General Data Protection Regulation and Data Protection Act 2018

Presentation by the Head of Business Support.


Liann Stibbs, Access Manager, Information Governance Unit, gave a presentation on the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).  This legislation replaced and amended the previous legislation and prepared the Council for the digital age.  The legislation came into force on 25 May 2018.  Fines had increased: for example, if personal data was lost the fine could be £17.5m.  Fines for public authorities would be lower than this, but higher than the previous maximum of £500,000.  There was an onus on everyone to know what to do with data and, if data was lost, to be aware of what to do to mitigate the risks.


People’s rights had also increased.  They could request that their data be erased and that data processing be stopped.  If they disagreed with something, a review could be undertaken.  There was much more onus on the individual to own their data.  Emails had reduced in number since May, as people now had to opt in to receiving data in specific instances.  The Information Commissioner’s (IC) Office had issued guidance and assistance to ensure that organisations could respond if a data breach occurred.


There was a dedicated unit at the Council that monitored emails outside working hours should a breach occur.  A review of what had happened was undertaken, and advice was given on the necessary steps to mitigate against any further breach.  There was mandatory reporting to the IC’s office within 72 hours if a breach occurred.  There was a statutory position within the Council of Data Protection Officer (DPO), held by Tracy Thorley.  She would be aware of any serious breaches and was responsible for the Council’s Information Governance Strategy.


Transparency was key.  There were more requirements now for people to know what was happening to their data, and they had more control over what they consented should happen to their data.  A Member questioned the relevance of some data that had been held in regard to him by a motoring organisation.  He was advised that he could ask, through the IC’s office, why this data was being held.


In terms of getting ready for the review, the government had announced that they were going to write the GDPR, but there was a lack of sufficient information and guidance for local authorities, so interpretation of the legislation had been left to those working in the information governance field, supported by advice from the IC’s office.  The DPA had made changes in terms of adapting the GDPR for the UK, so reference was made to fraud, for example in respect of social services.  Children’s consent was set at 13 years, in line with UK case law rather than the European standard.  The terms GDPR and DPA were currently used interchangeably, but after Brexit there would just be the DPA 2018.


A gap analysis had been undertaken.  The Authority generally complied with the legislation, but some key areas were identified.  Project leads had been identified, beginning at senior manager level, to support the introduction of GDPR, along with operational managers who could assist the IGU and make changes.  The IGU worked closely with the Communications Team to get messages to staff in user-friendly language.  E-learning was created and rolled out to individuals, and there had been a campaign in the run-up to May whereby staff were offered help and assistance.  There were question and answer sessions with relevant partners, e.g. social care and human resources.  However, the ICO guidance was slow.  People have the right to request their personal information, and there must be a response within 30 days.  This deadline can be extended in complex cases, but there was no definition of “complex”.  The DPA had been written quickly; there was some duplication, and the IC’s office were looking to streamline this.  The gap analysis had been completed, but work with staff was ongoing.  The ICO do use case law, so it is ever-changing, and guidance is regularly updated.


In terms of ongoing work, staff training was mandatory and reports were regularly sent to managers on staff attendance.  The IGU was in the process of changing contracts, and efforts were made to ensure that contracts were compliant with the legislation.  The internal Fair Processing Notice and consent would be reviewed to ensure that they were compliant.  ICO guidance was awaited in regard to some key areas.


Members asked how much guidance the Council gave, for example to social workers, in terms of retaining information, bearing in mind the length of time that service users may have contact with the Council.  Secondly, Members asked what support the IGU gave to local parish councils and whether parish councils were required to have their own DPO.  Liann Stibbs responded that the Council uses retention schedules that give service users advice, e.g. adoption records are kept for 100 years, and records for children in care are kept for 75 years.  The National Archive was used as a guide on the time records should be retained, but this was adapted according to business needs.  Some records were kept for 6 years, but where someone had engaged with the service over a period of time, this time was extended.  Some cases are complex, and it could take longer than the statutory period of 30 days to retrieve this information.


The IGU still offered a service to Parish Councils.  Parish Councils did not require a DPO, but many Parish Councils were still choosing to receive a service from the IGU.


Members asked about the role of Members, acknowledging that Members had been offered training, and asked how many Members had taken up the training.  Members also asked how long information should be retained by Members who take on casework, and how long information retained for election purposes should be kept.


The Head of Law and Democracy responded that all Members had been offered training (e-learning or face-to-face) and that more training could be arranged if required.


The Scrutiny and Support Manager responded that 20 (out of 62) Members had not taken up the offer of training for Members.  A Member session had been run, with a mixed reception from Members, but a further session tailored to Members’ needs could be offered, and Members’ questions were welcomed.


Members acknowledged the need for training of all staff.  Managers received regular updates on those who had, or had not, taken up training.


The Chairman agreed to write to those Members who had not received training and request that they attend.  It was suggested that a tailor-made training session be set up for Members.


Finally, the Chairman emphasised the need to audit GDPR (and DPA) compliance to ensure that it was being implemented properly, and asked that this be considered for inclusion in the internal audit plan.


Note by Clerk: A link to the retention schedule is given below:


RESOLVED:

a) That the Chairman writes to all Members who have not taken up GDPR training, urging them to do so;

b) That feedback on the training provided be evaluated, and a decision taken on future training;

c) That consideration be given to auditing the implementation of GDPR (and the DPA) across the Council.
