Information Governance Annual Report 2016/17

Report of the Deputy Chief Executive (Place)

Minutes:

The Committee considered a report of the Director of Finance and Corporate Services, which set out the Council’s performance in relation to handling requests for information, managing data protection security incidents and completing data protection training demonstrating the Council’s commitment to the strategy and compliance with relevant legislation.

Data Protection and transparency legislation were identified as important factors in the Council’s Information Management Strategy.  Compliance and performance had improved from the previous year’s position, following the Information Commissioner’s Office (ICO) audit report received in 2016.  Recommendations from that audit report had been implemented.  However, the Committee noted that there was still work to be done to embed these actions within the Council in order to gain full compliance.  The General Data Protection Regulation (GDPR) would come into force on 25th May 2018 and would introduce major changes to the Data Protection Act 1998 (DPA).  This would be an additional challenge that would introduce stricter rules around the way the Council captured, used and retained personal information and would attract higher financial penalties for non-compliance.

Under the Freedom of Information Act 2000 (FOIA) the Council were required to respond to requests from members of the public for information it holds, subject to any exemptions that may apply. The Environmental Information Regulations 2004 (EIR) require Public Authorities to consider disclosure of environmental information under EIR rather than FOIA.  Both FOIA and EIR encourage proactive publication of information; however, the EIR provides fewer grounds for public authorities to withhold information.

The DPA required the authority to process personal data in accordance with the principles of the Act, which included providing individuals with access to the information the Council processed about them, subject to any exemptions.  These requests were also known as Subject Access Requests (SARs).  DPA security breaches occur when there is unlawful or unauthorised processing of personal data, or where there is accidental loss, damage or destruction of personal data. The Council was required to report serious breaches to the ICO. It was also required to have in place technical and organisational measures to minimise the occurrence of such incidents. DPA training was one of the organisational measures the Council was required to have in place.

The Information Commissioner’s Office (ICO) oversees FOIA, EIR and DPA compliance, promotes good practice and deals with complaints from members of the public who are not satisfied with the response they receive. The ICO also investigates data protection breaches reported to them and can exercise enforcement powers that include civil monetary penalties.

During 2016/17, 1,374 FOI/EIR requests were received.  The Council responded to 68% of requests within 20 working days.  There were 15 requests for internal review and 3 complaints were referred to the ICO.  The Council also received 144 SARs during 2016/17, with 68% completed within 40 calendar days.  There were 3 requests for internal review and 3 complaints were referred to the ICO.  The report provided details on the outcome of these reviews and complaints and also provided comparative data over a 3-year period.

There were 138 information security incidents reported during 2016/17, most as a result of information disclosed in error or lost as a result of stolen hardware.  Whilst it was not a requirement under the current legislation to report breaches to the ICO, this was recommended where there was a likelihood of significant harm to the individuals or a large number of individuals were affected.  Under the GDPR the Council were required to report breaches to the ICO within 72 hours from the time the Council was made aware of the incident.  2 incidents were reported to the ICO during the period, both being concluded with no enforcement action due to sufficient remedial measures taken by the Council.

The Committee were also advised that DPA mandatory e-learning training was launched on 4th November 2016, with all staff with access to computers expected to complete it on an annual basis.  By the end of 2016/17, 57% of the Council’s employees had completed the training.  It was acknowledged that a number of staff did not have access to computers as part of their work role and alternative training was being considered for those employees. The Committee were informed that these staff had also been included in the training figures and it was the intention to bring a revised figure to the next meeting. To support the training, there had also been a “Data-Day” event and a communications campaign held to raise Data Protection awareness. Completion of Data Protection training had also now been included in the appraisal document.

The Committee asked about the actions which could be taken to reduce the number of FOI requests; enquired about the Data Protection training and asked for further information on the information security incidents. The Committee also asked about the current Data Protection training for Members and recommended that annual mandatory training be introduced for all members.

RESOLVED that the Audit and Procurement Committee:-

1.  Note the Council’s performance on Freedom of Information, Subject Access and other Data Protection Act requests, covering the number of responses within statutory time limits, outcome of internal reviews and number and outcome of complaints made to the Information Commissioner’s Office.

2.  Note the data security incidents reported, including the number, nature and risk level.

3.  Note the Data Protection Act training completed, including the number of employees that have completed the training.

4.  Request that arrangements be made for annual mandatory training on Data Protection for all members.