RoPA Process Guide
A USG record of processing activity (RoPA) is a comprehensive inventory of all the processing activities that a process manager or sub-processor at the direction of the process manager performs. USG organizations and institutions are requested to develop a RoPA Process.
The development of a RoPA Process by all USG organizations and institutions is in accordance with BPM Sections 12.4.2, 12.6.2 and 12.6.5. In order for a RoPA Process to be in place, USG organizations and institutions must provide a way to inventory all the processing activities and submit to the USG on an annual basis.
The RoPA process shall include the following six-step process.
Step One: Determine who will own the organization’s RoPA process and maintain it.
Step Two: Determine the management and records platform for the RoPA.
Step Three: Create a list of the organization’s divisions and departments that process data.
Step Four: This step has three tasks, to include: a) interview lead personnel within each identified division and/or department; b) create a RoPA and list each system identified as a mission-critical system processing PII; and, c) identify the system and data owners for each system in the RoPA.
Step Five: Analyze the RoPA systems, documenting the data usage activities for each system, particularly referencing the purpose for collecting any PII.
Step Six: Develop a reporting and maintenance schedule through updating, adding or deleting systems and their owners annually.