SPPA records of processing activity: FOI release

Information requested

A copy of SPPA’s Records of Processing Activity (ROPA) as defined in Article 30 of the UK General Data Protection Regulation (UK GDPR).

A copy of all legitimate interest assessments conducted by SPPA where you rely on Article 6(1)(f) legitimate interests as your lawful basis for processing.

A copy of all privacy impact assessments conducted by SPPA.

A copy of all data protection impact assessments conducted by SPPA

A copy of all international transfer risk assessments conducted by SPPA

A recent copy of SPPA’s data protection compliance assessment using the Information Commissioner's Office (ICO)'s accountability framework template. If you are using your own standards to monitor compliance with the Data Protection 2018, please provide me with copy of it.

A copy of SPPA’s data protection policy.

A copy of SPPA’s subject access request policy, procedures, and processes, including any guidance material such as folder structure, naming conventions, and redaction guides.

A copy of SPPA’s privacy notices, including but not limited to employees, customers, ministers, special advisors (SPADs), complaints, NEDS, visitors, and CCTV.

A copy of SPPA’s due diligence questions for vendor management such as independent data controllers or processors.

Response

I enclose a copy of some of the information you requested. Please refer to the document list attached which outlines which documents are relevant to each question.

While our aim is to provide information whenever possible, in this instance we are unable to provide some of the information you have requested because the following exemptions under FOISA apply:

17 - Information not held 25(1) - Otherwise accessible 30(c) - Substantial prejudice to effective conduct of public affairs 38(1)(b) - Third party personal data

SPPA do not hold some of the information requested as some assessments have not been required. Links have been provided in the document list to information that is otherwise accessible. Certain impact assessments have not been disclosed as doing so would compromise the security of the SPPA, substantially prejudicing the effective conduct of public affairs. Colleagues' names below executive team level have been redacted from documents to keep their data private.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.

Detected exemption language

While our aim is to provide information whenever possible, in this instance we are unable to provide some of the information you have requested because the following exemptions under FOISA apply: 17 - Information not held 25(1) - Otherwise accessible 30(c) - Substantial prejudice to effective conduct of public affairs 38(1)(b) - Third party personal data SPPA do not hold some of the information requested as some assessments have not been required.

Attachments

• 202300362264_1 92 page PDF 1.4 MB
• 202300362264_2 92 page PDF 1.4 MB
• 202300362264_3 92 page PDF 1.4 MB

Similar releases

• Correspondence discussing the response to FOI request 202600503390: FOI release 2026-05-15 · partially withheld · 2 files
• Perth and Kinross broadband queries: FOI release 2026-05-14 · not held · 0 files
• Crown Office and Procurator Fiscal Service funding query: FOI release 2026-05-14 · unclear · 0 files
• Scottish Government documentation regarding the procurement of Oracle: FOI release 2026-05-14 · not held · 0 files
• Brand Scotland marketing spend information: FOI release 2026-05-13 · unclear · 0 files
• Number of Freedom of Information requests which have proceeded to a review: FOI release 2026-05-13 · unclear · 0 files
• Sensitive and routine Freedom of Information request statistics: FOI release 2026-05-12 · unclear · 0 files
• Correspondence regarding Information Commissioner decision notices: FOI release 2026-05-12 · partially withheld · 2 files