Agenda item

Information Governance Annual Report 2019-20

Report of the Director of Law and Governance

Minutes:

The Audit and Procurement Committee considered a report of the Director of Law and Governance, that provided a summary of the Council’s performance during 2019/20 in responding to requests for information received under the Freedom of Information Act, Environmental Information Regulations and Data Protection Act.  It also reported on the management of data protection security incidents reported and data protection training.


Information is one of the Council’s greatest assets and its correct and effective use is a major responsibility and is essential to the successful delivery of the Council’s priorities.  Ensuring that the Council has effective arrangements in place to manage and protect the information it holds is a priority.


Data protection legislation sets out the requirements on public organisations to manage information assets appropriately and how they should respond to requests for information.  The Information Commissioner’s Office (ICO) is the UK’s independent supervisory authority set up to uphold information rights in the public interest, promote openness by public bodies and data privacy for individuals, and monitors compliance with legislation.


The Information Governance function supports the Council’s compliance with the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations (EIR), General Data Protection Regulations GDPR (now UK GDPR) and Data Protection Act (DPA) 2018. The Council has a statutory obligation to comply with this framework by responding appropriately to requests and managing personal data appropriately.


The Information Governance Team supports the organisation in meeting these requirements, co-ordinating and providing support to the Council’s activity, including co-ordinating requests received under the legislation.  The Data Protection Team (comprising the Data Protection Officer (DPO), the Head of Information Governance and four Information Governance Officers) manages the organisation’s approach to data protection, including the management of data protection security incidents.


While the report covered the year 2019/20 and a future report would address the current year, the Committee noted that the landscape in which public authorities are now operating has changed significantly since 2018, which saw the introduction of the GDPR and the new Data Protection Act 2018 (DPA 2018).  At the end of the 2019/20 year, the country went into lockdown as part of its response to the Covid-19 pandemic, and the impact of Brexit has subsequently led to the introduction of the UK GDPR.


The number of Freedom of Information Requests received by the Council had increased year on year to 1,540 in 2018/19 and a small reduction to 1,474 was seen in 2019/20.  The Council responded to 78% of FOIA/EIR requests within the target time of 20 working days in 2019/20 compared to 62% for the previous year.  While the proportion of requests dealt with within the target time had improved, performance remained below the 90% target set by the ICO. 


The Council received 48 requests for internal reviews in the year 2019/20. The Council responded to these with the following outcomes:


  13 were not upheld – the exemptions that had been applied were maintained and no further information was provided

  11 were not upheld – more information or clarification was provided

  6 were partially upheld – some further information was provided

  15 were upheld – information was provided

  1 was upheld – a further exemption was engaged

  1 was withdrawn

  1 was closed with no further action


Five complaints were referred to the ICO during 2019/20.  The reasons and outcomes for these were:


  Requester stated that they had not received a response. The response to the FOI had been issued on day 23. The ICO was notified and there was no further action.

  The response was reviewed and a revised response issued. The ICO was notified and there was no further action.

  The requester submitted an amended request and the complaint was withdrawn.

  A complaint that the requested information had not been provided was not upheld and the ICO found in favour of the City Council.

  In response to a complaint about the handling of an EIR request, the complaint was not upheld and the ICO issued a decision notice.


The City Council already publishes a significant amount of information. Identifying opportunities to increase the volume and type of information published (subject to legal compliance) will increase transparency and help to reduce the number of FOI requests the Council receives where the information is already available.


The Council received 266 valid Subject Access Requests (SARs) during the course of 2019/20, compared to 225 in the previous year (see table 3). The number of SARs has been rising year on year with a significant increase seen following the introduction of the GDPR. While the Council receives fewer SARs than other information requests, many of these are complex and can involve managing significant amounts of sensitive information. The introduction of the GDPR also reduced the required response time for responding to SARs from 40 days to one calendar month. The completion rate within the target time has remained broadly the same at 72%.


Protecting information from theft, loss, unauthorised access, abuse and misuse is important in order to reduce the risk of data breaches or financial loss incurred through non-compliance with key legislation such as the DPA. It is good practice to report on information incidents and breaches.  The Council encourages the reporting of near misses and potential breaches, as this promotes awareness and avoids complacency, thus reducing the likelihood of a serious breach of information.


In 2019/20, the Data Protection Team received 219 reports of potential data security incidents. Of these, 156 did not involve a breach of personal data.  These included, for example, near misses, loss or theft of equipment, cases where technical measures prevented access to data and incidents where a potential breach was contained.  Of the 63 incidents where a breach of personal data was identified, 42 were identified as low risk, 13 as low/medium, 7 as medium and 1 as high.  The majority of these were classified as information being disclosed in error, with 5 incidents logged as a result of unauthorised access and 4 as technical/procedural failures.  The GDPR introduced requirements for personal data breaches that meet certain thresholds to be reported to the ICO.  No self-reports were made to the ICO during 2019/20, compared to one in 2018/19.  One complaint was made by a data subject directly to the ICO, who advised an informal resolution with the City Council.  While there had been a technical/procedural error, no data had been breached.


Data Protection training is key to ensuring staff are aware of their responsibilities. Training is currently delivered through the Council’s e-learning platform, and annual completion of the data protection course is mandatory for all staff handling personal data. Staff who do not have access to a computer in their role (not office based) and those with minimal personal data involved in their role are provided with alternative training. This ensures that an appropriate level of understanding and awareness is reached that is relevant to their role and responsibilities. In addition to the Data Protection training there is also a need to provide specific Cyber Security training. Data Protection and Cyber Security are two separate but complementary areas, of equal importance for different reasons.


For the 2019/20 year, the Council reported a completion rate for the Council’s mandatory data protection training of 90.64% when completing the NHS Data Security and Protection Toolkit. This self-assessment tool enables public authorities to demonstrate their ability and commitment to maintain the confidentiality and security of personal information, particularly health and social care personal records. The Council met all of the standards, with the exception of that related to training, which requires a minimum completion rate of 95%.


RESOLVED that the Audit and Procurement Committee note:


1.  The Council’s performance on Freedom of Information, Subject Access and other Data Protection Act requests, including the outcomes of internal reviews and the number and outcome of complaints made to the ICO.


2.  Reporting and management of data security incidents.


3.  Data Protection training compliance.
