To receive a report from the Executive Director of Finance, Resources & Customer Services providing a report on the Information Governance Board Annual Performance 2017/18 and Update on the GDPR.
RECEIVED the report of the Executive Director of Finance, Resources & Customer Services providing updates on the work of the Information Governance Board (IGB), changes to data protection rights and obligations introduced by the General Data Protection Regulation (GDPR), the NHS digital audit, the internal review of the National Audit Office Guidance regarding Cyber and Information Security Risk Guidance and any Data Protection breaches or ICO referrals for 2017/18.
1. Jayne Middleton-Albooye (Head of Legal Services) presented the report as the Chair of the Information Governance Board.
2. This update report to the Committee concerns the changes that are to be brought in by the General Data Protection Regulation (GDPR), which is coming in on 25 May 2019. The changes are detailed at paragraph 3 (pages 2-4) of the report.
3. The work of the Information Governance Board (IGB) is detailed at pages 4-5 of the report, which highlights the preparation work for the GDPR and the work that they have done for an audit by NHS Digital at the end of November 2017.
4. Data Protection breaches and FOIA referrals are detailed at page 5 of the report.
5. The National Audit Office guidance is detailed at pages 5-6, which had been requested by the Audit & Risk Management Committee.
6. The IGB meets monthly and the new membership had met 4 times. There are sub-working groups and an implementation working group. Attached at Appendix 1 (pages 9-12) of the report is an implementation plan which Steve Durbin (IT Capital Programme & Security Consultant) could answer any questions on.
7. The Board had already reviewed and approved all the policies the Council needs to have in place to be GDPR compliant. The Board had also looked at the privacy statement and had approved that as well.
8. The NHS Digital Audit, detailed at page 5 of the report, took place at the end of November 2017. The draft report of the audit was still in progress and Jayne Middleton-Albooye intends to bring the report to a later Committee meeting to provide details of the Audit.
ACTION – Jayne Middleton-Albooye (Head – Legal Services)
9. The NAO guidelines were issued very recently and are an attempt to provide a view on high-level cyber security from an audit perspective. These were reviewed in the light of what the team are currently doing, and the team tried to give a readiness assessment against them. There were a couple of amber ratings in areas the team already knew about. The audit reports on most of those amber areas, and most things were in the green. The Council is well covered on mostly everything, and there was nothing new or surprising in the guidelines. It was nice to have a consistent set of guidelines the team could follow going forward.
10. The following comments and questions were made in response to the report:
a. The guidelines also suggested that if the Council would still be dealing with the European Union, in light of Brexit, then they would still be required to be GDPR compliant.
b. Peter Nwosu (Independent Member) enquired, in terms of the plan and being compliant on the day, whether the team were on track for the Council. Would the Council be benchmarked externally, or was it already being dealt with by in-house expertise within the Council? Steve Durbin clarified that the Council would be as compliant as it could be. However, there were going to be areas with gaps, because there were some things the team were not yet clear on. As this was a moving target, the Government decided to introduce something called ‘action fill’ to bring GDPR into UK law, and this was only started in October 2017. The Council is probably already compliant but had not got all the evidence to show it.
11. The Chair thanked Jayne Middleton-Albooye for her report.
AGREED that the Audit & Risk Management Committee note the overview of the changes which will be brought about by the GDPR and the Data Protection Bill, the progress of the IGB to date and any deadlines contained within the implementation plan to implement GDPR, the inspection by the NHS auditors, and the comments on the NAO guidance.