TfL Ref: 1434-2425
Thank you for your request received by Transport for London (TfL) on 2 August 2024 asking for information about data sharing.
Your request has been considered in accordance with the requirements of the Freedom of Information Act and our information access policy. I can confirm that we hold the information you require. Your specific questions and our replies are as follows:
1. Whether you have a dedicated Data Sharing Advisory and Guidance central team or department that gives advice to your organisation about the organisation's Data Sharing responsibilities, relating to both personal and corporate data sharing agreements (DSAs) and Memoradum of Understanding (MOU's) for the sharing of bulk and individual data?
TfL’s Privacy and Data Protection team is responsible for giving advice to the organisation on all matters relating to personal data, which includes data sharing.
1.1. If so what is the name of the team or department?
Privacy and Data Protection Team
1.2. Please clarify whether it is a team or department?
It is a team, which sits within the TfL Information Governance Department, which is part of the General Counsel directorate.
2. If the answer to question 1 is yes, how many staff members are part of the Data Sharing team or department, including senior staff members, such as Director level and heads of departments?
There are 10 members of the Privacy and Data Protection team providing advice to all of TfL, any of whom may advise on data sharing as part of their role. This number includes the Head of Privacy and Data Protection.
3. If the answer to question 1 is yes, how much does it cost to run the team or department (please breakdown the costs into categories, such as an aggregate amount for salaries, IT costs etc)?
The gross cost of remuneration for the team is £832,609 per annum. This includes employer pension and national insurance contributions. Information on the other costs of the team is not held separately and cannot be disaggregated.
4. What type of data sharing mechanism does your organisation use to share data with external organisations when sending data under a DSA or MOU? Such as via encrypted email, dedicated data sharing platform ( please name this if applicable).
The mechanisms used to share data with external organisations are determined on a case by case basis, taking into account factors such as the frequency, subject matter, type and volume of data to be shared.
5. If the answer to question 1 is yes, how long has the team been in situ?
Resources have been dedicated by TfL to privacy and data protection compliance since shortly after its inception in 2000.
6. If the answer to question 1 is NO, do you have plans to put in place a designated data sharing advice team for your organisation in the future?
Please see our answer above.
7. If the answer to question 6 is yes, please explain what has prompted the decision?
Please see our answer above.
8. If the answer to question 6 is yes, within what time frame do you anticipate setting up the data sharing team or department? A. Within 3 - 6 months, 6 - 9 months or 9 months +?
Please see our answer above.
9. Does your organisation routinely conduct audits of the DSAs and MOUs within the organisation to ensure they are compliant with the organisation's regulatory and legal duties?
All data sharing agreements contain provisions for audit and review which includes ensuring the data sharing continues to be compliant with TfL’s regulatory and legal duties. Additional or exceptional audits or reviews may also take place where a specific need is identified on a case by case basis.
10. If the answer to question 9 is yes, a. How often are the audits conducted? And b. Are the auits conducted i. Internally, ii. externally or iii. both internally and externally?
Audits and reviews are conducted as required, by the data sharing agreement concerned or otherwise. Audits conducted by TfL are done using internal resource.
10. 1 . if the answer is no to question 9, what policy has dictated this or why not?
Please see our answer above.
If this is not the information you are looking for, or if you are unable to access it for any reason, please do not hesitate to contact me.
Please see the attached information sheet for details of your right to appeal as well as information on copyright and what to do if you would like to re-use any of the information we have disclosed.
Yours sincerely
Sara Thomas
FOI Case Management Team
General Counsel
Transport for London
