Agenda item

Information Governance Annual Report 2023-2024

Report of the Director of Law and Governance.

Minutes:

The Audit and Procurement Committee considered a report of the Director of Law and Governance that provided a summary of the Council’s performance during 2023/2024 in responding to requests for information received under Data Protection legislation. It also reported on the management of data protection security incidents and/or those reported to the Information Commissioner’s Office (ICO) and on data protection training.

Information was one of the Council’s greatest assets and its correct and effective use was a major responsibility and was essential to the successful delivery of the Council’s priorities. Ensuring that the Council had effective arrangements in place to manage and protect the information it held, both personal and business critical information, was a priority.

Data protection legislation set out the requirements on organisations to manage information assets appropriately and how they should respond to requests for information. The ICO was the UK’s independent supervisory authority, set up to uphold information rights in the public interest, to promote openness by public bodies and data privacy for individuals, and to monitor compliance with the legislation.

The Information Governance (IG) function supported the Council’s compliance with the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA 2018), the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations (EIR). The Council had a statutory obligation to comply with this framework by responding appropriately to requests and managing personal data lawfully. The Information Governance Team assisted the organisation in meeting these requirements by monitoring internal compliance, informing and advising on data protection obligations, providing advice and guidance, and raising awareness of data protection matters.

The landscape in which public authorities were operating had continued to change since the introduction of the GDPR in 2018, and subsequently of the UK GDPR and the Data Protection Act 2018 (DPA 2018).

In March 2023, the Government introduced the Data Protection and Digital Information Bill, which did not complete its passage through Parliament before the UK general election was called for July 2024. The new Government had subsequently introduced to Parliament the Data (Use and Access) Bill, with the stated purpose to “unlock the secure and effective use of data for the public interest”. While it retained some of the measures proposed in its predecessor, others were amended and some new elements were introduced. Implications for local government would be monitored as the Bill progressed, to ensure that the City Council would be able to meet the new requirements when they were introduced.

In June 2022, the ICO set out a revised approach to working more effectively with public authorities. This approach had seen an increased use of the ICO’s wider powers under data protection law, including warnings, enforcement notices and reprimands, as well as a change in its approach to the application of fines in the public sector; the ICO was currently considering the next steps.

The Council received 1428 Freedom of Information requests in 2023/24, 232 more than in the previous year (2022/23). The Council responded to 81% of FOIA/EIR requests within the target time of 20 working days in 2023/24, a decrease on the previous year. While this replicated the improvement in performance seen after the introduction of a new management system, performance remained below the 90% threshold set by the ICO.

The Council received 30 requests for internal reviews in the year 2023/24 (down from 37 the previous year) and responded to these with the following outcomes:

·  10 were not upheld – the exemptions that had been applied were maintained and no further information was provided;

·  6 were not upheld – but advice or clarification was provided;

·  4 were partially upheld – some further information was provided;

·  7 were upheld – information was provided;

·  3 were withdrawn.

No complaints were made to the ICO during 2023/24, compared to 12 complaints the previous year.

286 valid Subject Access Requests (SARs) were received during 2023/24, an increase of 13 on the previous year. While the Council received fewer SARs than other information requests, many of these were complex and could involve managing significant amounts of sensitive information. The number of requests relating to Children’s Social Care, and the number of SARs to which extensions were applied because of their size and/or complexity, both increased slightly. The completion rate within the target time had increased to 84% in 2023/24, up from 79% the previous year.

The Council received 12 requests to carry out an internal review into a SAR application during 2023/24, the same as the previous year. In 9 cases, further information was provided which was located through further searches based on information provided by the requester or by reviewing the information which had originally been redacted. Where information was not provided, this was due to the original exemptions being upheld or information not being held by the Council.

No complaints were made to the ICO related to Subject Access Requests in 2023/24.

In respect of data security incidents, protecting information from theft, loss, unauthorised access, abuse and misuse was crucial in order to reduce the risk of data breaches, or of financial loss incurred through non-compliance with key legislation. The IG data protection security incident reporting process supported the Council’s objective that breaches were managed promptly and that the outcomes of investigations were used to inform reviews of the control measures in place to keep personal information secure.

The Council actively encouraged the reporting of near misses and potential breaches in order to identify learning, promote awareness and reduce the likelihood of a serious breach of information, even though not all reported incidents would have resulted in a breach. Even where there was no breach, incidents could provide valuable insight into training requirements and into processes and procedures which might need to be strengthened as a preventative measure. When investigating data protection security incidents, the Data Protection Team routinely considered any resulting training needs and provided advice and guidance as required. Messages continued to be provided to staff alerting them to the need to protect personal data and to use it appropriately.

In 2023/24, 176 reports of information security incidents were sent to the Data Protection Team, a decrease from 219 in the previous year. Of these, 103 did not involve a breach of personal data; these included, for example, near misses, loss or theft of equipment, cases where technical measures prevented access to data, and incidents where a breach was contained. Of the incidents where a breach of personal data was identified, 70 were assessed as low risk, 1 as medium and 1 as high. The majority of reports were classified as information disclosed in error, with 57 reports relating to technical/procedural errors, 28 reports relating to loss or theft of hardware and 1 to unauthorised access.

The GDPR introduced a requirement for personal data breaches that met certain thresholds to be reported to the ICO. Two self-reports were made to the ICO during 2023/2024.

One complaint was made to the ICO during 2023/2024 related to the Council’s data protection obligations. The ICO confirmed that it did not intend to take regulatory action and provided guidance to the Council on measures to implement to avoid future incidents.

Data protection training was key to ensuring that staff were aware of their responsibilities. Training was currently delivered through the Council’s e-learning platform, and annual completion of the data protection course was mandatory for all staff with access to personal data. Staff who did not have access to a computer in their role (not office based), and those whose role involved minimal personal data, were provided with training at an appropriate level. This ensured that a level of understanding and awareness relevant to their role and responsibilities was reached. For the 2023/24 year, the Council reported a completion rate of 95% for its mandatory data protection training. The Elected Member Training and Development Strategy, introduced for the 2022/23 year, also included data protection training.

The Data Security and Protection Toolkit was an online tool that allowed relevant organisations processing health and care data to measure their performance against data security and information governance requirements reflecting legal rules and Department of Health policy. The self-assessment tool enabled the Council to demonstrate that it could be trusted to maintain the confidentiality and security of personal information, specifically health and social care personal records. All organisations that had access to NHS patient data and systems used this Toolkit to provide assurance that they were practising good data security and that personal information was handled correctly. For the 2023/24 reporting period, the Council met all of the mandatory requirements and was assessed as meeting the required standards.

The Audit and Procurement Committee:

1.  Noted the Council’s performance on Freedom of Information, Subject Access and other Data Protection Act requests, including the outcomes of internal reviews and the number and outcome of complaints made to the ICO.

2.  Noted the reporting and management of data security incidents.

3.  Noted data protection training compliance.

4.  Did not identify any comments or recommendations.
