Agenda item

General Data Protection Regulations

Minutes:

The Information Governance Manager & Data Protection Officer provided Members with an overview of the introduction of the General Data Protection Regulations (GDPR) and the Data Protection Act 2018, its impact on the council and the work undertaken by the authority to ensure appropriate compliance.

Members were asked to review the report and project plan developed with regard to the implementation of the General Data Protection Regulations and provide comments as necessary.

The Information Governance Manager & Data Protection Officer highlighted the Information Commissioner’s Office (ICO) ‘12 Step Program’ and the actions undertaken by GBC to deliver appropriate compliance, as detailed in Table One to the report:

Step 1 – Awareness: Make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. Implementing the GDPR could have significant resource implications, and they need to appreciate the impact this is likely to have.

GBC Status: The council’s Management Team was made aware of the GDPR and implementation date with a report presented in January 2017. Information sessions were subsequently held for senior managers at each directorate DMT, accompanied by relevant training provided to staff and Members in January 2017 and early 2018.

Step 2 – Information you hold: Document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

GBC Status: Forming a key part of the overall project plan, the council has a three-phase plan in place for identifying improvements that are needed to comply with the data processing and accountability element of GDPR:

·         Phase one – record retention schedule

·         Phase two – information asset register

·         Phase three – information audit

Sub-groups within each of the Council’s Directorates are currently working their way through all stages of the project plan to implement the required changes.

Step 3 – Communicating Privacy Information: Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

GBC Status: This forms part of the overall project plan that is being progressed through the Directorate sub-groups. Changes that have been made already include updating the privacy notices on various forms, letters and pieces of correspondence produced by the Council’s services and an update to the data processing information and Privacy Notices on the Council’s website.

Step 4 – Individuals’ Rights: Check procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

GBC Status: This forms part of the overall project plan that is being progressed through the Directorate sub-groups. Changes that have been made already include updating the privacy notices on various forms, letters and pieces of correspondence produced by the Council’s services and an update to the data processing information and Privacy Notices on the Council’s website.

Individuals’ rights are reviewed in Data Protection Impact Assessments; see further information below at step 10.

Step 5 – Subject Access Requests: Update procedures and plan how you will handle requests within the new timescales and provide any additional information.

GBC Status: Subject access request procedures have been reviewed, and further information is distributed to departments at the point at which a Subject Access Request (SAR) is received. This process is now managed centrally through the shared Information Governance Team, providing additional support to staff handling the requests and to the individual making the request.

Step 6 – Legal Basis for Processing Personal Data: Look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.

GBC Status: This forms part of the overall project plan that is being progressed through the Directorate sub-groups. Changes that have been made already include updating the privacy notices on various forms, letters and pieces of correspondence produced by the Council’s services and an update to the data processing information and Privacy Notices on the Council’s website. The ‘Three Phase Plan’ has been drafted to account for these processing requirements. The basis for processing is reviewed in Data Protection Impact Assessments; see further information below at step 10.

Step 7 – Consent: Review how you are seeking, obtaining and recording consent and whether you need to make any changes.

GBC Status: Where necessary, consent is now sought for the obtaining and recording of personal data. A practical example of this is the sign-up procedure for the Council’s electronic version of Your Borough, where all recipients have had to provide their explicit permission for the Council to hold their personal data and use it to communicate with them on a regular basis.

Step 8 – Children: Think now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.

GBC Status: This forms part of the overall project plan that is being progressed through the Directorate sub-groups. Changes that have been made already include updating the privacy notices on various forms, letters and pieces of correspondence produced by the Council’s services and an update to the data processing information and Privacy Notice on the Council’s website. Changes have been made to the Council’s Safeguarding policies to take account of this requirement. The processing of children’s data is reviewed in Data Protection Impact Assessments; see further information below at step 10.

Step 9 – Data Breaches: Make sure you have the right procedures in place to detect, report and investigate a personal data breach.

GBC Status: The Information Governance Group now has specific responsibility for the consideration and reporting of any personal data breach identified within the authority, and training has been provided to front-line data handlers to enable them to identify instances where data could have been breached. Such instances are rare, and tend to relate solely to human error or printing issues, with no requirement to report any data breaches to the ICO at this time.

Step 10 – Data Protection by Design and Data Protection Impact Assessments: Familiarise yourself now with the guidance the ICO has produced on Data Protection Impact Assessments and work out how and when to implement them in your organisation.

GBC Status: The GDPR makes privacy by design a legal requirement, under the term ‘data protection by design and default’. It also makes Data Protection Impact Assessments (DPIA) mandatory in situations where processing is likely to result in high risk to the rights and freedoms of individuals, and accordingly all new/revised system requests (involving the processing of personal data) now require a DPIA to be carried out. As such, a DPIA is a formal consideration for all decision-making reports as required; e.g. the recently launched Corporate Plan 2019-23 Consultation requires the processing of personal information relating to resident respondents, and therefore a DPIA was undertaken to support this process.

Step 11 – Data Protection Officers: Designate a Data Protection Officer to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.

GBC Status: As defined by Article 39 of the Regulation, the Information Governance Manager, employed by Medway Council as part of the Legal Shared Service, has been nominated by Gravesham Borough Council as the Data Protection Officer (DPO).

Step 12 – International: If your organisation operates internationally, you should determine which data protection supervisory authority you come under.

GBC Status: This is considered when investigating the use of cloud storage for any elements of the Council’s business, with a recent example being the investigation of the cloud-based storage credentials of continuing to use Survey Monkey, with the outcome being that this was considered viable for the Council.


The Information Governance Manager & Data Protection Officer fielded questions from the Committee and highlighted the following:

·         The Council conducts training needs analysis for staff and allocates training where required.

·         Recent history has shown that the ICO appears to be fairly lenient regarding fines for Local Authorities involved in data breaches; an enforcement notice, with a report back to the ICO in 6 months, seems to be the preferred route. However, non-compliance with an enforcement notice has resulted in fines for other Local Authorities.

·         The Council has a records retention schedule that dictates why and when data is deleted.

·         The Council has its own bespoke systems that contain modules that ensure data is properly deleted at the appropriate time.

·         The Information Governance Manager & Data Protection Officer works closely with the Service Manager (IT Services) to ensure all data processing is transferred securely.

·         The Information Governance Manager & Data Protection Officer highlighted the importance of all Councillors registering as Data Controllers on the ICO website.

Resolved that the Committee noted the report.

Supporting documents: