To receive the report of the Director of Law & Governance presenting the Information Governance Board’s year end annual performance update 2018/19 and the implementation of the General Data Protection Regulations (GDPR).
Received the report of the Director of Law and Governance presenting the IGB annual report 2018/19 including GDPR implementation update.
1. The report was introduced by Jayne Middleton-Albooye (Head of Legal Services) and was to update members on the work of the Information Governance Board (IGB) that Jayne Chairs.
2. The report sets out the work of the IGB. Last year was very important for the IGB as GDPR came into force and the whole of the previous year, officers were preparing for this and has now been implemented since May 2018.
3. Assurance was given that the Council has complied with achieving GDPR and that information governance systems across the Council are looked at regularly including any data breaches.
GDPR is important in many ways but not least because it introduced a high level of fines and some councils have already started to receive those fines. Fortunately, this council has kept out of that so far. However, you can now have breaches of up to 4% of your turnover, which would not be a good situation to be in for this council.
4. As detailed at paragraph 3.3 of the report, which states that part of GDPR was required to bring in a data protection officer (DPO). This officer must be independent of the Council and report to the highest level of the Council. The DPO takes a report each year to Cabinet, on his work. He must be an expert in his field and adequately resourced. The DPO attends IGB aswell, to give advice, review policies, implement training, etc. Training is important, because if the Council did have a breach, it would be then to show the Information Commissioner’s Office (ICO) that the Council has mitigating measures in place and may then assist in saying something has been done. This may lead to a less than expected fine or nothing at all. The Council has very compliance with GDPR training. There is also a cyber security module, which is mandatory for all staff.
There has also been an audit of compliance with GDPR and have been provided with an overall reasonable assurance, as detailed at paragraph 3.5 of the report. Internal audit had found 4 medium risks and 3 low risks.
5. The Council also has a security working group, which feeds into IGB, and meet separately. They deal with systems and security breaches and provide updates to IGB to show an overall picture of any incidents. They also produce an annual report and as detailed at paragraph 3.6 of the report, the table details the breakdown of data breach incidents. There had been 59 breaches of data loss and of these only 3 were reported to the ICO.
6. As detailed at paragraph 3.7, three annual reports are attached.
7. The following questions and queries raised in response to the report:
a. As detailed at page 20, bullet point 3, Contribution towards extension adaptations means that the Council may have a disabled property and may have to extend that property.
b. Councillor David-Sanders asked how effective staff training was for data retention, considering the medium risk finding around this. Jayne Middleton-Albooye clarified that the training is broad and data retention is one aspect of information governance. This has been recognised from the audit and that staff are only allowed by law to keep certain things for a certain length of time. There is a policy which states that documents can be kept for 6 years. Audit team found that not all staff know how long they should be keeping things and what they should be deleting from the systems beyond the 6 years.
Internal Audit have provided an action plan whereby the IGB have to implement any recommendations made by internal audit to mitigate the risk of data retention. Internal audit will always follow up all recommendations if they are not implemented.
c. Councillor David-Sanders asked how Enfield compared around the ICO reporting. Enfield only reported 3 data loss incidents to the ICO in 2018/19. Jayne Middleton-Albooye would speak to the DPO and report to the Committee.
ACTION: Jayne Middleton-Albooye (Head of Legal Services).
d. Councillor Gunawardena queried the MEQ response times, as detailed in section 5 (page 26 of the report). This was the comparison of MEQ responses for 2017/18 and 2018/19. Jayne Middleton-Albooye clarified that the first bar chart relates to volume. MEQ’s have increased but the percentage has not gone up. We recognise we have problems in this area. The 74.3% of MEQ’s were answered in time but it should have been 95%. The teams have now been split with MEQ’s & Statutory Complaints with Claire Johnson (Head of Scrutiny and Governance) and FOI’s, Complaints and SAR’s under Jayne Middleton-Albooye. MEQ’s are not as complex as Subject Access Requests (SARs) with differing levels of complexity as concerns statutory complaints and FOI’s. The teams are being monitored and if the need arises, more resources may be added.
e. Councillor David-Sanders asked what had changed with SARs, had they become more complex. Jayne Middleton-Albooye clarified that the teams had some challenging staff issues. There is now a new stable team that have just been recruited and there should be an improvement in turnaround response times.