
Information Governance Annual Report 2021-2022

Report of the Chief Legal Officer


The Audit and Procurement Committee considered a report of the Director of Law and Governance, which provided a summary of the Council’s performance during 2021/22 in responding to requests for information received under the Freedom of Information Act 2000, the Environmental Information Regulations and the Data Protection Act.  It also covered the management of reported data protection security incidents and data protection training.


Information is one of the Council’s greatest assets and its correct and effective use is a major responsibility and is essential to the successful delivery of the Council’s priorities.  Ensuring that the Council has effective arrangements in place to manage and protect the information it holds is a priority.


Data protection legislation sets out the requirements on public organisations to manage information assets appropriately and how they should respond to requests for information.  The Information Commissioner’s Office (ICO) is the UK’s independent supervisory authority, set up to uphold information rights in the public interest, promote openness by public bodies and data privacy for individuals, and monitor compliance with legislation.


The Information Governance function supports the Council’s compliance with the Freedom of Information Act 2000 (FOIA), the Environmental Information Regulations (EIR), the General Data Protection Regulation (GDPR, now UK GDPR) and the Data Protection Act 2018 (DPA). The Council has a statutory obligation to comply with this framework by responding appropriately to requests and managing personal data properly.


The Information Governance Team supports the organisation in meeting these requirements by monitoring internal compliance, informing and advising on data protection obligations, providing guidance and raising awareness of data protection matters.


The Committee noted that the landscape in which local authorities were operating had continued to change since the introduction of the GDPR and the UK GDPR and the new Data Protection Act 2018 (DPA 2018).


The pandemic, particularly during periods of lockdown and subsequently, had a significant impact on ways of working and priorities.  During this period, the Information Governance Team supported the Council to adapt and keep working effectively, supporting data to flow compliantly for the purposes of the Council’s pandemic response and as new ways of working were introduced to meet needs, while ensuring the continuing protection of information.


During the year the government launched its consultation ‘Data: a new direction’ to inform its development of proposals to reform the UK’s data protection laws as part of the UK’s National Data Strategy, and the ICO had more recently launched its ICO25 plan, which sets out how the ICO will regulate and prioritise work over the next three years.


The number of Freedom of Information requests received by the Council (1167) was slightly down, by 100 requests, from 2020/21.  The Council responded to 86% of FOIA/EIR requests within the target time of 20 working days in 2021/22, compared to 71% for the previous year.  Although this is a much better completion rate overall, performance remains below the 90% target set by the ICO.


The Council received 47 requests for internal reviews in the year 2021/22. The Council responded to these with the following outcomes:

·  8 were not upheld – the exemptions that had been applied were maintained and no further information was provided

·  8 were not upheld – but advice or clarification was provided

·  13 were partially upheld – some further information was provided

·  16 were upheld – information was provided

·  2 were withdrawn


11 complaints were made to the ICO during 2021/22. The reasons and outcomes for these were:


·  7 complaints related to the handling of the FOI/EIR and the exemptions engaged by the Council.

·  4 complaints related to Data Protection obligations and information rights and practices.


Of the 11 complaints referred to the ICO:


·  9 were not upheld/no further action required (four of these had Decision Notices issued)

·  1 case was closed by the ICO following no response from the complainant

·  1 complaint was upheld with a Decision Notice being issued to the Council and a direction to disclose the requested information.


225 valid Subject Access Requests (SARs) were received during 2020/21.  The number of Subject Access Requests received by the Council had been rising year on year since the introduction of GDPR, but this represented a fall from the 268 requests received in the previous year.  While the Council receives fewer SARs than other information requests, many of these are complex and can involve managing significant amounts of sensitive information. While the overall number of requests reduced this year, the number of requests relating to Children’s Social Care increased, as did the number of SARs to which extensions were applied due to their size and/or complexity. The completion rate within the target time saw a slight decrease to 79%.


The Council received 14 requests to carry out an internal review into a SAR application during 2021/22.  In 9 cases, further information was provided which was located through further searches based on information provided by the requester or by reviewing the information which had originally been redacted. Where information was not provided, this was due to the original exemptions being upheld or information not being held by the Council.


One complaint was made to the ICO relating to Subject Access Requests in 2021/2022.  The ICO found that the Council had not provided all the personal information the requester was entitled to, and requested that this be rectified and that in future extra care be taken to provide all information the requester is entitled to where exemptions do not apply.


Protecting information from theft, loss, unauthorised access, abuse and misuse is crucial in order to reduce the risk of data breaches or financial loss incurred through noncompliance with key legislation.  The Information Governance data protection security incident reporting process supports the Council’s objective that breaches are managed promptly, and outcomes of investigations are used to inform reviews of the control measures in place to keep personal information secure.


In addition, the Council actively encourages the reporting of near misses and potential breaches to identify learning, promote awareness and reduce the likelihood of a serious breach of information, even though not all reported incidents will have resulted in a breach.  Even where there is no breach, incidents can provide valuable insight into training requirements and into processes and procedures which may need to be strengthened as a preventative measure. When investigating data protection security incidents, the Data Protection Team routinely considers resultant training needs and provides advice and guidance as required. Messages continue to be provided to staff alerting them to the need to protect personal data and use it appropriately.


In 2021/22, 263 reports of information security incidents were sent to the Data Protection Team, a decrease from 295 in the previous year.  Of these, 135 did not involve a breach of personal data.  These included for example near misses, loss or theft of equipment, cases where technical measures prevented access to data and incidents where a breach was contained.  Of the incidents where a breach of personal data was identified, 120 were identified as low risk, 8 medium and 0 high. The majority of reports were classified as information being disclosed in error with 75 reports relating to technical/procedural errors, 24 reports relating to loss or theft of hardware and two to unauthorised access.


Data Protection training is key to ensuring staff are aware of their responsibilities. Training is currently delivered through the Council’s e-learning platform, and annual completion of the data protection course is mandatory for all staff with access to personal data. Staff who do not have access to a computer in their role (not office based) and those whose role involves minimal personal data are provided with training at an appropriate level. This ensures that a level of understanding and awareness is reached that is relevant to their role and responsibilities.  For the 2021/22 year, the Council reported a completion rate of 90% for its mandatory data protection training. During the year, the Council adopted an Elected Member Training and Development Strategy which also includes data protection training.  In addition to the above, ICT have delivered awareness sessions specifically relating to cyber security, and regular cyber security messages are issued by ICT to staff. This has included a programme of awareness raising during cyber security month.


RESOLVED that the Audit and Procurement Committee:


1.  Note the Council’s performance on Freedom of Information, Subject Access and other Data Protection Act requests, including the outcome of internal reviews and the number and outcome of complaints made to the ICO.


2.  Note the reporting and management of data security incidents and / or those reported to the ICO.


3.  Note data protection training compliance.
