Chichester District Council
Agenda item

General Data Protection Regulations (GDPR)

The committee is requested to consider the report and raise any issues of concern or comment. The committee is also requested to note the work being undertaken to ensure that the authority is compliant with the provisions of the General Data Protection Regulations by 25 May 2018.

 

Minutes:

The committee considered the report attached to the agenda. Mr N Bennett presented the report.

 

The committee made the following comments and received answers to questions as follows:

 

·             Training for members – The ICO would be providing guidance for elected members on processing data. Members were currently registered individually with the ICO. The next Members' Bulletin provided a steer on GDPR for members. An online training module would be offered to members once this had been updated based on the ICO guidance. In May training would be available for members before the Council meeting. 

·             The ICO would audit the council on its implementation of the regulations; it would either be every second year like Ofsted, or if there were breaches it would be ad-hoc.

·             The council had been considering GDPR for 18 months whereas a lot of other organisations had come to it late. We would have a set of rules and records fit for purpose and managers who were confident that they could use data properly and were reducing their records in an informed way. Processes would be reviewed annually.

·             The key issue was not in deleting data; it was not allowing data to go somewhere it shouldn’t. A policy was required and should include how the council would go about disclosure to the ICO if we had an incident. 13 policies were in place that deal with information law in some way e.g. CCTV. The idea was to produce a simplified set of policies. Any mistakes made were learning opportunities and it was vital that we faced these honestly. There was an ICO telephone line to discuss possible breaches and it was useful to talk it through with them before formal reporting. Deletion of data was being considered by reviewing the council’s retention policies.

·             Queried whether insurance was possible to cover us for incidents of loss? The council cannot insure against its own criminal action; this was similar to health and safety laws. Public indemnity insurance was in place.

·             Control was back with the individual. A standard form of words needed to be developed for every document. Officers were regularly sent a list of issues to be resolved and an example of words to use specifically for their own service. Revenues & Benefits and Housing had been completed. All managers had had advice on ‘consent’ and ‘public duty exemption to consent’.

·             These regulations would still be in place if Brexit went ahead next year. It applied to all businesses that process data in the UK regardless of where they were based.

·             The rules applied to anyone who dealt with data. Members would be classed as data controllers if they had information on residents.

·             Queried whether there was a blanket approach to policies which covered everyone? Whilst there were some fundamentals, there were others which were quite different. Whoever was dealing with data was expected to deal with it in a secure way. The more sensitive the information was e.g. sexuality, political parties etc. the more care was needed.

·             Queried the accountability and governance arrangements which were required to be put in place? Was the council signing up to a code of conduct? A requirement was that a suitably qualified Data Protection Officer (DPO) be appointed. Mr Bennett had had the required training and now awaited confirmation that he had achieved the qualification. As well as being the council’s Monitoring Officer he would also be the council’s Data Protection Officer. The committee needed to assure itself that he was suitably qualified to ensure that the council’s data was properly governed. In some areas local authorities had banded together to appoint a joint DPO.

·             Queried whether we needed to be setting standards for parish councils? Parish councils would need to put their own procedures in place. It was suggested that GDPR be included on the agenda for the next All Parishes Meeting.

 

RESOLVED

 

That the work being undertaken to ensure that the authority was compliant with the provisions of the General Data Protection Regulations by 25 May 2018 be noted.

 
