Annual data protection statement

Published: 28 November 2025

The data in this report is for the period April 2024 to March 2025.

Year end position

This year, we focused on continual improvement and staff development. This effort took place within the service and across the entire organisation. We conducted the first Information Governance Survey to set a benchmark. This benchmark will help us track our progress in future years.

Key positives

  • 90% of staff felt confident about understanding and reporting data breaches should they arise - we found that staff:
    • were aware of and read the regular communications
    • knew who their IG leads were and how to engage with them
  • 70% of staff knew where to send personal data requests and in what circumstances they were not business as usual
  • 93% of staff knew where to go to get support on information governance and data protection
  • 90% of respondents were aware of privacy notices, but around 9% were not aware we published these on the public website as part of our legal requirements
  • 52% of staff responded that they could deal with a freedom of information (FOI) or environmental information regulations (EIR) request independently, but 35% were not confident - this has been factored into the planning for 2025 to 2026

Collaboration with local authorities

We maintain close ties with other local authorities. This helps us understand what is unique to each organisation and what experiences and incidents they share. This collaboration has enabled us to:

  • identify fake FOI requests and respond accordingly
  • work together on best practices and universal audit issues

Information Commissioner's Office decisions on Bracknell Forest Council

The Information Commissioner's Office (ICO) published 3 decisions about Bracknell Forest Council regarding FOI and EIR decisions. Two decisions were not upheld and one decision was partially upheld.

For more details, visit the ICO website.

Areas of activity this year

Our team's work is often iterative, involving incremental changes and improvements. Key activities this year included:

  • implementation of sensitivity classification labelling for Microsoft products
  • introducing AI compliance monitoring through Purview to give visibility to activity and ensure adherence to the principles of the AI strategy
  • development of a new assurance process for the Record of Processing Activity (ROPA)
  • introduction of new training approaches following feedback from the Information Governance Survey
  • updated video training and guidance on intranet pages for staff to offer more ways to learn and engage with core subjects
  • updated information sharing templates for use within the organisation
  • agreement on new OneDrive retention policies, further supporting data reduction
  • adoption of a new publication scheme, which is under further development
  • support for the Cyber Assessment Framework (CAF) get-ready programme for ICT, including scrutiny of the process
  • review, update and publication of 5 major retention schedules

Risks

We have achieved a considerable amount in the last 12 months. However, there are still some identified risks that we need to monitor over the coming year.

Responding to the Data Use and Access Bill

The Data Use and Access Bill will bring changes to existing legislation, particularly around:

  • legitimate interests
  • allowing secondary processing if it aligns with the original reasons for collection
  • automated decision-making

The impact of data growth on climate and compliance

Data continues to grow exponentially, alongside the adoption of data-hungry technology such as AI. This growth could put us at odds with:

  • our climate change commitments
  • core data protection principles of data minimisation (Article 5 of UK GDPR)

Increasing prosecutions for data breaches

We have continued to see a national increase in prosecutions for data breaches. These have occurred because staff in affected organisations have access to data they do not need.

To use data for better service insights, we need to clarify access control requirements and compliance monitoring to avoid those risks.

Upcoming changes in cyber resilience

The currently unpublished Cyber Resilience Bill may change how we define national infrastructure. This could include elements from our existing estate and may require:

  • additional measures for overview and scrutiny
  • increased pressure on resources

By understanding these issues, we can handle the complexities of data growth better. This way, we stay focused on our climate goals and protect our data principles.

Continual improvement

We are committed to continual improvement. With this in mind and based on feedback from the staff survey, we identified the following activities for 2025 to 2026:

  • specific worked training examples for areas such as FOI, EIR, Data Protection Impact Assessment (DPIA) and Subject Access Request (SAR) - what does 'good' look like?
  • bite-sized training that people can go back to, making access to information easier
  • look to create a broader benchmarking approach with other local authorities
  • look to create simpler pathways for staff and the public to report issues or concerns through existing technology, including automating non-decision-making processes where appropriate

Security incidents

Personal data breaches

Between April 2024 and the end of March 2025, a total of 120 security incidents were recorded through the formal incident process, with a total of 6 reportable breaches to the ICO, down from 9 reported in the previous year.

Of those reported to the ICO, 100% were within the 72-hour timeframe, an improvement on 66% reported for 2023 to 2024.

To date, no reportable incident has led to ICO sanctions, and actions have either been transferred to departments to resolve or have been built into our ongoing improvement plan, where they are cross-cutting.

Incident type by month

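| Month | Breach | Near miss | Not a BFC breach | Reportable breach |
| --- | --- | --- | --- | --- |
| Jan | 9 | 0 | 0 | 0 |
| Feb | 7 | 0 | 0 | 0 |
| Mar | 11 | 1 | 0 | 0 |
| Apr | 6 | 2 | 0 | 1 |
| May | 7 | 1 | 1 | 0 |
| Jun | 5 | 0 | 0 | 1 |
| Jul | 13 | 1 | 0 | 1 |
| Aug | 7 | 0 | 0 | 0 |
| Sep | 9 | 1 | 0 | 2 |
| Oct | 10 | 3 | 0 | 0 |
| Nov | 10 | 2 | 0 | 0 |
| Dec | 8 | 0 | 0 | 1 |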

Incidents by directorate by month

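| Month | Communities | People | Place | Resources |
| --- | --- | --- | --- | --- |
| Jan | 0 | 7 | 3 | 0 |
| Feb | 1 | 6 | 0 | 0 |
| Mar | 0 | 8 | 3 | 1 |
| Apr | 2 | 5 | 0 | 2 |
| May | 1 | 8 | 0 | 0 |
| Jun | 1 | 3 | 0 | 2 |
| Jul | 0 | 13 | 1 | 1 |
| Aug | 1 | 6 | 0 | 0 |
| Sep | 0 | 11 | 0 | 1 |
| Oct | 2 | 7 | 2 | 2 |
| Nov | 1 | 10 | 1 | 0 |
| Dec | 0 | 9 | 0 | 0 |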

Breakdown by type of incident

The most significant type of incident occurring within the organisation is data sent to the wrong people. About 4% of these breaches were reportable to the ICO.

This corresponds with the top national trend reported by the ICO for all security incidents, which is 17%.

Nationwide, unauthorised access and phishing incidents have increased for all reportable incidents.

This year, we had one incident with data breaches by our processors. At the time of writing this report, we have not confirmed the data as breached yet due to the nature of the incident. However, we filed a pre-emptive notice with the ICO.

The rise in successful phishing attacks adding malware to ICT environments is of note. We are closely monitoring this activity. We remind staff what suspicious activity looks like and how it changes with generative AI.

Type of incident

Count of type of incident by quarter

| Type of incident | Q1 | Q2 | Q3 | Q4 | Total |
| --- | --- | --- | --- | --- | --- |
| Data emailed to incorrect recipient | 18 | 12 | 24 | 21 | 75 |
| Data posted or faxed to incorrect recipient | 1 | 4 | 1 | 2 | 8 |
| Failure to redact | 1 | 0 | 3 | 1 | 5 |
| Failure to use BCC | 1 | 1 | 0 | 1 | 3 |
| Incorrect form attached to email | 0 | 0 | 0 | 1 | 1 |
| Loss or theft of device containing personal data | 1 | 0 | 2 | 0 | 3 |
| Other | 2 | 5 | 1 | 7 | 15 |
| Unauthorised access (cyber incident) | 0 | 1 | 0 | 0 | 1 |
| Unauthorised access (non-cyber) | 2 | 0 | 0 | 0 | 2 |
| Total | 28 | 24 | 34 | 34 | 120 |

Since 2021, we have worked hard to improve the organisation's understanding of data breaches. We have created a learning culture that encourages staff to report issues as soon as they identify them.

Support from information governance leads has led to more reporting since 2021 and 2022. This growth reached its highest point with breaches recorded in 2022 to 2023. This is expected as areas that were often under-reported are now more transparent.

Over the last 2 years, numbers have dropped, but we now notice incidents faster. Staff are also reporting issues earlier.

This shows better awareness and a desire to act within the organisation. This was supported by responses from the information governance survey.

Security incidents by type by directorate

Security type by directorate

| Type of Incident | Communities | People | Place | Resources |
| --- | --- | --- | --- | --- |
| Data emailed to incorrect recipient | 2 | 59 | 8 | 6 |
| Other | 1 | 13 | 0 | 1 |
| Data posted or faxed to incorrect person | 1 | 4 | 0 | 1 |
| Verbal disclosure of personal data | 1 | 6 | 0 | 0 |
| Failure to redact | 1 | 3 | 1 | 0 |
| Failure to use bcc | 0 | 2 | 1 | 0 |
| Loss/theft of device containing data | 0 | 3 | 0 | 0 |
| Unauthorized access (non-cyber) | 1 | 1 | 0 | 0 |
| Incorrect form attached to email | 0 | 0 | 0 | 1 |
| Unauthorized access (Cyber incident) | 0 | 0 | 1 | 0 |

Total security incidents year on year

The security incidents year on year chart shows:

  • 2019 to 2020 - 113
  • 2020 to 2021 - 83
  • 2021 to 2022 - 119
  • 2022 to 2023 - 145
  • 2023 to 2024 - 131
  • 2024 to 2025 - 120

Freedom of Information and Environmental Information Regulations

Between April 2024 and the end of March 2025, 1,235 FOIs were received. This is an increase of 8.7% from the previous year.

The average number of days for on-time FOI completions is 12. For late completions, the average is 34 days, which is a slight decrease from last year.

The ICO has published 3 decision notices about the organisation and our responses to FOI and EIR. Two were not upheld, and one was upheld on a technical note, as we had used an incorrect exemption. The principle of the exemption was correct, but we issued a section 41 instead of section 43(2).

Total number of FOI and EIR

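Total number of FOI and EIR by month and department

| Month | Communities | Multiple | People | Place | Resources |
| --- | --- | --- | --- | --- | --- |
| January | 31 | 16 | 46 | 22 | 9 |
| February | 24 | 12 | 33 | 24 | 12 |
| March | 28 | 15 | 44 | 29 | 15 |
| April | 34 | 5 | 40 | 21 | 17 |
| May | 20 | 13 | 40 | 17 | 18 |
| June | 19 | 8 | 17 | 21 | 13 |
| July | 28 | 13 | 31 | 13 | 16 |
| August | 32 | 8 | 20 | 13 | 5 |
| September | 20 | 7 | 38 | 17 | 12 |
| October | 30 | 8 | 33 | 17 | 18 |
| November | 21 | 3 | 38 | 21 | 11 |
| December | 21 | 5 | 36 | 19 | 9 |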

Total FOI or EIR year on year by directorate

| Directorate | 2019 to 2020 | 2020 to 2021 | 2021 to 2022 | 2022 to 2023 | 2023 to 2024 | 2024 to 2025 |
| --- | --- | --- | --- | --- | --- | --- |
| People | 471 | 333 | 333 | 315 | 385 | 416 |
| Place | 384 | 255 | 192 | 156 | 212 | 234 |
| Communities | 190 | 240 | 307 | 284 | 357 | 308 |
| Resources | 152 | 157 | 122 | 146 | 173 | 155 |
| Cross Organisational | 0 | 0 | 0 | 116 | 137 | 113 |
| CXO | 0 | 9 | 8 | 29 | 12 | 0 |

Monthly completion rates

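Monthly report on cases where statutory deadline was met or not met

| Month | Statutory deadline met | Statutory deadline not met |
| --- | --- | --- |
| Jan | 87 | 7 |
| Feb | 100 | 10 |
| Mar | 99 | 6 |
| Apr | 108 | 21 |
| May | 51 | 59 |
| Jun | 40 | 57 |
| Jul | 65 | 27 |
| Aug | 64 | 19 |
| Sep | 70 | 12 |
| Oct | 65 | 28 |
| Nov | 91 | 6 |
| Dec | 74 | 8 |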

Response times

21% of all responses from the organisation go beyond the statutory 20-day limit. This is an improvement from 23% in the previous reporting year and reflects a downward trend.

Of those late:

  • 51% were between 1 and 5 days late
  • 30% were between 6 and 14 days late
  • the remainder were beyond 15 days

We made significant improvements across the year.

In quarter 4, the response rate was 92.7% within 20 working days. This quarter had the highest number of requests.

The number of internal reviews has decreased from 20 in 2023 to 2024 to 16 in this reporting period. 

Exemptions

| Reason for exemption | Count |
| --- | --- |
| s.40 Personal information | 51 |
| s.31 Law enforcement | 45 |
| s.21 Information already reasonably accessible | 39 |
| s.12 Cost limit exceeded | 22 |
| s.43 Commercial interests | 12 |
| s.36 Prejudice to effective conduct of public affairs | 3 |
| s.22 Information intended for future publication | 2 |
| Repeat request | 1 |
| s.30 Investigations and proceedings conducted by public authorities | 1 |
| s.42 Legal professional privilege | 1 |

Average response rates by directorate

Average response rate by directorate

| Directorate | No | Yes |
| --- | --- | --- |
| Resources | 23.55 | 13.21 |
| Place | 27.45 | 11.13 |
| Communities | 32.00 | 11.70 |
| Multiple | 31.04 | 12.24 |
| People | 41.48 | 12.21 |

Requests by breakdown

Most requests continue to come from individuals or commercial entities as they have done for the last 5 years.

An EIR can be made in writing or verbally, but FOI requests must be made in writing. We have seen an increase in FOIs being submitted directly through email and not using the online form.

This needs further investigation so we can encourage people to use the form. The form submissions will help us get a clearer understanding of what individuals need.

This will simplify responses and improve automatic classification. In turn, this will help with the disclosure process.

Category source

Category source breakdown

| Category source | Count |
| --- | --- |
| Individual | 640 |
| Local authority | 9 |
| Media | 139 |
| MP | 9 |
| Purposes of research | 124 |
| Charity | 38 |
| Commercial organisation | 276 |

Category source year on year

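Breakdown of category source year on year

| Requestor Type | 2019 to 2020 | 2020 to 2021 | 2021 to 2022 | 2022 to 2023 | 2023 to 2024 | 2024 to 2025 |
| --- | --- | --- | --- | --- | --- | --- |
| Individual | 598 | 519 | 425 | 465 | 628 | 640 |
| Commercial | 360 | 272 | 307 | 278 | 341 | 276 |
| Media | 143 | 98 | 99 | 127 | 146 | 139 |
| Research | 47 | 50 | 74 | 106 | 102 | 124 |
| Charity | 25 | 29 | 42 | 35 | 26 | 38 |
| Authority | 13 | 11 | 6 | 17 | 21 | 9 |
| MP/Parliament | 11 | 12 | 8 | 18 | 13 | 9 |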

Subject access requests

In total, we have received 158 subject access requests over this period. This is an increase of 14% on last year. 88% of these were for the People Directorate.

Of the People Directorate requests:

  • 26% were for children's services - this is a drop from 46% in 2023 to 2024 (children's services are also partially involved in a further 15% of combined requests)
  • 13% of requests are for adult services
  • 10% are specifically related to SEN requests
  • 7% are cross-organisational, which is slightly down from 10% last year

Total number of SARs

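SARs allocation by directorate by month

| Month | Communities | Multiple Directorates | People | Place | Resources |
| --- | --- | --- | --- | --- | --- |
| January | 0 | 1 | 13 | 0 | 1 |
| February | 0 | 0 | 17 | 0 | 0 |
| March | 0 | 1 | 15 | 1 | 0 |
| April | 0 | 2 | 6 | 0 | 0 |
| May | 0 | 1 | 4 | 0 | 0 |
| June | 1 | 2 | 9 | 0 | 0 |
| July | 0 | 0 | 12 | 1 | 1 |
| August | 0 | 0 | 10 | 3 | 0 |
| September | 0 | 1 | 13 | 0 | 0 |
| October | 1 | 0 | 9 | 0 | 0 |
| November | 0 | 1 | 14 | 0 | 2 |
| December | 0 | 0 | 9 | 0 | 0 |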

Open request status

The breakdown of SARs requests in progress shows:

  • past statutory deadline (People directorate) - 75%
  • within statutory time frame (multiple directorates) - 25%

Breakdown by type of incident

35% of completed SARs needed some or full redaction of third-party information. This is down from last year's 66%.

This is likely linked to better recording in our closure process. It also reflects the teams' efforts to provide the information data subjects need.

Where SARs are recorded as being late, it is because they have exceeded the statutory time limit or agreed extension, which can be up to 2 extra months. 

Completing requests within statutory timeframe

Monthly breakdown of data completed on time or late

| Month | Number of requests completed on time | Number of requests completed late |
| --- | --- | --- |
| January | 9 | 1 |
| February | 11 | 1 |
| March | 6 | 1 |
| April | 7 | 0 |
| May | 1 | 1 |
| June | 2 | 0 |
| July | 4 | 1 |
| August | 10 | 4 |
| September | 11 | 1 |
| October | 6 | 0 |
| November | 5 | 2 |
| December | 11 | 1 |

Average response time (in days) for requests completed in a given month

| Month | Response time (in days) |
| --- | --- |
| January | 50 |
| February | 38 |
| March | 29 |
| April | 25 |
| May | 59 |
| June | 53 |
| July | 41 |
| August | 36 |
| September | 29 |
| October | 18 |
| November | 29 |
| December | 37 |

Data protection complaints and third party requests

The number of complaints where the complainant asks for it to be treated as a data protection issue is relatively low. These can come from members of the public or from the ICO.

Those received from the ICO have a strict 14-day response timeframe. These are often complex and time-consuming. They tend to follow our initial responses to a SAR or data breach complaint from individuals.

The data protection officer (DPO) works closely with other complaints managers as they are often interacting with the same individuals.

Bringing the data protection complaints into the corporate complaints system is on the backlog of work for the digital team.

Total data protection complaints received

Complaints received by month show:

  • January - 3
  • February - 2
  • March - 1
  • April - 1
  • May - 2
  • June - 1
  • July - 2
  • October - 2

Count of complaint status

Count of complaint status shows:

  • closed at stage 1 - 9
  • open at stage 2 - 3
  • ICO complaint closed - 2

Key issues

We respond to 54% of third-party requests in full. For the remaining 46%, we find that we either:

  • do not hold the data
  • have not received the correct information from data subjects or their representatives
  • have not had a response to further clarification requests

75% (143) of recorded third-party requests now come directly through the DPO mailbox.

Before, most requests related to Thames Valley Police (TVP) or the Department for Work and Pensions (DWP). However, this year, 68% of all requests have been part of legal investigations.

Third party by status

The third party by status chart shows:

  • closed (request fulfilled) - 113
  • closed (request declined due to no information) - 32
  • closed (request declined) - 15
  • closed (further information required but not received) - 10
  • closed (request cancelled) - 10
  • in progress - 7
  • closed (other) - 4

Third party requests by month

The third party requests by month chart shows:

  • January - 23
  • February - 21
  • March - 18
  • April - 8
  • May - 9
  • June - 9
  • July - 13
  • August - 15
  • September - 14
  • October - 25
  • November - 22
  • December - 44

Third party requests by type

The third party requests by type chart shows:

  • third party request for information - 184
  • individual rights request - 7