FOI Request - Data Protection Policies

Request 101003615651

I am writing to make a formal request for information under the provisions of the Freedom of Information Act 2002.
1. A copy of all data protection impact assessments held by your organisation as the controller, redacted of any sensitive data.
2. A copy of your organization's subject access request policy, procedures, and processes.
3. A copy of all information and data sharing agreements held by your organization.
4. A copy of your organization's data protection policy.
5. A copy of your organization’s data protection structure.

Response 23-08-2024

1. Data Protection Impact Assessments (DPIAs) are living documents and there needs to be free and frank discussion between the relevant department(s) and the information governance team to discuss any and all risks to the data processed. As such, Section 30 of FOISA: Prejudice to effective conduct of public affairs – free and frank provision of advice, is applicable. The public interest test has been considered, however, the Council believes that protecting the working relationship between departments and the information governance team, as well as any sensitive 3rd party data, means that these living documents should not be released.

2. The Council has a Subject Access Request (SAR) Procedure Guide, which is attached.

3. Data Sharing Agreements contain commercially sensitive information, often covering how information assets will be handled during a contract, as such this information is exempt under Section 33: Commercial interests and the economy.

4. The Council’s Data Protection Policy is attached, please note that it is scheduled to be reviewed and updated this year.

5. The Information Governance Team sit within Governance, Strategy and Performance and comprise:
• Information Governance Manager and Data Protection Officer (for both the Council, and, MIJB)
• Information Governance Officer
• Information Co-ordinator (0.7 FTE)