Agenda item

Paul Vessey, Head of Information Management, to present the Information Governance 2024-25 Annual Report

Consideration was given to the annual report presented by Paul Vessey, Head of Information Governance, which set out the detail of Council’s compliance with Data Protection and Freedom of Information legislation.

The report, therefore, set out in detail performance for Freedom of Information, Right of Access Requests and any Data Protection Incidents and Breaches.

In terms of responses to Freedom of Information Requests (within the statutory time limits) overall performance was at 98% with the number of requests received during Year 2024/25 up to 1,347 compared to 1,307 in 2023/2024.

This was an improvement in performance compared to the previous year and following analysis of the data there were no concerns raised on the year’s performance.

With regards to Right of Access Requests during 2024/25 there had been an increase leading to an improvement in performance by 22% percentage points for requests dealt with within the statutory time frame.

In terms of Data Protection Incidents and Breaches, the Council actively encouraged services to report any suspected data incidents and all reported cases were investigated. Attached to the report was an Appendix which provided a breakdown of the number and classification of incidents.

There had been one complaint received direct from the Information Commissioner’s Office which was addressed.

In the main all the breaches reported were of a minor nature.

The Committee in the course of its questioning asked further about the complex nature of Right of Access Requests, whether they were mainly personal requests or part of a specific investigation, the context of the Information Data Incident Statistics and if there was any year-on-year data.

In their response officers explained and gave examples of complex Right of Access Requests which were primarily related to Social Care and Children and could be resource intensive and lengthy when collating historical records.  In the main requests were of a personal nature, but there were occasions where requests were received as a result of an investigation.

Unfortunately, there was no further breakdown for the statistics, but every single request received was investigated.  The tables within the appendices provided numbers on a year-on-year basis for all requests in accordance with the Data Protection and Freedom of Information legislation.

Further examples of low-risk data protection incidents and breaches were provided which were often due to misdirected emails with limited or no personal data, emails sent with Carbon Copy (CC) instead of Blind Carbon Copy (BCC) exposing email addresses, and Council Tax bills sent to the wrong address.

Serious beaches were reported to the Information Commissioner’s Office and two incidents were reported in 2024/2025 financial year. No action was taken by the Information Commissioner.

The Committee wished to explore further the complaint from the Information Commissioner’s Office and were advised this related to a bus pass application and the request for information.

Further the Committee asked about performance for Freedom of Information Requests at 98% and why this was not 100% and were advised this was down to responses from individual Directorates who were responsible for providing information.  It was their determination of priorities when delays occurred.

Whilst it was noted that the Service managed the processes, any concerns with the receipt of responses were escalated and discussed by the Senior Leadership Team.

A question raised about software that advised of deadlines was currently in operation with logged Freedom of Information requests. 

A request for further detail on the requesters (business or individuals) was answered and it was noted that the majority of requests were from individuals.  During 2024/25 there was a request deemed invalid due to a suspected impersonation and another that was vexatious on a specific line of enquiry.  Even requests that were deemed vexatious received a formal response under the Act.

The Committee asked about any potential risk to the Council if timeframes were delayed and it was noted the risk was minimal.  Should there be any complaints from individuals they had the opportunity to refer their concerns to the Information Commissioner’s Office.

Whilst there was still a risk of Information Data Incidences these were few and far between and of those indicated on the statistics, these were of a minor nature.

Resolved:- (1)  That the Data Protection/FOI Annual Report 2024/25 be received and the contents noted.

(2)  That the Council continues its maintenance of its Information Governance practices and processes as a requirement and in compliance with legislation.