General Data Protection Regulations

Meeting: 07/02/2018 - Audit Committee (Item 47)

47 General Data Protection Regulations

To receive a presentation on the General Data Protection Regulations.

Minutes:

The Committee received a presentation on the General Data Protection Regulations.

During the discussion of this item the following points were made:

·           The General Data Protection Regulations (GDPR), an EU law, would replace the Data Protection Act 1998 and would be enforced from 25 May 2018.

·           There was a UK Data Protection Bill which was currently going through Parliament and the GDPR provisions would be absorbed into this.  However, it was not known when this Bill would come into effect.

·           Compliance would be evidence driven and fines for breaches could be up to 20 million.  It was not yet known how the Information Commissioner’s Office (ICO) would fine, although the ICO had indicated that fines would be proportionate.

·           The Customer Relations Officer informed the Committee that a Project Group had been established in August.  Subject matter experts in the different areas were providing support.

·           The GDPR would be enforced from 25 May 2018.  It was appreciated that the 21st century council project would still be ongoing at that point.  It was important that a project plan and communications plan were in place at that time which outlined what items remained, which could be provided to the ICO if requested.

·           The Customer Relations Officer took the Committee through action that was required to ensure GDPR compliance.

·           Privacy Notices would be required so that the Council was transparent about how and why it collected data.  There would be some exceptions and exemptions.

·           Members were informed that the retention schedule was under review.  Councillor Patman questioned whether the Council currently held information which would need to be disposed of in order to comply with the GDPR.  The Customer Relations Officer commented that there were a number of boxes of documents which had passed their review date which would require disposal.  He went on to state that there were various different retention periods for different types of data.

·           There would be a Data Protection Officer, which would be a mandatory role with new legislatively set responsibilities.

·           Members were informed of work already completed and work still to be done to ensure compliance.

·           It was noted that the privacy impact assessment checklist was completed and being trialled. 

·           E-learning for staff would be introduced in April, and regular communications issued on new and important parts of GDPR for staff.

·           The Information Asset Register would be a live document which needed to be monitored to ensure that it did not go out of date quickly.

·           The wording of contract clauses was being updated to ensure compliance.

·           Quality checking and publishing to the Council’s website would begin from 1st May.

·           Councillor Bray questioned how the Council could be assured that its suppliers were compliant with GDPR.  The Customer Relations Officer stated that the wording of tender documents would be updated to highlight the importance of compliance, and that the letter amendment would cover existing suppliers.

·           Councillor Bray went on to ask how the residents’ online accounts would be dealt with and was informed that with all  ...