Agenda item

Information Governance Report

To consider the attached report of the Head of Risk Management and Audit Services.

Minutes:

The Head of Risk Management and Audit Services submitted a report, which provided an update on the requirements of the General Data Protection Regulations and the new Data Protection Act.

It was reported that the General Data Protection Regulations came into operation from 25 May 2018 and would effectively replace the current EU derived rules in the Data Protection Act 1998. They placed a greater demand on organisations in terms of accountability for their use of personal data, enhanced the existing rights of individuals and strengthened the controls that organisations were required to have in place over the processing of personal data.

The following work had been undertaken to ensure full compliance with both the General Data Protection Regulations and the new Data Protection Act 2018:-

· Creating information asset registers for all service areas, by facilitating workshops with managers to collate data in a template approved by the AGMA Information Governance Group
· Using those registers to create privacy notices for publication on the public website
· Producing a Record of Processing Activities, which will need to be published on the Council website based on the information asset registers from service areas
· Reviewing the Information Governance Framework documents in line with the new requirements
· Identifying the best training and communications methods to ensure messages and training reach all staff in the most useable and appropriate way
· Producing a Contract Variation letter to be sent to all contractors, suppliers and processors
· The introduction of an Information Governance Newsletter

The key changes were outlined. They included the eight principles being reduced to six; breaches of personal data that resulted in a risk to the rights and freedoms of individuals having to be reported to the ICO within 72 hours; and fines that could be issued for security breaches and where an organisation could not demonstrate compliance with any of the principles. Consent had to be opt-in, a Data Protection Officer must be appointed and the response time for Subject Access Requests was now 1 month with no fee attached.

Twelve documents had been updated in light of the General Data Protection Regulations and were appended to the report. Articles had been published in Live Wire and in the Chief Executive’s Brief, and a new mandatory E-Tutorial, “General Data Protection Regulations”, would be rolled out to staff for completion by the end of June. Consideration was being given to delivering Manager Briefings about the key changes in relation to Subject Access Requests, Reporting Information Incidents and dealing with the new rights for individuals.

RESOLVED:

(i) That the report be noted; and

(ii) That approval be given to the 12 Information Governance Framework documents that were appended to the report.
