Agenda item

Information Commissioners Audit and General Data Protection Regulations Programme


The Service Director IT and Head of Internal Audit and Corporate Anti-Fraud will submit a joint report providing an overview of the recent Information Commissioners Office audit and on the progression towards General Data Protection Regulations compliance.



The Service Director IT and Head of Audit and Corporate Anti-Fraud submitted a joint report providing an overview of the recent Information Commissioners Office (ICO) audit and on the progression towards General Data Protection Regulations Compliance.


As previously reported, the Council had agreed to a consensual audit of its processing of personal data, on how the Council delivered training and awareness to its employees and on the processing of information requests.  This audit had taken place on the 17th – 19th October, 2017.


The ICO had made significant recognition of the strong leadership and good practice that the Council had embedded citing the excellent online training, comprehensive case management systems for processing Freedom of Information Requests and Shortwood had been identified as having very well established processes for managing paper records.  The report in highlighting many of the key strengths also suggested a number of urgent and more challenging areas for improvement and these were outlined in detail within the report.  Whilst there were a number of recommendations for action, the majority were of a medium or low priority and an action plan had been developed which would be facilitated by Internal Audit.  Further reports on progress would be submitted to future meetings.


Overall, however, the audit opinion of the Council was ‘Reasonable assurance’.  The ICO would contact the Council during September to request an updated Action Plan in order to carry out a follow up audit.


In relation to the General Data Protection Regulations, these were to become effective from the 25th May, 2018 and enhanced existing legislation as well as introducing some new requirements details of which were outlined.


The report detailed the action being taken to meet these new requirements including a process mapping exercise in relation to the processing and handling of personal and/or sensitive data.  Significant resources had been given to support Business Units to complete this task but given the volume of processes involved, as well as the gaps identified, the initial internally set milestone had been changed from 31st December, 2017 to 31st March, 2018.  This would be monitored by the Information Governance Team to ensure readiness for the introduction of the Regulations on the 25th May.


The report also gave details of


·         the 134 processes currently mapped in the ‘live’ system together with the progress by Business Unit

·         the intention to publish a quick reference guide for business support and guidance

·         the assignment to the Head of Internal Audit and Corporate Anti-Fraud, the role of Data Protection Officer

·         the outcome of a training and awareness session held on the 25th October, 2017

·         the GDPR Programme Plan (which was appended to the report)


In the ensuing discussion, particular reference was made to the following:


·         Members were encouraged to read the Executive Summary of the ICO report (the link was included within the submitted report) as this provided a good overview of what had been audited together with the findings

·         The appendix to the report provided details of the rigorous arrangements in place to meet the requirements of GDPR

·         There was a general consensus that not all organisations would be 100% compliant with GDPR on the 25th May but the Council had a good action plan to ensure that as far as possible those requirements were met

·         All Business Units were now fully engaged in process mapping their services

·         The Head of Internal Audit and Corporate Anti-Fraud did not see that there was any conflict between his Internal Audit role and his role as Data Protection Officer and no concerns had been expressed by External Audit.  Arising out of this discussion he gave a brief resume of the type of work involved and his work with senior officers on GDPR matters.




(i)            That the report and action taken in be noted; and


(ii)       That the significant work of officers and particularly the Head of ICT (Service Management and Information Technology) and the Service Director IT and their Teams be noted in preparing for the ICO audit and it also be noted that the outcome of that audit provides significant reassurance about the processes and procedures in place for handling personal and/or sensitive data.

Supporting documents: