
Minutes:

The Service Director - Finance and Improvement Services gave a brief introduction to the purpose of the presentation to be delivered by the Data Protection and Improvement Officer. The Service Director noted the role of the Committee in overseeing the Council’s risk management arrangements, one aspect of which is the on-going review of the Strategic Risk Register, which includes Information Management. The Service Director added that the presentation would provide Members with an overview of the area of Information Management, together with the key risks and the arrangements in place to manage and mitigate them.

The presentation was delivered under the following key headlines:

- Strategic Risk Register - Information Management
- The Role of the Information Management Team
- Information Management Team - Who we support
- Legal Drivers
- ICO ‘GDPR Accountability Framework’
- How we comply
- Key priorities for 2022-23

The Data Protection and Improvement Officer provided context by informing Members of the significance of managing personal data in accordance with legislation, both to avoid financial penalties and sanctions and to support the effective delivery of services by the Council.

The Data Protection and Improvement Officer outlined to Members the role of the Information Management Team, which supports the Council and, under Service Level Agreements, external bodies, to ensure compliance with data protection legislation. Members were given an overview of the organisations supported by the Information Management Team, which include: all Council Services, 113 Schools, Elected Members (Ward Cllr & Representative), Central South Consortium Joint Education Service, South Wales Central Area Coroner’s Services, South East Wales Corporate Joint Committee and the public (citizens, service users, visitors).

In relation to Legal Drivers, the Data Protection and Improvement Officer highlighted to Members the changes made to data protection legislation over recent years. Members were made aware that the introduction of the EU GDPR legislation on the 25th May 2018 resulted in greater obligations on organisations, along with enhanced mandatory requirements in addition to those which were in place under the Data Protection Act 1998.

The Data Protection and Improvement Officer highlighted the significant increase in the monetary penalty notices issued by the Information Commissioner’s Office (ICO), from £500,000 under the Data Protection Act 1998 to a maximum of £17.5 Million for large organisations under UK GDPR & the Data Protection Act 2018. The Data Protection and Improvement Officer informed Members of the ICO’s introduction of the GDPR Accountability Framework, and Members were made aware that under the new legislation compliance is significant and demonstrating compliance is vital. The accountability framework is an opportunity for Local Authorities to assess an organisation’s compliance against the requirements of GDPR, and the Data Protection and Improvement Officer informed Members of the 10 key categories for accountability, as set out in the accountability framework.

The Data Protection and Improvement Officer continued by highlighting to Members how compliance is achieved across the 10 key categories of accountability.

To ensure compliance with the GDPR transparency requirements, Members were informed of the Council’s use of its website, forms and applications to inform the public of their information rights and of how their personal data is processed; the Council has in excess of 90 service-specific privacy notices published on its website. The Data Protection and Improvement Officer informed Members that one of the information rights exercised most within the Council is the right of access, whereby individuals request a copy of their personal data. In 2020/21, 157 requests were received, of which 104 were validated. Of these requests, 78% were responded to within the statutory timeframe (1 month). In comparison, in 2021-22 (April-December 2021), 204 requests were received, with 138 validated, and 83% of the requests were responded to within the statutory timeframe.

The Data Protection and Improvement Officer informed Members of the Council’s well-established incident response procedure for information security incidents and events and for personal data breaches. In line with legal requirements, records of data breaches must be kept regardless of their severity. Due to increases in the number of phishing and cyber incidents, specific procedures have been implemented to handle those breaches, and Members were provided with an overview of data breaches between 2020 and 2022 (April-Dec 2021). It was noted that 7 breaches were reported to the ICO in 2021-2022; 5 resulted in no further action and 2 are awaiting the outcome / feedback from the ICO.

To conclude, the Data Protection and Improvement Officer provided Members with an overview of the key priorities to be implemented for 2022-23. These covered the delivery of key services under Service Level Agreements; deploying new mandatory data protection e-learning training to staff, all schools and Members; supporting the governance arrangements for Phase 2 of the South East Wales Corporate Joint Committee; and supporting the delivery of the Council’s Digital Strategy 2022-26 (the Strategy being subject to approval).

The Chair noted the comprehensive presentation provided, recognised the complexities faced by the team, and gave Members of the Committee the opportunity to ask questions.

One Member questioned the ease of access to information on the Council’s website and whether more could be done to make the information more accessible. The Member also asked whether the team had learned lessons in relation to data breaches and what could be done in the future to further reduce them.

In response, the Data Protection and Improvement Officer advised of the transparency and openness of the Council in ensuring individuals can easily access information, and noted the use of Data Protection logos on the website which take individuals to the data protection page. The Data Protection and Improvement Officer confirmed there is on-going collaborative working with other departments within the Council to implement simpler, easy-to-understand data protection guidelines for vulnerable adults and children, and advised on the potential of working alongside schools to raise awareness among young adults and children of their information rights. With regard to lessons learned, the Data Protection and Improvement Officer advised that thorough investigations are undertaken into any data breaches within the Council to prevent them from recurring; based on those investigations, action plans are compiled and monitored in order to mitigate the risk of recurrence. The Data Protection and Improvement Officer also noted that the potential risks involved in processing personal data as a result of human error are recognised.

One Member inquired about the possibility of a national cyber attack on Council systems. The Data Protection and Improvement Officer advised that there is always a risk due to the increase in sophisticated scams; however, the Officer advised that the Council has implemented more technical and robust measures to prevent, as far as possible, such attacks. The Service Director - ICT and Digital Services acknowledged the heightened risks involved due to the growth of the digital world; however, he concurred with the Data Protection and Improvement Officer’s response by reassuring Members of the on-going monitoring arrangements in place to ensure cyber resilience and security are implemented across the Council. The Service Director - ICT and Digital Services also advised of collaborative networks utilised, such as the UK Government’s National Cyber Centre, which provides intelligence on potential risks to be aware of.

Following discussions, the Governance and Audit Committee RESOLVED:

- To note the content of the presentation
