Agenda item

General Data Protection Regulation (GDPR/Data Protection Act 2018 (DPA))

Report of the Comptroller & City Solicitor

Minutes:

The Committee considered a report of the Comptroller and City Solicitor, which provided a general update on the progress of phase two of the GDPR/DPA Implementation Project and the planned outcomes for the final phase of the work to embed GDPR/DPA implementation into the City Corporation.

Members heard how the Finance Committee and the Policy & Resources Committee would be considering a change to the terms of reference of the Digital Services Sub-Committee to ensure that all physical and mechanical breaches of GDPR would be reported to this Sub-Committee. It was noted that the Chairman of the Audit and Risk Management Committee also received notice of ICO breach reports as they happened, and Members requested that they receive detailed update reports every six months.

 

A Member, noting that the Electoral Services Team had not completed its self-audit, stressed the importance of the Team checking that its cloud-based services would not be affected by moving out of the European Economic Area after Brexit. The Member also noted that it was important that the advice of the Information Commissioner’s Office (ICO) be clarified, as an organisation would need specific reasons to explain why it had missed the 72-hour window to report a GDPR breach.

The Chairman commended the Comptroller & City Solicitor on his recent GDPR accreditation.

 

A Member noted that there appeared to be compliance issues with Human Resources and the Department of Built Environment. The Comptroller reassured the Member that some of these red risks were ready to be moved to amber, and that he expected green status to reach 80% across the City Corporation.

In addition, Members heard how the Barbican Estate had been breaking down barriers by translating information for non-English speakers living in the Barbican so that they understood the importance of data security.

 

The Sub-Committee expressed collective disappointment in those Departments that were not 100% GDPR compliant and suggested that any Department that failed to adhere to the standards put in place on GDPR/DPA would be asked to appear before this Sub-Committee.

RESOLVED – That the Committee:

·         note the report;

·         receive further GDPR/DPA monitoring reports in relation to data breach at a frequency of every six months;

·         request that any Department that failed to maintain 100% GDPR compliance be invited to explain the reasons for this at the Digital Services Sub-Committee.

Supporting documents: