To consider an update on the introduction of the General Data Protection Regulation and Data Protection Act 2018 across the Council.
The Principal Performance and Intelligence Officer informed Members that the Data Protection Act 2018 (DPA) covered the use of personal data within the scope of the General Data Protection Regulation (GDPR) and beyond it. Amongst other provisions, it repealed and replaced the Data Protection Act 1998, incorporated the GDPR into UK law, laid the ground for the free flow of data between the United Kingdom and the European Union after Brexit, set out permitted exemptions under the GDPR and set out the duties and powers of the UK's Information Commissioner's Office (ICO).
With administrative fines under the new DPA now having an upper limit of 20 million Euros, it was crucial that the Council was compliant with the GDPR/DPA, as it had been under the Data Protection Act 1998. The report set out the work undertaken to prepare for and implement GDPR across the Council.
The General Data Protection Regulations Project Initiation Document had been presented to Audit Committee on 6 December 2017 and set out the scope, objectives, outcomes and deliverables of the project.
The Information Governance Board, as outlined in the General Data Protection Regulations Project Initiation Document, had been established to ensure senior leadership, drive and accountability.
The current Principal Performance and Intelligence Officer had been appointed as the Council’s Organisational Data Protection Officer. He had qualified as a General Data Protection Regulation Practitioner.
A number of activities were in operation to ensure continued compliance with the law, details of which were provided within the report.
A number of documents, some of which were named within the report, had been formally reviewed by the Management Team and/or Cabinet (where appropriate) to assist Members, Officers, and members of the public.
The Council’s Information Asset Register was complete and had been published on the Council’s SharePoint site. The Council’s Register of Processing Activity, in accordance with Article 30 of the GDPR, was complete and had been published on the Council’s dedicated Data Protection SharePoint page.
An Information Asset Register (IAR) was a simple way to help the Council understand and manage its information assets and the risks to them. It was important to know and fully understand what information the Council held in order to protect it.
In support of the Council’s IAR, the Information Handling and Classification Protocol was in place and would be applied in accordance with the overall GDPR/DPA 2018 implementation.
A generic corporate Privacy Notice had been published on the Council's website covering all services provided by the Councils. Alongside this Privacy Notice, service-specific Privacy Notices for every service were being added. Privacy Notices advised the Council's customers what information about them was collected, when it was collected, how it was used, how long it was kept, and whether it was shared and with whom. The Notices also set out people's rights under GDPR and DPA 2018. Publication of Privacy Notices was an ongoing task, and the Notices published to date could be found on the Council's website.
A Data Protection Impact Assessment (DPIA) ...