AUDIT, GOVERNANCE AND STANDARDS COMMITTEE

13 JANUARY 2020

 

GDPR ACTION PLAN UPDATE

 

Final Decision-Maker

Audit, Governance and Standards Committee

Lead Head of Service

Angela Woodhouse, Head of Policy, Communications and Governance

Lead Officer and Report Author

Anna Collier, Policy and Information Manager

Classification

Public

Wards affected

All

 

Executive Summary

This report provides an update on progress against the General Data Protection Regulation (GDPR) action plan, which the Council began implementing in 2017. It also sets the Council’s experience against the national picture presented in the Information Commissioner’s Office report ‘GDPR – one year on’.

 

Purpose of Report

 

Noting

 

This report makes the following recommendations to this Committee:

1.   That the progress of the implementation of the GDPR action plan is noted

 

 

Timetable

Meeting

Date

Audit, Governance and Standards Committee

13 January 2020



GDPR ACTION PLAN UPDATE

 

1.       CROSS-CUTTING ISSUES AND IMPLICATIONS

 

 

Issue: Impact on Corporate Priorities
Implications: We do not expect the recommendations will, by themselves, materially affect achievement of corporate priorities. However, they will support the Council’s overall achievement of its aims as set out in section 3.
Sign-off: Policy and Information Manager

Issue: Cross Cutting Objectives
Implications: The report recommendation supports the achievement of all cross-cutting objectives. It does this by ensuring that the Council collects, processes, stores and deletes residents’ personal information responsibly and in accordance with the GDPR and the Data Protection Act 2018 whilst delivering its objectives.
Sign-off: Policy and Information Manager

Issue: Risk Management
Implications: This report is presented for information only and has no risk management implications.
Sign-off: Policy and Information Manager

Issue: Financial
Implications: The proposals set out in the recommendation are all within already approved budgetary headings and so need no new funding for implementation.
Sign-off: Section 151 Officer & Finance Team

Issue: Staffing
Implications: We will deliver the recommendations with our current staffing.
Sign-off: Policy and Information Manager

Issue: Legal
Implications: Accepting the recommendations will fulfil the Council’s duties under the General Data Protection Regulation and the Data Protection Act 2018.
Sign-off: Legal Team

Issue: Privacy and Data Protection
Implications: Accepting the recommendations will fulfil the Council’s duties under the General Data Protection Regulation and the Data Protection Act 2018.
Sign-off: Policy and Information Manager

Issue: Equalities
Implications: The recommendations do not propose a change in service and therefore will not require an equalities impact assessment.
Sign-off: Policy and Information Manager

Issue: Public Health
Implications: We recognise that the recommendations will not negatively impact population health or that of individuals.
Sign-off: Public Health Officer

Issue: Crime and Disorder
Implications: No impact.
Sign-off: Policy and Information Manager

Issue: Procurement
Implications: No impact.
Sign-off: Policy and Information Manager

 

2.    INTRODUCTION AND BACKGROUND

 

2.1   Before the General Data Protection Regulation came into force, an action plan to ensure that the Council was sufficiently prepared was developed and presented to the Audit, Governance and Standards Committee. Since then the action plan has evolved and the Committee has been given annual updates on progress. At the last update a number of actions were still outstanding.

 

2.2   A copy of the updated action plan is at Appendix 1; progress against the actions that were outstanding at the last update is summarised at paragraph 2.8 below.

 

National overview: the General Data Protection Regulation one year on

 

2.3   The Information Commissioner’s Office (ICO) report ‘GDPR – one year on’ was released in late 2019 and is at Appendix 2.

 

2.4   The report highlights a national picture similar to the Council’s own experience: wider awareness of data protection among residents and service users, and an increase in rights requests and reporting, for example Subject Access Requests and personal data breach notifications.

 

2.5   The ICO’s regulatory priorities for the next year are listed below.  Those of particular note to the Council are underlined.

 

· Cyber security

· AI, big data and machine learning

· Web and cross device tracking

· Children’s privacy

· Data brokering

· Political campaigns

· Surveillance and facial recognition technology

 

2.6   Fines for breaches of the GDPR have been issued elsewhere in Europe but none yet in the UK; however, the ICO has issued two Notices of Intent to fine:

· British Airways

· Marriott hotel chain

 

2.7   It should also be noted that enforcement notices are now being issued against organisations that fail to respond properly to Subject Access Requests (SARs). The Council has a thorough and prompt approach to dealing with SARs, so this is not a cause for concern but a reminder that good practice should be maintained.

 

GDPR action plan progress update

 

2.8   A copy of the updated action plan is at Appendix 1. Of the eleven actions outstanding at the last update, ten have been progressed: nine are now complete and two remain outstanding (one in progress and one not yet started).

 

2.9   Whilst good progress has been made, it has been slower than planned because of staffing challenges and competing projects over the last year.

 

2.10 Of note, a significant amount of time was spent working with Tunbridge Wells Council to develop a shared Data Protection Impact Assessment template. As a result, a much more comprehensive and interactive document has been produced (see Appendix 3). Work was also undertaken with ICT to review processes so that ICT projects do not progress until a data protection impact assessment has been completed.

 

2.11 The one action not yet started is a review of the Council’s Information Asset Register. Whilst it is vital that this is updated, it presents the lowest risk of the outstanding actions, so it was reprioritised and is scheduled to be completed by the end of 2020.

 

 

3.        AVAILABLE OPTIONS

 

3.1     The Committee could continue to receive an annual update on the progress of embedding GDPR into the Council’s processes.

 

3.2     The Committee could choose to receive reports on specific areas of GDPR instead of an annual update.

 

3.3     The Committee could choose not to receive any further updates on the delivery of the GDPR action plan.

 

 

4.        PREFERRED OPTION AND REASONS FOR RECOMMENDATIONS

 

4.1     That the Committee continues to receive an annual update on the progress of embedding GDPR into the Council’s processes until all actions become business as usual.

 

 

5.       RISK

5.1     This report is presented for information only and has no risk management implications.

 

 

6.       CONSULTATION RESULTS AND PREVIOUS COMMITTEE FEEDBACK

 

6.1    The Committee has received an annual update since 2017. The Chair of the Committee also holds a place on the Council’s Information Management Group, which oversees the GDPR action plan.

 

7.        REPORT APPENDICES

 

The following documents are to be published with this report and form part of the report:

· Appendix 1: Action Plan Update

· Appendix 2: ICO report ‘GDPR – one year on’

· Appendix 3: Data Protection Impact Assessment Template

 

 

8.        BACKGROUND PAPERS

 

None