Agenda item

Information Governance Annual Update

To advise members in respect to the Council’s activity and compliance with Data Protection, Environmental Information Regulation and Freedom of Information requirements (report of the Assistant Director – Governance (Monitoring Officer) enclosed).

Minutes:

Consideration was given to the report of the Assistant Director – Governance which advised members in respect of the Council’s activity and compliance with Data Protection, Environmental Information Regulation and Freedom of Information requirements.

The Group Information Manager and Deputy Data Protection Officer introduced the report which updated the Panel on the Council’s activities and compliance in respect of the Data Protection Act 2018, Environmental Information Regulation and Freedom of Information requirements during the previous 12 months. The report included the following main areas:

  • Background to the report; and
  • Freedom of Information and Environmental Information Regulation update.

Members considered the update and made the following comments:

  • Members noted a significant number of Freedom of Information requests and suggested that the processing time would be considerable. Were officers able to identify common types of request which could be pre-empted by information available on the website?

    • The Group Information Manager and Deputy Data Protection Officer responded that identified patterns were passed to the Communications Team in order to adapt/increase the disclosure of information online. A recent example related to the increase in requests regarding Business Rates which had led to information being published on the website on a regular basis.

  • Members referred to point 2.2.5 of the report in respect of data incidents reported to the Data Protection Team and queried the type of incidents involved.

    • The Group Information Manager and Deputy Data Protection Officer responded that the occurrence of breaches was extremely low taking into account the total number of transactions undertaken. The following example was given to the panel:
      • A Direct Debit letter had been forwarded to an incorrect address;
      • When the Council were advised of the issue, an investigation was undertaken by PSPS;
      • The PSPS investigation was scrutinised by the Group Information Manager and Deputy Data Protection Officer to ensure a full and complete scope;
      • The investigation informed learning and assessment of any mitigations or safeguarding approaches that were required;
      • A change was implemented to the process that had led to the breach in order to prevent repeat occurrences; and
      • The Senior Leadership Team were informed of the breach and that it had been resolved.

  • Members asked for details of the breach which was reported to the Information Commissioner’s Office (ICO) and action taken.
    • The Group Information Manager and Deputy Data Protection Officer responded that:

      • A security breach of the Community Lottery Service provider’s (Gatherwell) sub-processor (London and Zurich) had taken place;
      • A database held by London and Zurich had been stolen by hackers and a ransom had been demanded;
      • In accordance with due process, London and Zurich informed Gatherwell of the breach, who in turn, informed SHDC;
      • SHDC instigated its data protection response which included mitigation and management of risk to both the subjects and the council;
    • Regarding action taken:
      • Details of the incident were relayed to the Deputy Chief Executive, the Assistant Director – Governance, and the Cabinet;
      • The Information Management team liaised with wider Lincolnshire local authorities to ensure a managed and consistent approach was taken;
      • The incident had been reported to both the Information Commissioner and the Gambling Commissioner, and SHDC awaited a response;
      • SHDC advised affected Community Lottery customers of the breach which enabled individual protective action to be taken;
      • Following investigation of the incident by an external consultant, London and Zurich had provided assurance that breached data had not been sold on the dark web for re-use and was therefore unlikely to cause detriment; and
      • It was stated that responsibilities of service providers and sub-processors were stipulated in contracts as part of the procurement process which ensured due diligence.

  • Members asked for data breach comparative data across the partnership;
    • The Group Information Manager and Deputy Data Protection Officer responded that whilst the number of data breaches at Boston Borough Council (BBC) was similar to SHDC, those at East Lindsey District Council (ELDC) were slightly higher.

  • Members asked whether best practice was shared across the partnership.
    • The Group Information Manager and Deputy Data Protection Officer responded:
      • That the Group Information Manager and Deputy Data Protection Officer held responsibility for this area across the partnership and that best practice had been shared; and
      • That SHDC had benefitted from this approach as much as the other authorities within the partnership.

  • Members referred to point 2.2.1 of the report and noted that the Data Protection Policy was due for renewal in 2024. Would this be a partnership-wide policy or specific to SHDC?
    • The Group Information Manager and Deputy Data Protection Officer responded that a partnership aligned policy would be coming forward which would incorporate expected and significant changes to the Data Protection Act; and
    • The Assistant Director – Governance responded that when common ‘policy framework’ policies were reviewed, where possible these would be aligned across the partnership to assist with officer compliance.

AGREED:

That after consideration by the Governance and Audit Committee, the Information Governance Annual Update be noted.

Supporting documents: