Subject: Data Protection Officer designation required by the General Data Protection Regulation

Date of Meetings:

Audit & Standards Committee: 27th March 2018

Policy, Resources & Growth Committee: 29th March 2018

Report of: Head of Law and Monitoring Officer

Contact Officer:

Name: Abraham Ghebre-Ghiorghis

Tel: 29-1500

Email: Abraham.ghebre-ghiorghis@brighton-hove.gov.uk

Ward(s) affected: All

FOR GENERAL RELEASE

 

1.         PURPOSE OF REPORT AND POLICY CONTEXT

 

1.1         This report is referred to this Committee as well as to the Council’s Policy Resources and Growth Committee in light of the existence of concurrent delegations in relation to the oversight of the Council’s information governance arrangements.

 

2.         RECOMMENDATIONS     

 

Audit & Standards Committee:

 

2.1         That in response to the requirements of the General Data Protection Regulation, the Committee approve in principle this Council’s designation of a statutory Data Protection Officer which Brighton & Hove City Council shares with its fellow founding Orbis partner authorities: East Sussex County Council and Surrey County Council.

 

2.2         That the Committee recommend to Policy, Resources and Growth Committee that the Executive Director – Finance & Resources be given delegated authority to take all steps necessary or incidental to appoint to the above role.

 

2.3         That the Committee recommend that Policy Resources and Growth Committee grant to the Monitoring Officer delegated authority to amend the Council’s Constitution so as to include provision in the Scheme of Delegations to Officers for the new statutory Data Protection Officer role.

 

2.4         That in addition, the Committee recommend to Policy Resources and Growth Committee that responsibility for acting as the Council’s Senior Information Risk Owner be delegated to the Executive Director – Finance & Resources and that this be reflected in the Scheme of Delegations to Officers.

 

 

 

 

Policy, Resources & Growth Committee:

 

2.5         That in response to the requirements of the General Data Protection Regulation, the Committee approve in principle this Council’s designation of a statutory Data Protection Officer which Brighton & Hove City Council shares with its fellow founding Orbis partner authorities: East Sussex County Council and Surrey County Council.

 

2.6         That Policy, Resources and Growth Committee approve that the Executive Director – Finance & Resources be given delegated authority to take all steps necessary or incidental to appoint to the above role.

 

2.7         That Policy Resources and Growth Committee grant to the Monitoring Officer delegated authority to amend the Council’s Constitution so as to include provision in the Scheme of Delegations to Officers for the new statutory Data Protection Officer role.

 

2.8         That Policy Resources and Growth Committee approve that responsibility for acting as the Council’s Senior Information Risk Owner be delegated to the Executive Director – Finance & Resources and that this be reflected in the Scheme of Delegations to Officers.

 

3.            CONTEXT & BACKGROUND INFORMATION

 

3.1         On 30th November 2017, Policy Resources & Growth Committee received a written report on the Council’s response to the requirements of the General Data Protection Regulation. This detailed a number of proposals for steps to be taken to ensure compliance with a changing and significantly more robust data protection regime and sought capital and revenue budget funding for the range of measures considered necessary to achieve compliance.

 

3.2         The above Committee agreed the recommendations and approved the funding bid, giving delegated authority to the Executive Director – Finance and Resources to take all steps necessary to implement the GDPR strategy. The proposed vision indicated during discussion of the proposals was that the Audit & Standards Committee (which holds concurrent delegations in relation to the Council’s information governance arrangements) would scrutinise compliance in this area.

 

3.3         The afore-mentioned report noted the requirement that public authorities designate a statutory Data Protection Officer but did not make specific recommendations in this regard. This was because different options were at that point still being explored.  

 

4.            DESIGNATION OF A DATA PROTECTION OFFICER FOR BRIGHTON & HOVE CITY COUNCIL

 

4.1         Article 38 of the General Data Protection Regulation (which is directly applicable in the UK) imposes a mandatory requirement that all public authorities designate a Data Protection Officer (‘the DPO’). It provides that ‘the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39’.

           

4.2         The DPO’s details must be published, and – although they may be an employee or contractor – they must be supported in carrying out their roles and responsibilities, which are to be executed with independence. The DPO may not be dismissed or penalised for carrying out his or her tasks and must report to the highest management level regarding the detailed range of tasks indicated in Article 39. These include providing advice on the lawful performance of the Council’s obligations and monitoring its compliance, as well as assisting in the assignment of responsibilities and in relation to data protection impact assessments, and acting as contact point with the Information Commissioner’s Office (‘the ICO’).

 

4.3         The term ‘Data Protection Officer’ has been in currency in local government for some time and has historically been used to describe those officers who deal with subject access requests made under the Data Protection Act 1988. However, this statutory role is a new requirement for local authorities (and indeed most organisations) and is to be distinguished from that.

 

4.4         Article 38 of the GDPR specifically permits a single Data Protection Officer to be designated for several public bodies or authorities. This has been actively explored as an option by this Council in discussion at officer level with its fellow Orbis partners, Surrey County Council and East Sussex County Council. The increasing alignment of relevant support services including Audit – an alignment which is obviously a key feature of the Orbis project – has informed these proposals. They will offer this Council access to an individual with dedicated expertise and seniority, via a model which, as well as satisfying a key GDPR requirement, offers the potential to positively influence the work done by the sovereign Information Governance function, including meeting the need to ensure compliance in terms of our arrangements across Orbis for sharing information.

 

4.5         It is proposed the funding for the joint DPO appointment will be agreed by the Joint Management Board and will reflect an appropriate methodology which is governed by the relative information maturity of the three authorities. There is no bid for funding additional to that which has already been agreed.

 

4.6         This proposal is considered to offer a solution which complies with the requirements of the GDPR in such a way as to inform and benefit this authority’s approach to its information governance arrangements. The shared DPO’s independence will be reinforced by the basis on which they are appointed (i.e. across the three authorities) and they will moreover be well-placed, amongst other things, to identify opportunities for any joint work streams which arise while ensuring that their main focus is on deploying their skills, experience and seniority to discharge their statutory functions.

 

5.            THE COUNCIL’S SENIOR INFORMATION RISK OFFICER

 

5.1         It is considered by the ICO to be good practice for councils to appoint a Senior Information Risk Owner (SIRO) to ensure accountability and effective risk management in relation to information held across the range of the authority’s functions. Although this is a non-statutory role, it is considered to be key to ensuring that one of the Council’s Chief Officers retains responsibility for maintaining oversight of the Council’s ongoing (and continually evolving) use of technology to deliver its functions.

 

5.2         Currently the SIRO role is fulfilled by this Council’s Chief Executive. While it is proposed that the role continue to exist, it is considered that the more logical Chief Officer – as the Executive Director with responsibility for relevant service areas – is the Executive Director – Finance and Resources.

 

6.            ANALYSIS & CONSIDERATION OF ANY ALTERNATIVE OPTIONS

 

6.1         Compliance with the requirements of the General Data Protection Regulation is mandatory and – while different models exist for ensuring compliance with the requirement to designate a DPO – the proposals outlined here are recommended.

 

7.            COMMUNITY ENGAGEMENT & CONSULTATION

 

7.1         No need to consult with the local community has been identified.

 

8.            CONCLUSION

 

8.1         Members are asked to note the contents of this Report and to review the recommendations which are proposed as a means of ensuring compliance.

 

9.            FINANCIAL & OTHER IMPLICATIONS:

 

Financial Implications:

 

9.1       The Policy Resources and Growth Committee meeting on the 30th November 2017 approved funding to support GDPR, and the costs associated with the Data Protection Officer will be met from this allocation.

 

Finance Officer Consulted: James Hengeveld                           Date: 08/03/2018

 

Legal Implications:

 

9.2       These are covered in the body of the Report.

                                                                   

Lawyer Consulted: Victoria Simpson                                           Date: 26/02/18

           

Equalities Implications:

 

9.3      There are no equalities implications arising from this Report.

 

Sustainability Implications:

 

9.4      There are no sustainability implications arising from this Report.

 

Any Other Significant Implications:

 

9.5       None

 

 

SUPPORTING DOCUMENTATION

 

Appendices:

None

           

Documents in Members’ Rooms:

None

 

Background Documents:

None