Agenda and minutes

To receive any declaration of interest by any Member or Officer in respect of any item of business.

Councillor Euryn Morris declared a personal interest only with regard to item 3 on the agenda as an employee of Gwynedd Council.

To present the minutes of the previous meeting of the Governance and Audit Committee held on 7 December 2023.

The minutes of the previous meeting of the Governance and Audit Committee held on 21 September 2023 were presented and were confirmed as correct.

Matters arising on the minutes –

·      The Chair read out a statement regarding why it was unlikely that the elements of a development plan relating to the Complaints Management Process discussed at a previous meeting of the Committee will be delivered. The Chair explained that the anticipated inability to implement the action plan is the result of a single point of failure rather than a systemic failure. However, appropriate measures have been taken to address the cause and support is currently in place to address the various service delivery issues that have been identified.

The Committee was further advised by the Director of Function (Resources)/Section 151 Officer that the matter is being addressed via service business managers and is being examined both in terms of training and also from the perspective of the Council’s business processes and systems and how those are monitored.

·      It was confirmed that the Schools Data Protection Guidance document for school governors has been circulated to all the Council’s elected Members.

·      It was clarified that the reference to the materiality level in respect of related party transactions for individuals at £10,000 and for Senior Officer Remuneration at £1,000 under item 4 was from the Auditors’ ISA 260 report.

·      The Head of Audit and Risk advised with regard to Cloud Computing that Internal Audit had conducted a review of Cloud Management in April 2023 and had reported on the review findings to the Governance and Audit Committee on 18 April 2023. That documentation had been re-circulated to the Committee’s members.

·      The Head of Audit and Risk confirmed that the Committee’s Training Needs Assessment Questionnaire had also been re-circulated to the Committee’s members.

To present the report of the Senior Information Risk Owner.

The Annual Report of the Senior information Risk Owner (SIRO) for 2022/23 was presented for the Committee’s consideration. The report provided the SIRO’s statement and overview of the Council’s compliance with legal requirements and relevant codes of practice in handling corporate information.

Points of discussion by the Committee –

·      The number of Freedom of Information requests responded to within timescale

·      The arrangements for monitoring CCTV systems usage and for responding to requests for CCTV footage by an outside body

·      The need to establish guidance, policy, and processes around the emerging use of drone technology rather than allowing usage to develop in an ad-hoc way.

The Committee was advised by the SIRO that the Council’s performance in relation to responding to FOI requests is reported quarterly to the Corporate Scrutiny Committee via the Corporate Scorecard Monitoring report which is available on the Council’s website. Corporate knowledge of Services’ use of CCTV in terms of numbers, location, operation, and the processing of that information including data sharing with third parties is not comprehensive hence the recommendation that the Leadership Team be requested to undertake an assessment of CCTV use. Whilst currently, requests for access and how they are dealt with are determined by Heads of Service the aim is to have in place arrangements for corporate oversight of those processes to ensure compliance. The SIRO confirmed with regard to drone technology that the first step is to establish the extent of its use or intended use by services based on which a policy and process will be developed as appropriate to ensure they have the necessary authorisation.

It was resolved –

·      To accept the report as an accurate reflection of Information Governance issues in the Council for the relevant period.

·      To support the SIRO asking the Leadership Team to: -

·           assess the Council’s use of CCTV and its use, of any, of drone technology

·           undertake an assessment of the data protection risks of partnership working, together with the cyber threat of contract management/procurement in the Council

·           put in place appropriate arrangements to ensure that the Leadership Team is adequately sighted on the Council’s cyber threats and mitigations.

To present the report of the Director of Education, Skills and Young People.

the report of the Director of Education, Skills and Young People which provided an overview of the Information Commissioner’s Office’s (ICO) investigation into the cyber incident at the Council’s secondary schools in 2021 was presented for the Committee’s consideration. The report also provided an overview of the actions taken by the Schools Data Protection Officer and the Council’s ICT Service by way of forming an internal work programme to address various technical and information governance elements that were found to be deficient.

Points of discussion by the Committee –

·      The percentage of headteachers, school staff and governors who have attended data protection training identified as an action in the internal work programme.

·      The constraint on schools as regards the deployment of applications/programmes and whether there should be a list of approved applications.

·      The effectiveness of Windows security and the challenges involved in upgrading systems in schools to new operating systems.

·       Some concern was expressed regarding the timelapse between reporting the incident to the ICO June 2021 and being informed of the outcome of the ICO’s investigation into the incident in August 2023, and consequently the value of the ICO’s report when the Council had identified what needed to be adopted and improved and had implemented a plan of action.

·      Not having identified the cause of the suspicious traffic on secondary school e-mail servers at the root of the incident, whether an assessment was subsequently made of the kind of data that was at risk or could have been compromised.

·      Whether there were any deficiencies in the audit process in not identifying the weaknesses, given the nature of the incident.

·      Whether it has to be recognised that seeking 100% protection can lead to over-complexity and that the focus should be on keeping key data safe.

In response to the points raised the Committee was advised as follows - 

·      That all schools have received data protection training and that a breakdown of attendance could be provided if required. Having supported schools to put in place data protection policies, the Schools Data Protection Officer’s annual visits to schools involve ensuring and overseeing compliance.

·      That following the incident an assessment of the security of programmes/applications was conducted and a list of assessed applications compiled resulting in a collection of common applications across schools. It is a compromise between assessing the security risk of software and educational/classroom needs and a piece of work is being undertaken to establish how that compromise can be modelled and risks identified.

·      That Windows security is considered sufficient as part of a broader package and programme of security features. The IT Team Manager explained the issues and options involved in upgrading operating systems and confirmed that corporately the transition to Windows 11 has begun and that the upgrade is taking place in schools as part of the Welsh Government HWB programme. Assurance was provided that there are plans to ensure that the Council is not in a position of not having planned for the upgrading and/or replacement of digital  ...  view the full minutes text for item 4.

To present the report of the Principal Corporate Health and Safety Advisor.

The report of the Head of Regulation and Economic Development outlining the Authority’s performance with regard to Health and Safety during the period from 1 April 2022 to 31 March 2023 was presented for the Committee’s consideration. The report provided an overview of the health and safety activity at the Council during the period including an analysis of accident and incidents and key achievements and set out an action plan for the following year.

Points of discussion by the Committee –

·      In light of the increase in reported incidents as well as RIDDOR reportable incidents in 2022/23 compared to the previous two years, the inclusion of pre-Covid data would have been helpful to ascertain whether the figures are comparable to those in the years immediately before Covid and reflect a change in Covid restrictions, or whether they are indicative of an underlying cause for concern and therefore require a review of the health and safety strategy going forward.

·      Whether reported incidents to date in 2023/24 indicate any emerging pattern or trend

·      Whether the incident of slips or falls include those within Authority run residential care homes and whether that information can be drilled down in the report given that the impact of a fall can affect the nature of the care provided for older people.

·      Whether the increase in health and safety incidents has led to an increase in insurance claims resulting in additional costs to the Council.

The Principal Health and Safety Advisor advised that it is difficult to measure 2022/23 against previous years due to the lifting of restrictions over those periods and that 2023/24 is likely to provide a better comparison as more normal working arrangements have resumed. He outlined the legal requirements as regards the retention of the various categories of health and safety incident data and he confirmed that to January 2023 the incident rate was up on that of the previous year but added as a caveat that the increase may not necessarily reflect an issue and that the data needs to be analysed and not just benchmarked before drawing conclusions. The Officer clarified that incidents noted within the report cover all incidents reported and that they include falls suffered by clients in care homes as well as pupil slips and falls in school, and he advised that the data for older people’s slips and falls in care homes can be extrapolated if so required.

The Head of Audit and Risk advised that she did not have data regarding insurance claims against the Council and their costs immediately to hand but that the information is available.

It was resolved to endorse the recommendation of the report that the Council should follow the strategic plan for management of Health and Safety and implement the Corporate Health and Safety Action Plan.

Additional Actions –

·      To ask the Head of Regulation and Economic Development to include pre-Covid data for reported and reportable health and safety incidents in the 2023/24 Corporate Health and Safety Annual Report

·      That the  ...  view the full minutes text for item 5.

To present the report of the Director of Function (Resources)/Section 151 Officer.

The report of the Director of Function (Resources)/Section 151 Officer providing an update on the treasury management position at the 2023/24 mid-year point was presented for the Committee’s consideration. The report confirmed that the Council’s Treasury Management position remains stable with better than forecast investment returns and all prudential indicators remaining within the boundaries and targets set in the Treasury Management Strategy Statement 2023/24.

The Director of Function (Resources)/Section 151 Officer confirmed in response to questions that the Council’s investment strategy has been revised. Previously the Council’s relatively high level of cash balances meant that it was fully invested with banks and building societies and that any surplus cash was therefore invested with other creditworthy local authorities as loans, providing a higher return than had the money been deposited in call accounts. As the Council’s cash balances are utilised and reduce, the need to invest with other councils has similarly reduced the capacity with the banks and building societies now being sufficient. Additionally councils are seen as a less secure option for investment than previously with several councils in England struggling financially. The Section 151 Officer further advised with regard to the Council’s historic PWLB loans at high interest rates that the Council does consider early repayment of loans as part of debt re-scheduling but that the premium for early redemption is usually prohibitive and the cost of these loans are therefore factored into the budget. The present value of the loans is included to reflect the fact that the value of money reduces over time and to show a more realistic impact the loans will have in future.

It was resolved to note the Treasury Management Mid-Year Review report, treasury activity and prudential indicators as at 30 September, 2023 and to forward the same to the Executive without additional comment.

To present the report of the Director of Function (Resources)/Section 151 Officer.

The report of the Director of Function (Resources)/Section 151 Officer incorporating the Treasury Management Strategy Statement (TMSS) for 2024/25 was presented for the Committee’s consideration. The Statement outlines the Council’s strategy for managing borrowing and investment for the 2024/25 financial year supported by prudential and treasury indicators as set out in Appendix 11 to the report.

Points of discussion by the Committee –

·      The impact on the Council’s finances of unforeseen events such as the RAAC issue in schools.

·      The reduction in the total balance of investment from £43m approximately in September 2023 to £33m as at 31 December 2023

·      The impact of the Council’s capital spending and resourcing on its revenue budget. It was noted that the need for external borrowing will have increased from £121.557m in 2023/24 to £158.593m in 2024/25 with the costs of servicing the debt being met from the revenue budget. It was asked whether in view of the increasing pressures on revenue spending, capital expenditure and therefore the Council’s need to borrow should be reconsidered. 

The Director of Function (Resources)/Section 151 Officer advised that expenditure in relation to unplanned events such as the emergence of the RAAC issue in two of the Authority’s secondary schools is met from the Council’s reserves hence the need to maintain healthy level of reserves to enable the Council to respond to such eventualities and to mitigate the risks facing the Council. With regard to investment balances, the Section 151 Officer explained the relationship between borrowing and investment and the Council’s cashflow position, and the factors that influence whether cash is invested, where it is invested and for how long, or whether it is retained and is accessible in the business to meet the Council’s cashflow needs. The Section 151 Officer also clarified the Council’s capital commitments for 2024/25 in relation to the General Capital Fund and the Housing Revenue Account and confirmed that the level of unsupported borrowing for 2024/25 against the General Fund Revenue Account will be nil with the only additional calling on the General Fund Revenue Account being to externalise previous internal borrowing the cost of which has been factored into the 2024/25 budget.

It was resolved to note the Treasury Management Strategy Statement for 2024/25 and to forward the same to the Executive without additional comment.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk providing an update as at 31 January, 2024 on the audits completed since the previous update as at 30 December 2023 was presented for the Committee’s consideration. The report also set out the current workload of Internal Audit and its priorities for the short to medium term going forward.

The Head of Audit and Risk in response to a query by the Committee regarding Internal Audit capacity, confirmed that the Service is not recruiting at present but continues to utilise the savings from two vacancies to commission additional external support and subject matter expertise this arrangement incurring no extra costs. In response to a question about the complaint that triggered the investigation regarding the Housing Maintenance Unit and proportionality in undertaking the investigation, the Head of Audit and Risk elaborated on the background and the course which the complaint had taken saying that it was important that it was investigated properly and to ensure that the reputation of the officers and the supplier against whom the complaint was made was not affected by an unfounded allegation.

It was resolved to note the outcome of Internal Audit’s work, the assurance provided and its priorities going forward.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk incorporating the Risk Management Health Check Report was presented for the Committee’s consideration. The Council commissioned Zurich Resilience Solutions to review its risk management arrangements across the Council, with a specific focus on exploring the views, understanding and perception of risk through key stakeholder discussions.

The Head of Audit and Risk advised that the recommendations made by Zurich are set out in section 4 of the report and have been transposed into a timetabled action plan with training for members having been arranged for March and funded by the WLGA. She further advised in response to a question by the Committee that in order to improve its maturity rating the Council needs to evidence a consistent approach to risk across each service area supporting and feeding into the strategic approach and to have reference to risk appetite in its decision making and projects.

It was resolved that the Committee –

·      Takes assurance from the report for Zurich Resilience Solutions that risk management is being effectively developed and operated within the Council.

·      Supports the actions proposed to address the recommendations made by Zurich Resilience Solutions.

·      To present the report of Audit Wales.

·      To present the organisational response.

The report of Audit Wales which reviewed the Council’s strategic approach to digital including its application of the sustainable development principle and arrangements for securing value for money was presented for the Committee’s consideration.  Also presented was the organisational response to the recommendations made by Audit Wales. The review was being undertaken in each of the 22 councils in Wales as part of the programme of national value for money examinations and studies and in addition to a local report for each council a national report would be produced drawing together examples of good practice.

The Head of Profession (HR) and Transformation reported on the organisational response and advised that the audit review was undertaken in June 2023 at the time of the publication of the Council Plan which the Council was keen to have in place before commencing work on the Digital Strategy to ensure its alignment with the Council Plan. A great deal of work has since been achieved with the digital strategy now in draft form and progressing through internal governance channels which process is expected to have been completed by the end of February 2024.

Points of discussion by the Committee –

·      The practicability of a five-year Information Technology Plan given the rapid developments in the field.

·      The extent to which cost is a factor in determining annual priorities

·      Whether resources have been allocated to support the delivery of the Digital Strategy

The Committee was further advised that the Digital Strategy is an overarching document setting out the overall IT principles and approaches within which there will be annual plans for delivery which will be reviewed for progress. Cost is a factor in considering improvement objectives as is risk mitigation and whether a development is linked to a security objective or a transformational goal. It is unlikely that a scheme of works would be undertaken without an understanding of the cost implications in terms of implementation and ongoing revenue costs and those would always be considered as part of a business case or a proposal for the inclusion of an individual item in an annual plan. It was confirmed that no additional funding has been earmarked for the delivery of the strategy and that services will have to fund any costs from within current budgets.

It was resolved to note the report of Audit Wales and to accept the organisational response as timely and appropriate.

·      To present the report of Audit Wales.

·      To present the organisational response.

The report of Audit Wales was presented for the Committee’s consideration. The report set out the findings of a review of the service user perspective and outcome information provided to senior officers and senior members at the Isle of Anglesey County Council and how this information is used. The review was being undertaken in each of the 22 councils in Wales as part of the programme of national value for money examinations and studies and in addition to a local report for each council a national report would be produced drawing together examples of good practice.

The Head of Profession (HR) and Transformation reported on the organisational response and explained that the response by way of the Action Plan is detailed to reflect the amount of work ongoing with regard to the range of processes and mechanisms that generate performance information for senior officers and senior members. The organisational view is that this work including a review of the Corporate Scorecard and the introduction of thematic data dashboards provides an opportunity to ask the Council’s senior members what additional information they require to better understand how well services and policies are meeting the needs of service users. The Council is looking forward to the publication of Audit Wales’s national report bringing together good practices from across the other local authorities in Wales in which the review has also been conducted, and to using those to inform the way forward for the Council and the approaches it develops. The Head of Profession (HR) and Transformation confirmed that in the meantime, the Council will continue with its planned work including the review of the Corporate Scorecard in anticipation that the national report will be available by the Action Plan’s scheduled completion date of September 2024 although the timescale may have to be reviewed if it is not.

Points of discussion by the Committee –

·      The personnel interviewed to arrive at the conclusions and recommendations set out

·      That although the review is about using performance information to understand the service user perspective, the review has not focused on engagement with service users to establish how well the Council understands their needs

·      Whether the organisation concurs with the findings of the audit review.

·      That it would be helpful to have included information to show how existing data can be gathered from across the Council to provide a picture of performance and how services can be encouraged to share information and data within the parameters of freedom of information legislation.

Lora Williams, Audit Wales clarified the audit scope, questions and criteria as set out in section 4 of the report and in Appendix 1 as well as the performance related documentation reviewed and what that reflected in terms of the service user perspective. She confirmed that the audit was not about the Council’s consultation or engagement arrangements nor about how it conducts major surveys of user views with regard to service changes or the development of policies and strategies with the focus having been on  ...  view the full minutes text for item 11.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk incorporating the Committee’s Forward Work Programme for 2023/24 was presented and changes to the scheduling of reports were highlighted and were noted.

It was resolved -

·      To accept the Forward Work Programme 2023/4 as meeting the Committee’s responsibilities in accordance with its terms of reference.

·      To note the changes to the dates on which reports will be submitted.

To consider adopting the following: -

“Under Section 100(A)(4) of the Local Government Act 1972, to exclude the press and public from the meeting during the discussion on the following item on the grounds that it may involve the disclosure of exempt information as defined in Schedule 12A of the said Act and in the attached Public Interest Test”.

It was considered and resolved Under Section 100(A)(4) of the Local Government Act 1972, to exclude the press and public from the meeting during the discussion on the following item on the grounds that it involved the disclosure of exempt information as defined in Schedule 12A of the said Act and in the Public Interest Test presented.

To present the report of the Head of Profession (HR) and Transformation.

The report of the Head of Profession (HR) and Transformation incorporating the Annual Cyber Security Report 2023/24 was presented for the Committee’s consideration. The report outlined some of the challenges in cyber security experiences in 2023/24 and how those were overcome, the common cyber threats that face the Council and the mitigating and operational controls in place to detect and prevent malicious activity.

Due to issues experienced by some of the Committee’s members in accessing the confidential report and their not having been able therefore to consider its contents, the item was deferred by the Chair to the next meeting of the Committee with a request that the issues encountered be looked into.