Agenda item

Information Management Annual Report

Report of the Data Protection Officer / Senior Information Management Officer.

Minutes:

6.1

The Senior Information Management Officer submitted a report providing an update on the Council’s position in preparing for and complying with the General Data Protection Regulations and the Data Protection Act 2018, both of which came into effect on 25 May 2018, the latter replacing the Data Protection Act 1998.

6.2

Mark Jones, Senior Information Management Officer, commented that the priority was to ensure compliance across the Council, but in particular in the higher-risk areas that process large amounts of personal and sensitive personal data, for example social care, housing, etc. The Information Management Team had worked, and continues to work, with representatives across the portfolios to provide advice and guidance on the work required, but is reliant on staff to assist with compliance. The team is attempting to embed compliance within the organisation through the business strategy teams.

6.3

Mark Jones further commented that he was aware there were still some data protection issues within the organisation, which the team were working to resolve. If an employee or a manager became aware of an issue they should report it to the Information Management team to help improve or resolve the situation as quickly as possible.

6.4

In response to a question from a Member regarding risk, Mark Jones commented that risks of non-compliance were high and the Information Commissioner’s Office (ICO) could issue fines of up to £20m for non-compliance with data protection. However, the ICO had confirmed the new data protection laws were the start of a new beginning and accepted that organisations may not be compliant by May 25th, but needed to be working towards compliance and be able to demonstrate this. The ICO has a range of enforcement powers, which include fines, but fines have generally been confined to incidents involving personal data breaches.

6.5

In respect of IT, Mark Jones confirmed that work was still being carried out to identify where personal data was being held. Individual services are responsible for managing personal data in accordance with the law, and the Information Management team is not yet confident it has clear visibility of where all this information is held. Work is ongoing to identify what personal data is held and where, and to identify any potential non-compliance issues, for instance if personal data cannot be deleted because of system or software limitations. If a partner organisation of the Council failed to comply with the regulations they may be liable rather than the Council.

6.6

Regarding contractors, Mark Jones commented that the Information Management team is working with Procurement Services to help ensure appropriate clauses and documentation are in place when personal data is being processed as part of a contract, for example Data Processor Agreements. He was hoping that by Christmas, processes would be in place to help ensure compliance from contractors.

6.7

In response to a question from a Member, Mark Jones commented that there were pockets of non-compliance evident in many organisations, particularly organisations the size of the Council. Subject Access requests were a particular issue. However, there was lots of evidence of good practice across the organisation.

6.8

Mark Jones further commented that when the General Data Protection Regulations came into force on May 25th, the Data Protection Act 1998 was also replaced with the Data Protection Act 2018. The new Act provides the detail of how organisations can process personal data, but its lateness has meant the Information Commissioner’s Office has not been able to provide clear guidance on all the areas. The Information Management team has provided guidance to council officers and will continue to do so, but is in part dependent on the Information Commissioner’s advice and guidance, code of practice, and casework decisions.

6.9

In response to a further question from a Member regarding historical documents, Mark Jones commented that the Council had a records management service which was a secure unit managed by professional staff. They were aware of the sensitivity of the information they held.

6.10

Resolved: That the actions to date be noted, the ongoing work be supported and Mark Jones be invited to a future meeting of the Committee to provide a further update.
