Skip to main content
Search
HomePoliciesPrivacy PoliciesMemorandum on Joint Data Controllers’ Responsibilities

Memorandum on Joint Data Controllers’ Responsibilities

The Civil Service Commission collects, holds and uses personal data in discharging its responsibilities. This data can relate to members of the public, civil servants, staff members and office holders. Civil Service Commission provides shared secretariat support to two independent offices – Civil Service Commission (‘the Commission’) and Office of Commissioner for Public Appointments (OCPA) who also share HR finance and IT functions.

The Commission uses Cabinet Office IT systems, therefore all of its personal data is held by the Cabinet Office, a separate data controller. The Commission also relies upon the Cabinet Office for HR and finance services, which requires sending personal data to and from the Cabinet Office.

It is the view of the Cabinet Office, the Commission and OCPA that they are acting as joint data controllers in relation to all personal data processed by the Commission.

The Cabinet Office, the Commission and OCPA will:

  • comply with the data protection principles, and with all relevant data protection legislation
  • properly involve their Data Protection Officer in a timely manner in issues that relate to data protection
  • ensure an appropriate level of technical and organisational security for the personal data
  • publish a summary of this memorandum

The Cabinet Office will be the responsible lead data controller for processing of staff personal data pursuant to carrying out HR or finance functions on behalf of the Commission and OCPA, and in relation to the administration of IT services provided to the Commission and OCPA. These responsibilities include:

  • the provision of Privacy Notices to staff about how their personal data are being handled
  • the maintenance of processing records under Article 30 GDPR
  • reporting data breaches that relate to the processing of HR or finance related staff or office holder data, or which relate to the IT infrastructure provided
  • carrying out any Data Protection Impact Assessments required by law
  • responding to data subject requests relating to staff or office holders HR/finance data, or the administration of IT services
  • manage any contracts of data processors as part of the Cabinet Office IT provision to the Commission or OCPA

In relation to any personal data which is processed by the Commission in carrying out its duties on behalf of the Commission and OCPA, the Commission will be responsible for:

  • the provision of Privacy Notices to data subjects setting out how the Commission uses their personal data
  • the maintenance of processing records under Article 30 GDPR relating to how the Commission uses personal data to carry out its duties
  • reporting data breaches which occur as a result of the actions of the staff of the Commission, including their usage of the IT systems provided to the Commission
  • carrying out any Data Protection Impact Assessments required by law for activities of the Commission
  • responding to data subject requests that relate to the carrying out of the tasks of the Commission. The Cabinet Office will provide reasonable required assistance to the Commission in responding to data subject requests.
  • managing any data processor contracts in relation to additional IT services procured by the Commission