Agenda item

general data protection regulation policy

Corporate Governance, Risk and Compliance Officer



The Corporate Governance, Risk and Compliance Officer introduced the General Data Protection (GDPR) Policy, as circulated with the agenda.  He explained that the existing data Protection Act 1998 would be replaced by new legislation on the 25 May 2018 and the committee were asked to recommend that Cabinet approve the new policy.  It was also recommended that the Borough Solicitor be designated as the Data Protection Officer and the Shared Service arrangement between Cheltenham Borough Council, Gloucester City Council and One Legal (Tewkesbury Borough Council) be varied.  


The Corporate Governance, Risk and Compliance Officer responded to member questions: 


  • Data sharing was not an issue assuming people were advised that their data would be shared and assuming a data sharing agreement was in place.  Data audits had been undertaken across the council, of all data collected, with many sharing agreements already in place, and where they were not, discussions were ongoing to ensure that they were put in place.
  • There were instances where residents could ask that their details not be shared and consideration was being given to how long details of objectors to planning applications, for example, were retained.  Privacy notices would set out why data was being processed, who it would be shared with and how long the data would be retained.  

·         As part of the member training that had been provided it had been made evident that members needed to clear about in which role they were collecting data, as a ward, borough or party representative. 

·         Registration with the Information Commissioner was members’ responsibility with the council having no power to force members to do this, though it was highlighted that they were putting themselves at risk by not doing so.  Democratic Services were supporting members’ with the process (and covering the fee) this year.  All members had been invited to visit Democratic Services to complete the online registration and thus far only two had done so.  Democratic Services would be arranging a drop-in session prior to and immediately after the next Council meeting.

·         A project team had been set-up to deliver compliance and that project had a long list of risks, which included IT risks.  The policy tabled with the committee was a different matter.  Members were reminded that each project had a risk register which was managed by the project team, but should a risk score 16 or more, it was automatically added to the Corporate Risk Register and monitored and reviewed by the Senior Leadership Team and Cabinet members.  IT had a Divisional Risk Register and PSN compliance formed part of this.

·         Admittedly, PSN required an annual return to ensure compliance, which he assumed parts of the NHS had completed.  He wouldn’t comment on how it had therefore been possible for hackers to get into their systems. 

·         Members were reminded that as part of Publica a joint PSN return was made, rather than one for each of the partner councils. 

·         He was not able to confirm whether or not the company that undertook penetrative testing of the councils IT systems was accredited or not, but would refer this question to the IT Manager and circulate the response to members by email. 

·         When sharing data with entities such as Ubico, who delivered services on our behalf, CBC remained the Data Controller and were simply authorising them to process data on our behalf. 

·         Legal had provided clear advice as to the necessary audit trail regarding the source and ultimate destination for any data collected.  Every team in every division had a retention schedule, data was only kept as long as there was a legitimate business need and this varied from data to data. 

·         All but two existing members had completed the GDPR training.  The Democracy Officer advised that these two members had committed to attending the session that had been arranged for newly elected members.  It was also noted that all staff had now been trained to the appropriate level. 


Members commented on how informative they had found the GDPR training and encouraged those members that had not yet attended, to do so.


Upon a vote it was unanimously




1.    The committee recommend that Cabinet approve the new Data Protection Policy;

2.    The committee recommend that Cabinet delegate authority to the Director of Resources and Corporate Projects to vary the existing s101 Share Service arrangement between the Council, Gloucester City Council and One Legal (Tewkesbury Borough Council) to;

-       Include undertaking the statutory function of the Data Protection Officer (DPO) under the Data Protection legislation and;

-       Designate the council’s Borough Solicitor as the DPO for the Council.

Supporting documents: