Agenda item

Data Protection Action Plan - Progress Update


The Policy and Information Manager introduced her report providing an update on the progress made against the Action Plan originally put in place in 2017 in preparation for the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.  The report also included an update on the Council’s preparations for data protection after the EU exit transition period; examples of the Information Commissioner’s Office (ICO) applying its powers; details of the ICO’s Accountability Framework; and a new Action Plan which had been developed incorporating areas outstanding from the old Action Plan and areas identified from an accountability self-assessment.  It was noted that:


·  The Council had received guidance from the Ministry of Housing, Communities and Local Government on preparing for data protection after the EU exit transition period ends.  Most of the work had been completed and no major risks had been identified.  There were a few areas where further work was required to ensure that systems are solely based in the UK, but these were not high risk and would be resolved by the end of the year.


·  Accountability was one of the key principles in data protection.  It required organisations to comply and be able to demonstrate compliance with the legislation.  The ICO had produced a framework including an “accountability tracker” to enable organisations to review their own arrangements and create plans to improve.  The framework had ten themes with a range of actions which an organisation complying with accountability and demonstrating best practice would evidence.  When completing the self-assessment, the organisation would rank itself as fully meeting, partially meeting, or not meeting expectations.


·  A self-assessment of Maidstone’s arrangements and compliance had been undertaken.  To summarise, most of the actions were in place or partially in place.  Those that were partially in place might need updating, formalising, or expanding to meet the ICO’s expectations.  The lowest scoring area focussed on privacy notices and information and how the Council informed people it was using their data.  The Council was fully or partially meeting most of the requirements and the rest were being addressed.  Overall, only 9% of the actions did not meet expectations.  None of these were high-risk areas, and all could be mitigated.  The only area which had limited mitigation was the ability of the organisation to deal with any increase in requests or reduction in staffing levels.  Over the next year, more members of the Policy and Information and Executive Support teams would receive training on some aspects of data protection to provide resilience, but resources were limited.


·  A new Action Plan had been developed incorporating areas outstanding from the old Action Plan and areas identified from the accountability self-assessment as not or partially meeting expectations.  It also included the remaining work to ensure compliance should the UK not receive adequacy status when the EU exit transition period ends.  Delivery of the Action Plan would be overseen by the Information Management Board.


In response to questions, the Policy and Information Manager advised the Committee that:


·  There were several pages on the Council’s website relating to data protection such as the Council’s Data Protection Policy and Privacy Notices.  This was necessary to comply with the legislation, but the website would be updated to include additional information such as risk assessments completed before new systems were implemented or changes in processes.


·  The Council was compliant with the legislation but there were things it could do to improve.  The ICO was fining organisations that did not recognise their accountability or take data protection issues seriously.  By having an Action Plan in place, regular reporting to the Committee and Member involvement in the Information Management Board, the Council could demonstrate that it was taking the issues seriously.  The Action Plan would be checked to ensure that it was up to date and forward looking.


·  The Record of Processing Activity (ROPA) was a requirement of the ICO.  The organisation was required to document very clearly what information it collects, the legal basis for collecting that information, how it ensures that the information is securely kept, and who has access to it, such as a third party.  Two reviews had been undertaken since the ROPA was introduced, and following the self-assessment it would be reviewed again to make sure that it is fully refined.


·  Although a lot of work was done in relation to procurement initially, there was not a lot of guidance from the ICO so some work was required to ensure that data protection is clearly embedded in the procurement process.


·  In terms of back office systems, some work was required to ensure that logs of system access are as well documented and controlled as within ICT for consistency across the Council.


·  Work had commenced on some of the actions but there were some concerns about delivering the Action Plan within the timeframes.  The team was multi-functional and might be called upon to provide support in other areas such as the Community Hub.  The timeframes were ambitious, and it might be necessary to review some of the dates if other priorities were identified.


·  For clarity, a review of the Council’s website would be undertaken with the Digital and Transformation team as it was recognised that people used the terms Data Protection Act and General Data Protection Regulation interchangeably.


RESOLVED:  That the report be noted.


Councillor Perry joined the meeting during consideration of this item (7.19 p.m.).  Councillor Perry said that he had no disclosures of interest or lobbying.  Councillor Garten who had been substituting for Councillor Perry until his arrival then left the meeting.

