Agenda item

Data Protection Officer's Annual Assurance Report

 

The Data Protection Officer will submit a report providing an assessment of compliance with the General Data Protection Regulations and the Data Protection Act 2018 based on specific assurance work undertaken over the last few months and general activity during the last year.

Minutes:

The Data Protection Officer submitted a report providing an assessment of compliance with the General Data Protection Regulations and the Data Protection Act 2018 based on specific assurance work undertaken over the last few months and general activity during the year.

 

The Council’s Information Governance Board, chaired by the Senior Information Risk Owner (the Executive Director Core Services), had received and considered a report of the Data Protection Officer at its meeting on the 26th June, 2019, and this report reflected the discussions and outcomes from the Information Governance Board.

 

The report covered the following key areas:

 

·         An overview for the 12 months following the formal implementation of the General Data Protection Regulations and the Data Protection Act 2018

·         DPO activity during the year

·         Specific assurance work undertaken and the results thereof

·         Suggested audit/assurance activity for 2019/20 and beyond

·         How the responsibilities of the Data Protection Officer have been discharged

·         The response from the Information Governance Board

 

An Appendix to the report highlighted the key issues arising from each assurance review he had undertaken, which showed the positive areas as well as those where improvement in compliance or the underlying control and governance framework was required.  Overall, the review work undertaken showed good compliance but equally an acceptance that further work was needed in a number of areas, and these were outlined within the report.

 

The Data Protection Officer highlighted the excellent work undertaken by the Information Governance Team in supporting services to achieve the degree of compliance highlighted in the report.

 

Based on his first series of reviews, and considering other areas for DPO and/or Internal Audit activity, the Data Protection Officer had devised a programme of work with suggested frequencies to assist in the future planning of review resources, and this was outlined within Appendix B to the report.

 

A further Appendix outlined how the Data Protection Officer discharged his duties and responsibilities. The report also outlined three key areas requiring further review, progress on which would be included within future reports to the Information Governance Board and this Committee.

 

In the ensuing discussion particular reference was made to the following:

 

·         Information was provided about insurance and circumstances in which claims for compensation could be made

·         Thanks were expressed to the Data Protection Officer for the way in which he discharged his duties

·         It was noted that the Information Governance Board was satisfied at the appropriate level of coverage of the Data Protection Officer

 

RESOLVED:

 

(i)            that the report and the actions agreed to address issues raised be notified;

 

(ii)          that the response of the Information Governance Board be noted;

 

(iii)         that the programme of assurance activity proposed be noted and endorsed and that full and unfettered access be given to the Data Protection Officer and/or Internal Audit Staff undertaking work on his behalf to information, systems, officers and staff;

 

(iv)         that the Committee receive 6 monthly reports on progress and the results of assurance work regarding the Authority’s compliance with GDPR and the Data Protection Act; and

 

(v)          that the Committee is satisfied that the key responsibilities of the Data Protection Officer have been discharged appropriately.
