Action Plan Update
Action |
Start Date |
End Date |
Responsible |
Status |
Update |
Review processes around Data Protection Impact Assessments |
Nov-18 |
Mar-19 |
Anna Collier |
Completed |
A new Data Protection Impact Assessment (DPIA) has been developed. The form is now very comprehensive but also provides a lot of guidance (when viewed and completed electronically).
A
new process has been implemented with the ICT service: requests for new
systems or amendments to systems are immediately flagged by the ICT officers
and escalated to the Data Protection Officer for review, those that which are
collecting new personal data or a change in processing will need to complete
a DPIA before ICT will progress the project.
|
Review Record of Processing Activities |
Mar-19 |
Aug-19 |
Anna Collier |
Completed |
A formal review of the ROPA has been completed. Meetings have been held with managers across the Council to update the document where processes have changed or been introduced and to collect further information. The recommendations for changes in processes will be reviewed by the information management group in January and form part of a new monitoring plan. |
Review Retention Schedules |
Mar-19 |
Aug-19 |
Anna Collier |
Underway, estimated completion date October 2020 |
As part of the ROPA review retention schedules are also being checked and updated. Retention schedules not on the ROPA will be reviewed during 2020 A project on email retention is also being undertaken. |
Review and update information Asset Register |
Mar-19 |
Aug-19 |
Anna Collier |
Not Started, completion date December 2020 |
A review of the Information Asset Register has been postponed due to staff capacity. This will be undertaken in 2020. |
Review Information Sharing |
May-19 |
Jul-19 |
Anna Collier |
Completed |
A draft information sharing policy and supporting documentation including information checklist, agreement and guidance have been developed. These will agreed by the Information Management Board in January. Existing agreements outside of the Kent and Medway Sharing Agreement will be reviewed in accordance with the new policy when it signed off. Training will be given to staff on the new policy in the new year.
|
Review of training needs ensuring cultural change |
Feb-19 |
Sept- 19 |
Angela Woodhouse |
Completed |
Further training has been identified and undertaken by the DPO and the Policy and Information team to increase understanding in some specific DPA areas. Service specific training sessions have been given as well as training for new starters, in high risk service areas. Further training is planned on information sharing in the new year. An ongoing review is now considered business as usual |
Update Range of Guidance for Intranet |
May 19 |
Jul-19 |
Anna Collier |
Completed |
A full range of guidance is available for staff on the intranet and will shortly be updated to include information on information sharing and email retention. Guidance will constantly need to be updated to reflect ICO guidance and lessons learnt. This has now moved to business as usual. |
Ensure contracts and partners are GDPR compliant |
ongoing |
ongoing |
Simon Logan Legal/Procurement teams |
Completed |
All contracts have been reviewed and amendments or agreements signed accordingly. GDPR is now part of standard contract development. |
Review and audit archive arrangements |
Feb 19 |
May 19 |
Gary Hunter |
Completed |
Archive arrangements have been reviewed and our contract has been renewed. Work is now underway reviewing internal storage arrangements. |
CCTV Review |
Aug 19 |
Nov 19 |
Anna Collier |
Completed |
A full review of CCTV arrangements has been undertaken, recommendations have been made and draft documents produced. The information management group will be considering the recommendations in January, and these will form part of a new monitoring plan. |
Model for monitoring implementation of changes to processing activities |
Oct 19 |
Nov 19 |
Anna Collier |
Completed |
A new monitoring plan will be introduced and held by the Policy and Information Team and overseen by the information management group. This will hold actions and recommendations from reviews as well as any actions from high risk DPIAs for which the manager's will be accountable. |