Agenda item

Data Protection Policy and Records Management Policy

To review updated policies prior to Cabinet consideration (report of the Assistant Director – Governance enclosed).

Minutes:

Consideration was given to the report of the Assistant Director – Governance and Monitoring Officer which asked members to review the updated policies prior to Cabinet consideration.

 

 

The Group Manager for Information Governance and Data Protection Officer introduced the report and stated that the policies had been updated to comply with the latest statutory requirements, which included the new Data (Use and Access) Act 2025 (DUAA), and were to be aligned across the partnership. The key updates included:

 

  • The introduction of a new statutory complaints process under the DUAA, which required a 30-day response deadline, which is outside of the Council’s complaint process;
  • A shift to proportionate searches for rights requests and subject access requests (SARs), replacing the previous requirement for exhaustive searches; and
  • A new high-level approach to Records Management, focused on accuracy, security, retention, and transparency, supported by the Information Commissioner’s Office Code of Practice.

 

Members considered the report and made the following comments:

 

  • Members asked for clarification on the term “port data” referenced within the Data Protection Policy.
    • The Group Manager for Information Governance and Data Protection Officer explained that this related to the GDPR right to data portability, whereby individuals may request that certain categories of their personal data be transferred to another organisation. It was confirmed that this transfer was not automatic and would only occur upon request, with engagement between the Council and the receiving organisation as appropriate.

 

  • Members raised the need for Member training on data protection, explaining that the policies were highly technical and that councillors routinely handled sensitive information.
    • The Group Manager for Information Governance and Data Protection Officer confirmed that training sessions had previously been delivered at the other partnership councils and that they would be willing to provide group training sessions on request, covering Data Protection and Freedom of Information, and agreed to liaise with Democratic Services to arrange sessions.

 

  • Members asked whether the Council had experienced data protection breaches and enquired about liability and insurance cover.
    • The Group Manager for Information Governance and Data Protection Officer advised that one voluntary report to the Information Commissioner had been made in the past twelve months. The Council, as data controller, carried liability for compensation where required, including liability relating to data processors. It was confirmed that insurance was in place, although claims would depend on the findings of loss adjusters, and that the existence of current policies formed part of the required control environment. Further information would be provided to the members outside of the meeting.

 

  • Members asked if the Council could refuse a data portability request.
    • The Group Manager for Information Governance and Data Protection Officer replied that it was a qualified right, not an absolute one, and could be refused in defined circumstances. The Policy wording would be amended to reflect “right to request” rather than an unconditional right.

 

  • Members queried how identity was verified when a subject access request (SAR) was made verbally, particularly when documents such as driving licences were provided electronically.
    • The Group Manager for Information Governance and Data Protection Officer responded that:
      • Verification was risk-based; however, officers were able to access existing information and identification documents, and could request face-to-face checks;
      • The Information Commissioner’s Office guidance discouraged creating unnecessary barriers, but additional checks were used where needed; and
      • Enhanced written guidance outlining how identity checks were carried out for SARs would be produced.

 

  • Members asked whether any examples existed where individuals had provided information that was later deemed insufficient to verify their identity.
    • The Group Manager for Information Governance and Data Protection Officer advised that most requests related to individuals already known to the Council and that additional documents such as Power of Attorney were requested where required. The Council aimed to balance appropriate verification with avoiding unnecessary barriers for individuals seeking access to their data.

 

  • Members raised concerns regarding the potential risks of scammers attempting to obtain personal data and queried whether strengthened processes were required.
    • The Group Manager for Information Governance and Data Protection Officer noted that scammers were increasingly sophisticated and confirmed that risk-based checks and additional verification steps were applied when necessary, including ensuring that unfamiliar email addresses were appropriately challenged. Additional written guidance was again agreed.

 

  • Members sought clarification on the ‘stop-the-clock’ provision within the Data Use and Access Act.
    • The Group Manager for Information Governance and Data Protection Officer confirmed that where further information or clarification was required from the requester, the statutory response period did not run until the necessary information had been received.

 

  • Members asked how long the Council retained records of the subject access requests.
    • The Group Manager for Information Governance and Data Protection Officer responded that records of SARs were kept for six years, in line with the limitation period requirements, and agreed to include further clarification within the policy for readability.

 

AGREED:

 

That, following consideration by the Committee, the Data Protection Policy and Records Management Policy attached at Appendices 1 and 2 be recommended to Cabinet for approval.

 
