The College must keep records of its personal data processing activities, including:

  • the contact details of the controller/representative/DPO in each case (in most cases, the controller will be the College but there may be cases where the College is a processor or where there are other controllers too);
  • the purposes of the processing;
  • the categories of data subjects and personal data processed;
  • the categories of recipients with whom the data may be shared;
  • information regarding cross-border data transfers;
  • the applicable data retention periods; and
  • a description of the security measures implemented in respect of the processed data.

Upon request, these records must be disclosed to the Information Commissioner’s Office.

To help comply with these record-keeping requirements, the College is rolling out a central online register called the Information Asset Register (IAR). Information assets (including those that contain personal data) will have to be registered there by their designated Information Asset Owner, i.e. a member of staff who will take responsibility for the management of the information asset, including ensuring that it is kept securely and is deleted or archived when appropriate. The College’s ICT team will be organising training sessions on the IAR in due course.

Staff should also retain any records that evidence their consideration of data protection aspects, e.g. risk assessments, consideration of security measures and considerations about the legal basis for processing any personal data. Upon request, these records must also be disclosed to the Information Commissioner’s Office; the College may also wish to volunteer their disclosure, if appropriate, in order to demonstrate compliance with the GDPR.

Find information on training for Information Asset Owners.