Agenda item

Report from the Deputy Chief Executive is attached.

Marcus Connor, Information Governance Manager & Data Protection Officer presented a report giving an update on the work that had been carried out in relation to GDPR since the last meeting of the Audit Committee.

The report highlighted improvements in training compliance, performance at responded to requests for information and dealing with data breaches. 

While the overall trend shows an increasing awareness of information governance in the Council, it is essential that this momentum is continued.  Areas of particular focus over the coming months will be around updating the RoPA and increasing training to managers.

Those present were given the opportunity to make comments and ask questions and the following points were raised:

• Councillor Gartside referred to subject access requests and asked whether any had gone past a year from request.

Marcus reported that none have gone over a year.

• Councillor Bernstein asked whether there was benchmarking information with the other GM authorities to gauge against.

It was explained that Bury do look at other authorities’ performance and Bury was comparable with other Las

Jacqui Dennis explained that the  ICO see it as positive that matters are reported.

• Councillor Moss referred to staff training and asked whether it was all staff across the council.

Marcus explained that every member of staff up to the chief executive was required to carry out the training and if it wasn’t completed within the required timeframe the employee would have access to the council network withdrawn.

• Councillor Moss referred to breaches being the highest with the Corporate Core department and asked why this was.

It was explained that the Corporate Core department sent out the most correspondence of all departments within the Council.

• Councillor Moss asked about Councillors sending emails to their own personal email addresses.

It was explained that the Councillors were their own data controllers and were responsible for the data that they held. They were provided with a Council email address and encouraged to use that for council business.

• Councillor Hayes referred to data breaches and asked for examples of these within the office environment.

It was reported that there were many examples such as leaving information on the  photocopier, leaving a PC unlocked, leaving a notebook open with information showing. Marcus explained that he did carry out spot checks across the council buildings to remind colleagues to lock computers and lock away sensitive information.

• Councillor Berry referred to the the number of email breaches when looking at the number of emails sent from the council and asked what the figure would be as a percentage.

It was explained that it would be a very small percentage.

• Councillor Gartside referred to the requirement to lock screens when away from a workstation and asked if the message was being cascaded to all.

It was reported that all staff members were required to undertake the mandatory training so were aware of this but were also reminded and it was becoming second nature. Screens were also provided to stop people being able to read over shoulders etc.

• Councillor Bernstein asked that the group leaders be encouraged to remind their members to undertake the GDPR training.

Delegated decision:

That the contents of the report be noted.