Report of the Chief Legal Officer
Minutes:
The Audit and Procurement Committee considered a report of the Chief Legal Officer that provided a summary of the Council’s performance during 2022/2023 in responding to requests for information received under Data Protection legislation. It also reported on the management of data protection security incidents and/or those reported to the Information Commissioner’s Office (ICO) and on data protection training.
Information was one of the Council’s greatest assets and its correct and effective use was a major responsibility and was essential to the successful delivery of the Council’s priorities. Ensuring that the Council had effective arrangements in place to manage and protect the information it held, both personal and business critical information, was a priority.
Data protection legislation set out the requirements on organisations to manage information assets appropriately and how they should respond to requests for information. The ICO was the UK’s independent supervisory authority set up to uphold information rights in the public interest, promote openness by public bodies and data privacy for individuals, and monitor compliance with the legislation.
The Information Governance (IG) function supported the Council’s compliance with the Freedom of Information Act 2000 (FOIA), the Environmental Information Regulations (EIR), the General Data Protection Regulation (GDPR, now UK GDPR) and the Data Protection Act 2018 (DPA 2018). The Council had a statutory obligation to comply with this framework by responding appropriately to requests and managing personal data appropriately. The Information Governance Team supported the organisation in meeting these requirements by monitoring internal compliance, informing and advising on data protection obligations, providing advice and guidance, and raising awareness on data protection matters.
The landscape in which public authorities were now operating had continued to change since the introduction of the GDPR, and subsequently the UK GDPR, and the new Data Protection Act 2018 (DPA 2018) in 2018.
In March 2023, the Government introduced the Data Protection and Digital Information Bill which aimed to update and simplify the UK’s data protection framework with a view to reducing burdens on organisations while maintaining high data protection standards. The Bill aimed to provide organisations with greater flexibility on how to comply with certain aspects of the data protection legislation, improve the clarity of the framework and reform the regulator, the Information Commissioner. Implications for local government would be monitored as the Bill progressed to ensure that the City Council was able to meet.
The number of Freedom of Information requests received by the Council, 1196, was slightly higher (by 29) than in the previous year, 2021/22. The Council responded to 86% of FOIA/EIR requests within the target time of 20 working days in 2022/23, the same rate as in the previous year. While this maintained the improvement in performance seen after the introduction of a new management system, performance remained below the 90% threshold set by the ICO.
The Council received 37 requests for internal reviews in the year 2022/23 and responded to these with the following outcomes:
• 16 were not upheld – the exemptions that had been applied were maintained and no further information was provided;
• 3 were not upheld – but advice or clarification was provided;
• 9 were partially upheld – some further information was provided;
• 5 were upheld – information was provided;
• 1 was still open;
• 3 were withdrawn.
12 complaints were made to the ICO during 2022/23. The reasons and outcomes for these were:
• 7 complaints related to the handling of the FOI/EIR and the exemptions engaged by the Council;
• 5 complaints related to Data Protection obligations and information rights and practices.
Of the 12 complaints referred to the ICO:
• 6 were not upheld/no further action required (four of these had Decision Notices issued);
• 2 cases were closed by the ICO following no response being received from the complainant;
• 1 complaint was upheld with a Decision Notice being issued to the Council and a direction to disclose the requested information;
• 3 cases were closed following no response being received from the ICO.
270 valid Subject Access Requests (SARs) were received during 2022/23. After a reduction last year, the number of Subject Access Requests received by the Council returned to the levels seen in the previous two years, which reflected the increase seen following the introduction of the GDPR. Many SARs were complex and could involve managing significant amounts of sensitive information. The number of requests relating to Children’s Social Care, as well as the number of SARs to which extensions were applied due to their size and/or complexity, remained significant. The completion rate within the target time had seen a slight decrease to 79%.
The Council received 12 requests to carry out an internal review into a SAR application during 2022/23. In 9 cases, further information was provided which was located through further searches based on information provided by the requester or by reviewing the information which had originally been redacted. Where information was not provided, this was due to the original exemptions being upheld or information not being held by the Council.
Three complaints were made to the ICO related to Subject Access Requests in 2022/2023. Two of the complaints related to the handling of the SAR and the statutory timeframes, with one instructing disclosure to be made within 14 days. The letters from the ICO, however, arrived after disclosures had ultimately been made. The ICO was notified, and no further action was required. One complaint related to a failure to respond or provide information; however, the request was not valid as the requester had failed to provide the necessary identification required. The ICO was notified, and no further correspondence was received.
In respect of data security incidents, protecting information from theft, loss, unauthorised access, abuse and misuse was crucial in order to reduce the risk of data breaches or financial loss incurred through noncompliance with key legislation. The IG data protection security incident reporting process supported the Council’s objective that breaches were managed promptly, and outcomes of investigations were used to inform reviews of the control measures in place to keep personal information secure.
The Council actively encouraged the reporting of near misses and potential breaches to identify learning, promote awareness and reduce the likelihood of a serious breach of information, even though not all reported incidents would have resulted in a breach. Even where there was no breach, incidents could provide valuable insight into training requirements and into processes and procedures which may need to be strengthened as a preventative measure. When investigating data protection security incidents, the Data Protection Team routinely considered resultant training needs and provided advice and guidance as required. Messages continued to be provided to staff alerting them to the need to protect personal data and use it appropriately.
In 2022/23, 219 reports of information security incidents were sent to the Data Protection Team, a decrease from 263 in the previous year. Of these, 140 did not involve a breach of personal data. These included, for example, near misses, loss or theft of equipment, cases where technical measures prevented access to data and incidents where a breach was contained. Of the incidents where a breach of personal data was identified, 76 were identified as low risk, 3 as medium and 0 as high. The majority of reports were classified as information being disclosed in error, with 85 reports relating to technical/procedural errors, 33 reports relating to loss or theft of hardware and 6 to unauthorised access.
The GDPR introduced requirements for personal data breaches that meet certain thresholds to be reported to the ICO. No self-reports were made to the ICO during 2022/2023.
Data Protection training was key to ensuring staff were aware of their responsibilities. Training was currently delivered through the Council’s e-learning platform and annual completion of the data protection course was mandatory for all staff with access to personal data. Staff who did not have access to a computer in their role (not office based) and those with minimal personal data involved in their role were provided with appropriate level training. This ensured that an appropriate level of understanding and awareness was reached that was relevant to their role/responsibilities. For the 2022/23 year, the Council reported a completion rate of the Council’s mandatory data protection training of 95%. The Elected Member Training and Development Strategy, introduced just prior to the start of the year, also included data protection training.
In addition to the above, ICT delivered awareness sessions specifically relating to cyber security and regular cyber security messages were issued by ICT to staff. This included a programme of awareness raising during cyber security month.
The Data Security and Protection Toolkit was an online tool that allowed relevant organisations that processed health and care data to measure their performance against data security and information governance requirements which reflected legal rules and Department of Health policy. The self-assessment tool enabled the Council to demonstrate that it could be trusted to maintain the confidentiality and security of personal information, specifically health and social care personal records. All organisations that had access to NHS patient data and systems used this Toolkit to provide assurance that they were practising good data security and that personal information was handled correctly. For the 2022/23 reporting period, the Council met all of the mandatory requirements and was assessed as meeting the required standards.
RESOLVED that the Audit and Procurement Committee:
1) Notes the Council’s performance on Freedom of Information, Subject Access and other Data Protection Act requests, including the outcomes of internal reviews and the number and outcome of complaints made to the ICO.
2) Notes the reporting and management of data security incidents.
3) Notes data protection training compliance.
4) Agrees that there were no recommendations to be made.