Alert close - icon Fill 1 Copy 10 Untitled-1 tt copy 3 Untitled-1 Untitled-1 tt copy 3 Fill 1 Copy 10 menu Group 3 Group 3 Copy 3 Group 3 Copy Page 1 Group 2 Group 2
Search toggle
Menu
     
close menu
Home Your council UK General Data Protection Regulation (GDPR) Record of data processing activities

Record of data processing activities

Article 30 of the General Data Protection Regulation (GDPR) requires us to have a record of data processing in place.

The Information Commissioner's advice is that the following information is required to be included:

  • your organisation’s name and contact details, whether it is a controller or a processor (and where applicable, the joint controller, their representative and the Data Protection Officer)
  • the purposes of the processing
  • a description of the categories of individuals and of personal data
  • the categories of recipients of personal data
  • details of transfers to third countries, including a record of the transfer mechanism safeguards in place
  • retention schedules
  • a description of the technical and organisational security measures in place

We have 5 registers in place as a consequence of our GDPR preparation activities. These are as follows;

  1. information audit register
  2. contracts (personal data) register
  3. data sharing agreements register
  4. data protection impact assessments
  5. corporate and departmental risk registers

Each of our departments has also adopted a series of retention schedules.

We consider that taken collectively these registers and schedules provide the information that is required to be documented under Article 30. For the avoidance of any doubt however, we wish to respond to the bulleted paragraphs as follows:

  • the data controller is Derbyshire County Council, County Hall, Matlock, Derbyshire
  • our Data Protection Officer is Jane Lakin, Assistant Director of Legal 
  • any joint control of data is shown in the register of data sharing agreements
  • the categories of personal data and individuals are contained within the registers
  • the categories of recipients of personal data are indicated with in the information risk register, the data sharing agreement register and the contracts register
  • personal data is sometimes transferred to third countries. Where this happens, we follow the safeguards set out by the Information Commissioner's Office (ICO)
  • we have retention schedules in place
  • we have extensive provisions in place for data security, and for compulsory training of all staff - the arrangements for this are overseen by our information governance group chaired by the senior information risk owner (SIRO)

Related documents