Agenda item

A report from the Deputy Chief Executive is attached

Lynne Ridsdale submitted a report providing the Audit Committee with an update on Information Governance work completed to date in Quarter 3 of 2021/22. 

It was explained that the Information Commissioner is responsible for enforcing and promoting compliance with data protection legislation.  Article 58(1) of the UK General Data Protection Regulation (UK GDPR) states that the Information Commissioner’s Office (ICO) has the power to carry out investigations in the form of data protection audits.  Section 129 of the Data Protection Act 2018 (DPA 18) also provides provision to carry out consensual audits.  Additionally, Section 146 of the DPA 18 allows the ICO, through a written “assessment notice”, to carry out an assessment of compliance with the data protection legislation.

Bury Council agreed to a consensual audit by the ICO of its processing of personal data.  This was originally scheduled for June 2020; however, this was paused in response to the Covid-19 pandemic and was subsequently re-scheduled for 22^nd – 24^th June 2021.

The primary purpose of the audit was to provide the ICO and Bury Council with an independent opinion of the extent to which Bury Council, within the scope of the agreed audit, is complying with data protection legislation. 

A report has been provided to Bury Council which, along with a series of recommended actions, also reflected on areas of good practice. 

Since the provision of the ICO’s report, Bury Council has developed a detailed workplan to respond to the issues raised.  Progress against the items in the workplan is detailed below.

The ICO made 79 recommendations across the three themes of the audit, which have also been categorised by level of priority as follows:-

The recommendations have been translated into a detailed improvement plan for delivery by the end of the 2021/22 financial year.  The detailed plan, which is performance managed by the Information Governance Steering Group, is available for inspection.  A synopsis of activity initially planned was set out in the report.

Those present were given the opportunity to ask questions and make comments and the following points were raised:-

·         Councillor Hayes referred to the IG Champions network that was being established and asked what their role would be and whether they were receiving remuneration for taking on this role?

It was explained that the IG Champions would not receive ant extra pay in relation to the role. There had been 30 plus staff signed up so far and they would be working pro-actively within their teams to encourage people to think about processes and security in relation to IG within their roles. The Champions would be friendly support that could help with establishing good working practices and procedures. 

It was reported that the Champions would be holding their first meeting in mid-December and then regular meetings would be held after that where ideas could be bounced around and experiences shared to bring together examples of both good and bad experiences.

·         Councillor Gartside referred to the deadline of August for the policies to be updated to reflect GDPR and stated that this hadn’t been completed by the deadline set. Councillor Gartside asked why this was.

Lynne reported that all work had started but there had been a combination of things that had held it back,  it was an extensive and complicated piece of work and required quite a lot of legal input, capacity had also been a concern as the Information Governance Manager and Data Protection Officer had only been in place for 6 weeks.

• Councillor Butler referred to the Consensual Audit that was mentioned in the report and asked what this meant.

It was explained that the Council had voluntarily put themselves forward for an audit even though they were aware that there had been breaches. It was felt that the input received from the ICO at that point would be beneficial and would strengthen and support the ongoing work.

• Councillor Whitby asked whether the work will have been completed by the end of the financial year.

Lynne reported that this would up to date by then and the relevant policies would be available.

Delegated decision:

1. That the contents of the report be noted.

2. That all those involved be thanked for their hard work.