Freedom of Information Act / Environmental Information Regulations Request

Reference: ECC2503911 05 17
Response: 08 June 2017

Question 1 -

1. DATA MAPPING

A. COPIES OF THE TOOLS USED TO CAPTURE DATA FOR THE PERSONAL DATA MAPPING EXERCISE (E.G. QUESTIONNAIRES/SPREADSHEETS ETC.).

B. THE RECORDS OF PROCESSING ACTIVITIES AND DATA FLOW MAPS/DIAGRAMS AND ANY OTHER PRODUCTS/OUTPUTS OF THE DATA MAPPING EXERCISE.

I can confirm that Essex County Council does hold this information.

A.  COPIES OF THE TOOLS USED TO CAPTURE DATA FOR THE PERSONAL DATA MAPPING EXERCISE (E.G. QUESTIONNAIRES/SPREADSHEETS ETC.).

Essex County Council has developed its own internal system and templates for Data Lifecycle Mapping, including turning these into a Register of Processing Activities (ROPA) database for GDPR compliance purposes. The IG Service is currently using these templates and designs as part of its traded activity and is therefore copyrighted information.

I can confirm that Essex County Council do hold this information, however the information is exempt from disclosure to you under Section 43 of the Freedom of Information Act 2000 (Commercial Interests). Release of these templates would otherwise prejudice or be likely to prejudice the commercial interests of the IG Service within ECC (S.43(2)).

This exemption carries a public interest test, and I have set out below the factors I have considered when applying the exemption:

Factors in favour of disclosure = The efficiency and effectiveness of the Authority in implementing GDPR

In favour of non-disclosure = There is a public interest in ensuring that any trading activities undertaken by ECC are able to compete fairly, in an open market along with being able to trade competitively.

ECC cannot technically provide the templates used in a ‘restricted format’ therefore the templates would be open to re-use and access without charge. Having considered the above factors I believe the public interest is in favour of upholding this exemption. This is our refusal notice in respect of this aspect of your request.

B.  THE RECORDS OF PROCESSING ACTIVITIES AND DATA FLOW MAPS/DIAGRAMS AND ANY OTHER PRODUCTS/OUTPUTS OF THE DATA MAPPING EXERCISE.

Our DLM is merged into the ROPA database. No maps or diagrams have been created from this information therefore the information requested is not held by the Council.

Attached is an extract of the information contained within the ROPA/DLM database.

Question 2 –

2. GAP ANALYSIS

A. COPIES OF ANY TOOLS USED TO ASSESS ANY SHORTFALL OR GAPS IN PROCESSING VIS A VIS GDPR.

B. THE GAP ANALYSIS REPORT AND ANY OTHER PRODUCTS/OUTPUTS OF THE GAP ANALYSIS EXERCISE.

I can confirm that Essex County Council does not hold this information.

A.  COPIES OF ANY TOOLS USED TO ASSESS ANY SHORTFALL OR GAPS IN PROCESSING VIS A VIS GDPR.

No tools have been used to determine any shortfall or gaps in processing personal data under the GDPR, therefore this information is not held.

B.  THE GAP ANALYSIS REPORT AND ANY OTHER PRODUCTS/ OUTPUTS OF THE GAP ANALYSIS EXERCISE.

The information requested is not held by the authority.

Due to the timeframes and the nature of the GDPR (for example, the need for further supporting UK legislation) the GDPR project will be analysing gaps as the project progresses under each workstream. This also means that as the project progresses and new supporting legislation is announced we can amend what we have implemented to accommodate these changes rather than wait for the full set of requirements.

Question 3 –

3. PROJECT PLAN

A. A COPY OF YOUR GDPR PROJECT PLAN AND GANTT CHART OR EQUIVALENT.

B. ANY FORMAL REPORTS (BE THAT TO MANAGEMENT, YOUR IG STEERING GROUP AND SENIOR GDPR OVERSIGHT GROUP OR EQUIVALENT AND COMMITTEE/EXECUTIVE) ON GDPR.

I can confirm that Essex County Council does hold this information.

A.  A COPY OF YOUR GDPR PROJECT PLAN AND GANTT CHART OR EQUIVALENT.

The GDPR project plan can be found in the Project Initiation document, a copy of which is attached accordingly.

B.  ANY FORMAL REPORTS (BE THAT TO MANAGEMENT, YOUR IG STEERING GROUP AND SENIOR GDPR OVERSIGHT GROUP OR EQUIVALENT AND COMMITTEE/EXECUTIVE) ON GDPR.

There have been 2 meetings of the Project Board to date for which we hold records. I therefore enclose copies of the highlight reports provided to both as well as the minutes. I also include a copy of the training presentation given to senior managers in July 2016.

Question 4 –

4. OUTSOURCING

A. COPIES OF UPDATED STANDARD GDPR COMPLIANT CONTRACTS AND WRITTEN INSTRUCTIONS FOR PROCESSING.

We do not hold this information therefore cannot provide it to you under the provisions of GDPR. As you will see from the project plan, work is underway to review ECC contracts but currently no contracts have been refreshed and signed to be fully GDPR compliant.

Question 5 -

5. SOLUTIONS

A. DETAILS OF OTHER POTENTIAL PROCESSING SOLUTIONS DEVISED OR IDENTIFIED EITHER BY ESSEX OR IN COLLABORATION WITH OTHER PARTNERS.

No information is held with regards to this requirement.

Your Right to Know

Information Services

Essex County Council

Telephone: 033301 38989

Email: | www.essex.gov.uk