Agenda item

Data Protection Update

Minutes:

The Information Governance and Data Protection Manager introduced the report, which detailed fourteen reported breaches from September 2023 to April 2024.

The Information Governance and Data Protection Manager said that one of these breaches was reported to the Information Commissioner’s Office (ICO). This was due to a cyber-attack on a sub-processor used by Gatherwell, who provide community lottery services. He said that given the actions taken by the supplier and the council’s assurance of security arrangements, the ICO took no further action and were satisfied with the council’s response.

The Information Governance and Data Protection Manager said that of the thirteen other reported breaches:

· Nine were due to correspondence being shared with an incorrect recipient.

· One was due to not correctly using the BCC function when sending an email.

· Two were due to a calendar invite being sent to multiple attendees, revealing their email addresses.

· One was due to data not being fully redacted before publication on the council’s website.

The Information Governance and Data Protection Manager said that the following actions were taken in response to the above breaches:

· Where possible, email recalls were issued.

· The incorrect recipient was asked to destroy personal data and confirm this by email once completed.

· Where errors were due to software issues, these were immediately rectified with the relevant supplier.

· Data published in error was immediately corrected or removed.

The Information Governance and Data Protection Manager said that the following actions were taken to prevent similar breaches from occurring in the future:

· Officers were advised to regularly clear their auto-complete cache to reduce the possibility of sending emails in error.

· Officers were reminded of the serious implications of a data breach and, where relevant, were advised of further actions or given training to reduce the likelihood of future breaches.

· A MailTip feature has been activated on Outlook which will notify officers when they enter an external email address.

· Officers were reminded of the importance of liaising with the Information Governance and Data Protection Manager prior to engaging new suppliers that will process council-controlled personal data, so that a supplier assurance assessment can be carried out.

The Information Governance and Data Protection Manager said that there had been no increase in the number of reported breaches. He said that there had been five subject access requests from September 2023 to April 2024, with all requests processed and responded to within the statutory time limit.

The Chairman thanked the Information Governance and Data Protection Manager for his report.

Councillor Nicholls asked if any of the reported breaches were made by Members, or if they were all caused by officers. 

The Information Governance and Data Protection Manager said that all of the reported breaches in the report were attributed to officers.

Councillor Willcocks sought the definition of a subject access request.

The Information Governance and Data Protection Manager said that a subject access request was the right for an individual to access their own personal data, held by an organisation. He said that this type of request required the individual to provide proof of identification.

The Information Governance and Data Protection Manager said that a freedom of information request was more generalised, and covered recorded information held by authorities.

Councillor Willcocks asked if the breach which was reported to the ICO was the fault of the council.

The Information Governance and Data Protection Manager said that this breach was not the fault of the Council but caused by a cyber-attack on the sub-processor Gatherwell.

The Chair asked if breaches were punishable by the ICO.

The Information Governance and Data Protection Manager said that fines were imposed; these ranged from £200 up to £14 million for sensitive data breaches.

It was moved by Councillor Woollcombe and seconded by Councillor Willcocks, that the recommendations, as detailed, be approved. After being put to the meeting and a vote taken, this motion was declared CARRIED.

RESOLVED – that (A) the content of the report be noted, and any observations provided to the Information Governance and Data Protection Manager.
