Agenda item
DATA PROTECTION ACT
To consider a report by the Head of Business Improvement and Modernisation (copy enclosed) which details breaches of the data protection act by the Council that have been subject to investigation by the Senior Information Risk Officer.
Minutes:
A report by the Head of Business, Improvement and
Modernisation (HBIM) had been circulated previously.
The HBIM introduced
the report which covered the period from April, 2013 to March, 2014 and
detailed breaches of the Data Protection Act by the Council which had been
subject to investigation by the Senior Information Risk Officer (SIRO). It also
covered complaints about the Council relating to Freedom of Information
legislation which had been referred to the Information Commissioner, and
provided some information about the Access to Information requests made to the
Council. The Council’s Data Protection
Policy required an annual report on progress to the Corporate Governance
Committee to allow Member oversight of the process.
Deficits in the
information management system had been a risk for several years and a new
approach had been introduced, including the appointment of a Corporate
Information Manager and the review of key policies, particularly relating to
Data Protection and Access to Information. Following the reviews, the Corporate
Information Manager had published a strategic approach to information
management in Denbighshire and would report on progress to the Committee on a
regular basis.
The HBIM explained
that developments had reduced the risks to the Council and the risk score on
the Corporate Risk Register had now been reduced. Key to the improvements had been the
development of improved training, greater clarity in the use of systems, and
rigour in reporting and managing information.
Alongside the Data Protection Officer, the Senior Information Risk Owner
(SIRO) had an explicit responsibility to ensure that information held by the
Council was managed safely, effectively and in accordance with the
legislation. The systems designed to
ensure that the roles were carried out successfully were dependant on
transparency and openness, and it was especially important that Members had an
oversight of the process.
The report formed
part of the commitments made in the Council’s Data Protection and Access to
Information policies. The appendices
detailed some of the key actions over the year to 31st March 2014,
focusing on the Data Protection breaches reported to the SIRO (Appendix
A). Other information had been included
to inform Members: a list of complaints made to the Information Commissioners
Office (ICO) about the Council, and the outcome (Appendix B); statistics
relating to the receipt of Access to information requests (Appendix C) and a
table setting out the disputes handled by the Access to Information Panel and
the outcomes (Appendix D).
There had been no
major breach of the Data Protection Act by the Council, although some had been
considered to be sufficiently serious to report them to the ICO. A common feature had been the poor addressing
of letters, so that personal information goes to an unintended recipient. Training and improved checking procedures
could help reduce this sort of error, and ultimately, the increasing use of automatic
systems would reduce this further. The
Council had so far avoided the significant losses of personal information which
had befallen many organisations, often incurring significant civil
penalties. However, it was the person
whose data had been lost or incorrectly disclosed who had suffered the greater
hardship. As awareness amongst staff
increased and the systems for managing information gradually improved breaches
would become more uncommon.
Details of the
volume of access to information requests received by the Council had been included
in the report. Details of the five most
frequent areas of inquiry over the last few months had been included in the
report, and Appendix D set out the source of Access to Information requests to
the Council by requestor type.
In some instances
decisions regarding access to information were challenged by the requestor or
there was no agreement internally about whether information held by the Council
should be released or not. These cases
were reviewed by a Panel; Chaired by the HLDS, and a list of the cases reviewed
along with the outcomes had been included in Appendix E.
Mr P. Whitham explained that he was disappointed that issues
raised at Access to Information Training in February, such as the management
and proactive prevention and reduction of requests received, had not been
reflected in the report. The HBIM
explained that the report related to activity and avoided the duplication of
work undertaken by the Corporate Information Manager, who would be
presenting a report to the Committee which would address the issues
raised. He provided confirmation that
the publication scheme and disclosure log were being progressed. The
HLDS outlined the need to ascertain the volume and nature of information which
could be made publicly available to respond openly and transparently to
requests received from the public.
The HLDS responded
to concerns raised and provided details of the Welsh translation service
provided by Conwy County Borough Council.
RESOLVED – that Corporate Governance Committee
receives and notes the contents of the report.
Supporting documents: