Agenda item

Information Governance Annual Report 2020/21

Report of the Director of Law and Governance

Minutes:

The Audit and Procurement Committee considered a report of the Director of Law and Governance, that provided a summary of the Council’s performance during 2020/21 in responding to requests for information received under the Freedom of Information Act, Environmental Information Regulations and Data Protection Act.  It also reported on the management of data protection security incidents reported and data protection training.


Information is one of the Council’s greatest assets and its correct and effective use is a major responsibility and is essential to the successful delivery of the Council’s priorities.  Ensuring that the Council has effective arrangements in place to manage and protect the information it holds is a priority.


Data protection legislation sets out the requirements on public organisations to manage information assets appropriately and how they should respond to requests for information.  The Information Commissioner’s Office (ICO) is the UK’s independent supervisory authority set up to uphold information rights in the public interest, promote openness by public bodies and data privacy for individuals, and monitors compliance with legislation.


The Information Governance function supports the Council’s compliance with the Freedom of Information Act 2000 (FOIA), the Environmental Information Regulations (EIR), the General Data Protection Regulation (GDPR, now UK GDPR) and the Data Protection Act 2018 (DPA). The Council has a statutory obligation to comply with this framework by responding appropriately to requests and managing personal data appropriately.


The Information Governance Team supports the organisation in meeting these requirements, by monitoring internal compliance, informing and advising on data protection obligations, providing advice and guidance and raising awareness on data protection matters. 


The Committee noted that the landscape in which local authorities were operating had seen its third significant change since the introduction of the GDPR and the new Data Protection Act 2018 (DPA 2018) in 2018.  At the end of the 2019/20 year, the country went into lockdown as part of its response to the Covid 19 pandemic and the impact of Brexit has subsequently led to the introduction of the UK GDPR.

The pandemic resulted in significant changes to ways of working and priorities.  During this period the Information Governance Team supported the Council to adapt and keep working effectively.  It facilitated the rapid turnaround of data sharing requests and needs whilst ensuring that requests were properly assessed to confirm that the personal data of the people concerned was used in line with relevant legislation and that individuals were kept informed of how their data was handled.  This allowed data to flow compliantly for the purposes of the Council’s pandemic response.  The number of requests for information received by the Council remained high throughout the pandemic and subsequent lockdowns, and the Information Governance function has seen a significant increase in demand for its services.


The number of Freedom of Information Requests received by the Council had increased year on year but reduced from 1,474 in 2019/20 to 1,267 in 2020/21. The Council responded to 71% of FOIA/EIR requests within the target time of 20 working days in 2020/21 compared to 78% for the previous year.  Performance remained below the 90% target set by the ICO. 


The Council received 47 requests for internal reviews in the year 2020/21, compared to 48 requests during the previous year.  The Council responded to these with the following outcomes:


  19 were not upheld – the exemptions that had been applied were maintained and no further information was provided

  8 were not upheld – advice or clarification was provided

  10 were partially upheld – some further information was provided

  8 were upheld - information was provided

  1 was withdrawn

  1 was closed with no further action


Four complaints were referred to the ICO during 2020/21.  The reasons and outcomes for these were:


  Three complaints related to the handling of an FOI and the exemptions engaged by the Council.  The ICO issued a decision notice on one and required no further action on the remaining two.  The complaints were not upheld.

  One complaint has still to be allocated to a Case Worker within the ICO.


The City Council already publishes a significant amount of information.  Identifying opportunities to increase the volume and type of information published (subject to legal compliance) will increase transparency and help to reduce the number of FOIs the Council receives, where the information is already available.


The Council received 268 valid Subject Access Requests (SARs) during the course of 2020/21. The number of SARs has been rising year on year with a significant increase seen following the introduction of the GDPR. While the Council receives fewer SARs than other information requests, many of these are complex and can involve managing significant amounts of sensitive information. The introduction of the GDPR also reduced the required response time for responding to SARs from 40 days to one calendar month. The completion rate within the target time has increased slightly to 76%.


The Council received 8 requests to carry out an internal review into a SAR application during 2020/21.  In 5 cases, further information was provided which was located through further searches based on information provided by the requester.  Where information was not provided, this was due to the original exemptions being upheld regarding grievance / disciplinary process and information not being held by the Council.  No complaints were referred to the ICO in relation to SARs in 2020/21.


Protecting information from theft, loss, unauthorised access, abuse and misuse is crucial in order to reduce the risk of data breaches or financial loss incurred through non-compliance with key legislation. The Information Governance data protection security incident reporting process supports the Council’s objective that breaches are managed promptly, and outcomes of investigations are used to inform reviews of the control measures in place to keep personal information safe.  In addition, the reporting of near misses and potential breaches is encouraged as this promotes awareness, avoids complacency and therefore reduces the likelihood of a serious breach of information.


In 2020/21, the Data Protection Team received 295 reports of data security incidents, an increase from 219 the previous year.  Of these, 165 did not involve a breach of personal data.  These included near misses, loss or theft of equipment, cases where technical measures prevented access to data and incidents where a breach was contained.  Of the incidents where a breach of personal data was identified, 112 were classified as low risk, 6 low/medium, 7 medium and 1 high.  The majority of the reports were classified as information being disclosed in error, with 25 reports relating to loss or theft of hardware, 18 to technical / procedural errors and 13 to unauthorised access.


The GDPR introduced requirements for personal data breaches that meet certain thresholds to be reported to the ICO.  No self-reports were made to the ICO during 2020/21.  One complaint was made by a data subject directly to the ICO, which assessed that the council had failed to ensure the security of personal data when it disclosed third party information and asked the council to ensure that staff who handle personal data are aware of the importance of keeping data secure. In addition, a third-party organisation working with the council had an incident which resulted in the breach of City Council data. They self-reported to the ICO.


Data Protection training is key to ensuring staff are aware of their responsibilities. Training is currently delivered through the Council’s e-learning platform, and annual completion of the data protection course is mandatory for all staff handling personal data. Staff who do not have access to a computer in their role (not office based) and those whose role involves minimal personal data are provided with training at an appropriate level. This ensures that an appropriate level of understanding and awareness is reached that is relevant to their role and responsibilities.  For the 2020/21 year, the Council reported a completion rate for its mandatory data protection training of 95% when completing the NHS Data Security and Protection Toolkit.  In addition to the Data Protection training, ICT have delivered awareness sessions specifically relating to cyber security, and regular cyber security messages are issued to staff.


RESOLVED that the Audit and Procurement Committee notes:


1.  The Council’s performance on Freedom of Information, Subject Access and other Data Protection Act requests, including the outcomes of internal reviews and the number and outcome of complaints made to the ICO.


2.  Reporting and management of data security incidents.


3.  Data Protection training compliance.
