Issue - meetings

Data Breach Policy

Meeting: 06/07/2021 - Executive (Item 94)

94 Data Breach Policy PDF 319 KB

Decision:

That:
a) the revised Data Breach Policy and its related procedural documents are adopted

b) the Information Governance and Data Protection Manager be authorised to make any minor amendments that may be required, in consultation with the Head of Legal and Democratic Services

Minutes:

The Executive Member for Corporate Services submitted a report on the Data Breach Policy.

Councillor Cutting proposed and Councillor Boylan seconded a motion supporting the recommendations in the report. On being put to the meeting and a vote taken, the motion was declared CARRIED.

RESOLVED – That (A) the revised Data Breach Policy and its related procedural documents are adopted; and

(B) the Information Governance and Data Protection Manager be authorised to make any minor amendments that may be required, in consultation with the Head of Legal and Democratic Services.


Meeting: 08/06/2021 - Overview and Scrutiny Committee (Item 68)

68 Data Breach Policy and Procedures PDF 64 KB

Minutes:

The Information Governance and Data Protection Manager submitted a report that presented the revised East Herts Council Data Breach Policy and its related revised procedural documents, the Data Breach Flowchart, the Staff Data Breach Report Form and the Data Breach Report template.

Members were advised that the policy updated and replaced the Data Security Breach Management Policy, which had been approved by Leadership Team in 2018 but had not been considered by Overview and Scrutiny Committee or adopted by the Executive.

The Information Governance and Data Protection Manager said that the revised policy ensured that the Council had robust breach reporting procedures in place and also facilitated decision making on whether to notify the Information Commissioner’s Office (ICO) and affected data subjects in respect of any breaches. The policy also ensured that records were kept of all data breaches in order to satisfy the accountability requirements of the UK GDPR.

Members were advised that the policy set out what data breaches were and how they could be recognised. The Policy also set out the notification and identification stages of a breach and how this should be dealt with internally.

The Information Governance and Data Protection Manager set out the full investigative process that covered how much data had been released and who was affected. This stage also helped Officers decide whether to inform the ICO or the affected data subjects. He referred Members to the data breach flow chart as a go-to guide that summarised the content of the Data Breach Policy.

Councillor Snowdon sought and was given some clarification as to the appendices. He also asked about e-learning courses and training packages for Officers. The Information Governance and Data Protection Manager said that this was all included in the compulsory e-learning course for GDPR which he had just finished updating.

Councillor Devonshire asked about hacking, phishing and information obtained by deception and whether any of that activity had occurred at East Herts Council. The Information Governance and Data Protection Manager said that he was not aware of any such activity, but IT colleagues would be better placed to give an update on this.

Councillor Devonshire proposed, and Councillor Buckmaster seconded, a motion that the recommendations as detailed in the report be approved. After being put to the meeting and a vote taken, the motion was declared CARRIED.

RESOLVED – that (A) the Data Breach Policy and its related procedural documents be considered and Members provide any observations and suggested amendments to the Information Governance and Data Protection Manager for inclusion in the final version; and

(B) the revised Data Breach Policy and its related procedural documents be recommended to Executive for adoption.