To consider a report by the Director of Resources and Housing and the Director of Adults and Health which presents the Annual Information Governance Report (including the Annual Report of the Caldicott Guardian). The report seeks to assure the Committee on the effectiveness of the council’s information management and governance arrangements: that they are up to date; fit for purpose; effectively communicated and routinely complied with. The Caldicott Guardian element seeks to assure the Committee of the arrangements in place with regards to the confidentiality of patient and service-user data.
(Report attached)
The Director of Resources and Housing and the Director of Adults and Health submitted a report which presented the Annual Information Governance Report (including the Annual Report of the Caldicott Guardian).
The report sought to assure the Committee on the effectiveness of the council’s information management and governance arrangements: that they are up to date; fit for purpose; effectively communicated and routinely complied with. The Caldicott Guardian element sought to assure the Committee of the arrangements in place with regards to the confidentiality of patient and service-user data.
Addressing the report, the Head of Information Governance & Cyber and Data Protection Officer spoke on the key issues which included:
· Improvements had been made in responding to Freedom of Information (FOI) / Environmental Information Regulation (EIR) and Individuals Rights (IR) requests within the statutory time limits.
· The service had changed its structure and working practices and had been renamed the Information Governance and Cyber service (IG&C).
· The mandatory Level 1 Information Governance eLearning development and roll out cycle was currently underway, with a provisional launch date to staff mid-September 2022.
· Information Governance & Cyber were leading on a project to review and update the current Data Protection Impact Assessment template and process.
· PSN certification was awarded in October 2021.
· In August 2021, the National Data Guardian issued guidance on the appointment of Caldicott Guardians, their role and responsibilities in respect of data processing activities undertaken within their organisations.
Referring to statutory information requests, Members noted this was an area of weakness and that the Council would continue to be exposed to successful complaints. Members asked if there was any benchmarking comparison with other authorities, whether there was a downward trend, and what was being done to improve the situation.
The Data Protection Officer confirmed that benchmarking had been undertaken last year, noting that significant work had been undertaken in the current year to benefit from this. An analysis of the data received from core cities and other local authorities indicated that two local authorities were performing better than Leeds, but others were significantly worse.
The Head of Information Governance & Cyber and Data Protection Officer confirmed the benchmarking data would be shared with Committee.
Members were informed that the Information Commissioner’s Office (ICO) had been in contact with LCC to undertake a survey to look at specific problem areas, indicating that this was a national problem. By way of example, the Data Protection Officer mentioned subject access requests (SARs), in particular cases involving Leeds Children’s Social Care where each case involved the redaction of up to tens of thousands of pages, a very time-consuming process. Members were informed that this information had been fed back to the ICO, and that a response / outcome was still awaited.
The Data Protection Officer confirmed that changes had been implemented including the disbanding of the central requests team and the roll-out of basic level training on how to deal with SARs & FOIs in order to share knowledge, experience, and the load of work across the team. It was acknowledged that it will take time to train up and get to standard, but that progress has been made and will have significant impact. In addition, a review is taking place of processes and activities undertaken in the team to ensure that focus is given to IMG work.
Referring to the use of CCTV to help against anti-social behaviour, Members suggested it was seen as a mechanism to assist, but it often conflicted with data protection rules.
Members were informed that CCTV came under the Surveillance Commissioner, but enforcement on misuse was a data protection issue. It was reported that the legal basis for use of CCTV in prevention and detection of crime needs to prove necessity and proportionality and that DPIAs are used to evidence this.
(i) To accept the assurances provided by the Director of Resources and the Director of Adults and Health that the information governance arrangements are fit for purpose, up to date, are routinely complied with, have been effectively communicated and monitored and the necessary confidentiality arrangements are in place with regard to the Caldicott Guardian element.
(ii) That benchmarking data on statutory information requests be circulated to all Members of the Committee.