Agenda item

Data Protection Breach Overview

This report will be presented by Nicholas Bennett, Monitoring Officer & Data Protection Officer.

Minutes:

The Interim Monitoring Officer provided Members with a full explanation of the seriousness of the breach and the reputational and financial damage that could have been caused to the Council. He explained that the breach related to an incident that took place after the Development Control meeting on 26 May 2020. He confirmed that the Chief Executive had sent a confidential email to all Members and that information contained within that email had been leaked. He explained that Members were expected to treat emails from Officers in the manner in which they had been sent; specifically, in this case, trust had been broken because of the confidential matter within the content of the email. He then advised Members that the breach had been reported properly to the ICO (Information Commissioner's Office) and that, because of this, it had been dealt with in a comparatively light way. He also confirmed to Members that an investigation had taken place into the Officers and Members who had been in receipt of the email. The investigation provided evidence that two Members had forwarded the email outside of the Council, which he explained was very disappointing. He confirmed that the ICO had made a number of recommendations detailing exactly what the Council was required to do in order to rectify the issue, and referred Members to section 1.4 of the report where these actions had been set out. He was pleased to confirm that all Officers had completed all the required training. At the start of his investigation he had found that a number of Members had not signed up to the IT Security Policies; however, he was now pleased to report that all Members had signed up to these. He reported that, in future, should these policies not be signed up to when required, IT access would be removed until they had been satisfactorily completed and signed.

In summing up, he reiterated that the impact of this case had been set out clearly within the report, but highlighted that the financial penalties for breaches could be huge and that any policies and protection measures put in place were only as good as the Members and Officers who uphold them. He also highlighted that to recklessly disclose personal data is a criminal offence, and that the breach should be seen by the Committee as a very near miss and therefore taken very seriously. He stated that the Council had managed the situation very well and that, whilst the investigation had revealed that two Members had not followed protocol, it would remain unknown whether those two Members were indeed the ones who leaked the information to the Press. The ICO did take into account the work that was done to protect the Council, and the fact that the breach was reported early went in the Council's favour. What the Council does with its data matters, and the disregard for the protocols in place was not acceptable and was an aggravating criminal factor; a further aggravating factor was that all Members were asked if they had caused the breach and no one came forward.

The Chairman then confirmed to Members that the recommendations were split into two parts, the second part being forward looking. She reminded Members that they should avoid discussing personal matters at this time.

During discussion it was commented that it was disappointing to learn that two Members may have been responsible and had not followed protocol. Several Members asked whether the names of the two Members could and would be released, as it was felt that the public had a right to know who they were. The Interim Monitoring Officer advised that, as this was a criminal matter, he could not provide names at the meeting, but he was happy to have separate conversations outside of the meeting. It was also asked why the Chief Executive had not referred the two Members to the Standards Committee, as it was a clear breach of the Council's code of conduct. It was explained that this situation was one that could potentially have more than one legal route to take, and that this can cause problems when carrying out investigations with the Police, for example. It is standard procedure to separate out each option, and it was important that the Council not be seen to prejudice or impede any other ongoing investigation.

The Chief Executive advised that he saw the report as part of rounding off the whole investigation internally. He also advised that there was still a possibility that this situation could go to the Standards Committee.

Following further discussion, the Chairman drew the debate to a close by reconfirming that the recommendations in front of the Committee were split into two parts. She advised that she did not feel there was enough satisfaction in the summary of findings section, and confirmed that the Committee were expected to receive a further update, along with an additional report to be provided to the Standards Committee.

The Committee

RECOMMEND to FULL COUNCIL that:

1) the summary of findings from the data protection breach be noted by Full Council and the Standards Committee;

2) recognise, engage and fully endorse the importance of all Members and Officers completing mandatory training and adhering to policies, in order to minimise the risk of future data protection breaches;

3) recognise that the Council is responsible and accountable for breaches of data protection, and as such can face large fines, be liable to pay compensation, and suffer adverse reputational damage; and

4) Council IT equipment should not be issued until the relevant security policies have been signed. In the case of re-elected Members who already have equipment, their accounts should be disabled until the policies are signed.
