Ian Fisher

University Secretary and Legal Officer

University of Central Lancashire



Telephone: 01772 894003


By email only:

10th July 2017

Ref: FOI 1366

Dear Ms Smythe,

I am writing in response to your request for information regarding our GDPR Compliance Plan (Ref FOI 1366).

In your request, you asked for the following information:

1. Data Mapping

a. Copies of the tools used to capture data for the personal data mapping exercise (e.g. questionnaires/spreadsheets etc.).

b. The records of processing activities and data flow maps/diagrams and any other products/outputs of the data mapping exercise.

2. Gap Analysis

a. Copies of any tools used to assess any shortfall or gaps in processing vis a vis GDPR.

b. The gap analysis report and any other products/outputs of the gap analysis exercise.

3. Project Plan

a. A copy of your GDPR project Plan and Gantt chart or equivalent.

b. Any formal reports (be that to management, your IG steering group and senior GDPR oversight group or equivalent and Committee/Executive) on GDPR.

4. Outsourcing

a. Copies of updated standard GDPR compliant contracts and written instructions for processing.

5. Solutions

a. Details of other potential processing solutions devised or identified either by Essex or in collaboration with other partners.

In answer to all parts of questions 1, 2, 4 and 5, we do not yet have these processes and supporting documents defined and as such are unable to provide you with this information.

In answer to question 3 (a) please find attached our GDPR Action Log. Please note that the names of some individuals have been removed. It will be clear where this has occurred. These details have been removed as they relate to individuals at the University and are exempt under section 40(2) of the Freedom of Information Act 2000 (FOIA). The names of senior members of University employees have not been removed.

Section 40(2) FOIA states that information which constitutes personal data as defined by the Data Protection Act 1998 is exempt from disclosure if its release would contravene one or more of the data protection principles. The information you requested is personal data because it relates to and identifies a living individual. Disclosure of this personal data would be unfair, as the data subjects would not expect their details to be released into the public domain and have not given consent; therefore it would contravene the first data protection principle which requires the University to process personal data fairly. This means that the information is exempt and will not be provided.

In answer to question 3 (b), please find attached a copy of the presentation provided to our Senior Executive Team: “GDPR Presentation to SET.ppt”. No other formal reports have been produced as yet and so no further information has been provided.

If you are unhappy with the way we have handled your request for information, you are entitled to ask for an internal review; however you must do so within 40 working days of the date of this response. Any internal review will be carried out by a senior member of staff who was not involved with your original request. To ask for an internal review, contact in the first instance.

If you are unhappy with the outcome of any internal review, you are entitled to complain to the Information Commissioner. To do so, contact:

Information Commissioner’s Office

Wycliffe House

Water Lane




01625 545 745

Yours sincerely,

Kimberly Ralph

Corporate Records Manager

University of Central Lancashire
