Agenda item

Data Protection Policy and Records Management Policy

(A report by John Medler, Assistant Director – Governance & Monitoring Officer)

Minutes:

The Committee received a comprehensive presentation from the Group Manager for Information Governance and Data Protection Officer on the updated Data Protection Policy (attached as Appendix 1 within the report) and Records Management Policy (attached as Appendix 2 within the report), both of which had undergone a full review to reflect recent legislative, technological and organisational developments. Members were reminded that the Council’s ability to deliver effective services was fundamentally dependent on the quality, availability and security of the information it held. The review had therefore been undertaken to ensure continued compliance with statutory requirements and to strengthen the Council’s governance framework for handling data across all departments and partnership arrangements.

 

Members were advised that both policies had been rewritten to integrate the latest requirements of the UK General Data Protection Regulation, the Data Protection Act 2018, and critically, the recently introduced Data Use and Access Act (DUAA) 2025, which brought significant changes to data-sharing, access rights, complaint-handling and public-sector interoperability. They were informed that the DUAA placed new obligations on public bodies particularly around ‘reasonable and proportionate’ search expectations for Subject Access Requests, transparency in data sharing, the handling of automated decision-making, and the management of datasets across partnerships and multi-authority environments. The updates had been embedded within both revised policy documents.

 

The Records Management Policy had similarly been modernised to reflect the full lifecycle of information, encompassing creation, storage, use, archival retention, secure disposal, and the handling of AI-generated records. Members were advised that the policy aligned with national frameworks, including the Section 46 Code of Practice under the Freedom of Information Act, and sought to ensure that the management of records both paper and digital met the standards expected of a modern local authority. The Group Manager for Information Governance and Data Protection emphasised that the updates were intended not only to maintain compliance but also to promote organisational resilience, operational efficiency and public trust, particularly as more teams across the South & East Lincolnshire Councils Partnership adopted shared processes and systems.

 

Members held a detailed discussion on the implications of the revised governance framework, recognising the significance of information handling to Council operations and the growing importance of data protection in public life.

 

It was explored how the updated policies would support the Council to manage increasing volumes of complex data, including digital records, cross-partnership datasets and information generated by emerging technologies. Members sought clarification on how the new DUAA requirements would influence day-to-day processes, particularly regarding Subject Access Requests and other statutory rights.

 

The Group Manager explained that the shift from an exhaustive search obligation to a reasonable and proportionate one would reduce the administrative burden on officers while maintaining legal compliance and ensuring individuals’ rights were upheld. Members noted that it represented a significant practical improvement, especially in service areas managing large volumes of case files or legacy systems. They also discussed the new, DUAA-mandated complaints process, which sat outside the Council’s corporate complaints procedure and mirrored the structure used by the Information Commissioner’s Office. The added formality would help ensure consistency, clarity, and adherence to statutory timelines, particularly in complex data-handling scenarios. The Group Manager confirmed that updated training materials and guidance would support staff in implementing the revised process.

 

Questions were raised about the responsibilities of councillors when handling personal data. Members were reminded that councillors may act in different legal capacities depending on the context, such as acting independently as a data controller when managing ward casework, and that the updated policies were aligned to provide greater clarity on those distinctions.

 

The Group Manager confirmed that when Members acted on behalf of the Council, they were covered by the Council’s data protection framework and insurance arrangements, but separate obligations applied when operating outside Council business.

 

Members further explored the impact of digital transformation and automation, particularly the handling of AI generated records. They were informed that both policies explicitly addressed modern digital workflows, including the creation, classification and retention of records generated or processed by automated systems, which ensured that such records were subject to the same standards of security, accessibility and lifecycle management as other Council records.

 

The Records Management Policy also set expectations for metadata, retention schedules and disposal, ensuring transparency and auditability across all formats. Throughout the discussion, Members acknowledged the crucial role of effective training in ensuring compliance. The Group Manager outlined the mandatory training programme for staff, including induction, refresher training, specialist modules for high-risk roles, and ongoing awareness campaigns to ensure that officers and Members remain up to date with statutory requirements and organisational policies.

 

Members thanked the Group Manager for the comprehensive update, recognising the scale and importance of the work undertaken and noting the value of clear and robust information governance in supporting public confidence and operational effectiveness.

 

The recommendations were proposed by Councillor Paul Gleeson and seconded by Councillor Barrie Pierpoint.

 

Resolved:

 

That the draft Data Protection Policy and Records Management Policy, attached at Appendices 1 and 2 within the report, be recommended to Cabinet for approval.

 

[The Group Manager for Information Governance and Data Protection Officer left the meeting at 7.55pm, following consideration of the item.]
