MOPAC Data Protection policy and compliance

Request

1. A copy of your organisation's Records of Processing Activity (ROPA) as defined in Article 30 of the UK General Data Protection Regulation (UK GDPR).

2. A copy of all legitimate interest assessments conducted by your organisation where you rely on Article 6(1)(f) legitimate interests as your lawful basis for processing.

3. A copy of all privacy impact assessments conducted by your organisation.

4. A copy of all data protection impact assessments conducted by your organisation.

5. A copy of all international transfer risk assessments conducted by your organisation.

6. A recent copy of your organisation's data protection compliance assessment using the Information Commissioner's Office (ICO)'s accountability framework template. If you are using your own standards to monitor compliance with the Data Protection 2018, please provide me with copy  of it.

7. A copy of your organization's data protection policy.

8. A copy of your organization's subject access request policy, procedures, and processes, including any guidance material such as folder structure, naming conventions, and redaction guides.

9. A copy of your organisation's privacy notices, including but not limited to employees, customers, ministers, special advisors (SPADs), complaints, NEDS, visitors, and CCTV.

10. A copy of your organisation's due diligence questions for vendor management such as independent data controllers or processors.

Response

After careful consideration of your request, we are unable to provide this information under Section 14(1) of the Freedom of Information Act 2000 (Vexatious by virtue of burdensome). The application of this exemption requires detailed explanation and consideration of public interest for which I outline below.

Unfortunately, it is judged that the work required to assess the volume of information covered by the search criteria of your 10 requests would impose a significant burden on the organisation.

As your request covers a considerable amount of information across all of the criteria requested, each of these documents would need to be independently reviewed for release and we would be unable to advise on how long this process would take. Due to the volume of information requested across multiple areas, we would also not be confident that all information could be found within the 18hr limit.

Additionally, some of the information requested is of a sensitive nature, and assessment of its suitability for release would take a significant amount of work and time which would be of great burden to the organisation.  This sensitive information is likely to be included across several of the criteria requested. This makes it more difficult to isolate as the information will be difficult to identify. The complexities that arise from identifying this information mean that MOPAC can have little confidence in whether all covert and sensitive information relating to data protection has been adequately assessed for release. To achieve this confidence would take a significant amount of time and work for which would put an unreasonable burden on the organisation.

A significant proportion of this information would also require extensive stakeholder engagement. The assessment on whether this consultation is needed would need to be assessed on a document by document basis, with the results of this engagement also needing appropriate consideration. Due to the amount of information we would need to follow this process for, it is likely to cause further burden to the organisation and take a disproportionate amount of time in comparison to public interest.

MOPAC has considered the public interest in transparency and openness in relation to data processes. The public are entitled to know that there data is managed in a safe and secure way and some assurance of this can be found amongst the information requested. However, upon consideration of this against the factors outlines, we believe that the significant burden the fulfilment of this request would place on MOPAC outweighs this public interest and as such have applied this Section 14(1) exemption.

Please note that some information relating to your request is already published on our website . A copy of our organisations data protection policy can be found here https://www.london.gov.uk/who-we-are/governance-and-spending/privacy-po….