Agenda item

To consider and note the production of the Data Protection/FOI Annual Report 2023/24 and that it was a requirement that the Council continues its maintenance of its Information Governance practices and processes in compliance with legislation.

Paul Vessey, Head of Information Management, presented the annual report on the Council’s compliance with Data Protection and Freedom of Information legislation.

Appendix 1 of the report provided Freedom of Information and Right of Access Requests performance for the last 4 financial years.

90% of Freedom of Information requests were responded to within the statutory time limits with the number of requests received during 2023/24 increasing to 1,307 compared to 1,145 in 2022/23.

Despite a 2% drop in performance compared to 2022/23, there had been a numerical increase in the number of requests responded to within the statutory time to 1,177.  This was more than in each of the previous 3 years.

No Freedom of Information requests had been formally refused as invalid.  There was one individual who was vexatious on a specific line of enquiry.  However, should a vexatious request be received it still received a formal response under the Act. 

Overall 41% of Right of Access requests (RoARS) were completed within the statutory time limits.  The number of requests received during 2023/24 remained the same at 214.  Performance fell by 15% compared with 2022/23 and this was reflected by a numerical decrease in the number of requests responded to within the statutory time to 87.

Performance was affected by a smaller proportion of the RoARS received that were classed as ‘simple requests’ which were easier and quicker to process.  However, the number of large and complex RoARS had increased and now made up the majority received by the Council. These were resource intensive as they involved reviewing large volumes of historical data, specialists within Children’s Services and were often linked to CSE.  Additional resources had been added to the team’s capacity to improve performance.

Appendix 2 provided a breakdown of the number and classification of Information Security Incident for 2023/24.

The Council actively encouraged services to report any suspected data incidents and all reported cases were investigated. Monitoring information security incidents enabled the Council to proactively improve the Council’s risk profile by learning lessons from an incident and reducing the likelihood of it happening again.

One data breach was reported to the Information Commissioner’s Office (ICO) in the 2023/24 financial year. This was a cyber security related incident and reported as a precaution.  Following an internal investigation, it was ascertained that no data was lost or exposed and no action was taken by the Information Commissioner. 

Discussion ensured with the following issues raised/clarified:-

-        It would be useful to have a similar breakdown to that which the Fire Authority provided i.e. summary of the FOI data received, the number of questions received/refused, number of hours spent collating the information, details of the individual data protection breaches

-        The counting of FoIs was in accordance with the ICO reporting requirements i.e. one FOI request with 3 questions was counted as one request

-        Rotherham’s performance rate compared favourably with that of most local public services

-        The 2 additional posts were making inroads into the RoAR response waiting times

-        The more complex requests took time due to the historical nature of the documentation and the manual finding of the information

-        A number of the low risk breaches were down to user error

-        Currently there was no information held as to how long staff spent on a FOI and on the costs involved.  However, there was a cost threshold of £50

Resolved:-  (1)  That the Data Protection/FOI Annual Report 2023/24 be received and the contents noted.

(2)   That the requirement of the Council to continue its maintenance of its Information Governance policies and processes in compliance with legislation be noted.