
Agenda item

General Data Protection Regulation (GDPR)

To understand the provisions of the GDPR and to consider the Council’s preparation to comply with its requirements. The Council is required to be compliant with the GDPR by 25 May 2018.

Minutes:

Robert O’Reilly introduced the report to Members. He advised that a Member Development session was scheduled to discuss GDPR in more detail but a report had been provided to offer assurance to the Commission that the Council was on track to deliver the necessary changes in readiness for the implementation date of 25 May 2018.

The key focus of the project had been to provide awareness around the regulation and the changes it imposed on staff, Members and the Council overall. An e-learning package had been developed to aid this campaign.

Robert O’Reilly advised that the Corporate Programme Project Board decided that an information audit (internal or external) of existing personal data held by the Council was not required at the outset of the project because, if the Council was already compliant with the Data Protection Act, the potential risk did not justify the cost involved.

Good progress was being made all around and the GDPR review would go into more detail.  

The project decided to roll out new privacy notices rather than review existing privacy notices. Members heard that services were required to input specific reasons for processing personal data into the privacy notice in order to move the action forward.

The Commission was informed that the Council would conduct an examination into the types of data it processed and identify the legal basis for doing so - ensuring that this information was fully documented. Robert O’Reilly advised that the GDPR impacted every Local Authority (LA) and, as such, West Berkshire Council was prepared to consider how the majority of LAs had interpreted the regulatory changes and follow suit.

Robert O’Reilly assured Members that the Council was making good progress in time for the deadline. Councillor Emma Webster invited the Portfolio Holder, Councillor Graham Bridgman, to comment.

Councillor Bridgman stated that his involvement, as the newly appointed Portfolio Holder, had been limited but he was familiar with GDPR through his involvement with the Governance and Ethics Committee.

Councillor James Cole was invited to comment on progress - through his involvement with the project. Councillor Cole advised that the project was much wider than an ICT matter and many questions had been asked of Officers regarding the Council’s preparedness for the looming implementation date. He was concerned that there was still a lot of work to be done.

He considered that progress was rather slow and a lot more thought ought to be given to the paper and third party elements of the GDPR.

Councillor Ian Morrin advised that he had some experience with GDPR. He was concerned that the Council was hesitant in its approach to complying with the changes - choosing to follow suit with the majority of LAs would not be his preferred approach. He suggested that, rather than reviewing the Council’s current position, effort should be focused on identifying the standards and aiming to comply with these. Furthermore, he did not feel that the Council would be significantly penalised if it was found to have breached GDPR through a genuine mistake (rather than gross misconduct or negligence). However, it was imperative that the Council developed/documented sufficient policies and procedures to ensure it had the guidelines in place to avoid such an event occurring.

David Lowe advised that the regulations, in essence, were not new to the Council. Previous breaches had been reported to the Information Commissioner's Office (ICO) and dealt with appropriately and with due diligence. However, it was a balance for the ICO to ensure agencies felt comfortable reporting such breaches without fear of the repercussions - otherwise they ran the risk of deterring any reports coming forward.

Members agreed that it would be useful to create a task and finish group to monitor and support the work of the GDPR project board. In terms of timing, this would be finalised post further discussion at Corporate Board. It was anticipated that the group would then convene in February 2018 to ensure it was effective in its contribution prior to the deadline. This would also take place post the Member Development Sessions. Councillors James Cole and Ian Morrin were nominated to be involved.

(19:40 - Councillor Ian Morrin exited the meeting)

Councillor Tim Metcalfe asked whether the Council had insurance against fines due to GDPR breaches. Andy Walker advised that the Reserve Fund was, typically, kept for such events.

Resolved that:

 

1) A Task and Finish Group would be established to assist with the GDPR project.

2) The report was noted.

 

 
