To receive a report from the Information and Data Protection Manager.

The Chairman welcomed Group Information Manager and Data Protection Officer, Richard Steele to provide the Information Governance Annual Update, pages 211 to 218 of the Agenda refer.

The report provided Members of the Audit and Governance Committee with an overview of activity in relation to information governance, including data protection for the Authority and highlighted any changes or risks for the forthcoming year.

Members were advised that the report was written to cover the period between October 2022 to October 2023.  The first area of focus was access to information and transparency, which includes the Freedom of Information (FOI) Act and Environmental Information Regulations (EIR) and noted that signoff was imminent to replace the Council’s FOI Policy.

Key information was highlighted to Members as follows:

·       It was highlighted that the Council was consistently exceeding 95% compliance rate when responding to FOI and EIR which exceeds the Information Commissioner’s Office (ICO) target for good performance.

·       FOI and EIR had seen a 10% increase in the number of requests based on the previous year which is consistent with other Council’s in the partnership.

·       693 Freedom of Information requests met the requirements to be considered and outlined in the report.

·       In most instances, the use of exemptions was to protect personal data.

·       Low number of internal reviews whereby FOI’s have been challenged demonstrated the quality of the response provided. Out of 633, only 5 were internally reviewed including one that was referred to the ICO which was not upheld.

·       Data Protection Act 2018 was due for replacement by the Data Protection and Digital Information Bill in 2024 which would impact on requirements to update the Council’s Policy.

·       Assurance was given that 53 incidents reported across the organisation including subprocesses compared to the number of transactions the Council undertakes including PSPS was a very small.

·       There were only 13 Subject Access Requests (SAR) in the 12-month period.

·       Significant work in the Information Governance team was underway to facilitate data reuse and sharing with third parties such as the Police, Home Office and HMICFRS.

The Group Information Manager and Data Protection Officer concluded that the report provided assurance that the Council demonstrated good governance in respect of information management and compliance with legislation.

Members were invited to put their comments and questions forward.

·       A Member queried how the 10% increase in the number of requests compared to other councils. In response the Group Information Manager and Data Protection Officer, advised that in terms of the Councils in the South and East Lincolnshire Partnership, East Lindsey had seen the greatest increase. The total requests were 733, South Holland has had a 9% increase and Boston a similar amount. The figures were thought to be representative of wider local authorities as a sector. 

·       A Member queried if the response time was fulfilled for the 13 Subject Access Requests received. The Group Information Manager and Data Protection Officer responded that this information would be obtained and provided back to the committee.

·       A Member sought clarification on what checks were undertaken on requests for information to ensure personal information was kept secure. In response, the Group Information Manager and Data Protection Officer advised that responders were trained in both FOI and data protection and have a good awareness of GDPR. There were also processes in place to make sure inadvertent release of data does not occur through technology related measures, for example to prevent any vulnerabilities when using Microsoft Excel. 

·       In reference to services such as PS2, a Member queried how ELDC dealt with FOI requests on their behalf. In response, the Group Information Manager and Data Protection Officer advised that the triage process would determine the best person to respond. The Council would respond for third party services, but not for third party employees. In general, it was ELDC who would answer the majority of requests.

·       A Member sought further clarification on who would respond to requests for Magna Vitae. In response, the Group Information Manager and Data Protection Officer advised if Magna Vitae were formed as a Local Authority Trading Company they would respond to their own requests. However, the Assistant Director Governance & Monitoring Officer advised that Magna Vitae was its own Charitable Trust, therefore the Council would determine whose data it was and how best to respond.

No further comments or questions were received.

Following which it was,

RESOLVED:

That the Information Governance Annual Update be noted.