Awdurdod annibynnol y Deyrnas Unedig a sefydlwyd i gynnal hawliau gwybodaeth er budd y cyhoedd, annog cyrff cyhoeddus i fod yn agored a hybu preifatrwydd data i unigolion.

Good practice for ROPAs

Your organisation’s ROPA includes links to other relevant documentation, such as contracts or records as a matter of good practice.

Ways to meet our expectations:

  • The ROPA also includes, or links to, documentation covering:
    • information required for privacy notices, such as the lawful basis for the processing and the source of the personal data;
    • records of consent;
    • controller-processor contracts;
    • the location of personal data;
    • DPIA reports;
    • records of personal data breaches;
    • information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018 (DPA 2018); and
    • retention and erasure policy documents.

Can you answer yes to the following questions?

  • Are staff aware of the need to identify a lawful basis for processing personal data?
  • Can they identify an appropriate lawful basis?
  • Are they aware of the additional requirements to protect special category and criminal offence data?