14 July 2023 - Data protection


09 August 2023

Your request:

You asked for answers to the following questions in relation to the Scottish Housing Regulator (SHR).

  1. A copy of your organisation's Records of Processing Activity (ROPA) as defined in Article 30 of the UK General Data Protection Regulation (UK GDPR).
  2. A copy of all legitimate interest assessments conducted by your organisation where you rely on Article 6(1)(f) legitimate interests as your lawful basis for processing.
  3. A copy of all privacy impact assessments conducted by your organisation. 
  4. A copy of all data protection impact assessments conducted by your organisation.
  5. A copy of all international transfer risk assessments conducted by your organisation.
  6. A recent copy of your organisation's data protection compliance assessment using the Information Commissioner's Office (ICO)'s accountability framework template. If you are using your own standards to monitor compliance with the Data Protection 2018, please provide me with a copy of it.
  7. A copy of your organization's data protection policy.
  8. A copy of your organization's subject access request policy, procedures, and processes, including any guidance material such as folder structure, naming conventions, and redaction guides.
  9. A copy of your organisation's privacy notices, including but not limited to employees, customers, ministers, special advisors (SPADs), complaints, NEDS, visitors, and CCTV.
  10. A copy of your organisation's due diligence questions for vendor management such as independent data controllers or processors.

Response to your request:

The answers to your questions are detailed below.

  1. A copy of SHR’s current record of processing activity can be found here.
  2. SHR does not rely on legitimate interests as a lawful basis for processing and can therefore confirm under Section 17 of FOISA that it does not hold any information within scope of this part of your request.
  3. and 4. We have combined the response to these two questions as SHR uses the same process and template for conducting privacy/data protection impact assessments. The records of impact assessments carried out by SHR can be found here.
  5. SHR has not conducted any international transfer assessments and can therefore confirm under Section 17 of FOISA that it does not hold any information within scope of this part of your request.
  6. A copy of SHR’s latest data protection compliance report can be found here.
  7. You can find a copy of SHR’s Data Protection Policy on our website at: Scottish Housing Regulator Data Protection Policy 2023-25 | Scottish Housing Regulator
  8. A copy of SHR’s subject access request policy and guidance can be found here.
  9. SHR’s main privacy policy can be found on our website at: Privacy Policy | Scottish Housing Regulator
    SHR also has a specific privacy notice for members of the National Panel of Tenants and Service Users which can be found here.
  10. SHR does not have a standard list of data protection related questions for vendor management; however, the procurement policy advises “Where the successful contractor’s role will involve processing personal data staff must consult our Information Asset Owners (IAOs) for advice on how to proceed.” All contracts with third parties that involve the processing of personal data must include the mandatory Data Protection clauses as set out in the ICO guidance.