Data protection and re-use regulations

Guidance on general principles of the data protection act can be found on the Information Commissioner’s Office website.

Transfer of functions may require revision of either organisation’s notification of personal data to the Information Commissioners Office (ICO) so current notifications should be checked with this in mind. When a function has been transferred but the records have not, the transferring organisation becomes the data processor and the receiving organisation becomes the data controller.

Data processor duties and obligations should be specified in an agreement on storage and should cover secure storage under Principle 7. Protocols should cover action required of the data processor in response to subject access requests. Any records that are being transferred to The National Archives should undergo a sensitivity review for personal data, to determine if an application for closure under s 40 of the FOI Act should be made.