Report of the Strategic Director, Corporate Services and Governance
The Committee received a report providing an overview of arrangements for Information Governance across the Council.
From the report it was highlighted that public trust in the way public services handle and share data is increasingly important, particularly in the context of greater digital storage transfer of information. It was also highlighted that success in this area depends on many factors, but effective and secure exchange and management of information is vital for both food service delivery and for compliance with an increasingly onerous and prescriptive legislative framework at both a national and European level.
It was noted from the report that the Council formed an information rights working party in March 2017 to start preparing for GDPR implementation. The following work that has been done was highlighted from the report:
a) Information asset registers have been completed, these contain the information we are required to compile under Article 30.
b) Privacy notices have been prepared.
c) Web pages have been updated to include contact details of the Data Protection Officer and to advise people how they can exercise their new rights.
d) Consent forms have been revised to be GDPR compliant.
e) Data Collection forms and systems have been re-engineered to comply with data minimisation and privacy by design.
f) Over 300 contractual agreements have been reviewed.
g) Forms and procedures have been devised for privacy impact assessments.
h) All schools have received training.
i) Training for governors has taken place.
j) Training for Councillors has taken place, Councillors have been provided with an awareness leaflet.
k) Over 560 face to face training sessions have been delivered to Council, GHC, NEPO and school staff.
l) This training was supplemented with a DVD which is on the intranet and a staff awareness leaflet.
m) Contract variation letters and data processing addendums have been sent to our suppliers. GDPR compliant clauses have been drafted for all new contracts.
n) Model data controller/processor agreements and data sharing agreements have been prepared.
o) Data breach reporting procedures and privacy impact assessment procedures and forms have been devised.
p) All information rights working party members have been trained on how to use them.
The Committee were also made of a variety of data breaches as highlighted in the report and the changes that were implemented to prevent them happening again. It was acknowledged that within every organisation there will be data breaches and that such breaches can now be reported to the Data Protection Officer (DPO) via a new mailbox.
From the report the Committee were provided with an overview of the Regulation of Investigatory Powers Act 2000 (RIPA). It was highlighted that the Protection of Freedoms Act 2012 amended RIPA to restrict when Councils can use RIPA. It was noted that an authorisation for directed surveillance of CHIS can only be made by Councils if certain conditions are met. It was also stated that Gateshead Council uses its powers under RIPA when it is appropriate to do so; details of which were provided within the report.
(i) The Committee endorsed and noted the contents of the report.