It is a requirement of the Data Protection Act (2018) and the General Data Protection Regulation (GDPR) that all personal and sensitive data has a legal basis for being held and being shared.This means as a care provider, you are legally obliged to keep a record of all the personal data you hold for staff, residents and families/carers, and what data they share with others.To meet this requirement, it is easiest to have two lists:· Record of Processing Activities (ROPA) – contains where data is received from, where it is sent to and the legal basis for doing this.· Information Asset Register (IAR) – contains what type of information is held, where it is stored and how it is protected.A Record of Processing Activities (ROPA) is a list of confidential data, where it is received from or where it is sent to and the legal basis for doing this. All data in the IAR marked as being received from or shared with external organisations needs to be included in your ROPA.An Information Asset Register (IAR) is a list of all the places where information is stored, whether the information in that place is special category information, and how that information is kept safe.
This event is part of the Better Security, Better Care programme, funded by NHS Transformation Directorate to support data and cyber security across the adult social care provider sector.
