Data Protection Act 2018 Action Plan update

Meeting: 16/11/2020 - Audit, Governance and Standards Committee (Item 147)

147 Data Protection Action Plan - Progress Update

Minutes:

The Policy and Information Manager introduced her report providing an update on the progress made against the Action Plan originally put in place in 2017 in preparation for the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.  The report also included an update on the Council’s preparations for data protection after the EU exit transition period; examples of the Information Commissioner’s Office (ICO) applying its powers; details of the ICO’s Accountability Framework; and a new Action Plan which had been developed incorporating areas outstanding from the old Action Plan and areas identified from an accountability self-assessment.  It was noted that:

·  The Council had received guidance from the Ministry of Housing, Communities and Local Government on preparing for data protection after the EU exit transition period ended.  Most of the work had been completed and no major risks had been identified.  There were a few areas where further work was required to ensure that systems were solely based in the UK, but these were not high risk and would be resolved by the end of the year.

·  Accountability was one of the key principles in data protection.  It required organisations to comply and be able to demonstrate compliance with the legislation.  The ICO had produced a framework including an “accountability tracker” to enable organisations to review their own arrangements and create plans to improve.  The framework had ten themes with a range of actions which an organisation complying with accountability and demonstrating best practice would evidence.  When completing the self-assessment, the organisation would rank itself as fully meeting, partially meeting, or not meeting expectations.

·  A self-assessment of Maidstone’s arrangements and compliance had been undertaken.  To summarise, most of the actions were in place or partially in place.  Those that were partially in place might need updating, formalising, or expanding to meet the ICO’s expectations.  The lowest scoring area focussed on privacy notices and information and how the Council informed people it was using their data.  The Council was fully or partially meeting most of the requirements and the rest were being addressed.  Overall, only 9% of the actions did not meet expectations.  None of these were high risk areas and they could be mitigated.  The only area which had limited mitigation was the ability of the organisation to deal with any increase in requests or reduction in staffing levels.  Over the next year, more members of the Policy and Information and Executive Support teams would receive training on some aspects of data protection to provide resilience, but resources were limited.

·  A new Action Plan had been developed incorporating areas outstanding from the old Action Plan and areas identified from the accountability self-assessment as not meeting or only partially meeting expectations.  It also included the remaining work to ensure compliance should the UK not receive adequacy status when the EU exit transition period ended.  Delivery of the Action Plan would be overseen by the Information Management Board.

In response to questions, the Policy and Information Manager advised the Committee that:

·  There were  ...