The Information Commissioner's advice is that the following information is required to be included:
- your organisation's name and contact details
- if applicable, the name and contact details of your data protection officer – a person designated to assist with GDPR compliance under Article 37
- if applicable, the name and contact details of any joint controllers – any other organisations that decide jointly with you why and how personal data is processed
- if applicable, the name and contact details of your representative – another organisation that represents you if you are based outside the European Union (EU), but you monitor or offer services to people in the EU
- the purposes of the processing – why you use personal data, for example, customer management, marketing, recruitment
- the categories of individuals – the different types of people whose personal data is processed, for example, employees, customers, members
- the categories of personal data you process – the different types of information you process about people, for example, contact details, financial information, health data
- the categories of recipients of personal data – anyone you share personal data with, for example, suppliers, credit reference agencies, government departments
- if applicable, the name of any third countries or international organisations that you transfer personal data to – any country or organisation outside the EU
- if applicable, the safeguards in place for exceptional transfers of personal data to third countries or international organisations – an exceptional transfer is a non-repetitive transfer of a small number of people's personal data, which is based on a compelling business need, as referred to in the second paragraph of Article 49(1) of the GDPR
- if possible, the retention schedules for the different categories of personal data – how long you will keep the data for. This may be set by internal policies or based on industry guidelines, for instance
- if possible, a general description of your technical and organisational security measures – your safeguards for protecting personal data, for example, encryption, access controls, training
We have five registers in place as a consequence of our GDPR preparation activities. These are as follows:
- information audit register
- contracts (personal data) register
- data sharing agreements register
- privacy impact assessments register
- corporate and departmental risk registers
Each of our departments has also adopted a series of retention schedules.
We consider that, taken collectively, these registers and schedules provide the information that is required to be documented under Article 30. For the avoidance of any doubt, however, we wish to respond to the bulleted paragraphs as follows:
- the data controller is Derbyshire County Council, County Hall, Matlock, Derbyshire
- our Data Protection Officer is Jane Lakin, Assistant Director of Legal
- any joint control of data is shown in the register of data sharing agreements
- the categories of personal data and individuals are contained within the registers
- we do not presently operate outside of the EU
- the purposes of processing are contained within the information risk register; we carry out only very limited marketing activity
- the categories of recipients of personal data are indicated within the information risk register, the data sharing agreements register and the contracts register
- we do not transfer data to outside of the EU
- were we to do so, we would follow the safeguards set out by the Information Commissioner's Office (ICO)
- we have retention schedules in place
- we have extensive provisions in place for data security, and for compulsory training of all staff – the arrangements for this are overseen by our information governance group, chaired by the senior information risk owner (SIRO), Peter Handford