To: Organisational Improvement and Development Policy Committee
Councillors: J Kerr-Brown (Chair), G Friend (Deputy), J Davidson, A Dirir, L Dirir, A Hill, A King, S Krizanac and P Walker

Organisational Improvement and Development Policy Committee
Date: Wednesday, 20 June 2018
Time: 18:30
Venue: Council Chamber, Town Hall, Sankey Street, Warrington, WA1 1UH
Contact – Adam Kellock, Democratic Services Officer, Tel: 01925 442144, Email: [email protected]
Note – In line with The Openness of Local Government Bodies Regulations 2014 this meeting may be recorded. A guide to recording meetings has been produced by the Council and can be found at https://www.warrington.gov.uk/info/201104/council_committees_and_meetings/1003/access_to_council_meetings

AGENDA
Part 1
Items during the consideration of which the meeting is expected to be open to members of the public (including the press) subject to any statutory right of exclusion.
1 Apologies
To record any apologies received.
2 Code of Conduct - Declarations of Interest
Relevant Authorities (Disclosable Pecuniary Interests) Regulation 2012
Members are reminded of their responsibility to declare any disclosable pecuniary or non-pecuniary interest which they have in any item of business on the agenda no later than when the item is reached.
Professor Steven Broomhead
Chief Executive
Town Hall, Sankey Street, Warrington, WA1 1UH
3 Minutes
To confirm the Minutes of the meeting of 17 April 2018 as a correct record.
4 General Data Protection Regulation (GDPR)
Report of the Assistant Director - Customer and Business Transformation.
Report of the Assistant Director - Customer and Business Transformation.
To agree the membership of the working group.
7 Work Programme 2018-19
Committee.
ORGANISATIONAL IMPROVEMENT & DEVELOPMENT POLICY COMMITTEE
17 April 2018
Present: Councillors J Kerr-Brown (Chair), S Hall (Deputy), L Dirir, A King and P Walker
Also Present: C Harris – Head of Finance; G Hopkins – Assistant Director – Customer and Business Transformation

OID 26 Apologies for Absence
Apologies were received from Councillors J Flaherty and A King.

OID 27 Declarations of Interest
There were no declarations of interest made.

OID 28 Minutes
The minutes of the meeting held on 6 February 2018 were agreed and signed as a correct record.

OID 29 Enterprising Warrington 2017-20
The Head of Finance presented the Enterprising Warrington strategy for the period 2017-20, which was the Council's first commercial strategy. The report provided an update for members on progress against the strategy, which continued to play a significant role in securing a sustainable financial future for the authority. The strategy set out clearly that the Council would continue to invest wisely on a commercial basis by taking advantage of opportunities that presented themselves. Items such as the Redwood Bank and Birchwood Business Park would be included in future versions of the strategy, and measures to demonstrate performance against the strategy would be brought back to the committee at future meetings.

In response to a query it was confirmed that the Finance Team had robust procedures in place to ensure that Council services that were being sold were properly invoiced, with money received in a timely manner, whilst also acknowledging that there were areas for improvement. Members were requested to provide feedback on any experiences of delayed invoices to the Head of Finance.

The strategy specifically referred to loans to social landlords, whilst queries were raised with regard to more specific investments in social housing in order to increase the amount of social housing available within the Borough. It was noted that this was not part of the strategy, but specific information regarding this would be circulated to the committee by the Head of Finance.

The committee raised the issue of members being kept fully informed about the commercial activities of the Council, as during previous transactions issues of commercial sensitivity had meant that items were considered under Part 2 when going through the Executive Board. The committee considered it vital for members to be kept as informed as possible and requested that reports could have commercially sensitive information removed so that the wider membership would be able to view them. This would be fed back to the Monitoring Officer for consideration in future. It was also noted as being important for members to be kept up to date as events were taking place rather than after decisions had been made. Feedback would be provided to the Director of Corporate Services and the Monitoring Officer with regard to early engagement with members around investments and commercial decisions.

In response to queries regarding member involvement in investments and commercial decisions, it was confirmed that the Treasury Management Board and the Regeneration Board provide details of such activities for members. Further information about such investments was included within the Treasury Management and Capital Strategies, which both required the approval of Full Council after being considered by the Executive Board and the Audit and Corporate Governance Committee.

OID 30 Time Square New Council Office Accommodation Update
The committee received an update report on the new Council office accommodation within the Time Square development project. A previous report on the new offices had been brought to the committee for consideration during the 2016/17 municipal year. It was noted that visual progress had been made on the new offices, with some external structures in place as of April 2018 and completion around two years away.
It was acknowledged that a significant amount of work still needed to be carried out, with the key issues for the project at present including building management and ICT. New work streams covering the key areas of work going forward, each with a named responsible officer, had been established to assist with the completion of the project within the next two years, as outlined below:

Technology:
o Review the defined technology requirements for the new building
o Design possible technology solutions
o Produce and execute a plan for technology delivery
o Ensure acceptance criteria for technology solutions are defined and successfully passed

Facilities Management:
o Review the defined facilities management design of the building
o Recommend to the New Council Office Board any changes that they think are necessary to the design, supported by a clear business case
o Baseline the current facilities management operation and develop a plan for introducing any changes to delivery required for the new building

Staff:
o Carry out research to better understand the Council's current operating practices, what work has been done elsewhere and what policies and procedures need to be modified
o Gain an understanding of what impact the new office will have on all staff, in areas as diverse as storage, catering, time and attendance recording, space allocation, mail, furniture, managing visitors, use of meeting rooms and the over-riding rules and guidance
o Staff engagement activities

When the building was completed a total of around 1000 staff would be moved in, and it was critical that the building was up and running correctly from the first day and that officers were aware of the new working practices that would be in place. This would involve a lot of engagement with staff over the coming two years. Regular engagement with staff and the trade unions was already taking place.

The ground floor of the building required more work: the upper floors were more generic office spaces, whilst the ground floor was the customer-facing area with the main reception, meeting rooms, specialist rooms and the contact centre, meaning that it needed to be designed accordingly. An additional work stream had been established to focus on the requirements of the ground floor. For the next update report to the committee, 4D images and plans of the building would be provided to show members in detail how the offices would be laid out and the facilities that would be available.

It was noted that moving to new, modern and efficient offices would be a big opportunity for the authority to modernise its working practices and make improvements that would be beneficial to both officers and residents. Additionally, the new building was expected to deliver a saving that was already included within the Medium Term Financial Plan.

OID 31 Corporate Strategy 2018-20 Progress
The Assistant Director – Customer and Business Transformation presented the draft Corporate Strategy 2018-20 to the committee for members' consideration. The committee had previously considered a report on the previous strategy and had requested that the new strategy be seen at a draft stage so that input could be provided prior to it being adopted.
It was noted that the strategy remained a draft version with the priorities having been set by members and with work already ongoing with members and officers to further develop the strategy which would run for the remainder of this Council term. The final version of the strategy would be considered by the Executive Board at its meeting in May 2018 prior to being formally adopted.
Members were invited to feed back any comments on areas that they would like to see included, or to raise any queries on points that required further clarification. The Assistant Director – Customer and Business Transformation could be contacted directly with any of these comments, which would be included in the report to the Executive Board. In response to a query it was noted that a retrospective look at the previous strategy was not included within the draft document, as it was considered more appropriate for this information to be included as part of the performance reports that were seen regularly by the Executive Board.

Members raised points with regard to engaging with housing associations on keeping streets clean and tidy, the creation of a circular walkway around the whole town centre to join up all areas, and the need to consider the way in which consultations were carried out in light of the Local Plan Consultation feedback. This information would be fed back to the Executive Director – Economic Regeneration, Growth and Environment prior to the strategy being seen by the Executive Board.

OID 32 Work Programme – 2017/18
The committee received and noted the work programme and considered topics to be carried over to the 2018/19 municipal year. A work programme would be brought to the next meeting of the committee, the first of the 2018/19 municipal year, for the committee to agree.
Chairman ………………………………………
Date ……………………………………..
WARRINGTON BOROUGH COUNCIL
ORGANISATIONAL IMPROVEMENT AND DEVELOPMENT POLICY COMMITTEE – 20 June 2018
Report of: Gareth Hopkins, Assistant Director, Customer & Business Transformation
Contact Details:
TITLE OF REPORT: General Data Protection Regulation (GDPR)
1. PURPOSE
1.1 This report provides the committee with an overview of the recent changes to data protection law which came into force on 25 May 2018. The report provides an update on the key actions required to ensure the council is compliant with this new legislation.
2. CONFIDENTIAL OR EXEMPT
2.1 This report is not confidential or exempt.
3. INTRODUCTION/BACKGROUND
3.1 From 25 May 2018 the General Data Protection Regulation applied across Europe and, in the UK, the Data Protection Act 1998 was repealed and replaced by the Data Protection Act (DPA) 2018. The new legislation provides frameworks for data protection in the UK and Europe. They set new standards for protecting data, give people more control over the use of their data, and provide them with new rights to move or delete personal data.
3.2 The new laws are based on similar principles to the old ones but expand on them and bring in more mandatory requirements for organisations to follow. The DPA 2018 is an evolution of the 1998 data protection law rather than a complete overhaul, while the GDPR brings significant changes to data protection law and provides a much needed update to the existing legislation.
3.3 All organisations need to be aware of the requirements under both pieces of legislation, especially if data is being stored or transferred overseas. Brexit will not affect these requirements, at least not initially.
4. WHAT IS THE GENERAL DATA PROTECTION REGULATION (GDPR) AND DATA PROTECTION ACT 2018?
4.1 The Data Protection Act 1998 was no longer fit for purpose and was replaced on 25 May 2018. Across Europe the GDPR replaced the 1995 Data Protection Directive on which the DPA 1998 was based.
4.2 As the UK requires additional legislation, it has taken the GDPR and adapted it with the required additions, covering law enforcement processing and the powers of the Information Commissioner's Office (ICO), to form the Data Protection Act 2018.
4.3 The GDPR aims to bring greater consistency in data protection law across Europe. This means big companies such as Facebook and Google will be dealt with in the same way in every country they operate in.
4.4 The GDPR increases the scope of what is deemed "personal data", explicitly including online identifiers such as IP addresses, and biometric information. The GDPR applies to the personal data of people in the EU wherever in the world it is processed. This means an American company selling goods to people in the EU is still bound by the GDPR.
4.5 The Information Commissioner's Office (ICO) and the Department for Digital, Culture, Media and Sport (DCMS) have confirmed that good data protection laws are vital to continued trade and interaction with Europe post-Brexit.
4.6 Since the introduction of the DPA 1998, digital technology has transformed almost every aspect of our lives. The new Data Protection Act aims to make the data protection laws fit for the digital age, in which an ever increasing amount of data is being processed. It also empowers people to take control of their data.
5. KEY CHANGES INTRODUCED BY THE GDPR
5.1 The GDPR brings more rights for individuals and shorter timescales for organisations to comply with requests (one month for a subject access request, rather than the 40 days allowed under the DPA 1998). The Right to be Forgotten (the right to erasure) is the most significant new right, allowing individuals to ask an organisation to remove their data in certain circumstances.
5.2 Personal data breaches that are likely to result in a risk to individuals must now be reported to the ICO within 72 hours of the organisation becoming aware of them. This is to encourage greater openness and transparency for organisations handling personal data. Prior to the GDPR there was no set timeframe for reporting. Fines also increase under the GDPR: the ICO can now fine organisations up to €20 million, or 4% of annual worldwide turnover where that is higher.
5.3 The GDPR requires organisations to improve how they communicate with people about how their data is used and for what purpose. Transparency and openness are key concepts of the GDPR.
5.4 Data Protection by Design is also introduced by the GDPR. This requires an organisation to consider the data protection and privacy implications of a project before it starts. This allows the organisation to make projects such as new technology or systems compliant with the law and uphold citizens' rights.
5.5 The GDPR requires public authorities, and organisations whose core activities involve large-scale processing of sensitive personal data or large-scale regular and systematic monitoring of individuals, to have a Data Protection Officer in place.
5.6 In response to the GDPR the ICO has reviewed its fee structure, with organisations now paying a higher registration fee. The council will see an increase from £500 to £2900 per year when the fee is up for renewal in November 2018. Non-payment will result in a fine of up to £4,350. The ICO fee for Elected Members will change from £30 per individual to £60.
6. THE RISKS OF NON COMPLIANCE
6.1 The risks of not complying with the new legislation are clear. Reputationally, the council must comply to maintain the trust of the general public whose information it collects and uses. The council holds large amounts of sensitive information about clients and vulnerable people within the borough. Without controls in place to treat this information with the necessary level of confidentiality, the council could put vulnerable people at risk. Data breaches can damage public confidence in the council, which is a key reason to ensure our compliance as thoroughly as possible.
6.2 As referenced above, the Information Commissioner's Office (ICO) can now impose fines of up to €20 million for serious breaches. Under the new act a financial penalty of any size could have a significant impact on the council's budget and future financial stability.
6.3 There is also an organisational risk: fully reviewing all processes, procedures and information held requires resources, and balancing this with day-to-day demands could affect the speed at which the tasks are completed and delivered.
7. WHAT DOES THE COUNCIL NEED TO DO
7.1 The implementation of the GDPR is an extensive project for the council. The Information Governance Team has an action plan to manage the tasks required for compliance (see appendix 1). Whilst the new legislation came into force in May 2018, and work was started before this date, compliance will take time and the action plan will continue to be used to keep the council focused and on track.
7.2 To support the implementation and maintain compliance with the legislation, council-wide working groups have been established to deliver key elements of the action plan. These groups will drive forward the necessary changes. The working groups will be added to and expanded as the implementation progresses and may co-opt officers as and when needed for specific tasks. They may be directorate-specific or mixed-directorate depending on the need. Working groups currently cover a number of key areas and requirements, including:
Commissioning & Procurement
Environment & Regeneration
Privacy Notices
Consultation & Marketing
Data retention
7.3 Implementing the new legislation will mean making a wide range of changes, including:
Reviewing the council's website and communications output
Reviewing contracts with suppliers, computer systems and the way in which we use technology to process personal information
Updating all policies that relate to personal data (this is not limited to locally held Information Governance policies)
Refresher training for all council employees, with particular focus being given to social workers and HR staff that handle sensitive information. The current eLearning Data Protection Course will be replaced with GDPR-specific content.
Completion of detailed work to ensure the council can respond to requests exercising individuals' rights, such as the right of subject access (to see a copy of information held about them) or the right to be forgotten (the right to ask for information about them to be deleted)
Reviewing all uses of consent and, where appropriate, replacing consent with a more appropriate lawful basis for processing
Completing and updating the council's Information Asset Register, which covers both our information assets and acts as a register of why we are processing the related information. It is every information asset owner's responsibility to ensure that they complete this for their service area; maintaining such a record is a mandatory requirement under the GDPR and the ICO may request to view it at any point.
7.4 The requirements to comply with the GDPR and Data Protection Act 2018 also apply to Elected Members. The ICO has not released updated specific guidance on how the new legislation affects Elected Members; however, the key principles apply to all Elected Members.
7.5 Elected Members have data protection responsibilities for the personal information they process in their work. They are data controllers under the GDPR. This means they are responsible for making sure that all personal data handled by their office is processed in a way that complies with the requirements of the GDPR. A Members' briefing was produced and circulated (Appendix B).
7.6 The resource implications of the GDPR are significant for all organisations. Personal data is used by all services within the council, and the legislation brings far-reaching changes that the council's current structure and resources may not support. There is a risk that, without prioritisation of work or further resources, the Council will not achieve compliance with the legislation. This will continue to be monitored by the Council's Senior Information Risk Owner (Deputy Chief Executive).
7.7 Document and data retention requirements remain the same under the new legislation; however, as part of the compliance work to identify what information we hold, the Corporate Records Project Manager is leading a piece of work to implement a new council-wide data retention schedule. There will be a briefing to the Policy Committee covering this topic in September 2018.
8. ROLES AND RESPONSIBILITIES UNDER GDPR
8.1 The governance structure which was previously in place for data protection has been strengthened by the requirement for public authorities to have a mandatory named Data Protection Officer in place. The council has an established structure in place for the management of information risks.
8.2 The roles that are in place are:-
Senior Information Risk Owner (SIRO) (responsible for the organisation's information risk policy, and acts as an advocate for information risk on the Board)
Caldicott Guardian (responsible for protecting the confidentiality of people's health and care information and making sure it is used properly)
Information Governance Manager & Data Protection Officer (monitors internal compliance, informs and advises on data protection obligations, and acts as a contact point for data subjects and the supervisory authority)
Information Governance Officer & Assistant Data Protection Officer (supports the role of the Information Governance Manager & Data Protection Officer)
8.3 The reporting channels are:-
Information Governance Group - includes representatives from each directorate and reports into the SIRO.
SIRO briefing - includes the SIRO, Deputy SIRO, IG Manager (Data Protection Officer), ICT Security, Internal Audit and Deputy Head of Business Intelligence.
Strategic Management Team (SMT) – SIRO regularly briefs SMT on data protection matters.
Breach reporting – formal process and procedures for reporting any information and cyber incidents.
Governance Group and Corporate Risk and Business Continuity Group – receive regular updates from the Information Governance Group.
9. GDPR BRIEFINGS AND TRAINING
9.1 The Information Governance Team has been delivering GDPR awareness briefings since October 2017 and to date has:
Briefed 335 people across all directorates
Led 16 individual awareness sessions
Presented 3 schools-specific briefings covering primary, secondary and academy schools, with over 140 attendees over the three sessions
Presented 4 supplementary team meeting sessions
Presented a specific session for 15 elected members, with a further session planned for July
Produced a briefing for Parish Councils
9.2 The mandatory information governance, data protection and information security training through iLearn, the council's elearning platform, will be reviewed and updated during the year to incorporate the new legislation.
10. NEXT STEPS
10.1 To successfully meet the new legislation there will be a continued focus on the key tasks identified. Compliance with the GDPR and Data Protection Act 2018 is everyone's responsibility. Compliance is an ongoing piece of work and the action plan will be reviewed and updated regularly.
10.2 Regular updates will continue to be provided to the channels identified.
11. RECOMMENDATION
11.1 The Organisational Improvement and Development Policy Committee is asked to:
Note the contents of this report
Review the compliance action plan
Refer to the Audit and Corporate Governance Committee to consider as part of its monitoring role
12. WIDER READING
12.1 The Information Commissioner's Office has produced a range of guidance with regard to the General Data Protection Regulation.
The Guide to GDPR - https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Appendix 1 – GDPR Compliance Action Plan

Raise Awareness of GDPR Within the Council
Engage with Senior Managers, Members and key stakeholders (SIRO & Caldicott Guardian).
Arrange working groups with high-risk teams (complaints, social care, procurement etc.).
Update online training and induction training.
Draft a clear communications strategy for the next 8 months.

Assess the Information Held by the Council
Publish the contact details of the Data Protection Officer.
Understand what contractors and Arm's Length Companies the council uses.
Each service to complete an individual audit of their data; this will be monitored through the GDPR Working Group.
Identify and document the purposes of processing for all personal data.
Document a description of the categories of data subjects and types of data.
Identify and document who the data is shared with.
Identify and document the retention period for the data.
Identify whether the data is transferred or held abroad, including data centres and any transfers to people or organisations.
Document a description of the technical and organisational measures used to secure the data.
Create a council-wide Asset Register of Processing Activities.
Undertake a paper records audit.

Effectively Communicate Privacy Information
Ensure all Privacy Notices meet GDPR requirements.
Ensure all Privacy Notices are uploaded to the council's external website.
Work with services as part of Action 2 (above) to ensure Privacy Notices are communicated at the appropriate stages when information is being collected.
Updates to Individuals' Rights
Ensure the council is prepared to process the expanded and new data subject rights under the GDPR. Find out through best practice and guidance how they will apply to WBC, including exemptions and the types of information that are relevant.
Ensure robust policies are in place to guide staff through the processes of responding to the new rights.
Ensure data subjects have access to clear information, through the external website, about how they can exercise their rights.
Explore the technical challenges behind the right to be forgotten – can our systems actually remove or restrict the use of the data held in them?

Changes to Subject Access Requests (SAR)
Ensure that current reporting and recording processes are robust enough to handle a potential increase in SARs after May 2018.
Create and roll out redaction training and a toolkit for staff that handle documents and responses.
Ensure there is a process for handling data/GDPR complaints.

Legal Basis for Processing Data
A full audit of all council data is required, and decisions need to be made with services as to why the council holds this information.
Document this as part of the Information Asset Register of Processing Activities (IAROPA).
As a result of this audit, identify which information is covered by the rights to portability and erasure.

Consent Mechanisms
All consent forms need to be updated to comply with the more stringent requirements of the GDPR.
No "opt-out" consents can be used, such as pre-ticked boxes.
Review where consent is used and decide whether consent is the appropriate lawful basis.
Ensure consent is specific by providing granular consent boxes which break the processing down into its separate functions.

Children's Data
Identify where children's data is processed and the legal basis for doing so.
Review how we engage with children online.
Data Breaches
Review the process for reporting serious breaches to the ICO within 72 hours of becoming aware of them. Ensure this is communicated to any data processors the council has contracts with: if they lose council data, the council must be informed within 24 hours. This may lead to contracts being updated.
A comprehensive breach register must be maintained and updated.
Insurance coverage should be revisited to confirm whether it would need to cover the council for a €20 million fine as the result of a breach.

Data Protection by Design and Impact Assessments
Ensure that all projects have data protection built into them from the start in order to comply with the GDPR.
The DPO needs to sign off the risks identified in all Data Protection Impact Assessments (DPIAs). The current process will need to be updated to ensure this happens.
The need for DPIAs to be communicated to key teams as soon as possible. This will include Procurement, Projects, ICT and CCTV.
Ensure DPIAs are covered in the Communications Plan under Action 1 (above).
A library of DPIAs must be created and regularly updated.
Article 29 Working Party guidance recommends that existing processing be covered retrospectively by a DPIA within three years of the GDPR coming into force. A plan should be drawn up to cover this.

Data Protection Officer Role
Identified officer.
The Data Protection Officer is to have an independent role with regard to decision making for things like DPIAs and breach reporting.

International Transfers
Identify where information is processed or stored outside of the UK and the EEA.

Policies and Procedures
Work with services to identify policies they have that will be affected by the changes in data protection law. This is likely to include all social care services and HR. Work needs to be done, as per the various actions above, to identify the teams at highest risk in terms of the amount of sensitive information they handle, and to work with them first.

Information Sharing Agreements (ISA)
Review the ISA template and ensure it is GDPR compliant.
Collate a full ISA library. Update old agreements where necessary.
Ensure all supporting ISA documents – consent forms, Privacy Notices etc. – are updated in line with the GDPR.
Contracts with Data Processors
Ensure procedures are in place to stop sub-contracting within council projects unless it is approved by the council first. In line with GDPR requirements.
Develop a system of due diligence to ensure processors are complying with the council’s contracts.
Ensure procurements and contracts involving personal data are checked by the Information Governance Team so that a decision can be made about controller/processor relationship.
Accountability Principle
Existing ICO Registration needs to be maintained locally, even when the need to Notify has expired. This will form the basis of the council’s Accountability documentation.
Decisions to be made as to which documents will be proactively published on the external site. The council’s external Data Protection pages will need to be re-written in order to reflect the need for more transparency.
Training for Employees and Members
Key training covering: o Transition from DPA to GDPR o GDPR and Data Protection Act 2018 principles o What to do if there is a breach/incident o How to disclose information
GDPR professional training for key officers
Cloud Hosting
Begin to review existing arrangements with cloud providers. Ensure security is still at a high level, regular diligence and contact maintained with suppliers and appropriate contract in place.
Records Management
Programme in place to develop corporate data retention schedule
CCTV
Ensure there is a CCTV lead within the council
Conduct an audit to ensure all council CCTV is still fit for purpose, has an appropriate and lawful use, and that the technology is still good enough to provide accurate and clear pictures.
Live Data Testing
Ensure appropriate technical and organisational measures are in place
Procurement
Work with procurement to ensure DPIAs are built into all procurement processes as standard.
Audit
Work with Audit to develop a template for arm’s length compliance checks with data processors and suppliers.
Internal Audit and Information Governance to work together to regularly audit and monitor the council’s record for the Accountability Principle.
Social Media
Update all Privacy Notices on the external site around the use of any existing monitoring of social media
Appropriate e-learning and advice to be provided to regular social media users. Just because personal data is in the public domain, does not mean that it is exempt from GDPR.
Ensure all photos and use of personal data for promotional purposes is accompanied by an appropriate legal basis or consent form and that consent is regularly reviewed.
Employee Investigations/Monitoring
Data Protection Impact Assessments must be undertaken before any employee monitoring can take place.
Review of Privacy Notices to be undertaken
Introduction to the General Data Protection Regulation Guidance for Councillors April 2018
Introduction
The purpose of this document is to help councillors meet the requirements of the General Data Protection Regulation (GDPR) and look after personal information about constituents and others in a fair and lawful way.
The GDPR is Europe's new framework for data protection laws and replaces the Data Protection Act (DPA) 1998. The new regulation starts on 25 May 2018 and will be enforced by the Information Commissioner's Office (ICO). The Government has confirmed that the UK's decision to leave the European Union will not alter this. The GDPR is part of a wider reform of data protection that includes the Data Protection Bill.
Role of a Councillor
Councillors have three different roles:
• As a member of the council, for example, as an Executive Board member or a member of a committee.
• A representative of residents of their ward, for example, in dealing with complaints.
• They may represent a political party, particularly at election time.
This document focuses on the first two roles. Councillors are advised to contact their respective political parties for advice on the GDPR and their political role.
How to comply with the General Data Protection Regulation
1. Personal Information
Personal information is any data about an individual which can directly or indirectly identify that person. This includes:-
• Name
• Address
• Telephone number, both landline and mobile
• Email address
• Social media profiles
• Identification number
Personal information can be stored either electronically or manually.
Page 1 Produced by the Business Intelligence Team
There are special categories of personal information which are known as sensitive data under the GDPR which are:-
• Racial or ethnic origin
• Political opinions
• Religious or similar beliefs
• Trade union membership
• Physical/mental health or condition
• Genetic or biometric information (e.g. fingerprints, retinal scan)
• Sexual life or sexual orientation
2. Principles
The GDPR has six principles which set out how personal information should be used, which are:-
Principle 1: Personal information must be processed lawfully, fairly and transparently
This means that before you use any personal information you must be reasonably sure that the person concerned knows:
• who is legally responsible for the use made of the information, i.e. the councillor or councillors? This is often referred to as the data controller.
• why you are asking for the information, what the information will be used for, who will be seeing it, and how long it will be kept
Principle 2: Personal information should only be obtained and used for specific lawful and compatible purposes.
You must be clear and open about the purpose for which personal information is obtained and used. You must not then use this information for a different purpose unless it is compatible with the original task. A constituent contacting their councillor about an issue will not necessarily want their details used for any purpose other than that stated in their email or letter. Seek advice from the Information Governance Team if you wish to use personal information for a purpose which was not specified when you obtained the data.
Principle 3: Personal information must be adequate, relevant and limited to what is necessary
Make sure that you do not ask for or record too much information. Do not obtain or keep information in case it might be useful. Only record relevant personal data, and do so in a manner which you would be happy to show to the person who is the subject of that information. When contacting other organisations consider how much information is necessary to give to the other organisation in order for them to address the needs of your constituent. It may be possible to withhold some of the detail and still successfully represent your constituent.
Principle 4: Personal data must be accurate and kept up to date.
You must make sure that any personal information you use is accurate. This is particularly important if it has been obtained from another person or organisation rather than directly from the subject of the information. Take particular care with constituents’ contact details, to ensure that correspondence is not sent to the wrong email address or postal address. Getting details wrong could cause distress or problems for a constituent.
Every reasonable step must be taken to ensure that personal information that is inaccurate is amended or erased immediately.
If you forward personal information about an individual to the wrong person it is essential that you notify the Information Governance Team immediately at [email protected]
Principle 5: Personal Information must not be kept for longer than is necessary.
The GDPR does not outline time periods for which records should be kept. Identify the different types of records you hold, e.g. constituency case files, contact details etc., and consider how long it would be reasonable to keep each type of record. Appropriate periods are determined by other laws and by accepted best practice. Seek advice from the Information Management Team if you are unsure.
Principle 6: Personal information must be protected by appropriate security
Losses of personal or sensitive personal information by various organisations have highlighted the importance of this principle. You are responsible for the protection of any personal information you hold. You should ensure that personal information is protected against unauthorized use, accidental loss or destruction using council technical or organisational security measures.
3. Rights of Individuals
The GDPR provides a number of rights for individuals which are:-
• The right to be informed – This emphasises the need for transparency over how you use personal information.
• The right of access – Individuals have the right to access their personal information and any supplementary information.
• The right to rectification – Individuals have the right to have their personal information rectified if it is inaccurate.
• The right to erasure – This is also known as ‘the right to be forgotten’. Individuals have the right to request the deletion of personal information where there is no compelling reason for its continued processing.
• The right to restrict processing – Individuals have a right to suppress the processing of personal information. If processing is restricted, personal information can still be stored.
• The right to data portability – This allows individuals to obtain and reuse their personal information for their own purposes across different services.
• The right to object – Individuals have the right to object to the processing of their personal data based on legitimate interests.
• Rights in relation to automated decision making and profiling – The GDPR contains specific provisions on automated individual decision making and profiling (automated processing of personal data to evaluate certain things about an individual).
4. Consent
The GDPR sets a high standard for consent. Consent means offering individuals real choice and control. Genuine consent should put individuals in charge and build trust and engagement with constituents.
If you are representing an individual resident who has made a complaint, you will usually have the implied consent of the resident to retain the relevant personal data provided and to disclose it as appropriate. You might want to identify if there is a legal basis for using the information instead of consent.
However if there is any uncertainty regarding the resident’s wishes, it would be appropriate to make direct contact with the resident to obtain consent on how their personal information will be used and who it will be shared with.
Sensitive personal information which is defined in paragraph 1 is treated differently; where consent is being relied on this should be explicit in nature. Further advice should be obtained from the Information Governance Team.
There may be situations where you may need to pass on a resident’s personal information to another councillor/s in the same ward. You should only disclose to other ward councillor/s the personal information that is necessary:
• to address the resident’s concerns;
• where the particular issue raises a matter which concerns other elected members in the same ward; or
• where the resident has been made aware that this is going to take place and why it is necessary.
If a resident objects to a use or disclosure of their information, their objection should be honoured. You should not pass on personal information which is not connected to the resident’s case.
5. A Quick Checklist
• Do I really need this information about an individual?
• Have I considered whether it is sensitive personal data and taken extra precautions if it is?
• Do I know what I’m going to use it for?
• Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?
• Am I satisfied the information is being held securely, whether it’s on a computer, mobile electronic devices or paper? Are all my electronic devices secure?
• Am I sure personal information is accurate and up to date?
• Do I delete/destroy personal information as soon as I have no more need for it?
• Is access to personal information limited only to those with a strict need to know?
6. Advice and Support and Further Resources
Advice and support can be obtained from the Information Governance Team at [email protected]
Further information on the General Data Protection Regulation (GDPR) can be found on the Information Commissioner's website.
Contact Details: Email Address: [email protected]
Telephone: 01925 44 4213
Key Decision No. N/A
1. PURPOSE
1.1. For Organisational Improvement and Development Policy Committee to be updated on the Council’s current and future approach to ICT Security.
1.2. Further, the Government publishes proposals via the National Cyber Security Centre (NCSC), which is part of GCHQ. They explain the security steps organisations should take in response to increased threat of cyber security attacks. Two recent reports from the NCSC were “Hostile state threats: Advice to staff” and “Increased Cyber Threats – Security steps to take”. This paper describes the WBC position with regard to those reports.
2. CONFIDENTIAL OR EXEMPT
2.1. This report is neither confidential nor exempt.
3. THE WBC APPROACH TO ICT SECURITY
3.1. The Council has clearly defined rules for ICT Security defined in documents such as our Information Security Policy Manual and our Acceptable Use Policy available on WINNIE, the Council’s intranet.
3.2. Our approach to protecting the Council involves measures to prevent threats where feasible and allow us to detect and manage threats if they do arise.
Item 5
3.3. To get the right level of protection we strive to:
Deliver systems (technologies and processes) that have good security inherently built into them to preclude bad things from happening
Educate our people (colleagues, councillors, external users, suppliers, etc) about the part they play and what they should do to keep us from harm
Encourage and welcome external specialists to examine what we do and provide advice on potential improvement areas; from both a policy and implementation point of view.
3.4. Independent reviews of our ICT Security include:
Formal inspection each year for accreditation against the Public Services Network compliance standards. This includes ‘ethical hacking’ where trained experts use special tools and techniques to try and break into our network, systems and user accounts.
Annual audit of our policies and procedures by another local authority (typically Salford)
Occasional inspection by other third parties such as the Society for IT Managers (SOCITM).
4. ASSESSMENT FINDINGS
4.1. Independent inspection of our policies, systems and controls endorses our internal opinion that we are in a good state of health and finds that:
Technology - The way we design, build and test our systems is in line with good practice, from the way we segment our IT network to how we encrypt devices like laptops.
Processes – The things we do to review, test and improve our IT Security protection and defences are also good.
Forward look – We pro-actively work with industry leaders such as the National Cyber Security Centre and the Cyber Information Sharing Partnership to research emerging trends and new best practices.
4.2. The outcomes of these inspections are that (a) each year we pass our PSN audit inspection, (b) all of the potential improvements they recommend have already been identified by our own ICT Security Team and are planned for implementation at a time.
4.3. At the recent PSN inspection the assessors informed us verbally that we are in the top 5% of Local Authorities (LAs) they inspect. They also said that the level of rigour we apply to management of third party systems is in their view “unparalleled” compared to other LAs. This is important because systems that are not properly patched and maintained are one of the most common sources of security vulnerabilities.
4.4. We questioned whether this means that we are making excessive efforts at excessive cost. They responded that we are reaching the appropriate benchmark and all LAs should be aiming for this threat management.
5. THREAT POSITION
5.1. Just like other organisations in the public and private sector we are subject to cyber-attacks from time to time. In such cases we follow our defined procedures, operate potential defence measures and contact the NCSC, following any guidance they suggest. To date, we have managed to withstand all such attacks with minimal business impact, namely, our Senior Management Team have been made aware but the rest of the business has not noticed any material degradation in our operational services.
5.2. The world is constantly changing with new technologies becoming available, new digital business models appearing and novel threats sources being developed. To address this, techniques for preventing, detecting and managing threats must evolve. We apply a model of continuous improvement for our ICT Security. A few of our key next improvements are described in the next section of this report.
5.3. As per section 1.2, the NCSC publishes changing and updated guidance on cyber risks and responses. We performed a self-assessment against the two recent reports listed in section 1.2 and determined that we are already doing, or have plans to do, all of the recommendations in those documents.
6. PROPOSED IMPROVEMENTS
6.1. Cyber Strategy for A Digital First Organisation - During recent years our technology estate has been pretty static as we tightly controlled ICT investment and had a plan for keeping things the same and minimising costs. Our strategy is now different and we are aiming to create a step-change in operational performance by transforming WBC into a digital first organisation through the Warrington 20:20 Transformation programme. We’ll be allowing a lot more people to access technology systems, through different means and for different purposes. We’ll develop a technology roadmap with suitable architecture for the new systems and also to address the new threat types that might come with a new business model. These will be reflected in the ICT business plan and factored into budget provision for future years.
6.2. Process for Cyber Incidents - We have a Major Incident Management (MIM) process for significant ICT issues. We always invoke this for suspected cyber security incidents with a couple of additional actions such as contacting the NCSC. Our MIM documentation is being amended to include the extra steps we take if an incident is security related.
6.3. Improved End User Awareness and Behaviour - Internal and external assessments report that end user awareness and good behaviours are areas for improvement and potentially one of the biggest risks we carry regarding ICT and information security. We have introduced new mandatory training for all staff on Information Security, Information Governance and Data Protection. This is the starting point for a plan of ongoing activities of education, communications and stronger accountabilities for continuous improvement.
7. RECOMMENDATIONS
7.1. Organisation Improvement and Development (OID) policy committee are asked to consider the information within this report and ask questions as appropriate.
7.2. The OID policy committee members are also asked to give their support to discussions about ICT security within WBC, ensuring they personally adopt the good behaviours communicated to end users and be advocates to others of the importance of this.
7.3. To keep this important topic within the OID work programme going forward and ensure cyber-security is maintained as a strategic priority for WBC.
20 June 2018 Produced by the Business Intelligence Team
Introduction
The purpose of this document is to assist in the development of the policy committee work programme 2018/19. The document contains the following information:
Purpose and remit of the policy committee and topics it has looked at in 2017/18.
Guidance from the LGA on selecting work programme topics
National policy themes relevant to this committee
Local ideas for inclusion in the 2018/19 work programme.
What does the Committee do?
The Committee assists the Council and Executive in developing, monitoring and reviewing the Council’s plans, policies and strategies
Scrutinises decisions taken by Executive Board, Committees, Sub-Committees and Officers where appropriate.
Makes recommendations to Executive Board relevant to its area of activity.
What topics can the Committee look at?
Customer gateway programme
Human Resources policies
Corporate Strategy and corporate plan
Development of Council budget
What topics has the Committee looked at in the last year?
During 2017-18 the committee looked at the following topics;
Document Retention and Records Management
Corporate Strategy and performance reports
New office accommodation and agile working
Enterprising Warrington Strategy
Warrington 20:20
Item 7
Living wage
Guidance for selecting work programme topics
The following criteria are a guide for prioritising and selecting topics for policy committee work programmes:-
Topics are suitable for inclusion when:
• the policy committee could have an impact and add value
• the topic is of high local importance and reflects the concerns of local people
• it avoids work duplication elsewhere
• the issue is one that the committee can realistically influence
• the issue is related to an area where the council is not performing well
• the issue is relevant to all or large parts of the local area
Topics are not suitable for inclusion when:
• the issue is already being addressed elsewhere and change is imminent
• the topic would be better addressed elsewhere (and will be referred there)
• policy committee involvement would have limited or no impact upon outcomes
• the topic is too broad to undertake any meaningful policy development
• new legislation or guidance relating to the topic is expected within the next year
• the topic area is currently subject to inspection or has recently undergone substantial change.
Defining work programme topics
For every item on the work programme, it should be clear:
• What is the issue/activity/policy development topic under consideration?
• What is the policy committee being asked to do?
• What are the reasons for/expected benefits of involving the policy committee in the matter?
• Is there a specific deadline for the piece of work?
Note: - Adapted from the Local Government Association Scrutiny for Councillors, Councillor Workbook
National Policy Themes relevant to this Committee
This section contains details of key national policy themes relevant to the committee which could have an impact on the Council’s customers and the town:-
Workforce
Gender Pay Gap – The national publication of gender pay reporting figures show eight in 10 companies in the UK pay men more than women, with an average pay gap of 9.8%.(4 April 2018)
Figures on gender pay gaps provided as part of a Government investigation reveal that almost nine out of 10 public sector organisations with more than 250 employees pay men more than women. On average, women in the public sector are paid 14% less than their male colleagues (30 March 2018)
Sexual Harassment at Work – The Equality and Human Rights Commission has published a report which shares evidence about sexual harassment in the workplace gathered from individuals and employers. It shares evidence gathered from around 1,000 individuals and employers between December 2017 and February 2018 and makes a number of recommendations. (27 March 2018).
Job Quality and Workforce Happiness - The CIPD, the professional body for HR and people development, has launched the annual UK Working Lives survey. The survey found that 64% of workers say they are satisfied with their job, with 18% dissatisfied. The survey also identifies key challenges in the labour market, with those at the lower levels far less likely to have access to skills and training, and those in middle management feeling significantly squeezed by their workload. (11 April 2018)
Minimum wage rise not covering living costs - Analysis by the Living Wage Foundation suggests workers on the national minimum wage are unable to meet everyday living costs unless they work for an extra six weeks. More than 2m people will receive a pay rise of at least 4.4% from 1.4.18 as the living wage increases to £7.83 per hour from £7.50 for over-25s. The foundation’s own estimate for a “real living wage” is £8.75 per hour. (1 April 2018)
Pets at Work - Recent years have seen a rise of the office animal. According to estimates, as many as a third of businesses across the UK have pet policies in place. There have been many studies linking animals in the workplace with lower levels of stress. Apart from alleviating stress, other benefits cited in numerous studies include improved cooperation in group work settings, a friendlier working environment and improved job satisfaction. (5 April 2018).
Better public services green paper and Manifesto: this Green Paper, launched at the Institute for Government, aims to spark debate about the future of public services and how best to make improvements to the benefit of all. It proposes a plan to enable public services to modernise by incorporating the best elements of modern, internet-enabled organisations, and to grow, learn, adapt and evolve these over time. (27 March 2018)
Handling Confidential and sensitive information – The LGA have produced a short briefing which provides an overview of the types of confidential or personal information and how it should be handled. It also covers matters related to interaction with the media and some of the legislative requirements for handling data. (16 April 2018).
London council fined £120,000 for personal data breach - The Royal Borough of Kensington and Chelsea has been fined £120,000 for unlawfully sharing the personal details of the owners of vacant properties in the borough. (19 April 2018)
Cyber security report published - The Public Accounts Committee has published a report on cyber security following a major ransomware attack on the NHS nearly a year ago. (18 April 2018).
A councillor’s guide to cyber security: The LGA have produced a guide on how councils should continuously review, refresh and reinforce their approach to cyber security. (29 March 2018)
Organisational Improvement and Development Policy Committee Draft Work Programme 2018-19
This section contains the draft work programme 2018-2019 for approval by the Policy Committee. It contains items that have been brought forward from the 2017/2018 work programme and new topics for inclusion in the 2018/19 work programme. The purpose of the topic and what the committee is being asked to do have been included in the work programme.
Work Programme Topic: General Data Protection Regulations (GDPR)
Purpose: To scrutinise the implementation of the new General Data Protection Regulations (GDPR). In addition this item will look at outcomes and issues arising from the implementation and national GDPR developments.
Committee action: To forward the committee’s findings to the Audit and Corporate Governance Committee.
Link to National Policy & Local Context: GDPR is a new framework for data protection laws which starts on 25 May 2018. GDPR includes enhanced individual rights and increased penalties for non-compliance.
Lead Officer: Amanda Juggins, Business Intelligence Manager
Date: 20 June 2018 & 5 February 2019

Work Programme Topic: ICT Security
Purpose: To look at the council’s current and future approach to ICT security. This topic will also include cyber security implications for councillors.
Committee action: Submit recommendations to Executive Board.
Link to National Policy & Local Context: The Government has published a report setting out proposals to improve national cyber security following a major attack on the NHS in 2017.
Lead Officer: Heather Berry, Head of ICT and Print Service
Date: 20 June 2018

Work Programme Topic: Document retention and records management
Purpose: To scrutinise progress on the project to change how the council retains and records information from paper to digital.
Committee action: To forward the committee’s findings to the Audit and Corporate Governance Committee.
Link to National Policy & Local Context: Links to the digital vision for local government and digital innovation in the public sector.
Lead Officer: Amanda Juggins, Business Intelligence Manager
Date: 25 Sept 2018

Work Programme Topic: Procurement Strategy
Purpose: To scrutinise the delivery of the procurement strategy. This topic will also include examples of contracts where the living wage has been included.
Committee action: Submit findings to Executive Board or Portfolio Holder, Personnel and Communications.
Link to National Policy & Local Context: The Public Services (Social Value) Act came into force in 2013. It requires people who commission public services to think about how they can also secure wider social, economic and environmental benefits.
Lead Officer: Claire Harris, Head of Finance
Date: 25 Sept 2018

Work Programme Topic: Strategic Equalities Group
Purpose: To review progress on the delivery of the group’s priorities.
Committee action: To submit the findings of the committee to Executive Board.
Link to National Policy & Local Context: The Strategic Equalities Group has been reformed; the first meeting is scheduled for July 2018. The purpose of the group is to ensure compliance with the Equality Act 2010.
Date: 5 February 2019

Theme – Customer

Work Programme Topic: Warrington 20:20
Purpose: To scrutinise progress on the development of digital customer services and look at progress on the review of internal services.
Committee action: To forward the committee’s findings to Executive Board.
Link to National Policy & Local Context: Links to public service reform which aims to fundamentally change how services are received by customers. Also links to a digital vision and innovation for local government.
Lead Officer: Gareth Hopkins, Customer & Business Transformation Assistant Director; Kate Lindley, Head of Transformation
Date: 25 Sept 2018

Work Programme Topic: Warrington 20:20 – Service Design Working Group
Purpose: The working group will test and provide input into the design of customer facing services as part of the Warrington 20:20 programme.
Committee action: That the views of the working group be incorporated into the new customer facing services.
Link to National Policy & Local Context: Links to public service reform which aims to fundamentally change how services are received by customers.
Lead Officer: Gareth Hopkins, Customer & Business Transformation Assistant Director; Kate Lindley, Head of Transformation
Date: Sept 2018 onwards

Theme – Workforce

Work Programme Topic: New Office Accommodation
Purpose: To review progress on the development of the new council building including the design of the ground floor. This topic will also review progress on the development of workforce agile working.
Committee action: To submit recommendations to Executive Board on the design of the ground floor.
Link to National Policy & Local Context: Council initiative to build new office accommodation. Agile working is an initiative to enable employees to work unrestrained from a physical office base.
Lead Officer: Iain Dykes, Project Manager
Date: 20 November 2018

Work Programme Topic: Living Wage
Purpose: Review the implementation of the Living Wage policy throughout the Council and consider future working with businesses in the Borough.
Committee action: To forward the committee’s findings to Executive Board.
Link to National Policy & Local Context: Links to the national living wage and rising living costs due to housing shortages, high rents, low wage growth and welfare and tax reforms.
Lead Officer: Gareth Hopkins, Customer & Business Transformation Assistant Director; Kate Lindley, Head of Transformation
Date: 20 November 2018

Work Programme Topic: Apprenticeship Levy
Purpose: To scrutinise the Council’s approach to the apprenticeship levy and identify future areas for development.
Committee action: To forward the committee’s findings to Executive Board.
Link to National Policy & Local Context: From April 2017 the council is required to pay a monthly Apprenticeship Levy and will be able to access funding for training. The funding can also be used to develop the existing workforce by undertaking frameworks and new standards.
Lead Officer: Gareth Hopkins, Customer & Business Transformation Assistant Director
Date: 25 Sept 2018

Work Programme Topic: Workplace Wellbeing Charter
Purpose: To scrutinise the delivery of the actions contained within the Workplace Wellbeing Charter. This topic will also include a review of staff sickness levels.
Committee action: To forward the committee’s findings to Executive Board.
Link to National Policy & Local Context: The Council achieved the Workplace Wellbeing Charter in 2016. It is due to be reaccredited at the end of 2018.
Lead Officer: Julie Holt, Head of Human Resources & Organisational Development
Date: 20 November