Agenda item

Data Protection Officer Annual Report

To receive the annual report on the actions undertaken during the year and to consider the action plan, attached at Appendix 1, to further improve the Council’s General Data Protection Regulation (GDPR) arrangements. 

Minutes:

40.1          The report of the Head of Corporate Services, circulated at Pages No. 110-120, provided Members with an annual report on the actions undertaken during the year to ensure broad compliance with the General Data Protection Regulation (GDPR).  Members were asked to consider the report and the action plan, attached at Appendix 1.

40.2          Members were informed that the Internal Audit and GDPR Officer was responsible for overseeing compliance with the GDPR framework.  Page No. 112, Paragraph 2.1 of the report gave a summary of the key actions that had been undertaken during the year which included a lot of work around staff communications, particularly in terms of preventing and reporting data breaches - it was noted there had been 20 recorded breaches during the year of which 19 were categorised as low risk and one as medium risk.  In addition, an e-learning platform had been rolled out to staff and would be extended to Members in the New Year and staff had received training on the importance of retention and redaction of information.  A lot of support had been required for new and emerging projects that needed a Data Protection Impact Assessment, for example, COVID-19 grant support schemes, digital recruitment, High Street Heritage Action Zone, HR self-service, Land Registry migration, new digital platform and paperless billing.  The Business Transformation team had developed a management system for logging and responding to data requests, including Subject Access Requests which allowed residents to request a copy of the personal information the Council held about them and check that it was being lawfully processed – data requests had been increasing in number with 64 received over the last year.  Page No. 113, Paragraph 3.1 of the report outlined the key actions moving forward which would be supporting the implementation of the new website project; implementation of an information classification project; undertaking a review of key policies such as the overarching Data Protection Policy and providing support to ICT related policies e.g. cyber security; and, for the internal audit team to assess whether lessons learnt with regard to breaches were implemented and test that data was being retained in accordance with the corporate retention policy. 

40.3          The Borough Solicitor explained that ensuring compliance with data protection requirements was a continuous process and having a single point of contact through the Internal Audit and GDPR Officer had been invaluable in securing and monitoring the Council’s development and compliance.  Tewkesbury Borough Council’s record of breaches was low and none had been categorised as high risk but it was important to ensure that the arrangements were kept under review and that the action plan was delivered in order to ensure continued compliance.  In her view the action plan was robust and she was confident that the Council was doing the very best it could.

40.4          A Member recognised the importance of complying with GDPR; however, it could be quite a hindrance and she noted that Page No. 116 of the action plan included an initiative to introduce time limits on inboxes – she asked whether this would also apply to Members as this could be a problem in terms of case work which took a long time to resolve.  In response, the Borough Solicitor indicated that it was a careful balancing act between retaining data in order to give the best responses possible whilst also protecting people’s data.  It may seem counterintuitive to delete emails which may be needed in the future but preventing a potential data breach far outweighed the inconvenience of having to request that information again as and when it was needed.

40.5          It was

RESOLVED           That the annual report on the actions undertaken during the year to ensure broad compliance with the General Data Protection Regulation, and the action plan attached at Appendix 1 to the report to further improve the Council’s arrangements, be NOTED.
