Agenda item

Information Governance - Senior Information Risk Owner's (SIRO) Annual Report 2015/16

To present the SIRO’s Annual Report 2015/16.


Minutes:

The report of the Council’s Senior Information Risk Owner setting out the key information governance issues for the period from 1 April, 2015 to 31 March, 2016 along with current priorities was presented for the Committee’s consideration.


The Senior Information Risk Owner (SIRO) reported that it is an expectation of the role of SIRO that it produces an annual report and the report presented is the first such report by the SIRO in Anglesey and has been used to take stock of the position at the Council. The report includes a summary of information governance issues that have arisen in the past as well as charting the actions taken to date and the plans going forward.


The Officer referred specifically to the following:


• The Data Security Incidents during the period, categorised according to their assessed severity. The number of incidents recorded is set out at Appendix B and comprises 6 Level 0 to Level 1 incidents (having applied the data security incident methodology to these occurrences, it was concluded that 5 were incidents that do not require reporting to the Information Commissioner’s Office (ICO) and 1 was a near miss). No Level 2 incidents (incidents that must be reported to the ICO and other regulators) were recorded.

• That the Council monitors specific Information Governance related Performance Indicators, some on a monthly and others on a quarterly basis. These are acted upon on an exception basis and are used to escalate matters as necessary to the attention of the SLT.

• Specific Information Governance roles have been established within the Council and include Information Asset Owners and Information Asset Administrators, whose responsibilities are summarised in paragraph 4 of the report and who have received specialist training to undertake the roles.

• All the Council’s staff are required to undertake basic Information Governance training, which is refreshed every two years. This training commenced in June, 2014 and a process to ensure maximum take up was followed. Compliance is close to 90%.

• A range of key IG policies, as set out in paragraph 5.2 of the report, have been established and are available on the Council’s intranet. These policies are reviewed and updated by the Corporate Information Governance Board (CIGB). Following the identification of funding, the Council has now procured and is currently implementing a policy management system which will provide the SIRO with assurance that the key IG policies are being read, understood and formally accepted by individual members of staff. The policy management system will be of wider application, the idea being that staff will have available to them a digital library of up to date policies across all corporate services.

• The Council’s overall data protection compliance has been assessed as a medium risk by Internal Audit. The SIRO is aiming to produce a Statement of Control in the next 3 years, subject to the implementation and successful testing of the steps described in the report. The principal factor in the Council being able to improve on its medium risk status is the Information Asset Register, which is the key mechanism for understanding an organisation’s information holdings and the key risks associated with them. The Council’s register is not as yet developed to the extent that adequate information about the risks to the assets is captured at a granular level. This work will have to be done within current resources and on a risk based approach.

• The report also makes reference to the work associated with the Office of Surveillance Commissioners and the Regulation of Investigatory Powers Act.

• The SIRO is able to conclude that the Council’s arrangements for IG and data protection compliance are reasonably effective.


The Committee considered the report and made the following points –


• The Committee noted that a great deal of progress has been made, albeit from a low base, to implement the ICO’s audit work and enforcement activity.

• The Committee sought clarification, in an environment where the emphasis is increasingly on the digitisation of services and on interaction through digital means (e.g. the use of Skype to engage with clients and service users), of the steps being taken to put in place safeguards in the implementation of such new practices. The SIRO said that in such circumstances the individual service would lead, with advice from the SIRO and ICT, and it would then be reported through to the CIGB.

• The Committee noted that whilst much has been done at corporate level to address weaknesses in IG arrangements at the Authority, many breaches can arise from carelessness and bad practice. The Committee sought assurance that the same level of attention is being paid to getting the basics right, e.g. that there is a mechanism for checking and ensuring the accuracy of e-mails/addresses and information held on databases. The SIRO said that the ICO recognises the potential for human error and that this cannot be completely eliminated; the expectation therefore is not to have zero data breaches but to manage the risks effectively and to learn from any incidents that do occur. While no system can take out all the risks, the objective should be to manage the risks down to the minimum level and to a level which the Authority can tolerate operationally. The Head of Function (Resources) and Section 151 Officer said that the Council has released funding to improve business processes and that two bids were approved: one to link the Authority’s systems to the national property gazetteer (a list of property reference numbers for each address in the UK), which will improve accuracy, and one to implement a Customer Relationship Management system which also verifies information, e.g. addresses.

• The Committee noted that there is a variance between services in terms of information governance and data protection, and it sought clarification of the steps being taken to ensure the same level of proficiency and compliance across all services. The SIRO confirmed that the level and areas of compliance between services are different, with some services being better at some things than others; e.g. because they are often complex, responding to subject access requests can be a slow process in Social Services, but the consensus is that in this respect accuracy is preferable to speed, so as to minimise the risk of sensitive information being inadvertently shared with an unauthorised party.


It was resolved to accept the Annual Report of the SIRO for 2015/16 and to note the level of compliance and risk which the report documents as concluded by the Senior Information Risk Owner.


NO FURTHER ACTION ENSUING

Supporting documents: