Agenda item

Information Governance: Annual Report of the Senior Information Risk Owner (SIRO) 2018/19

To present the Annual Report of the Senior Information Risk Owner.

Minutes:

The report of the Senior Information Risk Owner (SIRO) providing an analysis of the key information governance (IG) issues for the period from 1 April, 2018 to 31 March, 2019 was presented for the Committee’s consideration. The report also included assurance of on-going improvement in managing risk to information during the period.


The Director of Function (Council Business)/Monitoring Officer and designated Senior Information Risk Owner (SIRO) reported on the main points as follows –


- 29 data security incidents were recorded during the reporting period (20 in 2017/18), of which 26 were at Level 0-1 (a near miss, or confirmed as a data security incident but with no need to report to the Information Commissioner's Office (ICO) or other regulators) and 3 were at Level 2 (data security incidents that must be reported to the ICO and other regulators as appropriate). The report provides an analysis of the nature of the incidents.

- 1,052 requests under the Freedom of Information Act were received during the reporting period, containing a total of 7,532 questions.

- There were 20 requests for an Internal Review of an FOIA response. In 9 cases the review upheld the original response; 1 case was not upheld and a new Section 1 response was sent; and 1 request was refused because a response had been sent prior to receipt of the request for an internal review.

- 6 appeals were lodged with the ICO in the period. In 4 cases the Council was asked to send a response; 1 case was withdrawn; and in 1 case the Council's response was upheld.

- 8 Data Protection Act complaints were made and investigated – 2 pre-GDPR and 6 post-GDPR. No DPA complaints were investigated by the ICO.

- 46 Subject Access Requests were received, with 81% of responses sent within the statutory deadline for SARs and complex SARs.

- The Investigatory Powers Commissioner's Office (IPCO) oversees the conduct of covert surveillance and the use of covert human intelligence sources (CHIS) by public authorities in accordance with the Police Act 1997 and the Regulation of Investigatory Powers Act 2000 (RIPA). The RIPA regime aims to ensure that directed surveillance is carried out in a way that is compliant with human rights. The Council makes very little use of covert surveillance and covert human intelligence sources (Appendix 1 to the report refers). The Council's processes and practices were inspected by the IPCO during September 2018. This confirmed that the Council's level of compliance meant that no physical inspection was necessary; the IPCO required only that the Council undertake a review of its extant CHIS authorisation, make minor amendments to the Council's policy documents and provide refresher training for authorising officers and applicants.

- Following on from the initial period of GDPR implementation, analysis of the Council's data protection assurance documents suggested key areas for further development and investigation. These elements were incorporated into a Data Protection Plan for the Year (Appendix 2 to the report). The Plan seeks to address the issues which present the highest risks to the Council within the Services deemed to be high risk because of the nature of the personal data processing that occurs within them. This is why particular attention is given to Children and Families' Services, Adults' Services, Learning (which includes the Local Education Authority) and Housing.

- The importance of training as a safeguard of data protection compliance is clear. Although the Council has trained staff on data protection matters since 2013, the introduction of the new data protection legislation in 2018 required fresh training across the board. The report details the training provided via the e-learning module, which was introduced to all staff to provide a foundational level of knowledge about the requirements of GDPR, along with the participation level of each service. The participation of Elected Members and Co-opted Members in the data protection training is also documented.

- In addition, a training module was developed for those staff roles which the Council's record of data security incidents demonstrates to have a key part to play in ensuring data security and compliance with the legislation. The training was delivered to frontline staff and middle managers, as roles which are important in ensuring data security. A series of trainer-led sessions was held for staff in the key roles identified by their Head of Service; attendance levels for each service are shown in the report and include only those nominated for attendance by their Heads of Service.

- Aside from training, the most important element of the Work-Plan was to audit the reliance of the Council's Services on consent as a basis for processing personal data. The new legislation places a duty on the Council to review its uses of consent and to take remedial action if consent is not the appropriate legal basis for processing personal data. The audit has resulted in increased intelligence about the Services' processes. Whilst Social Services and Housing Services made excellent progress with the audit, the Learning Service was not able to put in the resources required to prioritise this work and so made little progress. The Service will be provided with support to ensure the work is completed by next March. Work to quality assure the audit continued after the period of the report.

- The report sets out the steps taken in respect of providing CCTV assurance, noting also that the Council is not responsible for the compliance of schools with the legislation or the Surveillance Camera Commissioner's Code.


In discussing the report, the Committee queried the cost of addressing the 1,052 Freedom of Information Act requests which the Council received during the period, and whether the Council has the capacity to deal effectively with this work given the volume of requests. Additionally, the Committee sought clarification of whether the Council not being open or transparent enough in terms of the availability of information is a factor in the increase in the number of FOI requests.


The Director of Function (Council Business)/Monitoring Officer said that an estimate of the cost in Officer time of dealing with Freedom of Information requests has not been made, since the Council is statutorily required to respond to the requests and to provide the information asked for unless there is a good reason not to (i.e. the information is classed as exempt). Much of the information requested is minutiae that the Council would not routinely publish. The Council is, however, obliged to have a publication scheme and to publish information that it is reasonable for it to publish; this has been reviewed recently. Although the more information the Council publishes routinely, the fewer the FOI requests, the difference this makes to the numbers received is not significant. The introduction of GDPR has raised public awareness, and consequently the increase in FOI requests is a pattern replicated across the public sector. The capacity to deal with FOI requests extends across the Authority, inasmuch as the officers designated to deal with Freedom of Information are those who do the work in their areas and who respond to FOI requests as part of those duties. Whilst the current capacity is deemed sufficient, Heads of Service have been asked to highlight any issues which may arise, particularly as a result of more complex requests, which can be time consuming.


Having considered the report, it was resolved that the Audit and Governance Committee accepts and adopts the recommendations of the report as follows –


- That all Members who have yet to undertake the e-learning data protection module do so within three months of this meeting.

- That the Learning Service ensures that adequate resources are allocated so that the consent audit is completed by the end of March, 2020.

- That the Council's audit of its CCTV systems is supported by the Services.

- That the Data Protection Officer for Schools considers the risks of CCTV and provides support and guidance to schools on best practice.

- That the Committee endorses the remaining actions in the Data Protection Action Plan as reflecting the information governance risks currently facing the Council.


NO ADDITIONAL ACTION WAS PROPOSED
