AUDIT, GOVERNANCE AND STANDARDS COMMITTEE
14 November 2022

Information Governance Report – Annual Report

| Final Decision-Maker | Audit, Governance and Standards Committee |
|---|---|
| Lead Head of Service/Lead Director | Angela Woodhouse, Director of Strategy, Insight & Governance |
| Lead Officer and Report Author | Anna Collier, Corporate Insight Communities and Governance Manager, and Georgia Harvey, Senior Information Governance Officer |
| Classification | Public |
| Wards affected | All |

Executive Summary
The Information Governance Team oversees the management of complaints, information requests (Freedom of Information (FOI) & Environmental Information Regulation Requests (EIR)), subject access requests (SAR), information sharing requests as well as handling data breaches. This report provides performance data on the management of information governance to ensure corporate oversight and minimise risk to the Council.

This report makes the following recommendations to this Committee:
To note the report.

Timetable
| Meeting | Date |
|---|---|
| Audit, Governance and Standards Committee | 14 November 2022 |
1. CROSS-CUTTING ISSUES AND IMPLICATIONS
| Issue | Implications | Sign-off |
|---|---|---|
| Impact on Corporate Priorities | We do not expect the recommendations will by themselves materially affect achievement of corporate priorities. However, they will support the Council’s overall achievement of its aims as good information governance ensures that the Council learns from customer experience and develops services to deliver all objectives. | Anna Collier Insight, Communities and Governance Manager |
| Risk Management | This report is presented for information only and has no risk management implications. | Anna Collier Insight, Communities and Governance Manager |
| Financial | The proposals set out in the recommendation are all within already approved budgetary headings and so need no new funding for implementation. | Mark Green Director of Finance, Resources & Business Improvement |
| Staffing | We will deliver the recommendations with our current staffing. | Anna Collier Insight, Communities and Governance Manager |
| Legal | This report provides a review of information governance including complaint handling. There is no statutory duty to report regularly to Committee on the Council’s performance. However, under Section 3 of the Local Government Act 1999 (as amended) a best value authority has a statutory duty to secure continuous improvement in the way in which its functions are exercised having regard to a combination of economy, efficiency and effectiveness. | Anna Collier Insight, Communities and Governance Manager |
| Privacy and Data Protection | The recommendations will not have an impact on the processing of personal data, and there is no need for a Data Protection Impact Assessment. | Anna Collier Insight, Communities and Governance Manager |
| Equalities | The recommendations do not propose a change in service and therefore will not require an equalities impact assessment. | Anna Collier Insight, Communities and Governance Manager |
| Public Health | We recognise that the recommendations will not negatively impact on population health or that of individuals. | Anna Collier Insight, Communities and Governance Manager |
| Crime and Disorder | No impact | Anna Collier Insight, Communities and Governance Manager |
| Procurement | No impact | Anna Collier Insight, Communities and Governance Manager |
| Cross Cutting Objectives | The report recommendation supports the achievements of all cross-cutting objectives, by ensuring data is well managed and lessons learnt from customer feedback are implemented. | Anna Collier Insight, Communities and Governance Manager |
| Biodiversity and Climate Change | There are no implications on biodiversity and climate change. | Anna Collier Insight, Communities and Governance Manager |
1. INTRODUCTION AND BACKGROUND
1.1. Annual reports have historically been presented to this Committee separately on complaints and data protection. To provide greater oversight on Council wide information governance, these reports have now been combined. This reflects the work of the Information Governance team and Council services and provides Members with a clearer oversight, as well as identifying overlapping key themes.
1.2. The Information Governance Team is part of the wider Corporate Insight, Communities and Governance team. The team consists of 3 FTE posts:
· Senior Information Governance Officer,
· Information Governance Officer, and
· Information Governance Assistant, which is currently a job share.
1.3. The Information Governance Team are responsible for managing:
· The complaints process including unreasonable and unreasonably persistent persons,
· Logging and responding to information requests (also known as Freedom of Information - FOI and Environmental Information Regulation - EIR),
· Data protection (including subject access requests, CCTV requests, data protection impact assessments, data sharing, and records of processing activities),
· Records management, and
· Correspondence with members of parliament.
1.4. Performance data can be seen at Appendix 1.
Information Requests
1.5. The term ‘information requests’ covers both Freedom of Information (FOI) and Environmental Information Regulation (EIR).
1.6. The time limits for responding to these requests are set out in statute as 20 working days, subject to qualifying criteria. If the council doesn’t hold the information requested or doesn’t believe it should be shared, then an exemption (FOI) or exception (EIR) can be applied to all or part of the request.
1.7. If the requestor doesn’t agree with the Council’s decision, then they can appeal via internal review, and these are reviewed by Legal Services. The requestor can further complain to the Information Commissioner’s Office (ICO), who will make the ultimate decision.
1.9. The Council receives more FOI requests than EIR, but there has been a shift towards a greater number of EIR requests since Q2 2020-2021. The primary reason for this is a significant increase in the number of requests received by Land Charges for information concerning properties being purchased in the Borough.
1.10. A target of 100% of responses sent on time is set to reflect the requirements by law; however, it is highly ambitious and has only been achieved on two occasions. The ICO accepts that Councils won’t always achieve this and concentrates its investigations and penalties on those organisations with backlogs. This target, less 10% tolerance which we would consider good performance, has not been met on one occasion, with 10.40% in Q4 2021-2022. This reflects the training required for the newly formed team.
Complaints
1.11. The Council operates an internal two stage complaints process:
1. All stage 1 complaints will be investigated by the service manager and responded to within 10 working days.
2. Customers have the right to take the complaint to stage 2 for an independent assessment by the Information Governance Team. The Information Governance team will then undertake an assessment of the complaint, within 5 working days, in order to determine whether a full investigation would be able to add anything to the stage 1 response and/or achieve the desired outcome. If the assessment concludes that further investigation is warranted, then a full response is sent within 20 working days.
1.12. If, after following our complaints process, customers are still unhappy, they can contact the Local Government and Social Care Ombudsman (LGO), an independent service set up by the Government to investigate complaints about most council matters. The Ombudsman will not investigate complaints until they have been through both stages of the Council’s complaints process.
1.13. The total number of stage 1 complaints received in 2021-2022 was 679. The number of complaints received dropped in 2020-2021 and has not yet risen above the number recorded for 2019-2020.
1.14. The target of 100% of responses sent in time has only been met once; however, it is consistently met within 10% tolerance, except on one occasion, Q4 2021-2022 with 14.95%.
1.15. The number of stage 2 complaints has increased over the past year, from 59 to 95. The average number of complaints per year since 2017 is 99. This increase can be attributed to a rise in waste complaints from 29 to 64.
1.16. The target for stage 2 assessment to be completed within 5 working days is 100%. The completion time stands at 96% for 2021-2022. This is an increase from previous years, which were 93% for both 2019-2022 and 2020-2021.
1.17. Household Waste continues to receive the most complaints at both stage 1 and stage 2. The Waste Team provide a service that affects every household in the Borough, so it is expected that this service will receive more complaints than others by nature of its size alone.
1.18. To further understand the cause of household waste complaints, data in 2022-2023 is analysed by the type of waste (refuse, recycling, garden etc) and location in real time to enable a more proactive approach to be taken when responding to complaints. As a result, the Council is better placed to identify localised trends that are impacting waste collections.
1.19. Each year the Local Government Ombudsman (LGO) produces statistics for each local authority showing how many complaints it received, what they were about and how they were resolved. The report provides insight about how we approach complaints and the findings from the LGO. The 2021/22 annual letter from the LGO is enclosed in Appendix 2.
1.20. As a summary, the Council has had only six complaints that were fully investigated by the LGO; of these, we were required to take further action in four cases. This equates to 0.008810573% of our overall complaints from 2021-2022.
Data Incidents
1.21. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
1.22. All potential breaches are investigated by the Information Governance team and must be completed within 72 hours in case they need to be reported to the ICO. All breaches are signed off by the Data Protection Officer or Deputy Data Protection Officer and are reported to the Information Management Group, which meets quarterly.
1.23. The total number of data incidents reported in 2021-2022 was 29. Of these, 26 were found to be data breaches and 2 were found to have no risk as no data breach had occurred.
1.24. The Council has fostered a culture whereby employees actively report data breaches. This approach means that employees report data breaches as soon as they are aware, which in turn enables the Council to react quickly to mitigate the impact.
1.25. Most data breaches are caused by human error, with no intended malice, resulting in a loss of confidentiality. This is typically a result of post or e-mails being sent to the wrong person.
Data Subject Rights Requests
1.26. There are seven types of rights requests, including subject access requests and erasure requests. All requests must be processed by the Information Governance team as the request for information must be validated by identification of the individual requesting it.
1.27. The number of requests for each right is shown in the table below:
| Financial Year | Access | Erasure | Objection | Total |
|---|---|---|---|---|
| 2018-2019 | 20 | 0 | 0 | 20 |
| 2019-2020 | 12 | 0 | 0 | 12 |
| 2020-2021 | 34 | 0 | 0 | 34 |
| 2021-2022 | 39 | 1 | 1 | 41 |
| Total | 105 | 1 | 1 | 107 |
Information Sharing Requests
1.29. Information sharing requests are requests for personal data where there is a legal basis to request it. In the main these are processed via the Information Governance team though some information requests are processed within other teams.
1.30. Over the past two years there has been an increase from 234 to 317 in the number of requests received. The majority of requests are received from the police, followed by requests from insurance companies, predominantly for CCTV.
1.31. Information sharing training was being provided to departments in June 2022. The training was tailored to each department and covered real life scenarios to ensure that employees are compliant when sharing personal information while empowering departments to deal with partner organisations around data sharing.
Data Protection Action Plan
1.32. The Council has worked proactively to improve how we manage and hold personal data in line with the Data Protection Act. Whilst there have been additional burdens in terms of the work required to meet the Act, the actions taken have improved how the Council operates and how we manage and use personal data. Colleagues across the Council have been receptive to change and training to increase understanding and awareness of data protection and effective data management across the Council. The Action Plan provides an update on key changes and points of note, progress against the action plan and highlights the areas where further work is required. The Action Plan is enclosed at Appendix 3.
1.33. The Government has announced legislative changes to the UK, publishing the Data Protection and Digital Information Bill in July 2022. The Bill plans to reform the UK Data Protection regime following Brexit. The Bill can be accessed at https://bills.parliament.uk/bills/3322.
1.34. The ICO is increasingly using its powers to issue fines and one Notice of Intent under GDPR. Recent examples include:
· £4.4 Million GDPR Fine for Construction Company
· ICO Takes Action Against GDPR Subject Access Delays
· £1.35 Million GDPR Fine for Catalogue Retailer
· TikTok Faces a £27 Million GDPR Fine
Key Projects and Future activities in Information Governance
1.35. The next projects for the Information Governance Team are:
· Publishing information on the website to answer frequent FOI requests. For example, we frequently receive requests for information about council tax, temporary accommodation and CCTV. Responses to these requests will be added to the website to enable the public to easily find the information. This in turn will reduce the burden on departments needing to respond to FOI and EIR requests.
· Working with departments updating the data protection information on the website to address common queries and to review privacy notices to ensure the information reflects changes in data collection and its uses. Where possible we will work with Digital to implement on-demand privacy notices to highlight key information to customers at the point information is collected.
· Reviewing all current DPIAs to assess whether updates are needed.
· To combine police information requests from all aspects of the Council into one central location. This includes working with Kent Police to implement a revised process for sharing CCTV footage.
· Implement the actions identified from the CCTV review conducted in 2021. The review identified a number of actions that need to be taken to address risks in the governance arrangements surrounding CCTV. The key recommendations were:
o Security, Storage and Viewing – This is the most prevalent issue with common themes including password management and Data Processing Agreements in place which are not compliant.
o Reviews & Documentation – Varied retention periods, which need to be documented and justified. Support departments in assessing whether purpose is still lawful, justified, necessary and proportionate. All surveillance systems require DPIAs to be re-written to ensure compliance.
o Disclosing and Sharing – Implement a consistent process across all departments for disclosing footage.
o Training and Awareness - Provide tailored training to the Information Governance team, and any other relevant staff, on how data protection relates to surveillance systems.
3. AVAILABLE OPTIONS
3.1 To note the report.
4. PREFERRED OPTION AND REASONS FOR RECOMMENDATIONS
4.1 To note the report.
5. RISK
5.1 This report is presented for information only and has no risk management implications.
6. CONSULTATION RESULTS AND PREVIOUS COMMITTEE FEEDBACK
6.1 None
7. NEXT STEPS: COMMUNICATION AND IMPLEMENTATION OF THE DECISION
7.1 The next annual report will be provided for year 2022-2023.
8. REPORT APPENDICES
· Appendix 1: Information Governance Report – Annual Report 2021-2022
· Appendix 2: LGO Annual Letter 2021-2022
· Appendix 3: Data Protection Action Plan
9. BACKGROUND PAPERS
9.1 None