Agenda item

Annual Report - Information Governance

Report of the Strategic Director, Corporate Services and Governance

Minutes:

The Committee received a report to provide an overview of Information Governance arrangements within the Council.  Due to the focus of the Committee’s business during the pandemic it is 4 years since the Committee was last presented with a report.

 

In 2019 the Officer with long-term responsibility for Information Governance left the organisation, which led to an unsettled period with a temporary Data Protection Officer in post.  Two internal audit reports were undertaken during 2019/20, one in respect of Information Governance and one regarding Data Protection.  The outcome was satisfactory; however, due to the limited resources available at that time the recommendations were not fully implemented (there were no high priority recommendations).

 

In April 2020, Angela Simmons-Mather was appointed as Data Protection Officer for the Council and she undertook a review of the organisation’s ability to meet data protection obligations and the management of Information Governance generally.  Weakness was identified, particularly the lack of a dedicated team dealing with Information Governance matters.

 

A further audit of Information Governance took place and confirmed there were areas which needed improvement, finding there were significant weaknesses overall in Information Governance.  To ensure priority could be given to the recommendations, resources were realigned to create the DPO Team in April 2021, dedicated to ensuring the Council is able to meet its Information Governance obligations.

 

The largest undertaking has been the creation of the Information Asset Register (IAR)/Record of Processing Activity (RoPA).  This was a high priority from the 2021 Internal Audit.  It has been undertaken in two phases across every team in the Council.  The project was started in May 2022 and is still to be completed.  As it has involved every team in the Council this has led to approximately 126 IARs and 126 RoPAs being required.  The team has reviewed and provided feedback on each.  There are approximately 14 outstanding RoPAs before the project can be brought to an end.

 

A further recommendation of the internal audit was for the Information Rights Working Group to be convened.  The group has been re-named the Corporate Data Protection Group and the first meeting took place on 1 February 2023.  The attendees are representatives of each service across the Council.  They will be tasked with a project at each meeting to make sure the Council is meeting its data protection obligations.

 

The team will next carry out a review of each team’s retention period, the final recommendation of the internal audit to be undertaken.  This will be a resource intensive piece of work as each team will need to consider each information asset they hold and how long they need to keep that information.  It is intended that there will be an annual rolling programme of work to ensure documents, policies and procedures are regularly reviewed and updated.  

 

The Committee was also informed of the procedure for Freedom of Information.  The procedure has three stages.

 

When a request is submitted the procedure is to provide the information sought within the statutory timescale of 20 working days, unless there is an exemption to the disclosure as set out in the Freedom of Information Act 2000.  The Council uses an electronic tracking system where requests are logged.  The second stage requires the Council to have an internal review process so that if a requester is dissatisfied they have an avenue of complaint, which is separate from the corporate complaints procedure.  The review stage involves the requester writing to request an independent review of the matter within 40 working days of receiving their initial response.  The internal review will ordinarily be undertaken by the Strategic Director of Legal and Corporate Services with a formal response provided to the requester within 20 working days.  The third stage gives the requester a right of appeal to the Information Commissioner if he/she is still dissatisfied following the internal review.

 

A number of the data breaches which have been recorded have been basic human error: not using the blind copy function when sending an email, documents attached to the back of a letter not intended for the recipient, and some missing forms containing financial information.

 

All staff are required to undertake annual data protection training which is provided by the Learning Hub.

 

It was queried whether FOI requests were in line with the rest of Tyne and Wear; it was noted this information was requested but we didn’t get a good response from neighbouring authorities.  We do have a Regional DPOs’ meeting and anecdotally it would seem we are not an outlier.

 

RESOLVED -

(i) that the information contained within the report be noted.

(ii) that the Committee is satisfied that the Freedom of Information and data breach procedures are operating satisfactorily.

 

 

 

   

   
