Agenda item

Information Management Annual Report

Report of the Director of Business Change and Information Solutions

 

Minutes:

5.1

Mark Gannon, Director of Business Change and Information Solutions and Catherine Hodgkinson, Senior Information Management Officer, attended the meeting and presented the report.

 

5.2

Mark Gannon informed the Committee that the Annual Report was retrospective and would not show the impact of Covid-19.  This would be reflected in the next year’s report.

 

5.3

Information Management was a complex landscape, subject to law and codes of practice, mainly General Data Protection Regulations (GDPR), Freedom of Information (FOI) and Regulation of Investigatory Powers (RIPA).  The Council also had a strong network of Caldicott Guardians who were responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly.

 

5.4

GDPR covered mainly Data Protection (DP) and this was an ongoing and ever-changing field. Constant vigilance was needed and the area was under constant review, to reflect guidance from the Information Commissioner’s Office and case law.  The most commonly received request under data protection law was that of Subject Access Requests. 2019/2020 was the first year in which the Council achieved a target of 85% of requests being responded to within the statutory time period. This was a major improvement on previous years, especially within the context of a higher volume of requests received than in previous years.

 

5.5

FOI included a number of obligations to which the Council must respond.  93% of FOI requests received were responded to on time. A number of internal reviews had been requested.

 

5.6

The Council was also working on improving how open data was published.  Officers were encouraged to publish as much as possible, as this could reduce the number of FOI requests received.

 

5.7

231 data security incidents had been logged in 2019/20.  Officers were encouraged to report data breaches, no matter how small.  Only five data breaches had needed to be reported to the Information Commissioner’s Office (ICO).

 

5.8

RIPA powers were very specific and were used infrequently.  Only 3 applications were granted in 2019/20.  The use of RIPA was independently assessed on a three-year rolling programme and the last inspection had had a positive outcome. A correction to the report was noted. At paragraph 8.5 of the report, it was reported that the Council had conducted two surveillance activities under the Directed Surveillance Authorisations. However, the Committee was advised that this figure should have read ‘three’ surveillance activities.

 

5.9

Councillor Angela Argenzio stated that she was pleased that training was mandatory and asked that the list of officers be placed on the Members intranet.  A progress report was requested on the GDPR Action Plan.  She further asked whether there were any worries regarding Brexit and DP and whether any departments were resistant to sharing open data.

 

5.10

Mark Gannon noted that Catherine Hodgkinson was currently working on a status report on GDPR and that Brexit was causing some concerns regarding where data is stored and contract assessments.  Catherine Hodgkinson confirmed that ICO guidance prioritised suppliers processing personal data and assurances were being sought from suppliers that they would remain compliant with any regulations.  It was also noted that there was no resistance to data migration, but it possibly wasn’t given enough focus.

 

5.11

Councillor Simon Clement-Jones asked what the Council would use its RIPA powers for.  Catherine Hodgkinson explained that RIPA could only be used in very limited circumstances, mainly in Trading Standards cases.  All authorisations were approved by the relevant Executive Director and a magistrate.  The authorisations were also time limited.

 

5.12

Councillor Mohammed Mahroof asked whether the Council suffered from Council House Tenancy Fraud and Linda Hunter confirmed that this was not a known problem, but this would be confirmed to Members.

 

5.13

Councillor Adam Hurst asked how the Council got to know about fraud.  It was explained each department could have different types of fraud.  There was a dedicated team within Internal Audit who responded to any referrals or whistleblowing cases. This team also regularly met with fraud teams from Core Cities and South West Yorkshire Group and identified common themes and potential fraud areas.

  

5.14

RESOLVED: That the annual information governance update be noted.

 

 
