Transparency data
Annex C - Data Handling SLA
Updated 21 July 2021
| Annex C 鈥� Data Handling SLA | |||||
|---|---|---|---|---|---|
| Not set | Not set | Not set | Not set | Not set | Not set |
| No. | Service Area | Measure | New / Existing / Amended | Target | Comment |
| 1 | Security breaches | Reporting | New | 6 hours following identification of issue. | 路聽聽聽聽 Notification to the OTC SIROwill be made within this time period following identification. |
| Not set | Not set | Not set | Not set | Not set | 路聽聽聽聽 Notification can come from any member of the DVSA IMS team or OTC staff. |
| 2 | Security Breaches | Reporting | New | Defined at point of initial report. | 路聽聽聽聽 OTC SIRO will indicate further level of reporting at time of first review. |
| Not set | Not set | Not set | Not set | Not set | 路聽聽聽聽 Incident dependent. |
| 3 | Personal Data Breaches (GDPR / Data Protection Act) | Reporting | New | Immediately on discovery, but not later than 24 hours after discovery | 路聽聽聽聽 DVSA to notify the TC Information Access Team |
| Not set | Not set | Not set | Not set | Not set | 路聽聽聽聽 OTC Information Access Team and TC Data Protection Officer to advise and recommend to TCs if personal data breach notifications should be sent to the UK Information Commissioner鈥檚 Office (ICO) and / or to the individuals affected. |
| Not set | Not set | Not set | Not set | Not set | 路聽聽聽聽 DVSA to cooperate with the OTC and TC Data Protection Officer to gather information, investigate, report to ICO within 72 hours of discovering the personal data breach (where required) and implement remedies. |
| 4 | Audit Reports | Sharing | New | 5 working days following receipt of findings | 路聽聽聽聽 Only applicable where IMS audits identify issues related to Traffic Commissioner data processing. |
| 5 | Assurance Reporting | GDPR Compliance | New | In line with each OTC Audit and Risk Committee submission date | 路聽聽聽聽 DVSA will compile a data protection report for the ARC to be agreed at ARC and then submitted to the TC Board for their information. |
| 6 | Data Protection / GDPR Training | Delivery | New | Annually for all OTC staff | 路聽聽聽聽 Training plan to be agreed with the OTC SIRO after consultation with the TC Data Protection Officer at the start of the financial year |
| Not set | Not set | Not set | Not set | Not set | 路聽聽聽聽 Face to face training for staff once a year |
| Not set | Not set | Not set | Not set | Not set | 路聽聽聽聽 Location appropriate to the staff locations |
| Not set | Not set | Not set | Not set | Not set | 路聽聽聽聽 Subject matter covering data protection elements including security practices related to Traffic Commissioners鈥� activities. |
| Not set | Not set | Not set | Not set | Not set | 路聽聽聽聽 鈥淎ll staff鈥� excludes staff who are on long-term sick absence or maternity/paternity leave or equivalent. |
| 7 | System Assurance | Testing | New | Annually | 路聽聽聽聽 Independent security testing of systems processing Traffic Commissioner data. |
| Not set | Not set | Not set | Not set | Not set | 路聽聽聽聽 Vulnerabilities identified shared with the OTC SIRO following report received by DVSA IMS. |