Agenda item

Information Governance - Annual Report of the Senior Information Risk Owner (SIRO)

To present the Annual Report of the SIRO for 2016/17.

Minutes:

The report of the Senior Information Risk Owner (SIRO) which provided an analysis of the key information governance issues for the period from 1 April, 2016 to 31 March, 2017 along with current priorities was presented for the Committee’s consideration.


The Head of Function (Council Business) and Designated SIRO reported on the salient points as follows –


           That the main statutory driver with regard to Information Governance at the Council is currently the Data Protection Act, significant breaches of which can result in large monetary penalties, currently up to a maximum of £500k.

           A considerable amount of audit work, including that of the Information Commissioner’s Office (ICO) in 2013-14, has highlighted deficiencies in the Council’s data protection arrangements. Since 2013, the Council has invested in improving its compliance with the Data Protection Act and now has in place the relevant policies and procedures to support, and to demonstrate, compliance with the Act.

           The work done to date is ongoing and will continue in perpetuity. It is being led by the Corporate Information Governance Board (CIGB), which was established in 2014, originally as a project team to respond to the recommendations of the ICO audit from 2013. The Board is now a permanent governance structure and reports to the Senior Leadership Team (SLT). A summary of the work with which the CIGB has been and continues to be engaged is provided at section 5 of the report.

           This work includes developing an initial version of the Council’s Information Asset Register (IAR). The register maps the Council’s information content and information systems, and how they change as business requirements and the technical environment change, and is a key mechanism for understanding an organisation’s information holdings and the risks associated with them. Whilst the intention was to undertake further work on the IAR to assess the areas at highest risk of data breaches, the forthcoming General Data Protection Regulation (GDPR), which will replace much of the existing data protection legislation in May, 2018, requires that work on other aspects of the IAR be prioritised. Guidance from the ICO is to focus on work relating to retention schedules. The Council’s retention schedules have now been completed on a service by service basis and will be circulated to Heads of Service. The new legislation will make compliance with destruction dates for data held electronically and on paper fundamentally more important, so the retention schedules represent a key step in that direction.

           The Council has devised IG policies and procedures over time and they are currently up to date. The Council has implemented a policy management system, Policy Portal, which has served as a library of policies since November, 2016. Paragraph 5.3 of the report lists the policies available on the Portal. The system provides clear version control, showing which policies are current and when they fall due for review. The click to accept function provides assurance that key IG policies are being read, understood and formally accepted by staff. The SLT receives reports on levels of compliance, and across the Council these are mixed. Social Services, for example, has a low level of compliance, and ICT issues mean that Education is not yet included in the system. Because of the nature of the information they hold, these two services are considered high risk in terms of data breaches. A pause and review period at the end of the next quarter will give an opportunity to consider what can be done to increase the level of compliance.

           Section 5.6 of the report outlines the training arrangements which the Council has put in place for staff; these include mandatory basic training for all staff, refreshed every two years. Compliance levels are at 88%. Training has been highlighted as a significant area in all the reports which the Council has received in relation to IG. An E-Learning platform is about to be launched, through which the mandatory training package will also be delivered.

           The number and breakdown of data security incidents reported by the Council is provided in Appendix A to the report. There were 34 incidents during the period covered by the report; of these, 33 were classified as Level 0 to Level 1, i.e. near misses or incidents that do not need to be reported to the ICO or other regulators. There was one Level 2 incident, which was reported to the ICO. The number of Level 0 to Level 1 incidents has risen sharply from 6 in the previous year’s report. A significant proportion of the incidents have involved information being sent by email. The SIRO thinks that the increase in Level 1 breaches being reported is due to an encouraging increased awareness of the need to report data security incidents, rather than a worsening of data security.

           Section 5.10 of the report refers to performance against Key Performance Indicators.

           Section 6.1 of the report confirms that the Action Plan devised to respond to the recommendations in the Enforcement Notice issued by the ICO in October, 2015 under the Data Protection Act has now been completed, and a closure report thereon to the Senior Leadership Team is tabled for September, 2017.

           Internal Audit will undertake an audit of GDPR readiness during October to December, 2017; additionally, a matrix is at present being populated to identify the actions that need to be taken to ensure compliance with GDPR by May, 2018. This will be shared with the Senior Leadership Team and then with the Heads of Service.

           In conclusion, the SIRO considers that there is significant documented evidence to demonstrate that –


           The Council’s arrangements for Information Governance and data protection compliance are reasonably effective;

           Much progress has been made (from a low base) to implement the recommendations of the ICO’s audit work and enforcement activity;

           The measures required are not yet fully implemented, and where they are implemented, they are not yet sufficiently matured to justify an enhanced level of assurance;

           To move to a higher level of assurance will require implementation and successful testing of the further steps described in the report;

           The Council’s overall (there being variance between services) data protection compliance remains a medium risk to the Council;

           Any failure to implement and comply with the GDPR will be a major risk for the Council.


The Committee considered the information presented and raised points as follows –


           The Committee noted that the SIRO is not able to report on the adequacy of the controls and mitigations of information risk currently associated with each critical asset, because the Council does not as yet have a complete understanding of the information risks and of the mitigations and controls in place. The Committee sought clarification of the steps the Council needs to take to attain a complete understanding of the position with regard to information risk and how it is managed, as well as the resource implications of doing so. The SIRO said that gaining this level of understanding is a process involving the steps that are identified in the report; these include the Information Asset Register which, when populated, will encompass the Retention Schedules once completed; notifying the public about the use of personal data by way of privacy notices on documents; and undertaking Privacy Impact Assessments when required. These are three key elements that need embedding fully within the Council to enable the SIRO to be satisfied that the Council is doing as much as it can to understand and manage information risks and the related control environment. The Officer further confirmed that current resources are at present sufficient in the context of the work required; work is also being conducted on a regional level to facilitate consistency and avoid duplication. Whilst the Council Business section is leading on providing the policies and procedures and ensuring that appropriate training is commissioned, there are expectations on services to contribute to the process, given that they are best placed to know what information they hold and why, and the systems used to manage that information. It is a responsibility that is shared across the Council corporately, with Council Business providing support to services to take the necessary action to manage the information risks within their services.

           The Committee noted that Social Services and Education are lagging behind as regards compliance with the Council’s Click to Accept policy acceptance system. Given that these two service areas are recognised as being high risk as regards data breaches because of the nature of the information they hold, the Committee sought assurance that action is being taken to improve both services’ levels of compliance. The SIRO said that compliance across the Council is 74%, with some individual services attaining compliance levels of 90% and over. Compliance levels in Adults’ and Children’s Services are 60% and 38% respectively. The Education service is not as yet part of the Policy Acceptance System because of ICT issues relating to its shared system with schools, for which the policy acceptance process is not relevant. An 8-week pause and review period has started, during which a further report will be sent to the SLT and Y Penaethiaid.

           The Committee noted that a high proportion of the Level 0 to Level 1 data security incidents recorded relate to information sent by e-mail. The Committee sought clarification whether this is a matter of human error or a systemic issue that requires input by the ICT service in terms of reviewing the robustness of the e-mail programme. The SIRO said that the principal risk lies in the potential for information to be inadvertently shared with unauthorised external parties. The ICO has recommended that the Council consider dispensing with the autocomplete function on its e-mail system. The SLT has asked each service to review its use of autocomplete against the risk of a data breach, with the result that, whilst two services and two sections have disabled the function, the majority of services have not, because they find it useful from a business perspective. The next step is to encourage all staff to have their photograph installed on the Outlook e-mail system; a report to that effect is to be presented to the SLT. Alternatively, information regarding the individual’s contact number, department etc. can be inserted in the space where a photograph would appear. It is believed that this will reduce the risk of data breaches arising from autocomplete.

           The Committee sought clarification of the Council’s approach to the risk that data may be compromised by malicious hacking by external parties. The SIRO said that this is a technical matter which comes under the domain of ICT Services rather than that of the SIRO. The ICT service is represented on the Information Governance Board and ICT issues are addressed by the latter.

           With respect to GDPR, the Committee sought assurance that the Council has sufficient resources and capacity to ensure compliance by May, 2018. The SIRO said that, with some additional funding which is to be confirmed depending on the exact requirements, the corporate centre will be able to roll out the work to the services; the latter will then have to confirm whether or not they have the resources to implement what they need to do. This will be addressed by the Action Plan to be presented to the SLT and Y Penaethiaid.


The Committee accepted and noted the SIRO’s conclusions as to the position with regard to Information Governance at the Council. Whilst the Committee was concerned that the Social Services and Education Services’ level of compliance with the Council’s Policy Acceptance system is below expectation, it accepted that Senior Management is aware of this and is assessing the situation with a view to taking steps to secure improvement in these services’ compliance.


It was resolved to note and to accept the report with the proviso above.


ADDITIONAL ACTION PROPOSED: ICT Service to report back to the Committee on the Council’s approach to dealing with the threat from malicious hacking activities.

Supporting documents: