Data Protection Policy
Meeting: 12/06/2018 - Cabinet (Item 62)
Report of Executive Manager for Governance and Data Protection Officer.
- Appendix 1 - Data Protection Policy, item 62 PDF 166 KB
- Appendix 2 - Data Breach Protocol, item 62 PDF 115 KB
- Appendix 3 - Subject access response procedures, item 62 PDF 103 KB
The Executive Member for Governance reminded members of the work that had taken place to prepare the Council for the introduction of the General Data Protection Regulation that took effect from 25 May 2018.
One of the key changes was the requirement for ‘accountability’, which was a duty to evidence compliance. An important part of meeting that obligation was to have clear policies and procedures in place. The draft Data Protection Policy was appended to the report together with two procedures: one for dealing with breaches of data protection and the other for dealing with requests from data subjects to exercise their rights.
The policy made it clear that it applied to the employees and members of the Council. A query had been raised about the fact that Members were currently required by the Information Commissioner to be registered as data controllers. The Executive Member for Governance had asked the Executive Manager for Governance to investigate this point with other authorities and the Local Government Association.
He asked Members to approve the current draft policy and to note that, as queries were resolved and further guidance was received, there would be a need to make changes to the policy. He asked for authority to be delegated to the Executive Manager for Governance, in consultation with the Executive Member for Governance, to make such amendments as required.
1) Approve the Policy and Procedures as written
2) Approve the Policy and Procedures with amendments
3) Do nothing.
Approval would ensure that the Council had a fit-for-purpose Policy to assist in compliance with GDPR.
1) The new draft Data Protection Policy, Data Security Breach Procedure and Response Procedures for Data Subject Requests be approved and adopted.
2) That the Shared Executive Manager and Data Protection Officer be authorised, in consultation with the Executive Member for Governance, to make amendments to the Policy and Procedures so far as is necessary to reflect legislative changes, emerging guidance and to incorporate links to other relevant documents.
Report of the Executive Manager for Governance and Data Protection Officer, Mark Stinson.
- Appendix 1 - Data Protection Policy, item 58 PDF 168 KB
- Appendix 2 - Data Breach Protocol, item 58 PDF 115 KB
- Appendix 3 - Subject access response procedures, item 58 PDF 103 KB
The Legal Services Manager Sarah Wolstenholme-Smy presented the report on behalf of the Executive Manager for Governance.
The General Data Protection Regulation (GDPR) enhanced the rights of individuals, giving them more control over their data. It also placed enhanced obligations on organisations that control and/or process data.
Members were asked to note that the recommendations in the report should state that delegation to the Executive Manager for Governance and Data Protection Officer be given “in consultation with the Portfolio Holder”.
Members were updated on the work that had been undertaken so far by Officers to ensure Breckland was compliant with GDPR. Kirsty Mallet had been appointed as the Information Governance Officer and the Information Asset register was near completion. Many privacy notices had been drafted on the website and shorter privacy statements would follow. The version for Members would be shared shortly, together with a frequently asked questions sheet.
Councillor Bowes asked if the privacy notice would automatically be embedded in the footer of Members' emails. It was confirmed that as soon as the privacy notice had been agreed it would be added.
Councillor Marion Chapman-Allen said that historically Members' home addresses were available on the website. She was aware that this had been changed, but the information could still be found on the Declaration of Interest (DPI) forms. Members were informed that whilst their addresses had been removed from the public-facing website, it was still a requirement for them to be on the DPI form.
Councillor Turner had attended training on GDPR and would recommend that anyone who had not attended training should do so, especially as all Members were Data Controllers as they all held data.
The Chairman asked if it was a requirement for Members to complete training. Whilst it was stated in the constitution that the only mandatory training Members should complete was licensing, the Deputy Leader questioned if there should be a change to the constitution. Further clarification was requested on whether Members were required to carry out training, with a report back to a future meeting of the Commission.
Councillor Oliver was concerned that the policy did not clearly differentiate between employees and Members. He felt that Members should not be data controllers as constitutionally the Council consisted of the 49 elected members. He stated that when Members acted in their capacity as a ward representative, they were the intermediary between the resident and the Council, and he therefore struggled to see the difference between an employee and a Member. In addition, once he had forwarded on information to the Council on behalf of the resident, the Council would then be responsible for that information. Therefore if there should be a breach, he would be held responsible as the data controller. He asked for clarification of this point.
Councillor Bambridge agreed that individuals should have control over their data, but was concerned at the number of loopholes organisations had found in the Act. He had also heard that small parish councils were exempt from the Act.
Councillor Wilkinson ...