Agenda item

Data Protection Act 2018 (GDPR) Progress to Compliance

Minutes:

Ms Anna Collier, Policy and Information Manager, presented her report setting out the progress of the delivery of the General Data Protection Regulation Action Plan which was first reported to the Committee in November 2017.  Ms Collier explained that:

 

·  The General Data Protection Regulation became law on 25 May 2018 as the Data Protection Act 2018.  The legislation provided a framework within which personal information must be managed taking into consideration collection, processing, storage, retention period and deletion.  It also set out requirements about how this would be communicated to those whose data was processed by the Council.

 

·  Implementing the changes had meant an extensive review of service areas and processes across the Council, and the exercise had been extremely complex in terms of the volume and intricacies of the processes.

 

·  Overall, significant progress had been made to ensure compliance with the requirements of the legislation.  Information lifecycle audits had been completed with all services reviewing all processes.  Training, briefings and guidance had been provided for Officers and Members, and the range of statutory documents that the Council was required to have in place, including a Record of Processing Activity (ROPA) and Privacy Notices, had been implemented.

 

·  As might be expected with the introduction of significant legislative changes, there had been and continued to be challenges.  For example, whilst the report stated that the volume of Subject Access Requests (SARs) had not increased as might be expected, the number of requests had now started to increase, and this would be monitored as they could be very resource intensive.

 

·  The original Action Plan had been reviewed and revised.  The key areas of focus over the next year included:

 

Revisiting services to ensure actions identified are being implemented;

Implementing a programme of ongoing monitoring of the ROPA and the Retention Schedule;

Ensuring systems are compliant, particularly in relation to retention, deletion and security;

Updating the Information Asset Register; and

Implementing cultural changes to ensure that Data Protection Impact Assessments are being considered at the start of all projects; information sharing is being consistently logged; and information is deleted at the end of retention periods.

 

In response to questions by Members, Ms Collier explained that:

 

·  Whilst the volume of Freedom of Information requests remained high, there had not necessarily been an increase across the board.  In terms of SARs, the increase had been more in relation to front-facing services where people might wish to challenge the actions of the Council, and also generally because people were exercising their right to make a request.

 

·  Every effort was being made to implement the Action Plan with existing resources within the team plus some additional support because of the volume of work.  It was not anticipated that it would be necessary to take on any additional staff permanently at the moment, but if SARs continued to increase in volume, additional administrative support might be needed.

 

·  For consistency, a privacy notice would be put on the website for Members as Data Controllers in their own right to link to if they wished, and Members would be advised accordingly.

 

RESOLVED:  That

 

1.  The progress of the delivery of the General Data Protection Regulation Action Plan and the challenges to date be noted.

 

2.  The next steps and new Action Plan be noted.

 
