Minutes:
Consideration was given to the annual report, presented by Paul Vessey, Head of Information Management, on the Council’s compliance with Data Protection and Freedom of Information legislation.
Appendix 1 of the report provided Freedom of Information and Right of Access Requests performance for the last four financial years.
Right of Access requests performance was below the target of 100% completion within the statutory time limits. This was due to the large number of requests that were complex in nature, involving large volumes of historical data and children’s services, and that were often linked to CSE.
Despite performance remaining below the statutory target, there had been an increase in the number of requests that had been responded to within the statutory time period.
The performance for Freedom of Information requests was below the target of 100% completion within the statutory time limits. The overall number of Freedom of Information Requests received had remained static and there had been an increase in the number of requests responded to within the statutory time period.
Analysis of the data did not raise any significant concerns during the year’s performance and no valid Freedom of Information requests had been refused, except for one individual who had a Single Refusal Notice in force for vexatious requests on a specific subject. Requests could be refused if expenditure to provide the detail would exceed £450.
The Committee, in noting the detail, asked what would happen if the requests were not within the prescribed timeframe, and it was pointed out that Freedom of Information Requests were being closely monitored and were performing at around 93%. It was the Right of Access Requests that could vary substantially in complexity and workload, making analysing, allocating resources and forecasting problematic. Performance would continue to be closely monitored with the focus on improvement.
It was also noted that in the event that a Right of Access Request was complex, an extension could be sought. Refusals were rare.
The differences between the two types of request were explained, pointing out that the key issue was to ensure that compliance with data protection and freedom of information legislation was maintained.
Appendix 2 provided a breakdown of the number and classification of Information Security Incidents for 2022/23.
The Council actively encouraged services to report any suspected data incidents and all reported cases were investigated. Monitoring information security incidents enabled the Council to proactively improve its risk profile by learning lessons from an incident and reducing the likelihood of it happening again.
Two data breaches were reported to the Information Commissioner’s Office in the 2022/23 financial year. One was inappropriate sharing of information and one was a cyber incident at a third-party contractor. Following a full report to the Information Commissioner, no further action was required in either incident.
In noting the breaches, the Committee asked what preventative action had been put in place. It was pointed out that the company involved with the cyber incident was no longer involved with the Council and steps had been taken to block certain domains. Whilst every effort was made to prevent any human error, the probability of future risk was low.
The Committee asked if year on year comparisons in relation to information security incidents could be provided, which was agreed.
Resolved:- (1) That the Data Protection/FOI Annual Report 2022/23 be received and the contents noted.
(2) That it was a requirement that the Council continued its maintenance of its Information Governance policies and processes in compliance with legislation.