
General Data Protection Regulation Policy

Meeting: 18/04/2018 - Audit, Compliance and Governance Committee (Item 5)

5. General Data Protection Regulation Policy (PDF, 96 KB)

Corporate Governance, Risk and Compliance Officer


Minutes:

The Corporate Governance, Risk and Compliance Officer introduced the General Data Protection Regulation (GDPR) Policy, as circulated with the agenda.  He explained that the existing Data Protection Act 1998 would be replaced by new legislation on 25 May 2018 and the committee were asked to recommend that Cabinet approve the new policy.  It was also recommended that the Borough Solicitor be designated as the Data Protection Officer and that the Shared Service arrangement between Cheltenham Borough Council, Gloucester City Council and One Legal (Tewkesbury Borough Council) be varied.


The Corporate Governance, Risk and Compliance Officer responded to member questions: 


  • Data sharing was not an issue, assuming people were advised that their data would be shared and a data sharing agreement was in place.  Data audits had been undertaken across the council, of all data collected, with many sharing agreements already in place, and where they were not, discussions were ongoing to ensure that they were put in place.
  • There were instances where residents could ask that their details not be shared, and consideration was being given to how long details of objectors to planning applications, for example, were retained.  Privacy notices would set out why data was being processed, who it would be shared with and how long the data would be retained.
  • As part of the member training that had been provided, it had been made evident that members needed to be clear about in which role they were collecting data: as a ward, borough or party representative.
  • Registration with the Information Commissioner was members' responsibility, with the council having no power to force members to do this, though it was highlighted that they were putting themselves at risk by not doing so.  Democratic Services were supporting members with the process (and covering the fee) this year.  All members had been invited to visit Democratic Services to complete the online registration and thus far only two had done so.  Democratic Services would be arranging a drop-in session prior to and immediately after the next Council meeting.
  • A project team had been set up to deliver compliance, and that project had a long list of risks, which included IT risks.  The policy tabled with the committee was a different matter.  Members were reminded that each project had a risk register which was managed by the project team, but should a risk score 16 or more, it was automatically added to the Corporate Risk Register and monitored and reviewed by the Senior Leadership Team and Cabinet members.  IT had a Divisional Risk Register and PSN compliance formed part of this.
  • Admittedly, PSN required an annual return to ensure compliance, which he assumed parts of the NHS had completed.  He wouldn't comment on how it had therefore been possible for hackers to get into their systems.
  • Members were reminded that as part of Publica a joint PSN return was made, rather than one for each of the partner councils.
  • He was not able to confirm whether or not the company that undertook penetration testing ...