Agenda item

Preparation for the General Data Protection Regulation

At its meeting on 7 June 2017 the Executive Committee considered a report which sought to prepare the Council for the General Data Protection Legislation. The Committee RECOMMENDED TO COUNCIL that ongoing funding for the Business Administration Manager post be included in the base budget for 2018/19 and future years.

Minutes:

30.1           At its meeting on 7 June 2017, the Executive Committee had considered a report which detailed the preparations required for compliance with the General Data Protection Regulation that was due to be implemented on 25 May 2018. The Executive Committee had recommended to Council that ongoing funding for the Business Administration Manager post be included in the base budget for 2018/19 and future years.

30.2           The report which was considered by the Executive Committee had been circulated with the Agenda for the current meeting at Pages No. 17-30.

30.3           The recommendation was proposed by the Vice-Chair of the Executive Committee. He informed Members that the Regulation significantly increased the data protection obligations on the Council and its requirements were extensive and complex. He explained the risks associated with non-compliance, which included reputational and financial, the latter involving fines that could be as much as 20 million. Members were encouraged to support the recommendation to establish a Business Administration Manager’s post who would work with the Senior Information Risk Owner and the Data Controller and all teams to implement the requirements of the General Data Protection Regulation and maintain compliance post the implementation date of May 2018.

30.4           During the discussion which ensued, a Member questioned whether the Regulation was linked to the European Union (EU). In response, the Chief Executive explained that this was an EU Regulation but the United Kingdom (UK) government had already indicated that it intended to adopt the same standard, regardless of Britain’s exit from the EU, and this had been confirmed by the Information Commissioner’s Office. The Regulation had a serious impact on all organisations that stored, handled and received personal data and, as well as ensuring it was in compliance, the Council would need to help others to comply e.g. Parish Councils. Another Member questioned whether the Regulation would have an impact on individuals i.e. when Councillors kept personal data on their files. In response, the Chief Executive advised that if information was held by individuals the legislation did not apply; however, as Councillors, they may have the information for one of three reasons: in their role as a Councillor; for Ward purposes; or for personal information. When handling the Council’s data they were covered by the Council as a whole and therefore there was a duty to manage it properly. The Ward information was a Councillor’s own personal responsibility and he encouraged Members to register themselves with the Information Commissioner’s Office as a Ward Councillor. In order to ensure Councillors were kept fully apprised of the legislation as it developed, seminars would be provided in due course. The purpose of the recommendation today was to gain the financial support for the new post.

30.5           A Member noted that the job description for the new Business Administration Manager post indicated that there would be a large impact on the Council and she felt this would also apply to Parish and Town Councils; she questioned whether the new post would be available for the Borough Council to ‘sell’ to Parishes. In response, the Chief Executive advised that the role would be quite busy looking after the Council’s own business and it should be remembered that all organisations were responsible for their own data. The first thing was to ensure everyone was aware the new Regulations were coming as the fines for breaches would be very high and this was a priority for the Information Commissioner. The Council’s priority was to protect the data it received and ensure it had the correct policies in place to deal with it. In terms of the action plan, he advised that it was based on the actions that the Information Commissioner had stated needed to be put into place. The Information Commissioner had a very good website which gave a lot of information including a video which explained the new legislation; the Chief Executive undertook to circulate a link to the website to all Members.

30.6           In response to a query regarding the difference between paper and electronic files, the Chief Executive advised that personal data was still personal data in whichever format it was held. It was possible to hold information for legitimate reasons but the data controller must know what was held and why and ensure that it was not held for longer than it was needed. Essentially there were four reasons why personal data could be kept: with consent; by reason of contract; statutory requirement to hold information in law; and for a task of a public nature. The Council’s policies needed to ensure the information was managed correctly, was not dealt with inappropriately and was deleted when it was no longer needed. The Council must be compliant by May 2018 and this was an extremely detailed piece of work which needed a lot of resources. A Member was concerned about the Council-owned equipment and how she would remove data and, in response, the Chief Executive indicated that the data was the important thing rather than the equipment it was stored on. He felt sure Members would be able to delete the information that they had stored on such equipment but this would be considered as part of the policy development. Cloud storage was very important and storage in Europe would have to comply with the same Regulations. America did not comply with the same standards so organisations would have to be mindful of this when purchasing cloud storage; this was not something which was of concern to Tewkesbury Borough Council as its cloud-based storage was held in Europe.

30.7           Having considered the information provided, it was

                  RESOLVED          That ongoing funding for the Business Administration Manager post be included in the base budget for 2018/19 and future years.
