Issue - meetings

To receive a report from the Head of Digital Transformation and Customer Engagement to review the existing policy to ensure compliance with the Data Protection Act (DPA) 2018, the General Data Protection Regulations and the impact of the new Data Use and Access Act 2025 (DUAA) which gained royal assent June 2025.

The Cabinet had before it a report * from the Head of Digital Transformation and Customer Engagement to review the existing policy to ensure compliance with the Data Protection Act (DPA) 2018, the General Data Protection Regulations and the impact of the new Data Use and Access Act 2025 (DUAA) which gained royal assent June 2025.

RESOLVED that:

1.    The revised Data Protection Policy be APPROVED.

2.    Delegation of the Data Protection Policy to the Head of Digital Transformation & Customer Engagement, in consultation with the IT & Information Governance (ITIG) board and Legal Services to ensure that the policy remained current and reflected any legislative changes or regulatory guidance be APPROVED.

The Cabinet had before it a report * from the Head of Digital Transformation and Customer Engagement to review the existing policy to ensure compliance with the Data Protection Act (DPA) 2018, the General Data Protection Regulations and the impact of the new Data Use and Access Act 2025 (DUAA) which gained Royal Assent in June 2025.

The Cabinet Member for Quality of Living, Equalities and Public Health outlined the contents of the report with particular reference to the following: 

• The DUAA introduced phased changes between now and June 2026, designed to promote innovation and economic growth which would make things easier for organisations.
• Not all provisions were yet in force, but the policy had been updated in anticipation. From August 2025, the ICO’s would also be reconstituted as the Information Commission, with expanded enforcement powers.
• There were a few immediate changes that affected this Council directly: Data Subject Access Requests must now be handled on the basis of reasonable and proportionate searches, and this applied retrospectively to requests since January 2024. A new “stop-the-clock” mechanism would also apply where clarification was needed. Since August 2025, the ICO had stronger powers, including interview notices, compulsory document requests, and penalties for non-cooperation.
• Looking ahead, the Council must also implement a clear complaints system for data subjects, acknowledging receipt within 30 days and responding appropriately. Officer and Member training would be updated this autumn to ensure awareness of the new obligations.

Discussion took place with regard to:

• The use of Artificial Intelligence (AI) and protecting data, would that be covered by these policies?
• Would Members be receiving more information on the R.A.C.I model? It was confirmed that this would be circulated to Members.

RESOLVED that:

1. The revised Data Protection Policy be APPROVED.

2. Delegation of the Data Protection Policy to the Head of Digital Transformation & Customer Engagement, in consultation with the IT & Information Governance (ITIG) board and Legal Services to ensure that the policy remained current and reflected any legislative changes or regulatory guidance be APPROVED.

(Proposed by Cllr D Wulff and seconded by Cllr J Lock)

Reason for Decision:

Not complying with the Data Protection Act 2018 and GDPR would expose MDDC to enforcement action by the Information Commissioner’s Office (ICO).

Note:* Report previously circulated