Viewing as: National Administrator · All 47 counties · Cabinet briefings (national view)
Regulator-ready
Compliance & ODPC Centre
Data Protection Officer console — DPIA, registers, retention, breach drills, lawful basis, transfers, and audit.
ODPC readiness
Composite score: 86
DPIA: 78%
Retention: 92%
Breach drills: 100%
Access reviews: 64%
DSR SLA: 88%
Training: 74%
Open risks: 11
DSR pending: 8
Access violations: 2
Sharing agreements: 9
Compliance task register
| Ref | Task | Category | Owner | Risk | Status |
|---|---|---|---|---|---|
| C-01 | DPIA — Iris biometric processing | DPIA | DPO Office | High | In progress |
| C-02 | Children's data processing register update | Register | DPO Office | Medium | Done |
| C-03 | Retention policy — biometric templates | Retention | Legal | High | Pending |
| C-04 | Breach notification drill Q2 | Drill | SOC | Medium | Done |
| C-05 | Data sharing agreement — MoH | Agreement | Legal | Low | Done |
| C-06 | Data sharing agreement — MoE | Agreement | Legal | Medium | In progress |
| C-07 | Access review — privileged roles | Access | Security | High | Overdue |
| C-08 | Consent / lawful basis register refresh | Register | DPO Office | Medium | In progress |
| C-09 | Cross-border transfer assessment | DPIA | DPO Office | High | Pending |
| C-10 | Vendor due diligence — iris device OEMs | Vendor | Procurement | Medium | In progress |
| C-11 | Privacy notice review | Notice | DPO Office | Low | Done |
| C-12 | Subject access response template | Rights | DPO Office | Low | Done |
| C-13 | Encryption key rotation | Security | Security | High | In progress |
| C-14 | Audit log immutability verification | Audit | Security | Medium | Done |
| C-15 | Officer privacy training | Training | HR | Medium | In progress |
Privacy notice
Processing of children's data and iris biometrics is governed by the Births & Deaths Registration Act, Data Protection Act 2019, and ODPC guidance. Lawful basis is primarily legal obligation / public task with consent recorded for ancillary contact channels. All sensitive decisions require human approval, with immutable audit trails. Cross-border transfer is not permitted without a transfer impact assessment.