Agenda item

Data Protection Policy

To recommend to the Executive Committee that the Data Protection Policy be approved. 

Minutes:

17.1 Attention was drawn to the report of the Head of Corporate Services, circulated at Pages No. 206-223, which attached, at Appendix 1, a draft Data Protection Policy describing the Council’s arrangements for compliance with the General Data Protection Regulation (GDPR). Members were asked to recommend to the Executive Committee that the Data Protection Policy be approved.

17.2 The Head of Corporate Services advised that anyone processing personal data must comply with six principles of good practice, i.e. that personal data must be: processed lawfully, fairly and in a transparent manner; only obtained for specified, explicit and legitimate purposes; adequate, relevant and not excessive; accurate and kept up-to-date; not kept for longer than necessary; and processed in a secure manner. Page No. 208, Paragraph 3 of the report, set out the roles and responsibilities that had been established to oversee compliance, which included appointment of a Senior Information Risk Owner (SIRO) - to ensure that information was appropriately managed and to take responsibility for the whole information governance framework and the risks associated with it - and a Data Protection Officer - to undertake the statutory role by monitoring compliance and providing training advice and assistance to the SIRO. A summary of the key roles of the Data Controller, Data Protection Officer and the Information Commissioner was set out at Appendix 2 to the report. The Council’s Data Protection Policy had been revised to take account of the changes and this was attached at Appendix 1 to the report.

17.3 A Member questioned whether Members’ roles and responsibilities were outlined in the policy and was advised that this was covered at Page No. 218. A Member indicated that he was also a Gloucestershire County Councillor and a footer had been produced for Members of that authority to use on emails to explain what they did with personal data, for example, how long it was retained. The Borough Solicitor explained that a template footer was currently being developed which Tewkesbury Borough Councillors may choose to use along with a template for a privacy page which could be made available on the Council’s website alongside the existing information about each Councillor. Notwithstanding this, it was important to recognise that Members had a responsibility to protect themselves and, whilst these templates would be available to use, each individual Member would need to decide for themselves how long they wished to retain data.

17.4 A Member indicated that her biggest concern was residents contacting Members with questions as it was very rare that the Member could answer outright and therefore the information needed to be shared. The Borough Solicitor felt that this needed to be addressed in the privacy pages but her general advice would be that, if the query was being passed on to anyone other than an Officer of the Council, it would be necessary to go back to the person to ask for permission; this included passing the query on to other Members. Whilst it was reasonable to expect that Members would not be able to answer a query without reference to an Officer, it was not reasonable to expect that it would be passed to another agency or another Member. Another Member raised concern about retention of personal data, particularly electronic data and how to ensure that it was actually deleted from a computer. The Borough Solicitor stressed that actions to protect data had to be reasonable so if Members permanently deleted emails etc. they should no longer be able to access them and this would be deemed to be reasonable. The Head of Corporate Services reiterated that the Internal Audit Plan included more work on GDPR to ensure that the Council remained compliant.

17.5 Having considered the information provided, it was

RESOLVED That it be RECOMMENDED TO THE EXECUTIVE COMMITTEE that the Data Protection Policy be APPROVED.
