Agenda item
ANNUAL SIRO REPORT
To consider a report by the Head of Business Improvement and Modernisation (copy enclosed) which details breaches of the Data Protection Act and complaints relating to Freedom of Information legislation.
Minutes:
A report by the Head of Business Improvement and Modernisation (HBIM) had been circulated previously.
The HBIM introduced the report which covered the period April, 2015 to March, 2016 and detailed breaches of the Data Protection Act by the Council which had been subject to investigation by the Senior Information Risk Officer (SIRO). It also covered complaints about the Council relating to Freedom of Information legislation which had been referred to the Office of the Information Commissioner (ICO), and provided information about the Access to Information/FOI requests made to the Council. The Council’s Data Protection Policy required an annual report on progress to the Corporate Governance Committee.
The Data Protection Officer (DPO) and Senior Information Risk Owner (SIRO) had a responsibility to ensure that information held by the Council was managed safely, effectively and in accordance with the legislation. Details of the process were provided.
There had been no significant breaches of the Data Protection Act in the Council during the 2015/16 year. There had been five instances where personal data had been lost or compromised and these had been investigated by the SIRO. None had been deemed serious enough to warrant reporting to the ICO and details of the breaches had been provided.
As a consequence of one of the outcomes of the SIRO investigations there had been an increased focus on the systems and processes in the teams where these breaches had occurred. Workshop sessions had been held with the admin support teams in Children’s Services and in Education to explore how their processes could be reviewed, and to ensure that the information they held was kept up to date by other professional groups. Details of the practical initiatives which had been introduced had been included in the report.
The new General Data Protection Regulations (GDPR) were expected to be published in July, 2016. There would be a 2 year transition period before they became enforceable in 2018, when they would replace the current Data Protection Act 1998. The GDPR would include some new requirements which would require Data Controllers to consider and have the right people, processes and procedures in place ready for 2018.
Details of the new requirements had been included in the report, together with an outline of the WASPI agreement (Wales Accord on Sharing Personal Information). The new Regulations would place greater emphasis on organisations demonstrating the legal basis for sharing information in future, which should be achievable within the current WASPI arrangements.
A summary of Freedom of Information (FOI) and Environmental Information Regulation (EIR) requests had been incorporated in the report. Table 1 provided details of the number of completed requests for 2015/16 and 2014/15. The FOI and EIR requests were concentrated on specific areas and were predominantly business related or from individuals. Particulars pertaining to the most frequent requesters over the last 12 months had been incorporated in a table in the report.
Details of Applicant Types for 2015/16 had been included in Table 2. In some cases decisions regarding access to information were challenged by the requestor, or there was disagreement internally about whether information held by the Council should be released or not. These cases were reviewed by a Panel chaired by the HLHRDS, and Appendix A provided a list of the cases reviewed.
In the 2015/16 period, no complaints about the Council under the FOI Act were investigated by the Information Commissioner’s Office. In response to last year’s complaints, procedures were improved so that complex cases were recognised early in the process and timely responses were provided, and it appeared that this action had improved the Council’s performance. The officers confirmed that managing FOI/EIR and DP requests continued to present a resource cost to the Council. In addition, considerable work was delivered within Services by the IMOs, who provided the detailed answers for each question.
In response to questions from Members, the HBIM outlined the procedures in place to deal with repetitive requests and vexatious complaints which could be resource intensive and costly to the Authority. He also highlighted the difficulties encountered when addressing such issues.
Mr P. Whitham referred to the number of FOI requests received and questioned whether members of the public were utilising the FOI Act to access information which was already available via alternative sources such as the internet. The officers confirmed that in such instances the person submitting the request would be directed to the relevant information.
RESOLVED – that the Corporate Governance Committee receive and note the contents of the report.
(AS to Action)