6.1 Additional Information on evidence item 1.1.2

Further information to support NHS Trusts, CCGs, CSUs, OES Independent Providers, IT Suppliers and DHSC ALBs to complete evidence item 1.1.2

1.1.2 Record of Processing activities and Information Asset registers.

Evidence item: Provide details of the record or register that details each use or sharing of personal information.

In the 2020-21 DSP Toolkit several evidence items have been merged into a single evidence item as there was an overlap between them.

What should be included is taken from the tooltips from 1.4.1, 1.4.3 and 2.1.1 from the 19-20 evidence items and is listed below.

These are the minimum items required to demonstrate that the organisation meets the standard required. Feel free to include additional information to meet your organisation's requirements.

This could be a table with the records in rows and the items below forming the column headings. It could be held in separate documents or a single document. Further details from the ICO are available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/documentation/how-do-we-document-our-processing-activities/

- Purpose of processing

- Legal basis relied on from GDPR Article 6 and Article 9

- Categories of data subject/personal data

- Categories of recipients

- Where it is held and whether information is transferred overseas

- Whether data is retained and disposed of in line with policies, or if not, why not.

- Whether a written data-sharing agreement or contract is in place and when it ends.

- What sensitive information is held or processed and why

- Which systems or services process it

- The impact of its loss, compromise or disclosure.

- Software used to manage the data (if applicable)

- Information asset owner or person with overall responsibility for the data

- Support and maintenance arrangements