Action

Start Date

End Date

Responsible

Status

Update

Review processes around Data Protection Impact Assessments

Nov-18

Mar-19

Anna Collier

Completed

A new Data Protection Impact Assessment (DPIA) has been developed.  The form is now very comprehensive but also provides a lot of guidance (when viewed and completed electronically). 

                                                                                                                                                                                                                                         A new process has been implemented with the ICT service: requests for new systems or amendments to systems are immediately flagged by the ICT officers and escalated to the Data Protection Officer for review, those that which are collecting new personal data or a change in processing will need to complete a DPIA before ICT will progress the project.
                                                                                                                                         Data Protection is now covered as part of all reports to Corporate Leadership Team and Committees.  The reports are reviewed and signed off by the Data Protection Officer or Policy and Information Manager.

Review Record of Processing Activities

Mar-19

Aug-19

Anna Collier

Completed

A formal review of the ROPA has been completed.  Meetings have been held with managers across the Council to update the document where processes have changed or been introduced and to collect further information. The recommendations for changes in processes will be reviewed by the information management group in January and form part of a new monitoring plan.

Review Retention Schedules

Mar-19

Aug-19

Anna Collier

Underway, estimated completion date October 2020

As part of the ROPA review retention schedules are also being checked and updated.  Retention schedules not on the ROPA will be reviewed during 2020  

                                                                                                                               A project on email retention is also being undertaken. 

Review and update information Asset Register

Mar-19

Aug-19

Anna Collier

Not Started, completion date December 2020

A review of the Information Asset Register has been postponed due to staff capacity.  This will be undertaken in 2020.

Review Information Sharing

May-19

Jul-19

Anna Collier

Completed

A draft information sharing policy and supporting documentation including information checklist, agreement and guidance have been developed. These will agreed by the Information Management Board in January.

                                                                                                                                                                    Existing agreements outside of the Kent and Medway Sharing Agreement will be reviewed in accordance with the new policy when it signed off. Training will be given to staff on the new policy in the new year.

Review of training needs ensuring cultural change

Feb-19

 Sept- 19

Angela Woodhouse

Completed

Further training has been identified and undertaken by the DPO and the Policy and Information team to increase understanding in some specific DPA areas. Service specific training sessions have been given as well as training for new starters, in high risk service areas.  Further training is planned on information sharing in the new year. An ongoing review is now considered business as usual

Update Range of Guidance for Intranet

 May 19

 Jul-19

Anna Collier

Completed

A full range of guidance is available for staff on the intranet and will shortly be updated to include information on information sharing and email retention.  Guidance will constantly need to be updated to reflect ICO guidance and lessons learnt.  This has now moved to business as usual.

Ensure contracts and partners are GDPR compliant

ongoing

ongoing

Simon Logan Legal/Procurement teams

Completed

All contracts have been reviewed and amendments or agreements signed accordingly.  GDPR is now part of standard contract development.

Review and audit archive arrangements

Feb 19

May 19

Gary Hunter

Completed

Archive arrangements have been reviewed and our contract has been renewed.  Work is now underway reviewing internal storage arrangements.

CCTV Review

Aug 19

Nov 19

Anna Collier

Completed

A full review of CCTV arrangements has been undertaken, recommendations have been made and draft documents produced.  The information management group will be considering the recommendations in January, and these will form part of a new monitoring plan.

Model for monitoring implementation of changes to processing activities

Oct 19

 Nov 19

Anna Collier

Completed

A new monitoring plan will be introduced and held by the Policy and Information Team and overseen by the information management group.  This will hold actions and recommendations from reviews as well as any actions from high risk DPIAs for which the manager's will be accountable.