35 Information Governance Annual Update
To advise members in respect of the Council’s activity and compliance with Data Protection, Environmental Information Regulation and Freedom of Information requirements (report of the Assistant Director – Governance (Monitoring Officer) enclosed).
Minutes:
Consideration was given to the report of the Assistant Director – Governance which advised members in respect of the Council’s activity and compliance with Data Protection, Environmental Information Regulation and Freedom of Information requirements.
The Group Information Manager and Deputy Data Protection Officer introduced the report which updated the Panel on the Council’s activities and compliance in respect of the Data Protection Act 2018, Environmental Information Regulation and Freedom of Information requirements during the previous 12 months. The report included the following main areas:
Members considered the update and made the following comments:
  o The Group Information Manager and Deputy Data Protection Officer responded that identified patterns were passed to the Communications Team in order to adapt/increase the disclosure of information online. A recent example related to the increase in requests regarding Business Rates which had led to information being published on the website on a regular basis.
· Members referred to point 2.2.5 of the report in respect of data incidents reported to the Data Protection Team and queried the type of incidents involved.
  o The Group Information Manager and Deputy Data Protection Officer responded that the occurrence of breaches was extremely low taking into account the total number of transactions undertaken. The following example was given to the panel:
    ▪ A Direct Debit letter had been forwarded to an incorrect address;
    ▪ When the Council were advised of the issue, an investigation was undertaken by PSPS;
    ▪ The PSPS investigation was scrutinised by the Group Information Manager and Deputy Data Protection Officer to ensure a full and complete scope;
    ▪ The investigation informed learning and assessment of any mitigations or safeguarding approaches that were required;
    ▪ A change was implemented to the process that had led to the breach in order to prevent repeat occurrences; and
    ▪ The Senior Leadership Team were informed of the breach and that it had been resolved.
· Members asked for details of the breach which was reported to the Information Commissioner’s Office (ICO) and action taken.
  o The Group Information Manager and Deputy Data Protection Officer responded that:
    ▪ A security breach of the Community Lottery Service provider’s (Gatherwell) sub-processor (London and Zurich) had taken place;
    ▪ A database held by London and Zurich had been stolen by hackers and a ransom had been demanded;
    ▪ In accordance with due process, London and Zurich informed Gatherwell of the breach, who, in turn, informed SHDC;
    ▪ SHDC instigated its data protection response which included mitigation and management of risk to both the subjects and the council;
  o Regarding action taken:
    ▪ Details of the incident were relayed to the Deputy Chief Executive, the Assistant Director – Governance, and the Cabinet;
    ▪ The Information Management ...