A guide to RoPA
At 8fold, we’re passionate about good governance. We believe it’s the bedrock of any successful healthcare innovation. That’s why we want to guide you through creating and maintaining a crucial document: your Record of Processing Activities (RoPA). Think of it as your organisation’s data processing roadmap. It might seem daunting, but don’t worry, we’re here to help you navigate the process.
Key Definitions
- Personal Data: Personal data is any information that can be used to identify an individual (also known as a ‘data subject’). This includes things like your first name, last name, and contact details.
- Data Controller: This is the individual, organisation, or body that decides why and how the personal data is going to be processed.
- Special Category Data: Special category data is sensitive information that needs extra protection. This type of data can reveal things like your health information, religious or philosophical beliefs, trade union membership, or your racial or ethnic origin.
- Information Asset: An information asset is any collection of information that’s managed as a single unit. This could be anything from a customer database to a set of research documents, so it can be easily understood, shared, protected and used effectively
A Record of Processing Activities (RoPA) is an organisational record of all its data processing activities. Article 30 of the UK/EU General Data Protection Regulation (GDPR) mandates that organisations maintain a RoPA if their processing of personal data is likely to result in a risk to the rights and freedoms of data subjects. Organisations must also make the RoPA available to the relevant supervisory authority, such as the Information Commissioner’s Office (ICO) in the UK, upon request.
Organisations operating in health and social care frequently process data that is likely to result in a risk to the rights and freedoms of data subjects, including special category data like health data. Consequently, these organisations are legally required to maintain an up-to-date RoPA.
A RoPA enables organisations to effectively understand their data flows, identify the applicable lawful basis, implement appropriate security measures, and support overall compliance with the GDPR.
This record should include the following information, where relevant, as outlined in Article 30 of the GDPR:
- Contact Details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer (DPO)
- The purpose of the processing
- Description of the categories of data subjects and the categories of personal data
- The categories of the recipients of the personal data, including those in third countries or international organisations
- Document suitable safeguards to support compliant transfers of personal data to a third country or an international organisation
- Retention Periods – the expected time limits for the erasure of the different categories of data.
- Security Measures- general description of the technical and organisational security measures in place as referred to in UK GDPR.
The process of creating and maintaining a RoPA involves several key steps:
1. Auditing Processing Activities
The first step is to conduct a thorough audit of all data processing activities within the organisation, including looking at what type of personal data is being processed. An audit should capture how all personal data is collected, used, stored, and shared by your organisation.
2. Documenting Purpose and Lawfulness
For each processing activity, the organisation must document the specific purpose for which the data is being processed and the legal basis for that processing. The purpose, lawful basis and condition for processing personal data and special category data must be identified to ensure the data processing activities are legally compliant.
3. Developing Data Flow Maps
An important part of a RoPA is the data flows. Understanding how data flows in your organisation allows you to understand the risks associated with each processing activity. Completing a data flow mapping exercise enables you to detail what data is being collected, where it originates, how it’s being used and where it is stored. The data flows also need to include details about who will access the data and who the data is being shared.
4. Considering Storage and Security Measures
The organisation must also document where and how personal data is stored, as well as the security measures implemented to protect it from unauthorised access, loss, or damage. This will help your organisation understand how long data can be kept and what to do when data reaches its defined retention period.
5. Ensuring Regular Updates
The RoPA should be regularly reviewed and updated to reflect any changes in data processing activities or legal requirements. Whenever a change occurs in your organisation, the introduction of a new information asset, or changes in data collection or processing methods, the RoPA must be promptly updated.
Why do you need a RoPA?
- A clear and accurate RoPA supports transparency and builds trust with individuals whose data is being processed.
- By mapping data flows and identifying risks, an organisation can implement safeguards to reduce risks related to data breaches and the processing of personal and special categories of data.
- The development of a RoPA supports the effectiveness of data subject rights request management. In particular, with data subject access, rectification and deletion requests.
- A RoPA can reveal inefficiencies and lead to cost savings through better management of data processing activities, as well as identifying any information assets the organisation no longer needs. This supports the effectiveness of an organisation’s supply chain management.
The DSPT’s first section requires organisations to create a framework for the lawful, fair, and transparent handling of personal confidential data. Organisations can comply with the DSPT requirement to keep an up-to-date list of how they hold and share personal and sensitive information by completing RoPA.
Organisations are required to have an Information Asset Register (IAR), detailing the secure storage of information and a RoPA specifying the types of personal data shared with others, such as needs assessments, payslips, and care plans. The IAR and RoPA may be maintained as a single document or as separate documents, provided they provide the requisite information on how the organisation securely stores, shares, and receives data. Furthermore, to comply with DSPT, the management team must review and approve the IAR and RoPA at a minimum of annually.
We’re the experts that have your back.
Creating and maintaining a RoPA is a critical undertaking for any organisation’s data protection framework. While it presents its challenges, the benefits in terms of transparency, risk management, and regulatory compliance are undeniable.