Agenda item

ANNUAL SIRO REPORT

To consider a report by the Head of Business Improvement and Modernisation (copy enclosed) which details breaches of the Data Protection Act and complaints relating to Freedom of Information legislation.

Minutes:

A report by the Head of Business Improvement and Modernisation (HBIM) had been circulated previously.

The HBIM introduced the report which covered the period April, 2015 to March, 2016 and detailed breaches of the Data Protection Act by the Council which had been subject to investigation by the Senior Information Risk Officer (SIRO).  It also covered complaints about the Council relating to Freedom of Information legislation which had been referred to the Office of the Information Commissioner (ICO), and provided information about the Access to Information/FOI requests made to the Council.  The Council’s Data Protection Policy required an annual report on progress to the Corporate Governance Committee.

The Data Protection Officer (DPO) and Senior Information Risk Owner (SIRO) had a responsibility to ensure that information held by the Council was managed safely, effectively and in accordance with the legislation.  Details of the process were provided.

There had been no significant breaches of the Data Protection Act in the Council during the 2015/16 year.  There had been five instances where personal data had been lost or compromised and these had been investigated by the SIRO.  None had been deemed serious enough to warrant reporting to the ICO and details of the breaches had been provided.

As a consequence of one of the outcomes of the SIRO investigations there had been an increased focus on the systems and processes in the teams where these breaches had occurred.  Workshop sessions had been held with the admin support teams in Children’s Services and in Education to explore how their processes could be reviewed, and to ensure that the information they held was kept up to date by other professional groups.  Details of the practical initiatives which had been introduced had been included in the report.

The new General Data Protection Regulations (GDPR) were expected to be published in July, 2016.  There would be a 2 year transition period before they became enforceable in 2018, when they would replace the current Data Protection Act 1998.  The GDPR would include some new requirements which would oblige Data Controllers to consider, and have in place, the right people, processes and procedures ready for 2018.  Details of the new requirements had been included in the report, together with an outline of the WASPI agreement (Wales Accord on Sharing Personal Information).  The new Regulations would place greater emphasis on organisations demonstrating the legal basis for sharing information in future, which should be achievable within the current WASPI arrangements.

A summary of Freedom of Information (FOI) and Environmental Information Regulation (EIR) requests had been incorporated in the report.  Table 1 provided details of the number of completed requests for 2015/16 and 2014/15.  The FOI and EIR requests were concentrated on specific areas and were predominantly business related or from individuals.  Particulars pertaining to the most frequent requesters over the last 12 months had been incorporated in a table in the report.

Details of Applicant Types for 2015/16 had been included in Table 2.  In some cases decisions regarding access to information were challenged by the requestor, or there was disagreement internally about whether information held by the Council should be released or not.  These cases were reviewed by a Panel chaired by the HLHRDS, and Appendix A provided a list of the cases reviewed.

In the 2015/16 period, no complaints about the Council under the FOI Act were investigated by the Information Commissioner’s Office.  In response to last year’s complaints, procedures were improved to ensure that complex cases were recognised early in the process to ensure timely responses were provided, and it appeared that this action had improved the Council’s performance.  The officers confirmed that managing FOI/EIR and DP requests continued to present a resource cost to the Council.  In addition, considerable work was delivered within Services by the IMOs, who provided the detailed answers for each question.

In response to questions from Members, the HBIM outlined the procedures in place to deal with repetitive requests and vexatious complaints which could be resource intensive and costly to the Authority.  He also highlighted the difficulties encountered when addressing such issues.

Mr P. Whitham referred to the number of FOI requests received and questioned whether members of the public were utilising the FOI Act to access information which was already available via alternative sources such as the internet.  The officers confirmed that in such instances the person submitting the request would be directed to the relevant information.

RESOLVED – that the Corporate Governance Committee receive and note the contents of the report.

      (AS to Action)