Record of processing activities (ROPA)

The HSE is legally required under Article 30 GDPR to retain a record of processing activities (ROPA) under its responsibility.

To comply with this regulation, we must be able to:

  • demonstrate how we comply with data protection regulations
  • amend incorrect data or track all third party disclosures

HSE staff responsible for data collection and processing personal data for a particular service must complete the ROPA. Use the ROPA template to assist with collecting data. You can get support from data protection staff.

Tips for completing your local ROPA

Complete a data-mapping exercise to create an inventory of the personal data your department holds, and where it is held. Staff across your department (including senior management) must be engaged so nothing is missed when mapping the data you process.

Devise a questionnaire and distribute it to the areas of your department that process personal data. Use simple questions that will prompt answers to the areas requiring documentation, for example:

  • who do you hold personal data about?
  • what data do you hold about them?
  • why was the data collected and how is it used?
  • who do you share the data with?
  • how long do you retain the data for?
  • how secure is the data, in terms of encryption and accessibility?
  • is the data shared with third parties, and why?

Review your local and HSE policies, procedures, contracts and agreements to compare data processing activities, for example

  • HSE data retention policies
  • HSE IT security policies
  • Relevant contracts/data sharing agreements.

Fill in the ROPA template on behalf of your department, using the ‘guidance’ tab for clarification on terms. Update your ROPA annually, or when there are significant processing changes.

Contact

Data protection staff