Information Governance Annual Report 2024/2025

Report of the Director of Law and Governance

Minutes:

The Audit and Procurement Committee considered a report of the Director of Law and Governance that provided a summary of the Council’s performance during 2024/2025 in responding to requests for information received under Data Protection legislation. It also reported on the management of data protection security incidents and/or those reported to the Information Commissioner’s Office (ICO) and on data protection training.

Information was one of the Council’s greatest assets and its correct and effective use was a major responsibility and was essential to the successful delivery of the Council’s priorities. Ensuring that the Council had effective arrangements in place to manage and protect the information it held, both personal and business critical information, was a priority.

Data protection legislation set out the requirements on organisations to manage information assets appropriately and how they should respond to requests for information. The ICO was the UK’s independent supervisory authority set up to uphold information rights in the public interest, promote openness by public bodies and data privacy for individuals, and monitored compliance with legislation.

The Information Governance (IG) function supported the Council’s compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act (DPA) 2018, the Data (Use and Access) Act 2025, the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations (EIR). The Council had a statutory obligation to comply with this framework by responding appropriately to requests and managing personal data lawfully. The Information Governance Team assisted the organisation in meeting these requirements by monitoring internal compliance, informing and advising on data protection obligations, providing advice and guidance and raising awareness on data protection matters.

The landscape in which public authorities were now operating had continued to change since the introduction of the GDPR, subsequently the UK GDPR, and the Data Protection Act 2018 (DPA 2018) in 2018. The landscape would continue to change. Good information governance had an important part to play as the introduction of integrated care systems to plan and deliver joined up health and care services continued to develop, the use of AI to transform service delivery developed and the cyber security landscape became more challenging.

Since 2023, successive governments had proposed legislation to reflect the changing context in which personal data is managed. The Data (Use and Access) Act 2025 (DUAA) received Royal Assent in June 2025 and introduced targeted reforms to the UK’s data protection framework. While retaining the core principles of the UK GDPR and the Data Protection Act 2018, the DUAA aimed to simplify compliance, promote innovation and enable responsible data sharing. The Act complemented and did not replace existing legislation. As with the introduction of previous data protection legislation, most elements were awaiting commencement orders, regulations and guidance from the ICO, and the Information Governance Team would continue to ensure the organisation responded appropriately.

The ICO continued to apply its revised approach to working more effectively with public authorities, initially introduced in June 2022. This approach had seen an increased use of the ICO’s wider powers under data protection law, including warnings, enforcement notices and reprimands, as well as a change in its approach to the application of fines in the public sector. The DUAA established a new strategic framework for the ICO to focus on public trust, innovation and competition as well as upholding data protection, changing its governance model to become the Information Commission with an executive and board of directors, and expanded its powers and regulatory oversight.

The number of Freedom of Information requests received by the Council in 2024/25 was 1,381, a small reduction on the number of requests in the previous year. The Council responded to 87% of FOIA/EIR requests within the target time of 20 working days in 2024/25, which was an increase on the previous year. This was just below the 90% threshold set by the ICO.

The Council received 37 requests for internal reviews in the year 2023/24 (up from 30 the previous year) and responded to these with the following outcomes:

·  8 were not upheld – advice and clarification given;

·  10 were not upheld – the exemptions that had been applied were maintained;

·  6 were partially upheld – some further information was provided;

·  9 were upheld – information was provided;

·  3 were upheld – no information was provided;

·  1 was withdrawn.

Three complaints were made to the ICO during 2024/25, compared to none the previous year.

282 valid Subject Access Requests (SARs) were received during 2024/25, similar to the number received in the previous year. While the Council received fewer SARs than other information requests, many of these were complex and could involve managing significant amounts of sensitive information. The number of requests relating to Children’s Social Care, as well as the number of SARs to which extensions were applied due to their size and/or complexity, both increased significantly. The completion rate within the target time had reduced to 71% in 2024/25, from 84% the previous year.

The Council received 19 requests to carry out an internal review into a SAR application during 2024/25, up from 12 the previous year. In 8 cases, further information was provided which was located through further searches based on information provided by the requester or by reviewing the information which had originally been redacted. Where information was not provided, this was due to the original exemptions being upheld or the information not being held by the Council.

Three complaints were made to the ICO related to Subject Access Requests in 2024/25.

In respect of data security incidents, protecting information from theft, loss, unauthorised access, abuse and misuse was crucial in order to reduce the risk of data breaches or financial loss incurred through non-compliance with key legislation. The IG data protection security incident reporting process supported the Council’s objective that breaches were managed promptly, and the outcomes of investigations were used to inform reviews of the control measures in place to keep personal information secure.

The Council actively encouraged the reporting of near misses and potential breaches to identify learning, promote awareness and reduce the likelihood of a serious breach of information, even though not all reported incidents would have resulted in a breach. Even where there was no breach, incidents could provide valuable insight into training requirements and into processes and procedures which might need to be strengthened as a preventative measure. When investigating data protection security incidents, the Data Protection Team routinely considered resultant training needs and provided advice and guidance as required. Messages continued to be provided to staff alerting them to the need to protect personal data and use it appropriately.

In 2024/25, 166 reports of information security incidents were sent to the Data Protection Team, a decrease from 176 in the previous year. Of these, 101 did not involve a breach of personal data. These included, for example, near misses, loss or theft of equipment, cases where technical measures prevented access to data and incidents where a breach was contained. Of the incidents where a breach of personal data was identified, 62 were identified as low risk, 0 medium and 0 high. The majority of reports were classified as information being disclosed in error (64), with 70 reports relating to technical/procedural errors, 24 reports relating to loss or theft of hardware and 3 to unauthorised access.

The GDPR introduced requirements for personal data breaches that meet certain thresholds to be reported to the ICO. No self-reports were made to the ICO during 2024/2025.

Three complaints were made to the ICO during 2024/2025 related to the Council’s data protection obligations. One complaint had already been completed prior to the ICO correspondence being received. The ICO confirmed that it did not intend to take regulatory action on the other two complaints and provided guidance to the Council on measures to implement to avoid future incidents.

Data protection training was key to ensuring staff were aware of their responsibilities. Training was currently delivered through the Council’s e-learning platform and annual completion of the data protection course was mandatory for all staff with access to personal data. Staff who did not have access to a computer in their role (not office based) and those whose role involved minimal personal data were provided with training at an appropriate level. This ensured that an appropriate level of understanding and awareness was reached that was relevant to their role and responsibilities. For the 2024/25 year, the Council reported a completion rate for its mandatory data protection training of 86%. The Elected Member Training and Development Strategy, introduced for the 2022/23 year, also included data protection training.

The Data Security and Protection Toolkit was an online tool that allowed relevant organisations that processed health and care data to measure their performance against data security and information governance requirements which reflected legal rules and Department of Health policy. The self-assessment tool enabled the Council to demonstrate that it could be trusted to maintain the confidentiality and security of personal information, specifically health and social care personal records. All organisations that had access to NHS patient data and systems used this Toolkit to provide assurance that they were practising good data security and that personal information was handled correctly. For the 2024/25 reporting period, the Council met all but 1 of the mandatory requirements. By September 2025, the Council was able to report that it had completed the outstanding requirement, having achieved a data protection training completion rate of 95%, and its assessment was updated to standards met.

RESOLVED that the Audit and Procurement Committee:

1.  Note the Council’s performance on Freedom of Information, Subject Access and other Data Protection Act requests, including the outcomes of internal reviews and the number and outcome of complaints made to the ICO.

2.  Note the reporting and management of data security incidents.

3.  Note data protection training compliance.

4.  Confirm they have not identified any comments or recommendations.
