Agenda item

Sally Brooks, Data Protection Officer:

a.    presented a report to update Audit Committee on progress made with Information Management monitoring the council’s compliance with data protection legislation including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA)

b.    highlighted that update reports were submitted to Audit Committee on a bi-annual basis, the last report was provided in March 2021.

c.     advised that Information Management resources continued to be required in the arrangements surrounding the response to the pandemic. This was in addition to the council’s ‘business as usual’ date protection compliance. This had included ongoing updates to the customer privacy notice, business support grants, retention arrangements for new datasets created, promoting vaccine up take in 18-30 year olds and self-isolation payments for parents and carers.

d.    advised on data protection training that was underway by the council at paragraph 4 of the officer’s report which was a legal requirement under the GDPR and the ICO

e.    reported on work completed in relation to contracts, Brexit and UK GDPR as detailed at paragraph 5 of the report

f.      updated members of Audit Committee in relation to progress made with the Office 365 roll out as detailed at paragraph 6 of the report.

g.    reported that the Annual Governance Statement (AGS) status for Information Governance had been downgraded from Red to Amber due to progress made in the implementation of the GDPR and had since been removed from the AGS although remained closely monitored with reports submitted to IG Board, CMT and Audit Committee.

h.    invited committees’ questions and comments

Question: Referred to the e-learning and asked if staff were still able to ask questions and who would be responsible for providing support.

Response: The e-learning would have a testing element to ensure that staff understood the information. The Data Protection Officer and Legal Services would provide support and be available to answer any questions.

Question:  Referred to section 6 of the report and asked how the roll out of Office 365 had progressed.

Response:  Approximately two thirds of staff had received the new equipment, however, there was now a global shortage of equipment which was difficult to source. All staff had access to Teams even if they did not have new equipment.

Question: Asked if Zoom would still be used for meetings.

Response: Teams would be available to everyone and Zoom would be phased out.

Question:  Asked if the data breaches were of a serious nature?

Response: On average there were four to five data breaches each month. There had not been a significant increase in the number data breaches with home working.

Question: Referred to risk number 11 on the risk register and asked if it had been reported correctly and should be shown as a declining risk instead of a static risk?

Response: The risk was not declining as there had been improvement, it would be updated to reflect this.

Question: Asked how the Independent Member would receive the training as she did not have access to the Councils IT systems.

Response: The training would take place face to face with the Data Protection Officer.

Question: Asked if the Council could charge for data requested by the general public.

Response: Previously the Council were able to charge the general public for data about themselves, but the Council could not charge for Freedom of Information requests.

Question: Asked how information was protected when staff were working from home using laptops.

Response: The data was not held on the laptop it was held in a cloud, and this could not be accessed without the log on information. Guidance had been provided to staff to advise them not to share data, or let others use their device and to log out and shut the screen when away from their desk.

Question: Asked if there was a remote working policy in place.

Response: As the move to home working was urgent during the pandemic, procedure notes were provided. Remote working was included in the ICT Security Measures Policy which would be considered by Policy Scrutiny Committee and Executive shortly.

RESOLVED that the content of the report be noted.