Agenda item

Sally Brooks, Data Protection Officer:

a)    presented a report to update Audit Committee on progress made with Information Management monitoring the councils compliance with data protection legislation including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA)

b)    highlighted that update reports were submitted to Audit Committee on a bi-annual basis, given the implementation of GDPR in May 2018 and compliance now becoming business as usual for the council

c)    reported that due to the coronavirus pandemic a report had not been provided since September 2019, and in March the Information Commissioner’s Office (ICO) confirmed that delays on data protection requests were understandable during the pandemic when resources were focused elsewhere on the response and that they would take this into account in any enforcement action

d)    advised that Information Management resources had been utilised in the governance arrangements surrounding the increased sharing of data required in the response to the pandemic, whilst continuing to ensure data protection compliance

e)    explained that the Audit team completed a report on Information Management and the GDPR in June 19 and gave the council ‘substantial assurance’ for its Information management and Information governance arrangements

f)     outlined a number of recommendations made for improvements by the Audit team as detailed at paragraph 3.3 of the report which had now been completed with further work planned

g)    reported on continuous resources required to ensure compliance with data protection laws was business as usual for the council as detailed at paragraph 3.4 of the report

h)    highlighted that In 2019 there was a significant 172% increase in data protection requests likely due to an increase in public awareness of individual’s data rights following implementation of the GDPR

i)     reported on work completed in relation to contracts as detailed at paragraph 4 of the report

j)     further reported on data protection training underway by the council at paragraph 5 of the officers report which was a legal requirement under the GDPR and the ICO

k)    updated members of Audit Committee in relation to progress made with Information Management in the following areas:

·         Policies

·         Implementation of 365

·         Increased Home Working

·         Brexit

l)     reported that the Annual Governance Statement (AGS) status for Information Governance had been downgraded from Red to Amber due to progress made in the implementation of the GDPR and had since been removed from the AGS although remained a ‘watching item’ to be monitored by High Performing Services Group

m)  requested that the report and outcome of the audit be noted by members

n)    invited members’ questions and comments.

Question: when members of staff left the authority, was their account deleted?

Response: Yes, a process for deletion was in place.

Question: In relation to the 365 implementation, could teams be FOI’d?

Response: All information on Microsoft Teams had the potential for FOI and DPA requests.

Question: How were the phone lines monitored with people working from home?

Response: All staff had received instructions on transferring phones to mobiles which were monitored from office phones.

Question: in relation to the 172% increase in data protection requests, was there still an adequate timescale of 20 working days?

Response: Office 365 would assist and allow automated email searches. Discussions regarding the structure were to be put in place for people who dealt with FOI’s in their area.

Members welcomed progress being made in respect of the recommendations provided within the report.

Question: If someone signed into a team meeting as a guest, was the meeting still audited if it wasn’t hosted by the City of Lincoln Council?

Response: The meeting would not be recorded unless the person hosting the meeting recorded it. The meeting could be recorded however everybody would need to be in agreement and it would need to be recorded for a purpose i.e. training other officers.

Members requested an update on Office 365 to be provided at the next meeting. Officers were in agreement with providing an update however felt that it would be better to provide it in 6 months’ time once the structure had improved.

Question: How was data for grants dealt with?

Response: It was automated on the 365 system and staff were notified when a search had been carried out.

Question: What were the most popular type of FOI requests that were received?

Response: Officers agreed to bring a list of the most common type of FOI requests that were received to a future meeting.

RESOLVED that:

1.    An update on Office 365 be provided in 6 months.

2.     A list of common FOI requests be presented to members at the next meeting

3.    The content of the report be noted.