FOI Request
- A copy of your organisation’s Records of Processing Activity (ROPA) as defined in Article 30 of the UK General Data Protection Regulation (UK GDPR).
- A copy of all data protection impact assessments conducted by your organisation which relate to the police complaint handling & review process and any data controller / data processor involved in that process.
- A copy of your organisation’s data protection compliance assessment using the Information Commissioner’s Office (ICO)’s accountability framework template. If you are using your own standards to monitor compliance with the data protection legislation & regulations, please provide me with a copy of it.
- A copy of your organisation’s data protection policy.
- A copy of your organisation’s subject access request and data protection complaint policy, procedures, and processes, including any guidance material.
- A copy of your organisation’s due diligence questions (and answers) for vendor management such as independent data controllers or processors (e.g. Sancus).
- A copy of any and all documents which document the formal working relationship between your office and any other organisation involved in the processing and sharing of data & information during the police complaint handling & review process, as required by Article 28 of the GDPR. Please note that your office has already confessed that there is no ‘contract’ or ‘data sharing agreements’ that would normally be expected to be in place.
- A copy of your office’s staff Code of Conduct.
- This request was handled outside of the FOI process
- A copy of the Standard Operating Procedure (SOP) or Policy that illustrates the full process of, and dictates the criteria for when, a complaint file is transferred to Sancus, including the requirement for a valid application under Regulation 29 of the Police (Complaints and Misconduct) Regulations 2020.
- A copy of any internal or external data protection audits, compliance checks, or ‘spot check’ reports etc conducted by (or on behalf of) the OPCC within the last 24 months, relating specifically to any audits of third-party controllers / processors (such as Sancus) to ensure their adherence to the data security requirements of the Data Protection Act, and relating to the police complaint handling & review process.
FOI Response
As per Section 1(1) of the Freedom of Information Act, the Office of the Police and Crime Commissioner can confirm it does hold some of the information requested.
Each point has been responded to separately as below:
- Please see attached ‘Item 1 – Records of Processing Activity (ROPA)’.
- Please see attached ‘Item 2 Data Protection Impact Assessment relating to the introduction of complaints model 3’ and ‘Item 2a Complaints Model 3 – Process Flow’.
- No information held.
- See attached ‘Item 4 – Data Protection Policy’.
- Within data protection policy – attached as above.
- No information held.
- Please see attached ‘Item 7a – Data Processing Contract between OPCC and Cleveland Police’ and ‘Item 7b – Information Sharing Agreement between OPCC and Cleveland Police’.
- Please see attached ‘Item 8 – Police Staff Code of Conduct’.
- This has been handled outside of the FOI process.
- No data held.
- No data held.