Horse passports: Minimum Operating Standards (MOpS) for Passport Issuing Organisations (PIOs)

Guide to minimum operating standards for Scottish approved passport issuing organisations (PIOs).


Data Handling

127. The new EU General Data Protection Regulation (GDPR) now forms part of the data

protection regime in the UK, together with the new Data Protection Act 2018 (DPA

2018). They have applied since 25 May 2018 and PIOs should make their own arrangements to comply with both in regards to passport issuing activities.

128. PIOs are responsible for making their own privacy notices available to customers on their website.

129. All PIOs must register with the Information Commissioners Office (ICO) unless they meet ICO exemption criteria.

130. It is a legal requirement to report serious breaches to the Information Commissioner’s Office (ICO) within 72 hours. Breaches of the regulation are subject to a potential fine of up to 20 million Euros. The PIO should also inform the Scottish Government within 24 hours of a suspected breach. Please mark the subject line as “urgent” in any emails sent and if you do not get a response within 24 hours (of a working day) please contact the CA’s equine ID team directly or via their Departmental switchboard (see page 2 for contact details).

131. Not all breaches have to be reported to the ICO – only the ones where the individual is likely to suffer some form of damage, such as through identity theft or a confidential breach. However, PIOs should notify any loss, corruption or theft of passport data to the Scottish Government within 24 hours so they can decide/advise what further action needs to be taken to comply with data protection requirements.

132. PIOs must ensure they have the right procedures in place to detect, report and investigate a personal data breach.

133. PIOs should also have procedures in place to handle new requirements under the GDPR including data subject requests. Guidance on the ICO webpages

Contact

Email: HorseID@gov.scot

Back to top