URL: https://rother.moderngov.co.uk/ieDecisionDetails.aspx?ID=1899

Decision Maker: Cabinet

Outcome:

Is Key Decision?: No

Is Callable In?: No

Purpose: To approve the Data Protection Policy

Content: A new draft Data Protection Policy (DPP), attached at Appendix A to the report had been developed in response to evolving legislation and increased public expectations regarding data privacy.  The DPP ensured the Council maintained compliance with the Data Protection Act 2018 and UK General Data Protection Regulations (GDPR).  It also reflected best practices in data governance and security.   It was reported that local government was among the most at risk for data beaches and findings from the Information Commissioner’s Office found that from 2023 until March this year, there were around 1,956 GDPR breaches impacting councils.    The Council handled a wide range of personal and sensitive data in the delivery of its services; therefore, it was essential that data was managed responsibly.  The DPP was based on six core data protection principles, over which ‘accountability’ was the primary theme.  The DPP improved focus on data governance, aligned with key themes within the Council Plan and would aid readiness for Local Government Reorganisation.   Cabinet was supportive of the new DPP and agreed it ensured that the Council met is legal obligations under current legislation and supported operational efficiency by defining roles, responsibilities and procedures for managing data security.  It was also recommended that delegated authority be granted to the Data Protection Officer, in consultation with the relevant Senior Information Risk Owner and Head of Digital and Customer Services to make any minor amendments to the DPP, as required, as well as implementation and overseeing staff training and awareness.      RECOMMENDED: That:   1)     the proposed Data Protection Policy at Appendix A to report, be approved and adopted;   2)     delegated authority be granted to the Data Protection Officer, in consultation with the relevant Senior Information Risk Owner and Head of Digital and Customer Services, to authorise minor amendments to the Data Protection Policy as required by legislative or other procedural changes; and   3)     delegated authority be granted to the Data Protection Officer, in consultation with the relevant Senior Information Risk Owner and the Head of Digital and Customer Services to implement the Data Protection Policy and oversee staff training and awareness.

Date of Decision: November 3, 2025