
Agenda item

Data Protection Officer Annual Report

To receive the annual report on actions undertaken during the year and to consider the action plan, attached at Appendix 1 to the report, to further improve the Council’s GDPR arrangements.


13.1 Attention was drawn to the report of the Director: Corporate Resources, circulated at Pages No. 117-127, which provided an assessment of the Council’s general activity during 2022/23 to ensure broad compliance with the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR). Members were asked to consider the actions undertaken during the year and the action plan, attached at Appendix 1 to the report, to further improve the Council’s arrangements.

13.2 The Head of Service: Audit and Governance explained that significant work had been carried out since the introduction of GDPR and there was a continual process to ensure the Council remained broadly compliant. A key part of that was the Single Point of Contact (SPoC) which was fulfilled by the Information Governance Officer – as had been reported earlier in the meeting, this post had recently been recruited to and the successful candidate would be starting in September. In the interim, the role had been carried out by the Head of Service: Audit and Governance. It was vital to have assurance regarding data protection and a key aspect of that was the delivery of the GDPR action plan, attached at Appendix 1 to the report. In terms of the work undertaken during the year, a new Data Protection Policy had been considered by the Audit and Governance Committee in March, and had subsequently been approved by the Executive Committee, and would now be subject to annual review; a new system, built by the Business Transformation Team on the Liberty Create platform, had been developed to manage data requests which had resulted in efficiencies due to the high number of requests received; redaction software had been rolled out to appropriate Officers; an information governance structure chart had been produced as roles and responsibilities had changed significantly; and data protection training had been delivered to Members as part of the Induction Programme – it was noted there would be an ongoing requirement for online data protection training and Members would receive notification of this via a Member Update.

13.3 In terms of priorities moving forward, a data protection retention project plan was being developed to ensure that the Council was only retaining data which it needed and that it was secure – this would be a key task for the new Information Governance Officer. In addition, a watching brief would need to be kept on the Data Protection and Digital Bill which could have impacts in terms of the requirements the Council would need to meet going forward. Work was also planned around privacy notices to ensure ongoing compliance. It was noted that an internal Information Governance and Security Board met on a regular basis to oversee data protection and GDPR related activity which included monitoring delivery of the GDPR action plan and receiving updates on any data breaches. The Head of Service: Audit and Governance advised that Tewkesbury Borough Council had a no blame culture and there was a very good level of reporting data breaches as a result. All reported breaches had been low risk so nothing had been reported to the Information Commissioner; notwithstanding this, she reiterated the importance of ensuring the Council’s arrangements were continually reviewed.

13.4 It was

RESOLVED That the annual report on the Council’s arrangements for data protection and GDPR be NOTED.
