Agenda item

Data Protection Policy

Report of the Executive Manager for Governance and Data Protection Officer, Mark Stinson.


The Legal Services Manager Sarah Wolstenholme-Smy presented the report on behalf of the Executive Manager for Governance.


The General Data Protection Regulation (GDPR) enhanced the rights of individuals, giving them more control over their data. It also placed enhanced obligations on organisations that control and/or process data.


Members were asked to note that the recommendations in the report should include Delegation to the Executive Manager for Governance and Data Protection Officer be given “in consultation with the Portfolio Holder”.


Members were updated with the work that had currently been undertaken by Officers to ensure Breckland was compliant with GDPR.  Kirsty Mallet had been appointed as the Information Governance Officer and the Information Asset register was near completion.  Many privacy notices had been drafted on the website and shorter privacy statements would follow.  The version for Members would be shared shortly, together with a frequently asked questions sheet. 


Councillor Bowes asked if the privacy notice would automatically be embedded in the footer of Members' emails. It was confirmed that as soon as the privacy notice had been agreed it would be added.


Councillor Marion Chapman-Allen said that historically Members' home addresses were available on the website. She was aware that it had been changed but information could still be found on the Declaration of Interest (DPI) forms. Members were informed that whilst their addresses had been removed from the public facing website, it was still a requirement to be on the DPI form.


Councillor Turner had attended training on GDPR and would recommend that anyone who had not attended training should do so, especially as all Members were Data Controllers as they all held data.


The Chairman asked if it was a requirement for Members to complete training. Whilst it was stated in the constitution that the only mandatory training Members should complete was licensing, the Deputy Leader questioned if there should be a change to the constitution. Further clarification was requested on whether Members were required to carry out training, to be reported back to a future meeting of the Commission.


Councillor Oliver was concerned that the policy did not clearly differentiate between employees and Members. He felt that Members should not be data controllers as constitutionally the Council consisted of the 49 elected members. He stated that when Members acted in their capacity as ward representatives, they were the intermediary between the resident and the Council, and he therefore struggled to see the difference between an employee and a Member. In addition, once he had forwarded on information to the Council on behalf of the resident, the Council would then be responsible for that information. Therefore, if there should be a breach, he would be held responsible as the data controller. He asked for clarification of this point.


Councillor Bambridge agreed that individuals should have control over their data, but was concerned at the number of loopholes organisations had found in the Act. He had also heard that small parish councils were exempt from the Act.


Councillor Wilkinson clarified that no organisation was exempt from the regulations, but small parish councils did not need to employ a specific Data Protection Officer.


The Deputy Leader added that the reason the regulation was in place was due to serious breaches of trust from the Members of Public, and as a public body we were accountable.  Whilst there were numerous loopholes he was confident that Breckland was compliant following best practice and advice received to date.


Members discussed whether the further information requested should be reported back to the Commission before making recommendations to Cabinet. However, Members decided to agree to the recommendations and receive additional information from the Legal team as soon as possible.



1.     The new draft Data Protection Policy, Data Security Breach Procedure and Response Procedures for Data Subject Requests be recommended to Cabinet for approval and adoption.


2.     The Shared Executive Manager and Data Protection Officer in consultation with the Portfolio Holder be authorised to make amendments to the Policy and Procedures so far as is necessary to reflect legislative changes, emerging guidance and to incorporate links to other relevant documents.
