General Data Protection Regulation (GDPR)

#ThinkData

Information Asset Audit

An Information Asset is a body of information, defined and managed as a single unit so that it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

Under the new General Data Protection Regulations 2016, Council needs to know when an asset contains personal data, and it must know and record in a register where it holds the data and how it is used. Further, it must know and record the lawful basis for processing the data and tell the data subject. This will include personal information in any assets which include personal data, e.g. project files, CCTV systems, apps, social media accounts and web-based systems. So if you manage a Facebook account, Council holds personal data of those who like / follow the account.

Therefore, in the first instance, Council is mapping personal data information held in databases (both electronic and paper), the basis for processing, and where we share information with other partners or where it is processed by third parties or via software providers. This includes web-based and social media data, CCTV systems, portable devices etc.

For processing to be lawful there must be a legal basis. These bases are often referred to as the "conditions for processing". There are 6 conditions, and GDPR states public authorities cannot use condition 6, although new domestic law may permit this in certain circumstances. These are:

(a) the data subject has given consent

(b) necessary for the performance of a contract to which the data subject is party

(c) necessary for compliance with a legal obligation to which the controller is subject

(d) necessary to protect the vital interests of the data subject or another natural person

(e) necessary for the performance of a public task carried out in the public interest or in the exercise of official authority vested in the controller

(f) necessary for the purposes of the legitimate interests pursued by the controller or a third party …

This will assist Council to understand the data it holds and to manage the associated risks. There is an obligation to have a privacy notice in all documentation at the point of collection. Where Council uses a data processor to process information on our behalf, relevant clauses will need to be inserted into the associated contracts. Likewise, where data is shared with third parties, there will need to be a data sharing agreement / service level agreement / memorandum of understanding which has clauses which are fit for purpose.

Attached is:

  • a spreadsheet to capture information assets containing personal data, for completion by each business unit. Guidance notes are on a separate worksheet with the spreadsheet.
  • guidance on “lawfulness of processing” which will assist with completing column K.

In completing the spreadsheet:

  • give consideration to info held in Tascomi, Total, HealthSafety or other similar software packages, or processed by data processors, e.g. while names may not be in a list or typical database, all food businesses are registered, staff undertake display screen training, etc.
  • consider where you manage a social media account or website and indirectly hold the names and / or IP addresses.

If you have any questions, speak with Linda McKee, IGO, ext 3170.

Returns should be completed by 22 December 2017.

GDPR legislation

National Archives - What is an Information Asset Register

Further reading

A series of Council guidance notes is available on the staff portal

ICO’s Overview of the General Data Protection Regulation (GDPR)

Privacy notices, transparency and control

GDPR consent guidance

Causeway Coast and Glens Borough Council