GDPR Implementation and Preparation

FOI request reference: F0055457
Publication date: January 2019

Request

Please can you disclose information concerning your preparations for, and implementation of, the General Data Protection Regulation (GDPR) and Data Protection 2018?

In particular, I would be grateful if you could focus on the following types of information:
• Reports to the Keeper/directors/senior management on progress and implementation (e.g. updates provided on any implementation project, etc.)
• Advice circulated to National Archives staff
• A copy of your Register of Processing Activities
• Information, including in correspondence, on the designation of your Data Protection Officer
If you require me to refine this request further, please do not hesitate to let me know.

Outcome

Successful

Response

We can confirm that The National Archives (TNA) holds information relevant to your request. We are pleased to be able to provide you with some of the information you have requested in the links below and documents attached to this email.

Some of the information you have requested is exempt under section 40 (2) (Personal Data) of the FOI Act. That means we cannot release those parts and they have been redacted. For further information about why this exemption has been applied, please see the Explanatory Annex at the end of this letter.

To answer your request we have extracted out the relevant information from a number of documents. The documents provided have also been redacted to remove information that is out of scope of your request; this information has not been reviewed or considered for release. The title of the document will indicate whether the redaction is for an exemption (section 40) or to remove out of scope information.

• Reports to the Keeper/directors/senior management on progress and implementation (e.g. updates provided on any implementation project, etc.)

Documents attached

1. Item 6 – Departmental Security Committee (DSC) – DPO’s Report – Feb 2016
https://www.nationalarchives.gov.uk/documents/f0055457-01-item-6-dsc-dpos-report-february-2016-redacted.pdf

2. DSC – DPO’s Report – April 2016
https://www.nationalarchives.gov.uk/documents/f0055457-02-dsc-dpos-report-april-2016-redacted.pdf

3. Board Summary for Executive Team (ET) update – June 2016 (redacted under section 40)
https://www.nationalarchives.gov.uk/documents/f0055457-03-board-summary-for-et-update-june-2016-redacted-s40.pdf

4. GDPR ET briefing – June 2016
https://www.nationalarchives.gov.uk/documents/f0055457-04-gdpr-et-briefing-june-2016.doc

5. Item 6 – DSC 2016/07/19 – DPO’s Report
https://www.nationalarchives.gov.uk/documents/f0055457-05-item-6-dsc20160719-dpos-report-redacted.pdf

6. Item 1 – Minutes – 10 February 2017
https://www.nationalarchives.gov.uk/documents/f0055457-06-item-1-minutes-10th-february-2017-redacted.pdf

7. DSC 2017/08/08 – Item 1 – Minutes – 12 May 2017
https://www.nationalarchives.gov.uk/documents/f0055457-07-dsc20170808-item-1-minutes-12th-may-2017-redacted.pdf

8. DSC 2017/08/08 – Item 9 – DPO GDPR update
https://www.nationalarchives.gov.uk/documents/f0055457-08-dsc20170808-item-9-dpo-gdpr-update.doc

9. Oct. 2017 – Arm’s Length Bodies – Initial GDPR Preparedness Questionnaire
https://www.nationalarchives.gov.uk/documents/f0055457-09-oct-2017-alb-initial-gdpr-preparedness-questionnaire-the-national-archives.doc

10. Preparing for the General Data Protection Regulation (GDPR)
https://www.nationalarchives.gov.uk/documents/f0055457-10-preparing-for-the-general-data-protection-regulation-gdpr.doc

11. DSC 2017/08/08 – Item 1 – Minutes 18 December 2017
https://www.nationalarchives.gov.uk/documents/f0055457-11-dsc20170808-item-1-minutes-18th-december-2017-redacted.pdf

12. Handling of subject access enquiries going forward – Exec Board Paper (redacted under section 40)
https://www.nationalarchives.gov.uk/documents/f0055457-12-handling-of-subject-access-enquiries-supporting-paper-redacted-s40.pdf

13. DPO report – May 2018
https://www.nationalarchives.gov.uk/documents/f0055457-13-dpo-report-may-2018-redacted.pdf

14. Email on Framework contracts (redacted under section 40)
https://www.nationalarchives.gov.uk/documents/f0055457-14-fw-framework-contracts-redacted-s40.pdf

15. GDPR – marketing guidelines final (redacted under section 40) (draft versions also available if required)
https://www.nationalarchives.gov.uk/documents/f0055457-15-gdpr-marketing-guidelines-final-redacted-s40.pdf

16. GDPR guidelines slides (redacted under section 40)
https://www.nationalarchives.gov.uk/documents/f0055457-16-gdpr-guidelines-slides-redacted-s40.pdf

Relevant Links

Executive team minutes 25 April 2018, discussing updated Data Protection Policy, subject access requests for archival material, and TNA’s approach to GDPR implementation, can be found here on our website:

http://www.nationalarchives.gov.uk/documents/executive-team-minutes-2018-04.pdf

On 25 May 2018, TNA published the following on GDPR:

http://www.nationalarchives.gov.uk/about/news/the-national-archives-and-personal-data-under-gdpr/

On 20 August 2018, the final version of the Guide to Archiving Personal Data was published:

http://www.nationalarchives.gov.uk/information-management/legislation/data-protection/

• Advice circulated to National Archives staff

In addition to the above documents and links, which are largely advice to internal stakeholders (and which demonstrate that our approach was very much building on data protection business as usual), the following was circulated to staff via our intranet.

Documents attached

17. CEO Blog to staff – May 2018
https://www.nationalarchives.gov.uk/documents/f0055457-17-ceo-blog-to-staff-may-2018.jpg

18. Data Protection – Intranet Page (redacted under section 40)
https://www.nationalarchives.gov.uk/documents/f0055457-18-data-protection-intranet-page-redacted-s40.pdf

• A copy of your Register of Processing Activities

TNA’s privacy policy was updated in accordance with GDPR, based on our previous Register of Processing Activities. The practice of publishing a Register of Processing Activities on the ICO website was discontinued with the advent of GDPR. Our updated privacy policy can be found here:

http://www.nationalarchives.gov.uk/legal/privacy-policy/

• Information, including in correspondence, on the designation of your Data Protection Officer

TNA already had a DPO in post prior to the introduction of the GDPR. The DPO reports to the Operations Director.

EXPLANATORY ANNEX

Section 40 – Personal Data

Section 40 (2) of the Act exempts personal information about a ‘third party’ (someone other than the requester), if revealing it would breach the terms of Data Protection Legislation.

Data Protection Legislation prevents personal information from release if it would be unfair or at odds with the reason why it was collected, or where the subject had officially served notice that releasing it would cause them damage or distress. Personal information must be processed lawfully, fairly and in a transparent manner as set out by Article 5 of the GDPR.

We are unable to provide you with some of the information you have requested because it would identify junior members of staff. Publishing the names and contact details of junior members of staff is considered an unfair use of personal data. Junior members of staff would have no expectation that information about their positions would be made available in the public domain; to do so would be unfair and contravene the first data protection principle. As such, the names and contact details of junior officials are withheld under section 40 (2) of the FOI Act.

It is standard practice to withhold the names of officials below Senior Civil Service level. However, to aid transparency of how our organisation is structured and run, TNA publishes the names of senior staff members (Heads of Department) on our website. Therefore, we have included the names of all staff whose details are already published, in relation to the role they hold, and all those below senior management have been redacted from the attached documents.

Further guidance on section 40 (2) and guidance on the personal data of public authority employees can be found on the ICO website.

https://ico.org.uk/media/for-organisations/documents/1213/personal-information-section-40-and-regulation-13-foia-and-eir-guidance.pdf

https://ico.org.uk/media/for-organisations/documents/1187/section_40_requests_for_personal_data_about_employees.pdf