Agenda item


A report from the Deputy Chief Executive is attached

A copy of the Information Commissioner’s Office report is attached


Marcus Connor, Information Governance Manager & Data Protection Officer presented a report giving an update on the work that had been carried out in relation to GDPR since the last meeting of the Audit Committee.


Marcus explained that the focus of the update was the Council’s progress against the 79 recommendations from the Information Commissioner’s Office (ICO) visit in 2021. The report highlighted that the majority of actions will be delivered by the end of Quarter 4, 2021/22. Shortly after the last Audit Committee, the Information Commissioner’s Office confirmed the date of their desk-top revisit to Bury Council, which took place 11-14 April 2022.


The ICO were positive about the progress made, with 57 recommendations completed and 22 in progress and have not stated any further plans to return to Bury.


To complement the Information Commission’s revisit, Internal Audit reviewed progress against the issues it identified prior to the ICO audit in 2021. The initial recommendations from Internal Audit where very similar to those made by the ICO, therefore, their follow-up audit has similarly found the majority of actions are either complete or in progress.


This now enables the Council to focus Information Governance activity on a ‘business as usual’ approach, including embedding Information Governance in all Council services, ensuring training compliance levels are maintained, and learning from and reducing the number of data breaches.


A copy of the Information Commissioner’s Office report is attached for information.


Members of the Audit Committee were given the opportunity to ask questions and the following points were raised:-


  • Councillor Gartside referred to the use of pen drives across the Council and what work was being done around this.


Marcus reported that the use of pen drives was not common practice but the training did include this issue within it.


  • Councillor Gartside asked whether there had been any data breaches that had gone outside he Council.


Marcus explained that there had been breaches that had gone outside the Council but there were processes in place to respond.


All figures relating to breaches were reported to the Executive Team for monitoring.


  • Councillor Jones referred spam emails and testing around this. He asked whether any testing had been carried out to see whether colleagues knew what to do if they received a spam email.


Marcus explained that this type of exercise hadn’t been undertaken but it was something that could be carried out in the future.


  • It was asked whether 20 minutes of inactivity before a laptop auto-locked was too long and whether this should be reduced to a lesser time period.


The 20 minute time period was deemed to be suitable and it was explained that it was hoped that locking the computer when not using it or away would become normal practice.


  • Councillor Arif asked whether the Council had a policy in relation to data breaches.


It was explained that all of the policies relating to GDRP including data breaches were available on the Council Intranet. The policies had been reviewed in March 2022 and would be reviewed within the next 2 years.


Delegated decision:


  1. That the excellent progress made to date be noted


  1. That all involved be thanked for their hard work and effort in relation to the progress made and going forward.


Supporting documents: