Agenda item

Information Governance: Annual Report of the Senior Information Risk Owner (SIRO) 2023/24

To present the report of the Director of Function (Council Business)/Monitoring Officer.

Minutes:

The report of the Director of Function (Council Business)/Monitoring Officer providing an analysis of the key information governance issues for the period 1 April 2023 to 31 March 2024 including current information risks and mitigations, was presented for the committee’s consideration. The report provided the Senior Information Risk Owner’s statement and overview of the Council’s compliance with legal requirements in handling corporate information and compliance with the UK GDPR, Data Protection Act 2018, Freedom of Information Act 2000, Regulation of Investigatory Powers Act 2000 (Surveillance) and relevant codes of practice.

The report was introduced by the Data Protection Officer and Corporate Information Governance Manager who highlighted the key points with regard to contact with external regulators, security incidents, breaches of confidentiality and/or near misses during the period.

At the invitation of the Chair, Officers on behalf of the Learning, Public Protection, Resources and Information Technology services gave account of the reasons for their services’ late responses to Freedom of Information Act (FOIA) requests during the reporting period and the remedial actions being taken to achieve the expectations of the Information Commissioner’s Office that 90% of FOIA requests are answered within twenty working days. The lack of a dedicated resource to manage FOIA requests within services, the complexity of requests and having to balance retrieving and providing the information for applicants with day-to-day operational duties were cited as reasons for not responding promptly to FOIA requests in all instances.

The following were points of discussion by the committee –

  • The responsibility within the Council for assigning FOI requests to various service areas and whether the timeline for responding applies from when the request is received centrally by the Council or from when it is allocated to the service and/or information holder.
  • The process with regard to the twenty-nine subject access requests which are on hold pending confirmation or clarification regarding the identity of the applicants.
  • Whether the Council is responsible for ensuring that the partner organisations, external bodies and/or companies it works with, contracts with, or which operate on its behalf comply with GDPR and data protection requirements.

The Committee was further advised as follows –

  • That while FOIA requests are normally received and distributed centrally by the Data Protection Officer and Corporate Information Governance Manager’s team, an FOIA request may on occasion be embedded in ongoing correspondence or a general enquiry in which case it would be forwarded to the central team. The first day of the twenty working days timeline commences the day following the day on which the FOIA request is received. The Council has been developing the CRM system as a means of hosting and managing the administration of the FOIA and complaints processes. It is envisaged that using the CRM system to manage the contact relationship between the central team and officers will result in improved performance.
  • That there is no requirement on the Council to process the twenty-nine subject access requests currently on hold unless the applicant is able to prove their identity, as disclosing information to an individual who is not entitled to receive it is unlawful. Most of the requests are on hold because the applicant has failed to provide the Council with evidence of identity. The requests will be deleted after a period of time as they are not valid and cannot be actioned without breaching the same law which the Council is seeking to uphold.
  • That the Council is responsible for ensuring that its GDPR and data protection responsibilities extend along the chain when contracting for services. The legislation imposes a duty on the Council to ensure that in cases where it commissions another body to provide a service which involves the processing of personal data an agreement is put in place which places the same responsibilities for managing information risks and ensuring the security of the data on the body so commissioned, and on any sub-contractors which the body may engage. While there is no legal requirement for such an agreement in instances where the Council works in partnership with other councils and/or charities, there is an expectation that the same standards of data protection are adhered to. In addition, the Council should when procuring services from other providers assure itself that cyber risks have been considered and that it only procures from companies that operate to a high level of data protection and cyber security.

It was resolved to accept the report and to approve the recommendation that the SIRO and the Council’s senior leaders are provided with regular updates on cyber risks and mitigations so that informed, strategic decisions relating to the constant cyber threat to the integrity and confidentiality of the Council’s data assets can be made promptly and effectively.