Issue - meetings

To consider policies for approval (report of the Assistant Director – Governance (Monitoring Officer) enclosed).

Consideration was given to the report of the Service Director – Legal and Governance and Monitoring Officer which considered policies for approval.

The Portfolio Holder for Finance clarified that the item before Members related specifically to the Data Protection and Records Management Policy and not to any incidents that may or may not have been occurring at that time.

In presenting the policy, the Portfolio Holder highlighted that the Council was entirely reliant on the availability and quality of the information it held.

It was noted that the policy had been updated to ensure compliance with the latest statutory requirements, including UK GDPR, the Data Protection Act 2018, and the Data Use and Access Act 2025. The updates aimed to ensure consistency across the partnership, and the recommendations of the Overview and Scrutiny Committee had been incorporated.

The Portfolio Holder added that by way of overview, the Records Management Policy established a clear framework to ensure records were accurate, accessible, secure, and retained appropriately. It supported compliance with legal and regulatory requirements and applied to all staff, elected Members, contractors, and partners.

The Portfolio Holder advised that the scope of the policy covered all recorded information, regardless of format, including paper, digital records, emails, audio and video, and applied across the full information lifecycle from creation and collection through storage, use, processing, sharing, archiving, and final deletion or destruction. This also included records generated through artificial intelligence.

It was noted that the policy was based on the Information Commissioner’s Office Code of Practice issued under Section 46 and was underpinned by the principles of accountability, integrity, accessibility, security, and appropriate retention.

DECISION:

That the Cabinet approves the draft Data Protection Policy and Records Management Policy attached at Appendices 1 and 2.

That Cabinet approves delegation of amendments to the records management policy to the Assistant Director Governance in consultation with the relevant Portfolio Holder to reflect changes in ICO guidance when issued.

That Cabinet approves delegation of amendments to the data protection policy to the Data Protection Officer in consultation with the relevant Portfolio Holder to reflect changes in ICO guidance when issued.

(Other options considered:

·         Not to recommend or make suggested changes to the policies.

Reasons for decision:

·         Reviewing and adopting revised policies demonstrates the Council’s commitment to transparency, accountability, and the protection of individual rights, which is vital for public trust.

·         The impact of the Data Use and Access Act means that the ICO will issue new mandatory guidance to be followed. To reflect this the policies may need to be adapted to accommodate these changes before the policy refresh lifecycle.)

To review updated policies prior to Cabinet consideration (report of the Assistant Director – Governance enclosed).

Consideration was given to the report of the Assistant Director – Governance and Monitoring Officer which asked members to review the updated policies prior to Cabinet consideration.

The Group Manager for Information Governance and Data Protection Officer introduced the report and stated that the policies had been updated to comply with the latest statutory requirements, which included the new Data (Use and Access) Act 2025 (DUAA), and were to be aligned across the partnership. The key updates included:

• The introduction of a new statutory complaints process under the DUAA, which required a 30?day response deadline, which is outside of  the Council’s complaint process:
• A shift to proportionate searches for rights requests and subject access requests (SARs), replacing the previous requirement for exhaustive searches; and
• A new high?level approach to Records Management, focused on accuracy, security, retention, and transparency, supported by the Information Commissioners Office Code of Practice.

Members considered the report and made the following comments;

• Members asked for clarification on the term “port data” referenced within the Data Protection Policy.
  • The Group Manager for Information Governance and Data Protection Officer explained that this related to the GDPR right to data portability, whereby individuals may request that certain categories of their personal data be transferred to another organisation. It was confirmed that this transfer was not automatic and would only occur upon request, with engagement between the Council and the receiving organisation as appropriate.

·         Members raised the need for Member training on data protection, explaining that the policies were highly technical and that councillors routinely handled sensitive information.

o   The Group Manager for Information Governance and Data Protection Officer confirmed that training sessions had previously been delivered at the other partnership councils and that they would be willing to provide group training sessions on request, covering Data Protection and Freedom of Information, and agreed to liaise with Democratic Services to arrange sessions.

·         Members asked whether the Council had experienced data protection breaches and enquired about liability and insurance cover.

o   The Group Manager for Information Governance and Data Protection Officer advised that one voluntary report to the Information Commissioner had been made in the past twelve months. The Council, as data controller, carried liability for compensation where required, including liability relating to data processors. It was confirmed that insurance was in place, although claims would depend on the findings of loss adjusters, and that the existence of current policies formed part of the required control environment. Further information would be provided to the members outside of the meeting.

• Members asked if the Council could refuse a data portability request.
  • The Group Manager for Information Governance and Data Protection Officer replied that it was a qualified right, not an absolute one, and could be refused in defined circumstances. The Policy wording would be amended to reflect “right to request” rather than an unconditional right.

·         Members queried how identity was verified when a subject access request (SAR) was made verbally, particularly when documents such as driving licences were provided electronically.  ...  view the full minutes text for item 74