Agenda item

Information Governance (Data Protection)

Minutes:

Raj Alagh, Borough Solicitor, presented the report. Members were informed that the European Union’s General Data Protection Regulation (GDPR) had come into force in May 2018 introducing a new set of laws and procedures. The Data Protection Act 2018 (DPA) had also been enacted in May 2018 bringing GDPR into English domestic law and the two statutes needed to be read together. GDPR and the DPA provided a composite set of rules for safeguarding data in the UK. GDPR required all organisations to appoint a statutory Data Protection Officer and Raj Alagh as Borough Solicitor had been appointed to this role in January 2018. The Data Protection Officer and his team had worked to prepare the Council for the new data protection regime. Approximately 12 policies had been devised and training provided across the Council for all officers and Councillors. Verbal training had been provided together with a compulsory online GDPR training module which continued to be rolled out on an annual basis.

 

Members were informed that, under new GDPR rules, consent to process a person’s data had to be provided in writing and an individual had the right to withdraw consent, request erasure of their personal data or correction to their data at any point. Individuals also now had the right to submit a Subject Access Request (SAR) asking for information held by the Council about them to be disclosed to them. A large number of SARs were received by the Council and there was no longer a £10 fee chargeable for this service. In respect of SARs, the Information Commissioner’s Office (ICO) had found that the majority of local authorities (including Hillingdon) were not complying with the one-month timeframe within which they needed to respond. Therefore, in October 2019, the Borough Solicitor had attended a Senior Managers’ Conference at which he had emphasised the importance of complying with SARs to avoid the ICO taking enforcement action against the Council. Since then performance had improved significantly and compliance now stood at approximately 90% which was acceptable.

 

The Committee heard that one area of concern related to data breaches. It was recognised that there was always scope for human error and a couple of significant breaches had been recorded in recent years. All breaches had to be reported to the Monitoring Officer, no matter how minor they appeared to be. In cases where it was felt that a breach compromised the rights and freedoms of an individual, it had to be reported to the ICO within 72 hours. Failure to do so could result in a significant fine.

 

It was noted that resourcing was somewhat limited – the Borough Solicitor was responsible for assessing data breaches and, where necessary, reporting them to the ICO; an Information Governance Lawyer dealt with day-to-day matters and Glen Egan did a lot of work on FOIs and provided training on FOIs and SARs. During the pandemic a large number of officers had been obliged to work from home and had therefore needed to assume more personal responsibility. Members were informed that the Borough Solicitor was generally satisfied with the Council’s adherence to GDPR. Refresher training would be provided following the May 2022 elections and Councillors could complete the online training at any point should they wish to do so.

 

Members enquired whether recently elected Members had received GDPR training. It was confirmed that packs of information had been sent but no face to face training had been provided. Members requested clarification regarding their individual registrations with the Information Commissioner’s Office as it appeared that these had been cancelled in 2019. It was agreed that this was probably an oversight - the Borough Solicitor would investigate the matter further and report back. Councillors extended their thanks and congratulations to officers noting that no major breaches had been recorded to date which was commendable.

 

RESOLVED:

 

1)    That the Borough Solicitor investigate the matter of Councillors’ individual registrations with the ICO; and

2)    That the Information Governance information report be noted.  

 

 
