive Summary of the Information Commissioner’s last data protection audit of the Authority from 2018/19 - Scottish Police Authority Data protection audit report. The full Data protection audit report is also provided, together with one Accountability framework self-assessment report – see attachments referenced 6.
7. Two Data Protection Policies are provided – see attachments referenced 7.
8. One Data Subject Review Requests Standard Operating Procedure and one Naming Conventions aide memoire are provided – see attachments referenced 8.
9. Seven Privacy Notices are provided – see attachments referenced 9.
10. Three vendor management documents are provided – see attachments referenced 10. To supplement that information, the Authority requires that all contracts involving personal data must be checked by the Information Management Lead, a qualified Data Protection Officer. The contracts specify as a matter of routine that vendors must either hold ISO 27001 or be able to demonstrate proficiency in each of the standard's areas. Vendors are further required to hold Cyber Essentials or Cyber Essentials Plus, or to commit to gaining this award. Where personal data is being processed on the vendor's premises, the contract asserts that processing must remain on premise. Vendors must also either have, or agree to, a Police Assured Secure Facilities (PASF) assessment. Their employees with access to the data must also be vetted.