Good practice for ROPAs
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Good practice for ROPAs
Your organisation’s ROPA includes links to other relevant documentation, such as contracts or records as a matter of good practice.
Ways to meet our expectations:
- The ROPA also includes, or links to, documentation covering:
- information required for privacy notices, such as the lawful basis for the processing and the source of the personal data;
- records of consent;
- controller-processor contracts;
- the location of personal data;
- DPIA reports;
- records of personal data breaches;
- information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018 (DPA 2018); and
- retention and erasure policy documents.
Can you answer yes to the following questions?
- Are staff aware of the need to identify a lawful basis for processing personal data?
- Can they identify an appropriate lawful basis?
- Are they aware of the additional requirements to protect special category and criminal offence data?