Agenda item

Report from the Head of Performance, Delivery and Compliance and Data Protection Officer attached

The Head of Performance, Delivery and Compliance and Data Protection Officer presented a report  updating the Audit Committee on the Council's Information Governance activity for 12 months up to 28 February 2026. As mentioned in previous reports to Audit Committee, these reports now focus on the Council's performance in the delivery of Information Governance.

The report set out the figures in relation to the number of Subject Access Requests (SAR), Freedom of Information Requests (FOI), and Environmental Information Reviews (EIR) received in the 12 month period and the timelines for responding to the requests.

There had been:

299 SAR received

1261 FOI requests received

27 EIR received

It was reported that there has been new software purchased to manage FOIs, EIRs, SARs and Data Breaches. This will be implemented from 1 May 2026 and provide further efficiencies in the process that should reflect in the performance figures going forward.

The report also set out details of the number of Council-related data breaches, outlined the actions being taken to improve performance in this area, and provided members with an update on GDPR training for staff and Members. This included information on non-compliance and the steps being taken to ensure completion of the training.

Those present were given the opportunity to ask questions, the following points were raised:

·         Councillor Berry referred to FOI requests that had been compiled with the use of AI and asked whether this had led to an increase in more complex requests being received.

The Head of Performance, Delivery and Compliance and Data Protection Officer explained that this was not something that had been discussed but will be considered.

·         Councillor Bernstein asked if the number of SARs, FOIs and EIRs received by Bury Council was in line with other Metropolitan Councils of a similar size.

It was explained that it would be in line with other local authorities and that work was being done with the ICO to benchmark across councils.

·         Councillor Rubinstein referred to the GDRP training and non compliance and asked what was being done in relation to this and what sanctions were being put in place.

It was reported that the reasons behind the non compliance were being looked at and different options. There is a proposal in development to develop the training into a cyclical process completed at a particular part of the year. This will provide opportunity to understand compliance and analyse actual progress. In addition, work is ongoing to improve data recording and reporting by developing a live data dashboard on training compliance.

·         Councillor Staples-Jones referred to the quality of responses provided to Freedom of Information requests and asked whether efforts were being made to ensure responses were sufficiently comprehensive to prevent further requests being submitted.

It was explained that the new software that was being introduced would ensure that the responses were as thorough as they could be.

·         Councillor Staples Jones also referred to the GDPR training and asked if examples of where things had gone wrong locally should be included.

It was explained that the training provided was being reviewed and this was something that would be considered.

·         Mr Webster referred to FOIs and SAR and the backlog that had built up and asked if these would be cleared.

It was reported that the backlog would be cleared and plans were in place and the work was being done. It was also anticipated that the new software system would also assist.

·         Councillor Moss referred to non-compliance by Members in relation to GDPR training and noted that there had previously been a drive to encourage Members to complete the training.

The Monitoring Officer explained that this issue had been escalated through the Member Development Group and via the Group Whips. It was clarified that the figures quoted in the report related only to Members who had completed the online e-learning module and did not include training delivered through face-to-face sessions and virtual meetings as part of the wider Member training programme. It was therefore noted that overall compliance would be higher once this additional information was taken into account.

It was agreed:

That the contents of the report be noted.