Audit, Governance and Standards Committee

19 November 2018

 

Data Protection Act 2018 (GDPR) progress to compliance

 

Final Decision-Maker: Audit, Governance and Standards Committee

Lead Head of Service/Lead Director: Angela Woodhouse, Head of Policy Communications and Governance

Lead Officer and Report Author: Anna Collier, Policy and Information Manager

Classification: Public

Wards affected: All

 

Executive Summary

 

The Data Protection Act 2018 became law in May 2018.  An action plan has been in place for the past year to ensure that the Council was prepared for the changes and is compliant.  This report provides the Audit, Governance and Standards Committee with an update on progress and sets out the further actions required.

 

 

This report makes the following recommendations to Audit, Governance and Standards Committee:  That

1.   Progress and challenges to date be noted.

2.   The next steps and new action plan be noted.


Timetable

Meeting                                      Date
Corporate Leadership Team                    16/10/2018
Audit, Governance and Standards Committee    19/11/2018


1.     INTRODUCTION AND BACKGROUND

 

1.1     The purpose of this report is to provide an update on progress in preparing for, and complying with, the Data Protection Act 2018, which implements the General Data Protection Regulation (GDPR) in the UK and came into force on 25 May 2018. 

 

1.2     A report was presented in November 2017 which set out the proposed resources and actions required for compliance, alongside a detailed action plan. This action plan can be seen at Appendix 1. 

 

1.3     This report provides an update on progress to date and highlights the areas where further work is required.

 

2.        Achievements to date

 

2.1     The original action plan, with delivery status, can be seen at Appendix 1; a summary of the key actions delivered is set out below. 

 

Preparation, training and guidance

 

2.2     Audits have been completed across the authority to identify what personal data is requested, how it is collected, how it is stored, what its retention period is and how it is deleted.

 

2.3     A range of training has been undertaken by the Head of Policy Communications and Governance and by the Policy and Information Manager and team on GDPR and related legislation and regulations, namely the Privacy and Electronic Communications Regulations and the Regulation of Investigatory Powers Act.

 

2.4     Briefing sessions were provided to Councillors, and Team Talks were developed and run by managers or by the Head of Policy Communications and Governance and the Policy and Information Manager.

 

2.5     New Data Protection Act training was developed on the internal Elms learning system and rolled out to all staff and Members.

 

2.6     A full range of guidance titled ‘Need to Knows’ has been developed and is available on the intranet. These offer guidance to staff on a variety of topics, including dealing with access to information requests, data protection and redaction. 

 

Statutory Changes

 

2.7     Within the legislation there are several requirements that the Council has to ensure are completed in order to be compliant.

 

2.8     Under Article 30 of the GDPR, organisations are required to hold a Record of Processing Activities (ROPA). The first version has been developed using data collected from the audits.  The ROPA is, however, a live document and will need regular review: councils that were the first to work with the ICO on preparations for GDPR have reported that developing the ROPA is iterative and that refinements are continual.

 

2.9     The requirements for privacy notices have been significantly extended, both in the information they must contain and in how they are presented. Using data collected in the audit and stored in the ROPA, privacy notices have been developed for all services and are now published on the website.  

 

2.10 A Data Protection Impact Assessment (DPIA) is a process to help identify and minimise the data protection risks of a project.  A template and screening questions have been developed and are available on the intranet, and officers are providing guidance and support for the new projects that have emerged since May.   Work is now required to raise awareness that DPIA screening must take place before a project starts, so that data protection is taken into account from the outset rather than retrofitted.  

 

2.11 The legislation has changed the timescales for dealing with personal data breaches and Subject Access Requests (SARs): a breach that meets the reporting threshold must be notified to the ICO without undue delay and, where feasible, within 72 hours of the Council becoming aware of it, and SARs must be answered within one month rather than the previous 40 days.  Both processes were already well established and managed within the Council, and have been updated in line with the changes.  Officers across the Council have demonstrated a good understanding of how to handle these matters and maintain good communication with the Data Protection Officer and the Policy and Information Team.

 

2.12 The Council was part of a small working group that developed the new Kent and Medway Sharing Agreement, which sets the framework within which Kent partners must operate in order to share information appropriately and securely. All internal documentation has also been updated. Training now needs to be rolled out so that the new agreement is properly understood and used by the teams that share data.

 

 

3.        Challenges

 

3.1     The Information Commissioner's Office (ICO) has been slow to produce guidance for local authorities. In certain areas it has therefore been difficult to move quickly, as the legislation has been challenging to interpret.

 

3.2     There has been an issue with capacity within the team due to competing priorities; despite this, good progress has been made by reviewing resources and upskilling members of the Policy and Information Team. 

 

3.3     Progress has been made, through the diligence of the procurement and legal teams, in ensuring that contracts are compliant (the legislation requires that contracts with processors set out specified terms governing the processing).  This has been slower than we would have liked because of the workload pressure on the legal team, which is carrying out this task for three authorities.

 

3.4     Whilst there was some fear that the volume of SARs would increase dramatically, this has not occurred.  There has nonetheless been an increase, and the volume of Freedom of Information (FOI) requests remains high, so the time required to redact information has become more evident.  More resource and support are therefore needed for this activity, including PDF PRO software.

 

4.        Next Steps

 

4.1     The original action plan (shown at Appendix 1) has been reviewed and revised. The new updated action plan can now be seen at Appendix 2. 

 

4.2     Whilst there has been significant progress and key activities have been implemented to ensure compliance, there are areas which need regular review or which need further attention to ensure they are sufficiently embedded.  

 

4.3     The key areas of focus over the next year are:

 

·         Revisiting services to ensure actions identified are implemented

·         Implementing a programme of ongoing monitoring of the ROPA and Retention Schedule

·         Ensuring systems are compliant particularly in relation to retention, deletion and security

·         Updating the Information Asset Register

·         Implementing cultural changes to ensure that

o   DPIAs are being considered at the start of all projects 

o   Information sharing is being consistently logged

o   Information is deleted at the end of retention periods

 

4.4     From January 2019 the Policy and Information Manager will also act as the Data Protection Officer (DPO) for Tunbridge Wells Borough Council (the legislation permits a single DPO to be designated for several public authorities).  This will generate income, as the support is being provided to Tunbridge Wells at a charge, and it also offers more opportunity to collaborate on some actions.  However, it should be noted that it will put additional strain on the resource available for implementing the Maidstone action plan.

 

4.5     In order to offset this burden, a temporary information management assistant post is being put in place in the Policy and Information Team.    Recruitment is also under way for the next National Management Trainee (NMT) on the National Graduate Development Programme (NGDP).  At this stage it is envisaged that this post will support the DPOs at both Maidstone and Tunbridge Wells, but it should be noted that the placement, if approved, will not start until September 2019.

 

 

 

5.        AVAILABLE OPTIONS

 

5.1     The Audit, Governance and Standards Committee has previously expressed an interest in compliance with, and progress in meeting, the requirements of the new Data Protection Act 2018. The Committee could, however, choose not to receive updates in their current format or frequency.


6.        PREFERRED OPTION AND REASONS FOR RECOMMENDATIONS

 

6.1     That the Committee continues to receive the report annually until all actions become business as usual, with ongoing updates to the Information Governance Group. 

 

 

7.       RISK

7.1     Information management has already been identified as a corporate risk for the Council. The action plan at Appendix 2 sets out steps to mitigate that risk.  Having an action plan in place that demonstrates awareness of the issues and sets out planned improvements is a key factor in assuring the Information Commissioner's Office that the Council maintains good information management arrangements.


8.       NEXT STEPS: COMMUNICATION AND IMPLEMENTATION OF THE DECISION

Issue: Impact on Corporate Priorities
Implications: We do not expect the recommendations will by themselves materially affect achievement of corporate priorities.  However, they will support the Council’s overall achievement of its aims as set out above.
Sign-off: Angela Woodhouse

Issue: Risk Management
Implications: Refer to section 7 of the report.
Sign-off: Angela Woodhouse

Issue: Financial
Implications: The requirements of the Data Protection Act will be met from within existing budgets.
Sign-off: Section 151 Officer & Finance Team

Issue: Staffing
Implications: We will deliver the recommendations with our current staffing.
Sign-off: Angela Woodhouse

Issue: Legal
Implications: Accepting the recommendations will fulfil the Council’s duties under the Data Protection Act 2018.  Failure to accept the recommendations without agreeing suitable alternatives may place the Council in breach of the DPA 2018.
Sign-off: Legal Team

Issue: Privacy and Data Protection
Implications: Accepting the recommendations will fulfil the Council’s duties under the Data Protection Act 2018.  Failure to accept the recommendations without agreeing suitable alternatives may place the Council in breach of the DPA 2018.
Sign-off: Legal Team

Issue: Equalities
Implications: The recommendations do not propose a change in service and therefore will not require an equalities impact assessment.
Sign-off: Angela Woodhouse

Issue: Crime and Disorder
Implications: No impact.
Sign-off: Angela Woodhouse

Issue: Procurement
Implications: No impact.
Sign-off: Angela Woodhouse

 

9.        REPORT APPENDICES


The following documents are to be published with this report and form part of the report:

·         Appendix 1: Action Plan

·         Appendix 2: New Action Plan