Board 21 September 2021 - GDPR

General Data Protection Regulation Compliance Progress Update

1. Purpose of report

1.1 This report provides Board with an update on the progress made to date towards ensuring organisational compliance with the General Data Protection Regulations (GDPR) since the last board report of September 2020 and to seek approval of an updated Data Protection Policy.

Your Homes Newcastle has continued to review the use of personal data of its customers, suppliers, employees, workers and other third parties. Improving the processes for recording Data Incidents, Freedom of Information and Subject Access Requests.

2. Background information

2.1 Board received a report and presentation on GDPR in September 2020 which provided an overview of Information Governance activity from August 2019 to July 2020

2.2 Covid 19 Homeworking – Internal audit

As outlined in last year’s report, Covid-19 presented challenges with traditional ways of working. YHN’s focus was to deploy an agile workforce which presented a number of challenges in relation to the physical working environment and information security. To mitigate these challenges, we worked jointly with NCC, implementing technical controls and worked with the business to provide advice and support. In addition, YHN and NCC have cascaded a number of guidance documents to staff, most recently our ‘Stop, Think, Action’ guidance, which is mandatory for all YHN staff.

Cyber security has heightened during Covid-19 and remains a significant threat to organisations. The Information Governance team have developed a new Phishing campaign which is due to launch in September 2021. The first stage of the campaign will provide a baseline of organisational awareness. Future phases will build on this and additional campaigns will also divert staff that click the link to a training session. The campaign analysis will enable us to identify priority areas/job roles and individuals within the organisation that require additional targeted support and guidance in this area.

An Information Governance internal audit is currently being conducted. The audit will assess whether significant risks in relation to information governance and the new ways of working that were introduced during YHN’s response to the COVID-19 pandemic are adequately and effectively controlled. This is due to be reported to Group Audit and Risk Committee in November. Page 14

3. Data Protection Policy review

3.1 The Data Protection Policy has been reviewed. In summary, the following amendments of note have been made;

- Updated to reflect Data Protection legislation changes post Brexit

- Added a number of key Data Protection Policies to section 1

- Removed reference to D22 (as due to expire and be replaced)

- Expanded who is the policy for to ‘all parties’ who have access to, or process personal information held by, or on behalf of Your Homes Newcastle (YHN)

- Added 7th Principle of ‘Accountability’ in line with ICO

- Added ‘Information Assets Owners (IAO) and Managers to section 3 -‘responsibility for compliance’

- Added ‘the Police, law enforcement agencies and safeguarding purposes’ to section 8 – information sharing

- Added reference to IAO responsibilities’ to section 11 – record keeping

- New section ‘Data Protection by Design and Default and Data Protection Impact Assessments’ – section 13

Further details are itemised in Appendix 1 and the Policy is presented for approval as Appendix 2.

4. Current Position as of August 2021

4.1 The table below provides Board with an overview of additional key developments that we have undertaken since the last update:

Table A: GDPR actions July 2020 - to date

Identified action

Status as of August 2021

Board e-learning on GDPR

Complete

October 2020

Training workshops with customer facing business areas. The training includes case studies and customer journey to promote discussion in relation to best practice. It also covers all key DP/GDPR policies:

Virtual sessions have been delivered to - Housing Solutions team.

Planned: Contact Centre, Safe Living team

Status: Ongoing

(expected to be a continuous action)

Ensure all BCE and contact centre staff are compliant in GDPR awareness through completion of e-learning module.

Contact Centre, BCE Managers and Operatives with AD accounts are fully compliant.

Approach implemented to ensure that new operatives complete training, linked with IT services issuing mobile devices so all operatives get training at point of issue.

The IG team will explore all operatives having access to LMS

Complete – 100% compliance

Undertake privacy impact assessments on all data processed by new BCE and Contact Centre services (Internal Audit)

Delayed due to transformation and Covid-19.

IG Manager has agreed the process with responsible AD – new target for completion March 2022.

Ongoing

Develop a more systematic approach to obtaining, recording and monitoring customer consent for use of personal data.

This has dependencies with the corporate IT strategic review.

Outstanding

Options appraisal for the procurement and implementation of a Document Management System

Options appraisal commenced.

This is being appraised as part of the corporate IT Strategic review.

Ongoing

Implement information protection tagging system to prevent accidental data loss.

Work collaboratively with NCC to appraise Data Loss Prevention options (DLP)

The IG team continue to work with NCC to develop DLP, which is currently in the first phase of testing stage.

This needs to be aligned with the corporate IT Strategic review and the 0365 project.

Ongoing

The Recruitment of additional Information Governance Officer

Complete:

May 2021

Review of All Privacy Notices

Complete:

December 2020

Develop and implement cookie policy to support website build

June 2021

Continue to monitor compliance in relation to training and policy cascade.

A robust compliance monitoring system has been implemented for all training, policy and Covid-19 guidance documents across the LMS (training) and MetaCompliance (Policy)

This is fully embedded.

Complete

Development and implement annual training plan in partnership with NCC

Agreed approach for 2021 training and purchased modules.

Complete

July 2021

Implement new confidential waste contract

Phased approach to implementation.

Complete

January 2021

Development and implement annual comms plan in partnership with NCC

The IG team have worked collaboratively with NCC to develop staff guidance and comms, recently cascading the ‘Stop, Think, Action’ guidance and screen savers.

Complete

Table B- Identified actions that have been started this year and are ongoing:

Identified action	Target completion
Recruitment of 12-month fixed term Information Governance Officer. Currently out to advert. Closure date 8^th September 2021.	November 2021
Continue to work with the business to implement secure by design business processes and solutions The IG team have actively promoted the importance of Privacy by Design in a comms campaigns which has resulted in working with a number of areas of the business to complete Data Protection Assessment (DPIAs) – this is an important element of Privacy by Design in terms of identifying and mitigating risk. The IG manager is currently leading the PMO Project Management Office (PMO) and will ensure that Privacy by Design in built into the framework. The IG Manager working jointly with NCC to develop a contract management framework which is risk based and encompasses Privacy by Design. Privacy by Design has also been added to the Data Protection Policy.	Ongoing – December 2022 to embed in project and contract management framework
Implement technical measures to support the Information Security Policy Policy at final draft stage Approved by NCC ICT and DPO IG Manager working with NCC technical lead to implement technical measures in line with Policy cascade.	Ongoing March 2022
Support the Customer Service Directorate in relation to Records Retention and Disposal. Work collaboratively with the business to support service reviews On hold due to Covid-19 and Customer Service staff working from home. IG Manager to pick up with responsible AD when hubs re-open and agree timescales.	March 202

5. Data Incidents and Breaches

5.1 The Information Governance team continue to prioritise building relationships with the business, actively encouraging services to contact us, our ethos is ‘if it doesn’t feel right it probably isn’t – contact us and we’ll work through the situation with you’. We have seen an increased contact from service areas in relation to information sharing which is a positive preventative step.

The team’s priority continues to be offering expert advice and support in relation to incidents and breaches, proactively working with service areas that to identify learning points.

The team have continued to develop the database to enable a better understanding of themes which has allowed us to develop appropriate training and comms.

5.2 Reporting Analysis

The information Governance team commenced records analysis in January 2019. The reporting analysis is for the period January 2020 to July 2021 to reflect the current position to date.

The table below shows the numbers of data incidents and breaches reported per month.

The analysis shows;

• Over the period reports have averaged 3 per month, this is consistent across all reporting years (3.5 – 2019, 2.91 – 2020, 3.08 – 2021).

• Reporting increased January 2021 to March 2021 which was a period where Covid-19 restrictions were increased, children were being home schooled, and the organisation adapted ways of working in line with the external pressures.

• The highest reportable month was June 2021, having 7 reports. Upon analyses there was no correlation or know external factors at this time, although it should be noted that services continue to deliver under new ways of working.

• Reassuringly officers continue to report incidents, even when contained internally, which evidences that they have an awareness of best practice in relation to GDPR and the importance of reporting ‘near misses’.

• One breach met the reporting threshold this year and was reported to GARC on the 20th May 2021 and 8th July 2021. The decision from the ICO was no further action, received 5th July 2021.

5.3

The table below shows the number of data incidents since January 2019 to date and categorises the reporting. It should be noted that the reporting period for year 1 differs and is therefore not directly comparable.

Future reports will show a 3-year comparison and will be on Board forward plan for September each year, reporting on the period 1^st August to 31^st July.

	Year 1	Year 2	Year 3
(7-month period)	(12-month period)	(12-month period)
1^st January 2019 – 31^st July 2019	1^st August 2019 – 31^st July 2020	1^st August 2020 – 31 July 2021
Total number of data security incidents	28	35	37
Number of data security incidents confirmed as data breaches	16	15	20
Number of data breaches reportable to the ICO	1	0	1

Lessons Learnt

6.1

The Information Governance team have continued to embed lessons learnt sessions into the breach reporting framework. 90% of our breaches are because of avoidable human error, with 50% being attributed to sending emails to incorrect recipients.

The ‘Stop, Think, Action’ campaign which has recently been launched highlights the learning points from the sessions and provides practical guidance to mitigate the risk of accidental disclosure. This is a mandatory guidance document for all staff.

A formal lessons learnt session was held for the reportable breach (097), as a result of which we are working jointly with NCC to review the Contract Management framework and developing a risk based approach.

7.	Collaboration with Newcastle City Council
7.1	Your Homes Newcastle have a shared Data Protection Officer (DPO) with Newcastle City Council. Our Governance and Implementation Team work very closely with the DPO, NCC’s Information Governance team and Legal. The teams continue to meet to a weekly basis, this a useful forum for sharing best practice, forward planning and to ensure we have a consistent corporate approach to GDPR. In addition to the Assistance Director for Business Support and Information Governance Manager attends NCC’s Information Governance Board.
8.	Priorities and Next Steps
8.1	Recruitment of fixed term Information Governance Officer Phishing campaign and training plan developed based on outcome of results Contract Management Framework Project Management Office embed ‘Privacy by Design’ Review all Privacy Impact Assessment Continue to provide face to face training and lessons learnt session, prioritised based on risk Continue to work with NCC on DLP approach Develop corporate approach to 0365 use and communicate Document cleanse and categorisation Customer data cleanse (Core systems) Work with key service areas to support deployment with retention and disposal policy.
9.	Conclusion and recommendations
9.1	The substantial financial sanctions and reputation implications associated with GDPR non-compliance should ensure that all of the members of the Board and Executive Team recognise the importance of compliance and of the work and resources that YHN have deemed necessary to ensure this. This report is intended to maintain awareness of the regulations and provide assurance on the on-going steps that YHN is taking to maintain compliance and deal with the increased risks due to Covid-19.
9.2	Board are recommended to: Receive the update on GDPR implementation and consider the information that has been provided; Approve the Data Protection Policy

Appendices

Appendix 1 – Data Protection Policy – key changes overview

Appendix 2 – Data Protection Policy

Contact Officer:

If you have any questions about this report that you would like clarifying before the meeting or would like more detail on any of the actions outlined in the report, you can contact Karen Hedley- Governance and Implementation Manager by email: karen.hedley@yhn.org.uk.