Board 21 September 2021 - GDPR
General Data Protection Regulation Compliance Progress Update
1. Purpose of report
1.1 This report provides Board with an update on the progress made to date towards ensuring organisational compliance with the General Data Protection Regulation (GDPR) since the last Board report of September 2020, and seeks approval of an updated Data Protection Policy.
Your Homes Newcastle has continued to review the use of personal data of its customers, suppliers, employees, workers and other third parties, and has improved the processes for recording Data Incidents, Freedom of Information requests and Subject Access Requests.
2. Background information
2.1 Board received a report and presentation on GDPR in September 2020 which provided an overview of Information Governance activity from August 2019 to July 2020.
2.2 Covid 19 Homeworking – Internal audit
As outlined in last year’s report, Covid-19 presented challenges with traditional ways of working. YHN’s focus was to deploy an agile workforce which presented a number of challenges in relation to the physical working environment and information security. To mitigate these challenges, we worked jointly with NCC, implementing technical controls and worked with the business to provide advice and support. In addition, YHN and NCC have cascaded a number of guidance documents to staff, most recently our ‘Stop, Think, Action’ guidance, which is mandatory for all YHN staff.
The cyber security threat has heightened during Covid-19 and remains a significant risk to organisations. The Information Governance team have developed a new phishing awareness campaign which is due to launch in September 2021. The first stage of the campaign will provide a baseline of organisational awareness. Future phases will build on this, and additional campaigns will divert staff who click the link to a training session. The campaign analysis will enable us to identify priority areas, job roles and individuals within the organisation that require additional targeted support and guidance in this area.
An Information Governance internal audit is currently being conducted. The audit will assess whether significant risks in relation to information governance and the new ways of working that were introduced during YHN’s response to the COVID-19 pandemic are adequately and effectively controlled. This is due to be reported to Group Audit and Risk Committee in November.
3. Data Protection Policy review
3.1 The Data Protection Policy has been reviewed. In summary, the following amendments of note have been made:
- Updated to reflect Data Protection legislation changes post Brexit
- Added a number of key Data Protection Policies to section 1
- Removed reference to D22 (as due to expire and be replaced)
- Expanded the scope of who the policy applies to, so that it covers ‘all parties’ who have access to, or process, personal information held by or on behalf of Your Homes Newcastle (YHN)
- Added the 7th Principle of ‘Accountability’ in line with ICO guidance
- Added ‘Information Asset Owners (IAO) and Managers’ to section 3 – ‘responsibility for compliance’
- Added ‘the Police, law enforcement agencies and safeguarding purposes’ to section 8 – information sharing
- Added reference to IAO responsibilities to section 11 – record keeping
- New section ‘Data Protection by Design and Default and Data Protection Impact Assessments’ – section 13
Further details are itemised in Appendix 1 and the Policy is presented for approval as Appendix 2.
4. Current Position as of August 2021
4.1 The table below provides Board with an overview of additional key developments that we have undertaken since the last update:
Table A: GDPR actions July 2020 - to date
[Table A not reproduced in this extract]
Table B - Identified actions that have been started this year and are ongoing:
[Table B not reproduced in this extract]
5. Data Incidents and Breaches
5.1 The Information Governance team continue to prioritise building relationships with the business, actively encouraging services to contact us. Our ethos is ‘if it doesn’t feel right it probably isn’t – contact us and we’ll work through the situation with you’. We have seen increased contact from service areas in relation to information sharing, which is a positive preventative step.
The team’s priority continues to be offering expert advice and support in relation to incidents and breaches, proactively working with service areas to identify learning points.
The team have continued to develop the database to enable a better understanding of themes, which has allowed us to develop appropriate training and communications.
5.2 Reporting Analysis
The Information Governance team commenced records analysis in January 2019. The reporting analysis covers the period January 2020 to July 2021 to reflect the current position to date.
The table below shows the numbers of data incidents and breaches reported per month.
The analysis shows:
• Over the period reports have averaged 3 per month; this is consistent across all reporting years (3.5 – 2019, 2.91 – 2020, 3.08 – 2021).
• Reporting increased January 2021 to March 2021 which was a period where Covid-19 restrictions were increased, children were being home schooled, and the organisation adapted ways of working in line with the external pressures.
• The highest reportable month was June 2021, with 7 reports. Upon analysis there was no correlation with, or known, external factors at this time, although it should be noted that services continue to deliver under new ways of working.
• Reassuringly officers continue to report incidents, even when contained internally, which evidences that they have an awareness of best practice in relation to GDPR and the importance of reporting ‘near misses’.
• One breach met the reporting threshold this year and was reported to GARC on the 20th May 2021 and 8th July 2021. The decision from the ICO was no further action, received 5th July 2021.
5.3 The table below shows the number of data incidents from January 2019 to date and categorises the reporting. It should be noted that the reporting period for year 1 differs and is therefore not directly comparable. Future reports will show a 3-year comparison and will be on the Board forward plan for September each year, reporting on the period 1st August to 31st July.
[Table not reproduced in this extract]
6. Lessons Learnt
6.1 The Information Governance team have continued to embed lessons learnt sessions into the breach reporting framework. 90% of our breaches are the result of avoidable human error, with 50% being attributed to sending emails to incorrect recipients. The ‘Stop, Think, Action’ campaign, which has recently been launched, highlights the learning points from the sessions and provides practical guidance to mitigate the risk of accidental disclosure. This is a mandatory guidance document for all staff. A formal lessons learnt session was held for the reportable breach (097), as a result of which we are working jointly with NCC to review the Contract Management framework and are developing a risk-based approach.
7. Collaboration with Newcastle City Council
7.1 Your Homes Newcastle has a shared Data Protection Officer (DPO) with Newcastle City Council. Our Governance and Implementation Team work very closely with the DPO, NCC’s Information Governance team and Legal. The teams continue to meet on a weekly basis; this is a useful forum for sharing best practice, forward planning and ensuring we have a consistent corporate approach to GDPR. In addition, the Assistant Director for Business Support and the Information Governance Manager attend NCC’s Information Governance Board.
8. Priorities and Next Steps
8.1 Work with key service areas to support deployment of the retention and disposal policy.
9. Conclusion and recommendations
9.1 The substantial financial sanctions and reputational implications associated with GDPR non-compliance should ensure that all members of the Board and Executive Team recognise the importance of compliance, and of the work and resources that YHN has deemed necessary to ensure it. This report is intended to maintain awareness of the regulations and provide assurance on the ongoing steps that YHN is taking to maintain compliance and deal with the increased risks due to Covid-19.
9.2 Board are recommended to:
Appendices
Appendix 1 – Data Protection Policy – key changes overview
Appendix 2 – Data Protection Policy
Contact Officer:
If you have any questions about this report that you would like clarifying before the meeting, or would like more detail on any of the actions outlined in the report, you can contact Karen Hedley, Governance and Implementation Manager, by email: karen.hedley@yhn.org.uk.