Report of the Strategic Director, Corporate Services and Governance
The Committee received it’s third annual report regarding the Council’s Information Governance Framework. It aims to provide the Committee with the legislative context within which the Council manages a range of sensitive information and personal data, compliance with relevant guidance and good practice and the Council’s performance in this area over the last twelve months.
Public trust in the way public services handle and share data is increasingly important, particularly in the context of greater digital storage and transfer of information. Success in this area depends on many factors, but effective and secure exchange and management of information is vital for good service delivery. The public and regulatory bodies must have confidence in the way that any data we hold is treated, taking privacy and confidentiality into account and that it is kept safe from misuse.
With the approval of the new General Data Protection Regulation (GDPR), which had been ratified by the European Parliament and comes into effect in the UK on 25 May 2018, there is a move away from seeing the law as a box ticking exercise and instead work on a framework that can be used to build a culture of privacy that pervades an entire organisation.
The Council formed an information rights working group in March 2017 to start preparing for GDPR implementation. A lot of work had been done so far:
· All information assets are being captured in information asset registers
· Privacy notices have been prepared for children’s services, schools, elections, councillors and staff. Templates are being prepared to roll out to the rest of the Council
· Web pages are being updated to include contact details of the Data Protection Officer which is a new statutory role which public sector organisations will be required to have
· Information asset registers also contain the legal basis for processing and the retention periods
· Consent forms are being revised to be GDPR compliant
· Data collection forms and systems are being re-engineered to comply with data minimisation and privacy by design
· All data controller/processor agreements are being reviewed
· Forms and procedures have been devised for privacy impact assessments
· All schools have received training
· Training for governors is scheduled in March
· A members seminar is scheduled for March
· Staff in Procurement, ICT, Web Design and Legal have been training
· Roll out of training to all remaining employees starts in February
· Data sharing and handling agreements are being drafted for all of our trading companies, including GHC
The report included information on data breaches. These are reported by an inbox which internal audit access and can investigate in relation to serious breaches. In 2017 there have been 7 reported breaches. In these cases human error has been identified as the reason for the breach. Further training has been given to the staff involved. There have been no complaints made to the Information Commissioner.
The Committee were advised that this is the second report in relation to the Council’s use of RIPA (Regulation of Investigatory Powers Act 2000). It was recommended in the new codes of conduct produced by the Office of the Surveillance Commissioner at the end of last year, that Councils should report their use of RIPA to elected members at least annually.
There are two types of covert surveillance that the Council can use
· Directed surveillance – this involves, observing, following or watching the subject of the surveillance
· CHIS – this involves using volunteer adults or children to attempt to make test purchases
Typically this council uses RIPA in relation to benefit or council tax fraud when information is received that a claimant has someone living with them or is working and claiming benefits. Surveillance will be used to watch the property to see if there is any evidence or another person living there.
The Council uses CHIS (normally members of staff or child volunteers), when it receives information that, for example, a householder is selling illegal tobacco or a shop is selling age restricted products such as alcohol, cigarettes or fireworks to underage children.
Gateshead Council uses it power under RIPA which it is appropriate to do so
· In 2017 the powers were used four times – three for counterfeit goods being sold via Facebook and one for the sale of animals on facebook without a licence. An application was made to use RIPA in relation to sale of cigarettes to underage children but the district judge refused to authorise the surveillance.
· In 2016 the powers were used twice – both for illegal tobacco sales.
· In 2015 the powers were used five times – on four occasions for illegal tobacco sales and once for counterfeit goods
· In 2014 the powers were used four times – on two occasions for counterfeit goods, once for benefit fraud and once for illegal tobacco
· In 2013 the powers were used 5 times – on four occasions for illegal tobacco sales and once for theft.
In July 2016 the Council were re-inspected by the Surveillance Commissioner and found to be fully compliant with the requirements of RIPA.
RESOLVED - (i) That the information contained within the report be endorsed
(ii) That Information Governance is operating satisfactorily
(iii) That the Council uses its powers under the Regulation of Investigatory Powers Act appropriately