Agenda item

To consider a report by the Head of Business Improvement and Modernisation (copy enclosed) which details breaches of the data protection act by the Council that have been subject to investigation by the Senior Information Risk Officer.

A report by the Head of Business, Improvement and Modernisation (HBIM) had been circulated previously.

The HBIM introduced the report which covered the period from April, 2013 to March, 2014 and detailed breaches of the Data Protection Act by the Council which had been subject to investigation by the Senior Information Risk Officer (SIRO). It also covered complaints about the Council relating to Freedom of Information legislation which had been referred to the Information Commissioner, and provided some information about the Access to Information requests made to the Council.  The Council’s Data Protection Policy required an annual report on progress to the Corporate Governance Committee to allow Member oversight of the process.

Deficits in the information management system had been a risk for several years and a new approach had been introduced, including the appointment of a Corporate Information Manager and the review of key policies, particularly relating to Data Protection and Access to Information. Following the reviews, the Corporate Information Manager had published a strategic approach to information management in Denbighshire and would report on progress to the Committee on a regular basis.

The HBIM explained that developments had reduced the risks to the Council and the risk score on the Corporate Risk Register had now been reduced.  Key to the improvements had been the development of improved training, greater clarity in the use of systems, and rigour in reporting and managing information.  Alongside the Data Protection Officer, the Senior Information Risk Owner (SIRO) had an explicit responsibility to ensure that information held by the Council was managed safely, effectively and in accordance with the legislation.  The systems designed to ensure that the roles were carried out successfully were dependant on transparency and openness, and it was especially important that Members had an oversight of the process.

The report formed part of the commitments made in the Council’s Data Protection and Access to Information policies.  The appendices detailed some of the key actions over the year to 31^st March 2014, focusing on the Data Protection breaches reported to the SIRO (Appendix A).  Other information had been included to inform Members: a list of complaints made to the Information Commissioners Office (ICO) about the Council, and the outcome (Appendix B); statistics relating to the receipt of Access to information requests (Appendix C) and a table setting out the disputes handled by the Access to Information Panel and the outcomes (Appendix D).

There had been no major breach of the Data Protection Act by the Council, although some had been considered to be sufficiently serious to report them to the ICO.  A common feature had been the poor addressing of letters, so that personal information goes to an unintended recipient.  Training and improved checking procedures could help reduce this sort of error, and ultimately, the increasing use of automatic systems would reduce this further.  The Council had so far avoided the significant losses of personal information which had befallen many organisations, often incurring significant civil penalties.  However, it was the person whose data had been lost or incorrectly disclosed who had suffered the greater hardship.  As awareness amongst staff increased and the systems for managing information gradually improved breaches would become more uncommon.

Details of the volume of access to information requests received by the Council had been included in the report.  Details of the five most frequent areas of inquiry over the last few months had been included in the report, and Appendix D set out the source of Access to Information requests to the Council by requestor type.

In some instances decisions regarding access to information were challenged by the requestor or there was no agreement internally about whether information held by the Council should be released or not.  These cases were reviewed by a Panel; Chaired by the HLDS, and a list of the cases reviewed along with the outcomes had been included in Appendix E.

Mr P. Whitham explained that he was disappointed that issues raised at Access to Information Training in February, such as the management and proactive prevention and reduction of requests received, had not been reflected in the report.  The HBIM explained that the report related to activity and avoided the duplication of work undertaken by the Corporate Information Manager, who would be presenting a report to the Committee which would address the issues raised.  He provided confirmation that the publication scheme and disclosure log were being progressed.  The HLDS outlined the need to ascertain the volume and nature of information which could be made publicly available to respond openly and transparently to requests received from the public.

The HLDS responded to concerns raised and provided details of the Welsh translation service provided by Conwy County Borough Council.

RESOLVED – that Corporate Governance Committee receives and notes the contents of the report.