Agenda item

Risk Update on GDPR

(All wards)


Report authorised by: Andrew Travers: Chief Executive


Contact for enquiries: Padraig O’Mahony, Project Manager, GDPR Phase 2, 0207 926 3184,



During the discussion of this item, the guillotine fell at 8.00pm.


It was MOVED by the Chair, and,


RESOLVED: That in accordance with Standing Order 9.5-9.7, the meeting continue for a further period of up to 30 minutes.


Alison McKane, Director of Legal and Governance; Padraig O’Mahony, Project Manager; Matthew Ginn, Head of Information Governance; and, Majella Sharma, Interim Deputy Director for Resident Experience, noted the report and answered questions as follows:

·           The GDPR Project Phase 1 had been completed, and the Council was now entering Phase 2, ensuring Lambeth met its obligations under the Data Protection Act.

·           A comprehensive information asset register had been completed, with new obligations on accountability and demonstrating correct data handling, and ensuring training and awareness of staff.  This was now in the implementation phase, with a high number of risks identified, which were being worked through as part of the project.

·           Oversight of the GDPR Steering Group would be provided by a Project Board, Information Governance Group, Management Board and Corporate Committee.

·           Alison McKane was the Project Sponsor, Matt Ginn was the statutory Data Protection Officer, and Padraig O’Mahony was the Project Manager, with the latter responsible for project delivery.

·           The Phase 1 Project had started in February 2018, with the Information Asset Register going beyond what other London boroughs had done, and it was not accurate that the Council had been late to address this issue.  Officers were confident that Lambeth had robust information governance processes in place.

·           The three critical risks, from the 1,700 risks assessed, were denoted as unsustainable risks.

·           Three project officers had been appointed to address risks, with a further post to be filled.

·           The 1,700 risks appeared to be a lot, but each process had multiple risks attributed to it.

·           The Information Asset Register online portal under development was to be digital and user friendly, and help engagement with business.

·           The £680,000 cost allocated for Phase 2 largely comprised the additional five officers over two years.  Corporate Committee requested that they receive updates to monitor spend.

·           iCasework was under review and had been identified as not fit for purpose and currently out of support.  Officers were largely certain that data could be migrated across from the Hounslow server to the cloud, and iCasework would be provided with a copy of part of the database by 19 November 2019 to examine any issues between the existing locally hosted system and the proposed cloud solution.  Officers would provide an update outside of the meeting as to the issues with iCasework relating to the Council’s case management system (complaints, FoI, SARs, Member’s Enquiries, etc.).  There would be no downtime during the General Election period.

·           Councillors could undertake GDPR training online, and this would be re-offered.

·           Any organisations that shared or processed Lambeth’s data would have contract clauses to ensure proper data management, with contract review forming part of the project, to ensure they were upholding agreed terms, and this was done via their data protection officers.

·           Lambeth schools were able to buy into Lambeth’s data protection service.


Corporate Committee thanked officers for their report, but noted that councillors’ handling of data needed to be reviewed and included in the report as a significant risk, and that they be offered training on meeting data protection guidelines and provided with a system to handle enquiries or correspondence from the general public. 



1.       To note the work undertaken in Phase 1 of the GDPR Project (see appendix 1) including work carried forward to Phase 2.

2.       To note the risk assessments and mitigating actions for all data processes within the council being undertaken as part of Phase 2 of the Project.

3.       To note the Information Governance framework including Information Management policy, procedure, training and awareness and to provide any comments on the implementation plan.

4.       To note the implementation plan for regularisation of all information sharing and data processing agreements between the council and third parties.

