AUDIT, GOVERNANCE AND STANDARDS COMMITTEE

14 November 2022

 

Information Governance Report – Annual Report

 

Final Decision-Maker: Audit, Governance and Standards Committee

Lead Head of Service/Lead Director: Angela Woodhouse Director of Strategy, Insight & Governance

Lead Officer and Report Author: Anna Collier Corporate Insight Communities and Governance Manager and Georgia Harvey Senior Information Governance Officer

Classification: Public

Wards affected: All

 

Executive Summary

The Information Governance Team oversees the management of complaints, information requests (Freedom of Information (FOI) & Environmental Information Regulation Requests (EIR)), subject access requests (SAR), information sharing requests as well as handling data breaches.  This report provides performance data on the management of information governance to ensure corporate oversight and minimise risk to the Council.

 

This report makes the following recommendations to this Committee:

To note the report.

 

 

Timetable

| Meeting | Date |
|---|---|
| Audit, Governance and Standards Committee | 14 November 2022 |




 

 

1.       CROSS-CUTTING ISSUES AND IMPLICATIONS

 

| Issue | Implications | Sign-off |
|---|---|---|
| Impact on Corporate Priorities | We do not expect the recommendations will by themselves materially affect achievement of corporate priorities. However, they will support the Council’s overall achievement of its aims as good information governance ensures that the Council learns from customer experience and develops services to deliver all objectives. | Anna Collier Insight, Communities and Governance Manager |
| Risk Management | This report is presented for information only and has no risk management implications. | Anna Collier Insight, Communities and Governance Manager |
| Financial | The proposals set out in the recommendation are all within already approved budgetary headings and so need no new funding for implementation. | Mark Green Director of Finance, Resources & Business Improvement |
| Staffing | We will deliver the recommendations with our current staffing. | Anna Collier Insight, Communities and Governance Manager |
| Legal | This report provides a review of information governance including complaint handling. There is no statutory duty to report regularly to Committee on the Council’s performance. However, under Section 3 of the Local Government Act 1999 (as amended) a best value authority has a statutory duty to secure continuous improvement in the way in which its functions are exercised having regard to a combination of economy, efficiency and effectiveness. | Anna Collier Insight, Communities and Governance Manager |
| Privacy and Data Protection | The recommendations will not have an impact on the processing of personal data, and there is no need for a Data Protection Impact Assessment. | Anna Collier Insight, Communities and Governance Manager |
| Equalities | The recommendations do not propose a change in service and therefore will not require an equalities impact assessment. | Anna Collier Insight, Communities and Governance Manager |
| Public Health | We recognise that the recommendations will not negatively impact on population health or that of individuals. | Anna Collier Insight, Communities and Governance Manager |
| Crime and Disorder | No impact | Anna Collier Insight, Communities and Governance Manager |
| Procurement | No impact | Anna Collier Insight, Communities and Governance Manager |
| Cross Cutting Objectives | The report recommendation supports the achievements of all cross-cutting objectives, by ensuring data is well managed and lessons learnt from customer feedback are implemented. | Anna Collier Insight, Communities and Governance Manager |
| Biodiversity and Climate Change | There are no implications on biodiversity and climate change. | Anna Collier Insight, Communities and Governance Manager |

 


 

1.           INTRODUCTION AND BACKGROUND

 

1.1.      Annual reports have historically been presented to this Committee separately on complaints and data protection. To provide greater oversight of Council-wide information governance, these reports have now been combined. This reflects the work of the Information Governance team and Council services and provides Members with clearer oversight, as well as identifying overlapping key themes.

 

1.2.      The Information Governance Team is part of the wider Corporate Insight, Communities and Governance team. The team consists of 3 FTE posts:

 

·   Senior Information Governance Officer,

·   Information Governance Officer, and

·   Information Governance Assistant, which is currently a job share.

 

1.3.      The Information Governance Team are responsible for managing:

·   The complaints process including unreasonable and unreasonably persistent persons,

·   Logging and responding to information requests (also known as Freedom of Information - FOI and Environmental Information Regulation - EIR),

·   Data protection (including subject access requests, CCTV requests, data protection impact assessments, data sharing, and records of processing activities),

·   Records management, and

·   Correspondence with members of parliament.

 

1.4.      Performance data can be seen at Appendix 1.

 

Information Requests

 

1.5.      The term ‘information requests’ covers both Freedom of Information (FOI) and Environmental Information Regulation (EIR).

 

1.6.      The time limits for responding to these requests are set out in statute as 20 working days, subject to qualifying criteria.  If the council doesn’t hold the information requested or doesn’t believe it should be shared, then an exemption (FOI) or exception (EIR) can be applied to all or part of the request.

 

1.7.      If the requestor doesn’t agree with the Council’s decision, then they can appeal via internal review, and these are reviewed by Legal Services.  The requestor can further complain to the Information Commissioner’s Office (ICO), who will make the ultimate decision.

 

1.8.      The total number of FOI and EIR requests received in 2021-2022 was 901 (467 FOI requests and 434 EIR requests).

 

1.9.   The Council receives more FOI requests than EIR, but there has been a shift towards a greater number of EIR requests since Q2 2020-2021. The primary reason for this is a significant increase in the number of requests received by Land Charges for information concerning properties being purchased in the Borough.

 

1.10.   A target of 100% of responses sent on time is set to reflect the requirements of the law; however, it is highly ambitious and has only been achieved on two occasions.  The ICO accepts that Councils won’t always achieve this and concentrates its investigations and penalties on those organisations with backlogs. This target, less a 10% tolerance which we would consider good performance, has not been met on one occasion, with 10.40% in Q4 2021-2022. This reflects the training required for the newly formed team.

 

Complaints

 

1.11.   The Council operates an internal two stage complaints process:

 

1.   All stage 1 complaints will be investigated by the service manager and responded to within 10 working days.

 

2.   Customers have the right to take the complaint to stage 2 for an independent assessment by the Information Governance Team. The Information Governance team will then undertake an assessment of the complaint, within 5 working days, in order to determine whether a full investigation would be able to add anything to the stage 1 response and/or achieve the desired outcome. If the assessment concludes that further investigation is warranted, then a full response is sent within 20 working days.

 

1.12.   If, after following our complaints process, customers are still unhappy, they can contact the Local Government and Social Care Ombudsman (LGO), an independent service set up by the Government to investigate complaints about most council matters. The Ombudsman will not investigate complaints until they have been through both stages of the Council’s complaints process.

 

1.13.   The total number of stage 1 complaints received in 2021-2022 was 679. The number of complaints received dropped in 2020-2021 and has not yet risen above the number recorded for 2019-2020.

 

1.14.   The target of 100% of responses sent in time has only been met once; however, it is consistently met within the 10% tolerance, except on one occasion, Q4 2021-2022, with 14.95%.

 

1.15.   The number of stage 2 complaints has increased over the past year, from 59 to 95. The average number of complaints per year since 2017 is 99. This increase can be attributed to a rise in waste complaints from 29 to 64.

 

1.16.   The target for stage 2 assessment to be completed within 5 working days is 100%. The completion time stands at 96% for 2021-2022. This is an increase from previous years, which were 93% for both 2019-2022 and 2020-2021.

 

1.17.   Household Waste continues to receive the most complaints at both stage 1 and stage 2. The Waste Team provides a service that affects every household in the Borough, so it is expected that this service will receive more complaints than others by nature of its size alone.

 

1.18.   To further understand the cause of household waste complaints, data in 2022-2023 is analysed by the type of waste (refuse, recycling, garden etc.) and location in real time, allowing a more proactive approach to be taken when responding to complaints. As a result, the Council is better placed to identify localised trends that are impacting waste collections.

 

1.19.   Each year the Local Government Ombudsman (LGO) produces statistics for each local authority showing how many complaints it received, what they were about and how they were resolved. The report provides insight into how we approach complaints and the findings from the LGO. The 2021/22 annual letter from the LGO is enclosed in Appendix 2.

 

1.20.   In summary, the Council has had only six complaints that were fully investigated by the LGO; of these, we were required to take further action in four cases. This equates to 0.008810573% of our overall complaints from 2021-2022.

 

Data Incidents

 

1.21.   A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

 

1.22.   All potential breaches are investigated by the Information Governance team, and investigations must be completed within 72 hours in case they need to be reported to the ICO.  All breaches are signed off by the Data Protection Officer or Deputy Data Protection Officer and are reported to the Information Management Group, which meets quarterly.

 

1.23.   The total number of data incidents reported in 2021-2022 was 29.  Of these, 26 were found to be data breaches and 2 were found to have no risk as no data breach had occurred.

 

1.24.   The Council has fostered a culture whereby employees actively report data breaches. This approach means that employees report data breaches as soon as they are aware, which in turn enables the Council to react quickly to mitigate the impact. 

 

1.25.  Most data breaches are caused by human error, with no intended malice, resulting in a loss of confidentiality. This is typically a result of post or e-mails being sent to the wrong person.

 

Data Subject Rights Requests

 

1.26.   There are seven types of rights requests, including subject access requests and erasure requests.  All requests must be processed by the Information Governance team, as the request for information must be validated by identification of the individual requesting it.

 

1.27.   The number of requests for each right is shown in the table below:

 

| Financial Year | Access | Erasure | Objection | Total |
|---|---|---|---|---|
| 2018-2019 | 20 | 0 | 0 | 20 |
| 2019-2020 | 12 | 0 | 0 | 12 |
| 2020-2021 | 34 | 0 | 0 | 34 |
| 2021-2022 | 39 | 1 | 1 | 41 |
| Total | 105 | 1 | 1 | 107 |

 

1.28.   Between 2018 and 2022, 98% of rights requests received were subject access requests (SARs). These entitle individuals to have copies of all information we hold about them. The timeframe for responding to subject access requests is one calendar month. Subject access requests can be extremely time-consuming, due to the need to source and review all personal data to identify what information is in scope of the request before redacting any exempt data. In 2021-2022, the average number of days taken to respond to a DSAR was 16.2 days.

 

Information Sharing Requests

 

1.29.   Information sharing requests are requests for personal data where there is a legal basis to request it.  In the main these are processed via the Information Governance team though some information requests are processed within other teams.

 

1.30.   Over the past two years there has been an increase from 234 to 317 in the number of requests received. The majority of requests are received from the police, followed by requests from insurance companies, predominantly for CCTV. 

 

1.31.   Information sharing training was provided to departments in June 2022. The training was tailored to each department and covered real-life scenarios to ensure that employees are compliant when sharing personal information, while empowering departments to deal with partner organisations around data sharing.

 

Data Protection Action Plan 

 

1.32.   The Council has worked proactively to improve how we manage and hold personal data in line with the Data Protection Act. Whilst there have been additional burdens in terms of the work required to meet the Act, the actions taken have improved how the Council operates and how we manage and use personal data. Colleagues across the Council have been receptive to change and training to increase understanding and awareness of data protection and effective data management across the Council. The Action Plan provides an update on key changes and points of note, progress against the action plan and highlights the areas where further work is required. The Action Plan is enclosed at Appendix 3.

 

1.33.   The Government has announced legislative changes to the UK, publishing the Data Protection and Digital Information Bill in July 2022. The Bill plans to reform the UK Data Protection regime following Brexit. The Bill can be accessed at https://bills.parliament.uk/bills/3322

 

 

1.34.   The ICO is increasingly using its powers to issue fines and one Notice of Intent under GDPR. Recent examples include:

 

·         £4.4 Million GDPR Fine for Construction Company 

·         ICO Takes Action Against GDPR Subject Access Delays

·         £1.35 Million GDPR Fine for Catalogue Retailer

·         TikTok Faces a £27 Million GDPR Fine

 

Key Projects and Future activities in Information Governance

 

1.35.   The next projects for Information Governance Team are:

 

·         Publishing information on the website to answer frequent FOI requests. For example, we frequently receive requests for information about council tax, temporary accommodation and CCTV. Responses to these requests will be added to the website to enable the public to easily find the information. This in turn will reduce the burden on departments needing to respond to FOI and EIR requests.

·         Working with departments to update the data protection information on the website to address common queries, and reviewing privacy notices to ensure the information reflects changes in data collection and its uses. Where possible we will work with Digital to implement on-demand privacy notices to highlight key information to customers at the point information is collected.

·         Reviewing all current DPIAs to assess whether updates are needed.

·         To combine police information requests from all aspects of the Council into one central location. This includes working with Kent Police to implement a revised process for sharing CCTV footage.

·         Implement the actions identified from the CCTV review conducted in 2021. The review identified a number of actions that need to be taken to address risks in the governance arrangements surrounding CCTV. The key recommendations were:

o   Security, Storage and Viewing – This is the most prevalent issue with common themes including password management and Data Processing Agreements in place which are not compliant.

o   Reviews & Documentation – Varied retention periods, which need to be documented and justified. Support departments in assessing whether purpose is still lawful, justified, necessary and proportionate. All surveillance systems require DPIAs to be re-written to ensure compliance.

o   Disclosing and Sharing – Implement a consistent process across all departments for disclosing footage.

o   Training and Awareness - Provide tailored training to the Information Governance team, and any other relevant staff, on how data protection relates to surveillance systems.


 

3.   AVAILABLE OPTIONS

 

3.1     To note the report.

 

 

4.        PREFERRED OPTION AND REASONS FOR RECOMMENDATIONS

 

4.1     To note the report.

 

 

5.       RISK

5.1        This report is presented for information only and has no risk management implications.

 

 

6.       CONSULTATION RESULTS AND PREVIOUS COMMITTEE FEEDBACK

 

6.1   None

 

 

7.       NEXT STEPS: COMMUNICATION AND IMPLEMENTATION OF THE DECISION

 

7.1     The next annual report will be provided for year 2022-2023.

 

 

8.        REPORT APPENDICES

 

·         Appendix 1: Information Governance Report – Annual Report 2021-2022

·         Appendix 2: LGO Annual Letter 2021-2022

·         Appendix 3: Data Protection Action Plan

 

 

9.        BACKGROUND PAPERS

 

9.1     None