Decision Maker: Audit Committee
Decision status: For Determination
Is Key decision?: No
Is subject to call in?: No
Providing a comprehensive and modern framework
for data protection across South Lakeland District
The Principal Performance and Intelligence Officer informed Members that the Data Protection Act 2018 (DPA) covered the use of personal data within the scope of the General Data Protection Regulation (GDPR) and beyond it. Amongst other provisions, it repealed and replaced the Data Protection Act 1998, incorporated the GDPR into UK law, laid the ground for the free-flow of data between the United Kingdom and the European Union after Brexit, set out permitted exemptions under the GDPR and set out the duties and powers of the UK's Information Commissioner’s Office (ICO).
With administrative fines under the new DPA now having an upper limit of 20 million Euros, it was crucial that the Council was compliant with the GDPR/ DPA, as it had been under the Data Protection Act 1998. The report sets out the work undertaken to prepare for and implement GDPR across the Council.
The General Data Protection Regulations Project Initiation Document had been presented to Audit Committee on 6 December 2017 and set out the scope, objectives, outcomes and deliverables of the project.
The Information Governance Board, as outlined in the General Data Protection Regulations Project Initiation Document, had been established to ensure senior leadership, drive and accountability.
The current Principal Performance and Intelligence Officer had been appointed as the Council’s Organisational Data Protection Officer. He had qualified as a General Data Protection Regulation Practitioner.
A number of activities were in operation to ensure continued compliance with the law, details of which were provided within the report.
A number of documents, some of which were named within the report, had been formally reviewed by the Management Team and/or Cabinet (where appropriate) to assist Members, Officers, and members of the public.
The Council’s Information Asset Register was complete and had been published on the Council’s SharePoint site. The Council’s Register of Processing Activity, in accordance with Article 30 of the GDPR, was complete and had been published on the Council’s dedicated Data Protection SharePoint page.
An Information Asset Register (IAR) was a simple way to help the Council understand and manage its information assets and the risks to them. It was important to know and fully understand what information the Council held in order to protect it.
In support of the Council’s IAR, the Information Handling and Classification Protocol was in place and would be applied in accordance with the overall GDPR/DPA 2018 implementation.
A generic corporate Privacy Notice had been published on the Council’s website covering all services provided by the Councils. Alongside this Privacy Notice, service specific Privacy Notices for every service were being added. Privacy Notices advised the Council’s customers what information about them was collected, when it was collected, how it was used, how long it was kept and whether it was shared, and with whom. The Notices also set out peoples’ rights under GDPR and DPA 2018. Publication of Privacy Notices was an ongoing task, and the Notices published to date could be found on the Council’s website.
A Data Protection Impact Assessment (DPIA) had to be performed where processing was likely to result in a high risk to the rights and freedoms of natural persons. Where the Information Asset Registers had identified that the Council was holding sensitive data (for example ethnic origin, religion, health data), a DPIA would need to be completed to risk assess such data and ensure it was held as securely as possible.
A template Data Processing Agreement had been implemented and shared with Procurement Services which would accompany all procurement documents where it was considered relevant.
A Data Breach Notification Protocol was in place and was available to all Officers through the dedicated Data Protection SharePoint page.
A procedure for implementing the Subject Access process was in place. The amended Subject Access Request form was available to the public via the Council’s website.
In closing, the Principal Performance and Intelligence Officer informed Members that an audit of Information Governance was due to take place in February 2019. In response to a query raised about cyber security and robustness of systems, he explained that he had been working closely with the IT department with regard to site security and a full audit had been carried out to ensure that governance arrangements were in place. Additional work was being carried out around firewalls and updates and how data was retained, either on or off site. Work was also ongoing regarding the issue of the Right to be Forgotten.
The Chairman referred to the delivery of training for Members and requested that the relevant slides be made available. He also raised the need for Members to be aware of their individual responsibilities with regard to meeting the Information Commissioner’s Office requirements.
RESOLVED – That the update on the introduction of the General Data Protection Regulations and Data Protection Act 2018 across the Council be noted.
Report author: Paul Mountford
Publication date: 03/01/2019
Date of decision: 05/12/2018
Decided at meeting: 05/12/2018 - Audit Committee