Consideration was given to an update and annual report presented by Paul Vessey, Head of Information Management, on the Council’s compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA).
Monitoring of the Council’s compliance with GDPR and DPA was carried out by the Corporate Information Governance Group (CIGG), which had representatives from all Directorates and was chaired by the Council’s Senior Information Risk Officer (SIRO). Any risks relating to Information Governance, including GDPR and Data Protection, were monitored on a regular basis by the group. Risks and actions were logged and reviewed at CIGG meetings and, if necessary, escalated in line with the Council’s risk management processes.
The key issues were:-
- Maintain compliance
  - Compliance with Data Protection principles was a continuous project
  - CIGG fulfilled a core function in monitoring and overseeing information risks
  - Regularly monitored the effectiveness of the Council’s Data Protection Policies and each Directorate’s Information Governance and Data Protection processes
- Monitor performance of Freedom of Information (FOI) and Right of Access requests
  - Slight increase in the number of FOIs completed on time – 87% (2019/20), 91% (2021/21)
  - Decrease in the number of Right of Access Requests (ROARs) received – 188 (2019/20), 162 (2020/21) but also decrease in the number completed on time (64%-43%)
Appendix 1 of the report submitted provided performance for the last 4 financial years.
Discussion ensued with the following issues raised/clarified:-
· Performance would continue to be closely monitored with the focus on improvement
· Requests varied substantially in complexity and workload making analysing, allocating resources and forecasting problematic. In practical terms this meant that until a request was received, it could not be known how long it would take to complete
· Joint requests for information were a cause for concern and work was taking place on how the process could be improved for determining which Directorate was to provide the response
· An audit had been undertaken of the figures to provide assurance that the processes in place in terms of how ROARs were dealt with were robust. It was found that delays in service had arisen mostly due to the complexity of cases, pressures on service and the pandemic. The outcomes of the report were being worked through
· A monthly reporting process had been activated
· FOI requests could be turned down if they were vexatious and/or for other reasons. The number of these was not currently captured in the information presented
· There was no benchmarking with other authorities
Since the last report submitted on 26th November, 2019 (Minute No. 48 refers), all outstanding tasks had been completed and all required policies and processes for compliance with GDPR and DPA were now in place and embedded within the organisation. It was now the responsibility of all Directorates and Service areas to comply with the Council’s Data Protection policies and procedures.
Resolved:- (1) That the General Data Protection Regulation annual report 2019/20 be noted.
(2) That the legal requirement of the Council continuing its maintenance of its Information Governance policies and processes in compliance with legislation be noted.
(3) That future reports include the number of Freedom of Information requests refused and any breaches of the GDPR Regulations.