Audit Governance and Standards Committee

19 March 2018

 

Progress update on the General Data Protection Regulation

 

Final Decision-Maker: Audit, Governance and Standards Committee

Lead Director/Head of Service: Head of Policy, Communications and Governance and Data Protection Officer

Lead Officer and Report Author: Anna Collier, Policy and Information Manager

Classification: Public

Wards affected: All

 

 

Executive Summary

The General Data Protection Regulation (GDPR) will replace the Data Protection Act (1998), coming into force on 25 May 2018. This report provides an update on progress with the preparations to ensure that the Council is compliant with the changes.

 

This report makes the following recommendations to this Committee:

1.   The update on the General Data Protection Regulation be noted.

 

 

Timetable

Meeting: Audit, Governance and Standards Committee

Date: 19 March 2018




1.    INTRODUCTION AND BACKGROUND

 

1.1     The purpose of this report is to provide an update on the Council’s preparations for the General Data Protection Regulation (GDPR), which will replace the Data Protection Act (1998) and comes into force on 25 May 2018.

 

1.2     Members were presented with a report in November 2017 that gave a summary of the General Data Protection Regulation and what the Council would need to do in order to become compliant.

 

1.3     Four months into the preparation, this report provides an update on progress to date, information and advice from the Information Commissioner’s Office, and risks that the Committee should be aware of.

 

 

 

2.        Action Plan Progress Update

 

2.1     Over the last four months a substantial amount of work has been undertaken across the authority to ensure that the Council is prepared for, and compliant with, the new data protection legislation.  The action plan is monitored by the Information Management Group, to which the Chair of the Audit, Governance and Standards Committee is invited.

 

2.2     A third of the total action plan is now complete with an additional third in progress or ongoing.  There have been some delays mainly due to difficulties recruiting to a temporary shared post to help support the work. The majority of the actions that were scheduled to be completed by February have been completed with only 2 actions delayed for completion in April.

 

2.3     An overview of the work undertaken is summarised below.

 

Training and awareness raising

 

2.4     The Head of Policy, Communications and Governance (DPO) and the Policy and Information Manager have both undertaken and passed the GDPR Practitioner course and training has been undertaken by the Information and Corporate Policy Officer.  Additional training has been identified as being important to the Data Protection Officer role and this has been booked for later this year.

 

2.5     Four briefing sessions were held for Councillors in January and 21 Councillors attended.  The Council is currently awaiting an e-learning module for Councillors from the Local Government Association, which will be circulated when available.  Further briefing sessions will be held in late April/early May as a refresher and to launch Member guidance.

 

2.6     Team Talks have been issued and run by managers or by the Head of Policy, Communications and Governance or the Policy and Information Manager.  Unit managers have been asked to identify areas where teams have concerns about data protection and specific guidance is being designed around this.

 

2.7     Guidance or ‘Need to Knows’ have been developed and are available to staff and Members on the Council’s intranet site.

 

2.8     The latest edition of Borough Insight contains information for local residents on changes and what it means for them both in terms of their rights and the service they can expect to receive from the Council.  The website will be updated for residents to coincide with Borough Insight’s delivery.

 

Information Lifecycle Audits

 

2.9     Information Lifecycle Audits are the tool officers are using to map the Council’s processes and determine how those processes manage personal information.  They are very intensive, taking between 20 and 40 minutes per process.  We are just over halfway through the audits, with 25 now at various stages between scoping, live and action planning.  The Maidstone-only high risk areas are all at the action planning stage.  The MKS services are being audited initially by external consultants at Tunbridge Wells or Swale and the information passed to Maidstone officers.  Following this, officers will follow up to complete the audit.

 

Information Sharing

 

2.10 We are currently working to develop a clear map of all sharing agreements, shared standard operating procedures and informal sharing agreements that exist across the authority.  Whilst these arrangements can be very helpful for supporting local residents, we do need to ensure they are being used appropriately and are compliant.

 

2.11 The Council was fortunate enough to be invited to join a small working group that is updating the Kent and Medway Information Sharing Agreement.  This work is underway and a completed update is expected by May with training for key staff to follow after. 

 

Partners and Suppliers

 

2.12 All existing contracts which involve the processing of personal information on behalf of Maidstone Borough Council need to be reviewed, to ensure that the suppliers are compliant with the new legislation and to ensure that our expectations are met.  Work has begun identifying all of these contracts and informal conversations started with some suppliers. 

 

2.13 A joint working group has been set up with representatives from Maidstone, Swale and Tunbridge Wells’ procurement teams and MKS legal, to ensure that all the contracts are amended. 

 

2.14 The working group will also be developing standard information which will be used in the tender process and in all new contracts.

 

2.15 The Policy and Information team has been providing support to services by facilitating early informal discussions with suppliers, setting out what we expect them to provide to demonstrate their organisations’ compliance, or providing a GDPR overview where knowledge is low.  This has been additional work that wasn’t anticipated, but it is worth undertaking at this stage, as a lack of compliance by suppliers or partners may result in the Council having to make new arrangements in the future.

 

Documentation

 

2.16 The new legislation requires organisations to have much more detailed documentation than is required under the current legislation, and this work is in progress.

 

2.17 A Record of Processing Activities (ROPA): a comprehensive list of Council activities that process personal data, with a detailed range of information such as the retention period, the legitimate condition for processing and any sharing arrangements. This piece of work is planned to be completed by the end of April 2018, using the information we have gathered from the information lifecycle audits.

 

2.18 Privacy Notices: a notification at the point of collecting information which explains to the customer their rights and how the Council will be managing this information.  This piece of work is being done with Tunbridge Wells to maximise resources.

 

3.        Information Commissioner’s Office Updates

 

3.1     The ICO has been very clear that organisations do not have to be fully compliant by 25 May 2018.  What the Council must be able to do, and will be able to do, is demonstrate that there is a clear plan and preparations in place which demonstrate the following:

·         Organisational commitment to GDPR

·         Understanding the information you have

·         Implementing accountability measures (e.g. appointing a data protection officer if necessary)

·         Ensuring appropriate security of data

·         Training staff

 

3.2     The ICO has confirmed that it will not be mandatory to report all data breaches, but it will be mandatory to report a personal data breach under the GDPR if it is likely to result in a risk to people’s rights and freedoms.  There is work underway to develop a clear process and impact assessment to demonstrate how we have complied with this.

 

3.3     The fees for registering with the ICO are likely to go up significantly from £500 per year to £2900 as the Council will be in the highest fee band.

 

 

4.   RISK

 

4.1     Information management has already been identified as a corporate risk for the Council. The plan at Appendix 1 sets out project risks and steps to mitigate these.

 

 

 

5.       CROSS-CUTTING ISSUES AND IMPLICATIONS

 

 

Issue: Impact on Corporate Priorities

Implications: The introduction of the General Data Protection Regulation will affect both Council priorities, as it will impact on the management of all information collected, used and stored for all Council activities unless legislation states otherwise.

Sign-off: Angela Woodhouse, Head of Policy, Communications and Governance

Issue: Risk Management

Implications: Not preparing, or not sufficiently preparing, for the changes introduced under GDPR leaves the Council open to significant risk.  Should the Council not prepare for GDPR and the ICO investigates, the Council could be at risk of a fine.

Sign-off: Angela Woodhouse, Head of Policy, Communications and Governance

Issue: Financial

Implications: Additional funding has already been made available for training and the shared support resource.

Sign-off: Section 151 Officer & Finance Team

Issue: Staffing

Implications: The preparation is having a significant impact on officers’ time.  The Policy and Information Team is estimated to have at least 1.5 FTE committed to this work, excluding the temporary resource in place. There is also a substantial impact within the Procurement team and ICT team, and service managers are expressing concerns as they begin to process the changes and recommendations being implemented.

Sign-off: Angela Woodhouse, Head of Policy, Communications and Governance

Issue: Legal

Implications: The Council has legal obligations under GDPR and the actions outlined in this report are preparations to ensure that the Council is compliant with these obligations.

Sign-off: Legal Team

Issue: Privacy and Data Protection

Implications: The Council has legal obligations under GDPR and the actions outlined in this report are preparations to ensure that the Council is compliant with these obligations.

Sign-off: Legal Team

Issue: Equalities

Implications: Whilst auditing services there may be a need to change processes, and an EQIA may need to be completed at that time.  Equalities data is personal data and can be sensitive personal data; audits will need to consider whether this data is required, alongside consideration as to whether collecting the data will ensure that services are delivered equitably.

Sign-off: Angela Woodhouse, Head of Policy, Communications and Governance

Issue: Crime and Disorder

Implications: Services operating within this area will be audited alongside other services.

Sign-off: Angela Woodhouse, Head of Policy, Communications and Governance

Issue: Procurement

Implications: In order to ensure compliance with GDPR, the processes around procurement will need to be updated.

All existing contracts which process personal data also have to be reviewed; this is a substantial amount of work which has been considered and is being undertaken as part of a shared arrangement with the other Mid Kent authorities.

Sign-off: Angela Woodhouse, Head of Policy, Communications and Governance

 

6.        REPORT APPENDICES

 

The following documents are to be published with this report and form part of the report:

·         Appendix 1: Risk Register

 

 

7.        BACKGROUND PAPERS

 

7.1     Audit Governance and Standards Committee Report Update General Data Protection Regulations 20 November 2017

 

7.2     Information Commissioner’s Office guide to the General Data Protection Regulation https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/