Agenda item


ANNUAL SIRO REPORT

To receive a report by the Chief Digital Officer and Interim Senior Information Risk Owner (copy enclosed) which details breaches of the Data Protection Act, Freedom of Information, Environmental Information and Data Protection requests received by the Council and information from schools.

 

Minutes:

The Head of Corporate Support Service: Performance, Digital & Assets, along with the Chief Digital Officer and Interim Senior Information Risk Owner (April 2022-Sept 2023), introduced the report to the Committee (previously circulated).

 

The report covered the period April 2022 to March 2023 and provided information on the Council’s information governance including data breaches of the Data Protection Act, Freedom of Information, Environmental Information and Data Protection requests received.

The report allowed the committee an oversight of information governance arrangements and performance.

 

Members heard there were 27 data incidents involving personal data, a decrease on last year (2021/22) when there were 35. Most of the data incidents were minor. It was felt that the new ways of working had become embedded with employees and that people were more mindful of the ways of working.

  

There were three incidents considered reportable to the Information Commissioner’s Office (ICO); all of the reports resulted in no further action against the Council. The underlying cause of the majority of issues was human error. New procedures for remote ‘checking’ were being explored, which would be especially useful in the context of increased home working by most office-based staff.

 

There was a total of 1,057 Freedom of Information and Environmental Information Regulation requests during the 12 months to 31st March 2022.

 

Higher levels of data protection requests were received during 2022/23 compared to 2021/22 (203 total); this was likely because Data Protection cases for Children’s Services were now routinely recorded centrally.

Internal reviews had taken place, 16 in total, 8 of which were all or partially upheld.

 

The Chair thanked the officers for the detailed report and for providing the right level of assurance for members of the Governance and Audit Committee.

Members suggested that annual reports such as this should be considered as an information item unless there were any concerns or issues that officers felt warranted member discussion. The report provided members with the level of assurance that they were happy with.

 

The Monitoring Officer stressed the importance of such annual reports being presented to Members for their attention. Members could always request further details or reports following an information item if they wished.

He informed Members that the authority was in receipt of thousands of pieces of correspondence annually. The authority took its responsibility seriously, with processes in place to resolve any breaches.

 

Data protection forms part of the mandatory training for all staff. It had to be reviewed every three years. There was also an information governance group, through which communication and awareness were fed. Officers had assurance that, in some of the high-risk areas, mitigations were in place to reduce the risk of breaches. Services with a higher risk of data breaches receive extra training. When a breach is recorded, the individual concerned is required to fully complete all data protection training.

 

Officers were monitoring the impact of homeworking and the number of breaches around flexible working. Members were keen to monitor the current working policies and whether they impacted on the number of breaches recorded.

Members asked if school staff were required to complete the data protection training and the additional 3-year refresher modules. The Head of Corporate Support Service: Performance, Digital & Strategic Assets informed members she would seek the answer and circulate it to members.

 

RESOLVED that the Governance and Audit Committee note the contents of the annual Senior Information Risk Owner report and in addition, future reports would be presented to the Committee for information.

 
