Agenda item

Data Protection Report (BDO)

Report of: The Internal Auditor, BDO

 

Purpose of report: To inform the Audit and Governance Committee of the results of an assessment of the Council’s compliance against key parts of UK GDPR.

 

Recommendation(s):

·       That the Committee notes and discusses the report.


This report will be published as a supplement item.

 

Minutes:

Alex Russell, Internal Auditor from BDO, and Emma Jackman, The Director of Law, Governance, and Strategy, were present to respond to questions.  

  

The Internal Auditor (AR) explained that the report focused on 4 areas when assessing how the Council complies with UK GDPR requirements, including policies and procedures, staff roles and responsibilities, records of processing activities, responses to subject rights requests, and third-party data sharing. Further detail on each category was provided to the Committee and the following key findings were highlighted:

  • Gaps in the Council’s record of processing activities were identified.  
  • Retention schedules were allocated a medium risk rating as there had not been a review since July 2021. 
  • Statistics for completion of data protection training amongst Council staff were not sufficient but a new HR system is being implemented to monitor this more effectively.  
  • Only 42 of the 114 entries relating to third-party data sharing were demonstrated to have equivocal data sharing agreements; some of these records were not sufficiently maintained. 
  • Gaps in data privacy impact assessments were identified. 

  

The Chair invited the Director of Law, Governance, and Strategy to respond.

  

The Director of Law, Governance, and Strategy informed the Committee that internal audits of service areas are being conducted by the Information Governance team to assess how data protection is audited within the Council; these audits had identified the need for the actions outlined in the BDO audit, which were therefore already in scope to be addressed and reported to the Corporate Management Team. The Committee was provided with information regarding the data protection team, which has only one dedicated officer responsible for managing data protection measures, and it was highlighted that the team had been focusing on dealing with ICO concerns in relation to FOIA, which were now performing strongly. As a result, attention is turning to data protection and the implementation of the report’s recommendations.

  

In regard to the record of processing activities, Councillor Harley questioned the concept of consent and anonymisation of data, asking what the Council does to ensure this is applied when necessary. The Director of Law, Governance, and Strategy noted that actions depend on the nature and purpose of the information held but provided several examples to demonstrate the protection of data between departments and the use of data protection notices. It was also confirmed that personal data is anonymised when appropriate in a manner which would prevent an individual from being identified, unless, for example, it is a necessary condition of reporting to central government.

  

The Chair referred to pressures noted around FOIs in the management response when asking whether there have been accommodations made within the Council’s budget to appoint additional staff to support data protection responsibilities. The Director of Law, Governance, and Strategy informed the Committee of current issues with staff availability and assured members that considerations are being made around hiring, especially in the context of a recent spike in FOI requests.

  

Councillor Smith referred to the management response’s commitment to reviewing all audits and asked whether the report noted for March 2025 had been delivered. The Director of Law, Governance, and Strategy explained that this had been delayed and expressed hopes that the agreement for new processes and procedures would go to CMT in time for May. The Committee also heard some examples of the proposed actions relating to data sharing agreements and training. Councillor Smith requested that the Committee be provided with a diagram or summary of these actions to support their understanding at the next meeting. The Director of Law, Governance, and Strategy committed to providing this.

  

The Committee noted the report.  

  

The Internal Auditor (AR) left the meeting.  

  

 
