Towards GDPR Compliance: Overview and Scrutiny Committee, 18 September 2018


Towards GDPR Compliance Overview and Scrutiny Committee 18 September 2018


The General Data Protection Regulation (GDPR)
• The General Data Protection Regulation (GDPR) came into force on 25th May 2018.
• The basic principle of GDPR is that individuals have a right to privacy and that personal data can only be used for the specific purpose for which it was obtained. Personal data must also not be kept for longer than is necessary.
• Personal data covers a wide range of information – effectively anything that could be used to directly or indirectly identify a person. This could include names, e-mail addresses, images, bank details, posts on social networking websites, medical information, or even a computer IP address.


Role of the Data Protection Officer (DPO) at Hart District Council
• The DPO has formal responsibility for data protection compliance within Hart District Council.
• The DPO is the contact point for all data protection related queries, including:
  - Reporting a data breach;
  - A request by an individual for the personal information held about them (known as a Subject Access Request);
  - Advice about maintaining records and Privacy Notices.
• The DPO is responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.


Hart District Council’s compliance with GDPR
• Even though the May 2018 deadline for GDPR compliance has passed, being GDPR-ready is not a one-time project. It’s an ongoing approach to Hart District Council’s business.
• It is not about being 100% GDPR compliant. It’s more about looking at data and processes and developing an efficient data protection strategy.
• In terms of the Data Management Risk Register, the main risks are around the HR/Payroll Workstream and the volume of data held on the Departments’ shared drive. The situation is better than it was 12 months ago as a result of more effective mitigations (for example, the use of SharePoint for document management), but the risks still exist. This audit work is ongoing.
• Hart District Council’s main contracts are with:
  - Capita, for Customer Services, Revenues and Benefits, Finance, HR & Payroll and Governance;
  - Basingstoke and Deane Borough Council, for waste;
  - Everyone Active, for the management of Leisure Centres.
  The contracts include clauses which address GDPR.


What has Hart District Council done to ensure compliance with GDPR requirements?

Actions | Completed
As a public authority, appointing a DPO | Tim Wilson appointed as DPO (May 2018)
Ensure that there are proper records of processing activities | Records of Processing Activities (Data Audit) undertaken (January 2018)
Publishing updated Privacy Notices and Cookie Consent | Privacy Notices (overarching and four department specific Privacy Notices) reviewed, updated and published (April 2018)
Raising awareness of the role of the DPO | All Staff e-mail (August 2018), Staff briefing (September 2018) and Overview and Scrutiny Committee presentation (September 2018)
GDPR Training | Staff training (February 2018), Councillors training (May 2018) and Regulatory Services training (July 2018)
Creating a GDPR repository for staff guidance and resources | Created on SharePoint (January 2018)
Developing guidance for handling data breaches and Subject Access Requests | Personal Data Breach Response Plan developed (March 2018) and Subject Access Requests Procedure drafted (December 2017)
Auto-forwarding of e-mails and migrating all Councillors onto the secure Office 365 platform | Auto-forwarding disabled (August 2018) and moving Councillors onto Office 365 (August 2018)


The next steps towards GDPR compliance?

Actions to be taken | Planned completion
Records of Processing Activities - Annual Review | March 2019
Printers - Swipe access (currently there is a Digi Lock on the Print Room door) | Under review
Data Protection Impact Assessments - Completed | Procurement Database (September 2018); ONS Council Tax Data Project (Under review)
Data Processing and Sharing Agreements - Completed | Ongoing and updated
Operational policies, procedures and processes - Continue working on | General - Strategic Audit (November 2018); Specific - Data Protection Policy and Bring Your Own Device Policy (January 2019)
Retention Schedule - Review | March 2019
Training - Undertake small group training and new staff induction | Ongoing
Information Commissioner's Office - Advisory Visit | September 2019
GDPR Project Plan - Monitor and review | July 2019


Councillors
• All Councillors now have their own secure Hart District Council e-mail account.

Data Controllers
• All Councillors are individually registered with the Information Commissioner's Office as Data Controllers.
• Where you hold personal data (including e-mail addresses or anything that can identify an individual), it should be deleted once the information is no longer relevant or necessary. The data must also be held and transmitted securely to protect personal information.


GDPR Member Handbook
• Previously provided with a copy
• Published on SharePoint; any changes will appear there
• Content includes:
  - Councillors dealing with complaints or Ward matters
  - Access to personal data held by Hart District Council
  - Disclosing data to another person
  - Transferring information between Ward Councillors
  - Use of Personal Information for Political Purposes
  - Reporting a Data Breach
  - Terminology


Contact details for the DPO
I can be contacted by:
• E-mail: data.protection@hart.gov.uk
• Telephone: 01252 77(4447)
• In person: I am located in Corporate Services on the second floor of the building.