Data Protection- ROPA/IAR and DPIA


Join us if you want to learn more about your legal obligations as a care provider under the General Data Protection Regulation (GDPR) and related data protection legislation.

By Sussex Digital In Reach Team

Date and time

Tue, 14 May 2024 02:30 - 03:30 PDT

Location

Online

About this event

  • 1 hour

Join this webinar if you want to learn more about your legal obligations as a care provider under The General Data Protection Regulation (GDPR), particularly how you manage personal and sensitive data.

GDPR came into force on 25 May 2018. Although the UK has since left the EU, the GDPR is retained in domestic law as the UK GDPR, which sits alongside an amended version of the DPA 2018.

It is a requirement of the Data Protection Act (2018) and the General Data Protection Regulation (GDPR) that all personal and sensitive data has a legal basis for being held and being shared.

This means as a care provider, you are legally obliged to keep a record of all the personal data you hold for staff, residents and families/carers, and what data they share with others.

To meet this requirement, it is easiest to have two lists:

· Record of Processing Activities (ROPA) – contains where data is received from, where it is sent to and the legal basis for doing this.

· Information Asset Register (IAR) – contains what type of information is held, where it is stored and how it is protected.

A Record of Processing Activities (ROPA) is a list of confidential data, where it is received from or where it is sent to and the legal basis for doing this. All data in the IAR marked as being received from or shared with external organisations needs to be included in your ROPA.

An Information Asset Register (IAR) is a list of all the places where information is stored, whether the information in that place is special category information, and how that information is kept safe.

What is a DPIA? A DPIA is a process designed to help you systematically analyse, identify, and minimise the data protection risks of a project or plan. It is a key part of your accountability obligations under the UK GDPR, and when done properly helps you assess and demonstrate how you comply with all of your data protection obligations.

Why are DPIAs important? DPIAs are an essential part of your accountability obligations. Conducting a DPIA is a legal requirement for any type of processing, including certain specified types of processing that are likely to result in a high risk to the rights and freedoms of individuals. Under the UK GDPR, failure to carry out a DPIA when required may leave you open to enforcement action, including a fine of up to £8.7 million, or 2% of global annual turnover, whichever is higher.

A DPIA must assess the level of risk, and in particular whether it is ‘high risk’. The UK GDPR is clear that assessing the level of risk involves looking at both the likelihood and the severity of the potential harm.

Rather than spending hours thinking about what you should include, our trainer can guide you through it step by step and answer any specific questions you may have.

This event is part of the Better Security, Better Care programme, funded by NHS Transformation Directorate to support data and cyber security across the adult social care provider sector.

Examples of data threats, breaches and fines:

How safe is your data?

https://www.youtube.com/watch?v=_YRs28yBYuI

HIV Scotland fined £10,000 for email data breach

https://www.bbc.co.uk/news/uk-scotland-59008366

How your personal data is being scraped from social media

https://www.bbc.co.uk/news/business-57841239

Organised by

Sussex Digital In Reach Team provides a free platform on which Care Providers across Sussex can access free advice and support on technology, digitalisation and data protection. We are run by the care providers for the care providers.