Meeting documents

The Committee will receive an update on the Council's new centralised Information Management function and gain an insight into how preparatory work for the new Buckinghamshire Council is progressing in this area.

Contributors:

Mr John Chilver, Cabinet Member for Resources

Mr Matt Everitt, Head of Insight and Business Intelligence

The Chairman welcomed Mr John Chilver, Cabinet Member for Resources and Mr Matt Everitt, Head of Insight and Business Improvement to the meeting.  Mr Everitt took members through a presentation which detailed recent changes to the Information Management team at the Council, improvement work that had been undertaken over the past six months and priorities for the team for the next six months. 

During the presentation and in response to Members’ subsequent questions the following main points were noted:

·         Following the introduction of GDPR in May 2018, the Council undertook an Information Governance and Data Protection review. It was important to ensure that data was being used in accordance with legal requirements and that the Council could maximise the value of the information that it holds.

·         As GDPR brought in stricter requirements a decision was taken to establish a centralised Information Management Team, which incorporated: Data Protection & Information Governance, Rights to Information, Freedom of Information, Modern Records and Business Partners, and was headed up by a new Information Strategy and Governance Manager, who had recently taken up the post.

·         Seven Information Management Standards had been developed, including more detailed guidance for how we respond to Data Loss Incidents/Breaches and Subject Access Requests.

·         Improvements had been made to data collection and reporting processes, using the Respond system across all areas of the Council.  This provided a more accurate oversight and improvement work is continuing in this area.

·         Additional resources of two specialist Business Partners – one to work in TEE and Resources and one to work in Communities, Health and Adult Social Care – had also been introduced.

·         Between April and September 2019, two data breaches had been reported to the Information Commissioners Office (ICO), compared to three in the same period in 2018 and five in the 6 months immediately following GDPR.  There had been 78 Data Loss Incidents which was an increase of 61 from the same period in 2018, but this was largely due to better understanding amongst staff and increased reporting and recording.

·         76% of SARs were completed within timescales, with the highest number of requests being received by Children’s Services.

·         Freedom of Information (FOIs) requests had increased from 757 in 2018 to 836 in the same period in 2019. 

·         Mr Everitt explained the difference between a Data Loss Incident and a Data Breach.  A Data Loss Incident could be something like an email being sent to the wrong address by accident. A Data Breach has to be reported to the ICO as the nature of the data that has been lost or shared incorrectly could impinge on an individual’s rights and freedoms.

·         It was acknowledged that there was a reliance on staff to report data losses or breaches and Members expressed concerns that some people might be reluctant to admit they had made such a mistake. Mr Everitt was confident that the operating model of the team supported improved reporting, as evidenced by the increase reported this year.

·         There had been an increase in the number of FOI requests since the introduction of GDPR, with Children’s Services and Transport, Economy and Environment receiving the most. It was reported that the dedicated FOI team had a very efficient process and expertise in terms of how to respond.  They were also promoting the transparency agenda – if the Council made more information publicly available on the website this could reduce the number of FOIs.

·         A Member asked if there was an estimated cost to the Council for responding to FOIs or some sort of indication of the number of hours spent on this activity as it required cross-Council liaison.  It was agreed that Mr Everitt would investigate this and respond after the meeting.

ACTION: Matt Everitt

·         Approximately 380 SARs were received per year with circa 80% directed to Children’s Services.  Once the identity of the request has been verified, the Council has one calendar month in which to provide the information, although an extension of up to two further months can be requested if the SAR is particularly complicated.  Some information may have to be redacted.

·         A Data Protection Hub had been established on the Intranet, designed as an accessible resource for staff with queries on the subject and included guidance on how to deal with requests and report data losses or breaches. Flow Charts were also being developed to make the guidance more accessible. Increased communication for staff was planned over the next 6 months.

·         In response to a question about the Brava redaction tool, it was explained that this would sit within the content server system that the Council already had, which was a secure electronic repository for data files.   The Brava redaction tool would enable electronic redaction which would be more efficient than doing it manually and also offered a very strong audit function.

·         An Information and Data Workstream had been set up with colleagues from the district councils to plan for the Unitary transition.  The workplan was all on track and policies, robust processes and plans for staff training were all in development and there was strong collaboration across the Information Management teams across all authorities.  Members noted that it was vital that a seamless service could be provided for FOIs and SARs from vesting day.

·         The Committee also emphasised that in addition to bringing together all the data held by the five existing councils, it was paramount that corporate memory was not lost during the transformation period.

The Chairman thanked Mr Chilver and Mr Everitt for attending the meeting.