Information Governance: Annual Report of the Senior Information Risk Owner (SIRO) 2019/20

To present the report of the Director of Function (Council Business)/ Monitoring Officer.

Minutes:

The Annual Report of the Senior Information Risk Owner (SIRO) for 2019/20 was presented for the Committee’s consideration. The report set out the SIRO’s statement and overview of the Council’s compliance with the legal requirements and relevant codes of practice in handling corporate information and, at Appendices 1 to 7 provided information about the Council’s contact with external regulators, security incidents and breaches of confidentiality or near misses along with Freedom of Information requests and complaints during the period.

The Director of Function (Council Business)/Monitoring Officer and designated Senior Information Risk Owner (SIRO) highlighted the main points arising on the Annual Report as follows –

- That this was the first year the SIRO felt able to state with confidence that there is significant documented evidence to demonstrate that the Council’s data protection and information governance arrangements are good and not just satisfactory, as has been the opinion in previous years.

- This assessment is based on the information governance systems, processes, policies and training the Council has in place, which have been strengthened during the past year. The report also provides evidence of how the Council deals with data, it being the SIRO’s considered opinion that this particular work has remained stable for some time. Additionally, the SIRO considers that information governance is now embedded within the operational culture of the Council and that this was demonstrated during the response to the Pandemic.

- That the nature of requests for the Legal Service’s guidance and support has changed. In the past, services were reluctant to share instances of data breaches or to ask for advice thereon; in more recent years services progressed to actively seeking the Legal Service’s advice on how to respond to data breaches; by now, services are seeking the Legal Service’s endorsement of actions they propose to take in response to identified data incidents, in line with what they understand are the expectations.

- That Appendices 2, 3, 4 and 5 demonstrate a pattern of robust action with regard to dealing with specific requests for information on a day-to-day basis, e.g.:

  - Of the 6,905 Freedom of Information questions submitted and dealt with, 12 resulted in requests for an internal review of the decision made by the Council, with the original decision upheld in 9 cases; 2 cases resulted in the Council Service’s response being changed and new refusal notices issued, and in one case a determination was made that a Section 21 refusal notice should have been issued as the information was available to the applicant by other means. A total of 3 FOI appeals were lodged with the ICO during this period, one of which was withdrawn; in one of the other two cases the Council was required to provide advice and assistance to the requestor within a specified timescale, and in the other case the Council was required to respond within 10 working days.

  - Of the 7 Data Protection Act (DPA) complaints to the Council, none of the complaints were upheld; the Council’s processing was lawful and the data subject rights could not be exercised. The Information Commissioner contacted the Council in respect of 3 DPA complaints and, whilst the matters were not ultimately investigated by the ICO, the Council was asked to review its responses and take any steps to ensure that the complaints were dealt with fully. This was done.

  - Of the 24 Subject Access Requests received, 83% of the responses were sent within the one month deadline. The responses to 3 of the requests were late by a few days, and one request was complex and took 3 months to respond to (one month over the statutory time permitted for complex cases).

  - During the period the Council made 2 successful applications for Covert Human Intelligence Sources (CHIS) authorisations.

- During the period of the report, the Council’s policy and procedures under the Regulation of Investigatory Powers Act 2000 (RIPA) were revised and training was provided to operational staff. The use of the Surveillance Camera Commissioner’s CCTV-specific Data Protection Impact Assessment and Guidance was introduced, and a register of CCTV systems, managers and operators was created. A new CCTV policy was also developed.

- The Council’s information governance policies were reviewed and quality assured during the period (Appendix 6 refers). Ten key policies were reviewed to ensure compliance with current ICO guidance and case law. The policies are due for their next review in 2022.

- A work plan for data protection was developed in the months following the implementation of the new data protection legislation in 2018. A summary of the current work plan to March 2021 is provided at Appendix 7. Items shown as outstanding and requiring completion will be addressed as soon as services are able to resume the work. An audit of the use of consent as a lawful ground for processing has been concluded in all services apart from the Learning Service. The work, which had re-commenced, was stalled by Covid-19 but is planned to re-commence during 2020. Work is also planned to re-commence on developing and monitoring the Council’s Article 30 Record of Processing Activities (ROPA).

In response to questions raised by the Committee, specifically in relation to the risk implications of the outstanding audit in the Learning Service, the workload pressures generated by the volume of FOI requests year on year and the management of CCTV, the Director of Function (Council Business)/Monitoring Officer further clarified –

- That under the new data protection legislation that came into force in 2018, services are required to demonstrate they are processing personal data under a statutory authority if a statutory authority exists, and that they are not solely relying on consent, because that involves risk. The Learning Service was not able to allocate any internal resources to undertake the work with Legal Services, who in turn could not undertake it on their behalf. Although the Director of Education, Skills and Young People is committed to carrying out the audit, current circumstances mean that the Learning Service is focusing resources on returning pupils to school, making it difficult for the service to specify a timescale for completing the audit work. Not completing the audit does render the service open to a potential degree of risk that does not apply to the other services, which have recognised the statutory basis for processing personal data and are therefore at less risk of individuals unhappy with the way their data has been processed being able to make a valid complaint.

- That the number of FOI requests does increase year on year in every local authority as public awareness of rights increases. The number of overall requests was approximately 1,500; the figure in the report includes the number of individual questions asked, in order to give an indication of the level of demand. Some requests are submitted as multiple questions, and some services receive significantly more enquiries than others. The number is high and continues to grow, as does the resulting workload.

- That with regard to the management of CCTV, individual Heads of Service, through their staff, operate, manage and supervise the systems under their jurisdiction. The change in policy involves ensuring that there is corporate oversight of the circumstances in which services can develop systems.

Having considered the report, the Audit and Governance Committee resolved –

- To accept the SIRO’s statement covering the period April 2019 to March 2020.

- That the Learning Service ensures that adequate resources are allocated to ensure that the long outstanding consent audit is completed.

- That the Council’s development of its GDPR Article 30 Record of Processing Activities is supported by its services.

- To endorse any remaining actions on the Data Protection Work Plan as reflecting the information governance risks facing the Council.

NO ADDITIONAL ACTION WAS PROPOSED