Agenda item

Freedom of Information (FOI) & Data Protection Act (DPA) Breaches & Data Subject Access Requests (DSARs): Head of Information Security & Technology - Sian Hayward

Minutes:

The Head of Information Security and Technology and Data Protection Officer presented a report on Freedom of Information Requests, Data Protection Act Breaches and Data Subject Access Requests. Following presentation of the report, the Chair invited Members to ask questions:

· A Member questioned the increased number of internal reviews and asked if there had been a change in process or quality checks. It was responded that members of the public are more aware of the use of freedom of information requests if they are unable to get information directly from a service area. There is also an increase in the technical content of requests across the whole authority, and often the authority does not hold the information requested. Requestors may be disappointed with the information received, hence the increase in internal reviews. It was responded that all the internal reviews were upheld.

· A Member queried the 78% completion rate for mandatory training, asking whether the numbers undertaking the training are monitored and whether there is a process planned to ensure greater compliance. It was responded that the priority is learning, especially in high-risk areas where personal data is handled and breaches occur. The training is repeated every two years. It is mandatory that new starters complete the training. The training is available online, face to face and bespoke to service area requirements. Schools have a separate module as they are their own data controllers, as are County Councillors. The Chair offered the support of the Committee to encourage better training compliance.

An update was provided about the corporate training database, which will assist in capturing data and identifying deficiencies. The Chair asked for a report of the mandatory training completion rates broken down by service area at the next meeting.

A Member emphasised that mandatory training is mandatory, and that if it is considered that some staff should be classified as not a priority, and there is a good reason for doing so, their training requirement could be downgraded from mandatory. The Member asked if there is any sanction for members of staff who have failed to comply with mandatory training. It was confirmed that IT privileges would not be removed, for business continuity reasons. It was confirmed that there are three weeks during the year that focus on cyber security and data protection to raise awareness.

It was noted that emails are the biggest source of data breaches, and it was queried whether there was any link to staff not completing training. It was confirmed that there is no link; staff who commit a data breach without having completed the training are required to complete it, and those who have completed it may have to refresh it. Often the breach is classed as human error, and the action taken is to contain the breach and inform those involved.

· A Member asked how the number of data breaches compares with other authorities and was informed that levels are similar to those of the SRS partner authorities. Work is in progress to compare information and performance across South Wales.

· A Member queried the increase in FOI requests for Children and Young People. It was explained that Covid affected the number of requests and the ability to deal with them. The general trend is upwards for all service areas. There is also an increase in complexity.

· A Member, whilst not minimising the seriousness of data breaches, commented that the number of email data breaches is very small in comparison with the number of emails sent from the organisation to both external and internal recipients. In response to a question, it was confirmed that the threshold for reporting to the Information Commissioner's Office is determined by assessing the harm caused.

· The Chair asked for information on the governance arrangements for the policies in these areas, as the Committee had not received any policies for review and endorsement. The Head of Information Security and Technology informed the Committee that the policies are available to view on the Intranet site and can be presented to the Committee. There is an Information Governance Group that approves changes to policies. The Chair suggested that, as part of its governance responsibilities, the Committee should be reviewing and endorsing a number of corporate risk control policies, and asked that the Deputy Chief Executive consider which of these policies (extending beyond IT and data protection) the Committee should periodically review and recommend for approval across the authority.
