To receive a presentation on the General Data Protection Regulations.

The Committee received a presentation on the General Data Protection Regulations.

During the discussion of this item the following points were made:

·           The General Data Protection Regulations (GDPR), an EU law, would replace the Data Protection Act 1998 and would be enforced from 25 May 2018.

·           There was a UK Data Protection Bill which was currently going through Parliament and the GDPR provisions would be absorbed into this.  However, it was not known when this Bill would come into effect.

·           Compliance would be evidence driven and fines for breaches could be up to €20million.  It was not yet known how the Information Commissioner’s Office (ICO) would fine although the ICO had indicated that fines would be proportionate.

·           The Customer Relations Officer informed the Committee that a Project Group had been established in August.  Subject matter experts in the different areas were providing support.

·           The GDPR would be enforced from 25 May 2018.  It was appreciated that the 21^st century council project would still be ongoing at that point.  It was important that a project plan and communications plan was in place at that time which outlined what items remained, which could be provided to the ICO if requested.

·           The Customer Relations Officer took the Committee through action that was required to ensure GDPR compliance.

·           Privacy Notices would be required so that the Council was transparent about how and why it collected data.  There would be some exceptions and exemptions.

·           Members were informed that the retention schedule was under review.  Councillor Patman questioned whether the Council currently held information which would need to be disposed of in order to comply with the GDPR.  The Customer Relations Officer commented that there was a number of boxes of documents which had passed their review date which would require disposal.  He went on to state that there were various different retention periods for different types of data.

·           There would be a Data Protection Officer, which would be a mandatory role with new legislatively set responsibilities.

·           Members were informed of work already completed and work still be done to ensure compliance. 

·           It was noted that the privacy impact assessment checklist was completed and being trialled. 

·           E learning for staff would be introduced in April , and regular communications issued on new and important parts of GDPR for staff.

·           The Information Asset Register would be a live document which needed to be monitored to ensure that it did not go out of date quickly.

·           The wording of contract clauses was being updated to ensure compliance.

·           Quality checking and publishing to the Council’s website would begin from 1st May.

·           Councillor Bray questioned how the Council could be assured that its suppliers were compliant with GDPR.  The Customer Relations Officer stated that the wording of tender documents would be updated to highlight the importance of compliance, and that the letter amendment would cover existing suppliers.

·           Councillor Bray went on to ask how the residents’ online accounts would be dealt with and was informed thatwith all data capture forms and the online accounts, there would be wording which would advise people to click a link for further information (Privacy Notice).  This would be easier to maintain.

·           Members asked how many breaches the Council had had in the past and were informed that there had been 2.  There were approximately 60 to 70 lesser incidents per year. 

·           The Committee felt that it would be useful to be updated on any breaches.

·           Councillor Bray asked what would happen if personal information was sent to the wrong person which was then not retrieved.  The Customer Relations Officer commented that it would be dependent on the type, sensitivity and confidentiality of the information and who it  had been sent to.  Incidents and breaches needed to be investigated on a case by case basis.

·           Councillor Clark asked how the schools were preparing to comply for GDPR.  She was advised that the schools, as were the Council owned companies, were separate entities and were responsible for their own compliance.  An officer from People Services was supporting the schools in this process.

·           Councillor Bray questioned whether Members would receive a briefing on the matter.  The Assistant Director, Governance, agreed to take this forward.

RESOLVED:  That the presentation on the General Data Protection Regulations be noted.