Agenda item

Internal Audit Progress Update Report

To present the report of the Head of Audit and Risk.


(The report of the Head of Function (Council Business) with regard to GDPR is attached to the above)

Minutes:

The report of the Head of Audit and Risk setting out the progress as at the 8 June, 2018 with regard to the Internal Audit (IA) reports issued since the Committee’s previous meeting in April, 2018 was presented for the Committee’s consideration. The report provided an update on the IA reports issued since 26 April, 2018; the outcome of follow up of previous IA reports; implementation of Management actions; progress in delivering the IA Annual Plans for 2017/18 and 2018/19 as well as the timeline for the review of the Committee’s terms of reference.


The Head of Audit and Risk reported on main matters as follows –


- That the Internal Audit Service finalised three reports during the period referred to; these were in relation to the Recruitment and Retention of Foster Carers, which resulted in a Reasonable Assurance opinion, as did the review report on Corporate Health and Safety.

  The third report, which was in relation to the Council’s Preparation for the General Data Protection Regulations, resulted in a Limited Assurance opinion with 6 major, 1 moderate and 1 minor risks/issues being raised.

- That no follow-up reviews were undertaken during the reporting period, although six are scheduled over the next six months.

- That the Council has steadily improved its performance in implementing IA recommendations and/or addressing risks raised by IA over the last 17 months, as shown by the table in paragraph 22 of the report. As at 8 June, 2018, 90% of High/Red/Amber issues had been addressed, 92% of Medium/Yellow issues and 91% of Low/Green issues.

- That due to the significant slippage of work from 2016/17 and loss of staff because of a retirement, sickness absence and a resignation, the resource available to complete the Operational Plan for 2017/18 was significantly reduced and the Plan was revised accordingly. The revised Plan has been delivered and some audits rolled forward dependent on their priority. Although progress in delivering the 2018/19 Operational Plan (attached at Appendix A to the report) has been slow as a result of two vacancies and a long-term sickness absence, the Service has completed one Final Account Verification and commenced work in four areas as well as being involved in three ongoing investigations. The Operational Plan has been revised in accordance with the revision to the Corporate Risk Register approved by the Senior Leadership Team on 12 February, 2018.

- That the resource available to deliver the current plan has significantly reduced due to the vacancies and the absence. This has been managed by reducing coverage where possible and by the use of contingency. However, there remains a shortfall of 50 days and it is unlikely that the Service will achieve 100% coverage of the Red and Amber Residual Risks in the Corporate Risk Register. The Plan will therefore be further prioritised to ensure that the areas of greatest risk to the organisation are covered first.

- That the Committee’s terms of reference were originally due to be reviewed at its September, 2017 meeting. However, at this and subsequent meetings, the Committee approved the postponement of the review until the publication of the new CIPFA guidance. This was published in May 2018 and was circulated to the Committee’s members on 25 May. A workshop with members of the Committee on the new guidance was subsequently held in June; the Committee’s two Lay Members have agreed to look at a draft of the new terms of reference. These will now be formally reviewed by the Committee at its September, 2018 meeting.


The Officer expanded on the IA review report on the Council’s Preparation for GDPR which, as a Limited Assurance Report, was provided to the Committee’s members in full under separate cover. She said that the audit followed an interim audit of GDPR preparedness undertaken earlier in the year. The audit report back in November, 2017 provided Reasonable Assurance that the Council was on track to achieve compliance with GDPR by May, 2018. The purpose of the latest audit review was to provide assurance of whether the Council had continued work implementing its plans and undertaken enough work to be in a position of compliance with GDPR by 25 May, 2018. As at the beginning of May, 2018, IA’s review of the Corporate Implementation Plan and implementation of the five step Action Plan distributed to Heads of Service confirmed that services had not demonstrated enough progress in completing all the actions and the Council would be unlikely to be able to report a position of full compliance by 25 May, 2018. It was found that services had not evidenced that they had implemented the actions required in the Action Plan in accordance with the target dates; the Council should have mapped its data and reviewed its privacy notices and policies by April, 2018. In addition, the Council should have provided training to its high-risk services. From information provided by the Corporate Information Governance Manager, it is likely that few public sector organisations will be 100 percent compliant by 25 May, 2018. However, it is vital that the Council is able to demonstrate to the Information Commissioner’s Office that reasonable steps have been taken towards GDPR compliance, which will be seen as positive and less likely to incur fines. A follow-up review of this area will be undertaken in August, 2018.


The Committee considered the information presented and made the following points –


- The Committee noted that the Internal Audit review of the Council’s Preparation for GDPR provided Limited Assurance only; this despite a previous interim review having provided Reasonable Assurance as to the Council’s likely compliance by 25 May, 2018. The Committee noted that the Council will have been aware of the impending Regulation for a length of time and yet, from the audit report, it appears to be some way off full compliance. In view of the penalties for non-compliance, which can be severe both in a financial and a reputational sense, and the high risk which GDPR therefore represents, the Committee sought assurance that addressing this matter is being expedited at a corporate level and that there is a plan and timescale for ensuring that the Council becomes fully compliant.


The Head of Function (Council Business)/Monitoring Officer and Senior Information Risk Owner (SIRO) (whose report on the implementation of GDPR and the Data Protection Act 2018 (DPA 2018) across all services in the Council as at 25 May, 2018 was appended to the IA Update report) said that although the Council, along with other organisations, knew that GDPR was coming into force in May, 2018, it was not published until 14 September, 2017, meaning that the contents were not known until that date. A Corporate Plan was then created to implement GDPR within the resources available. The Plan was summarised into a five stage plan intended to assist the Council’s services to work towards compliance with the new legislation and to do so incrementally so as to better manage the process. The first stage of the Plan was rolled out in November 2017. The matrix at Table 1 of the SIRO’s report summarises the position on 25 May, 2018 in respect of the plan by service. All the services marked Green and Amber on the list did comply with the three steps in the project in advance of the deadline (i.e. work on fair processing notices, data mapping and retention schedules) and provided the corporate centre with the opportunity to undertake a quality assurance assessment of the work undertaken. The three services showing as Amber (Resources, Economic Development and Transformation) are likely to remain as Amber because of the nature and extent of the sensitive data they hold. With regard to the four services showing as Red, the Education Service did comply within the deadline but did so right on the deadline day, meaning that a quality assurance assessment of the work to verify that it meets the expectations of the ICO was not possible.
Social Services (comprising Adults’ Services and Children’s Services) were undertaking work to secure their compliance through a dedicated officer in liaison with the Corporate Information Governance Manager; however due to the sickness absence of the Officer within the service, Social Services were not able to comply by the deadline. Since 25 May, Social Services have completed the Fair Processing Notices which have been quality assessed and confirmed as meeting the standards. They have also completed data mapping and the retention schedules but it is not yet known whether these are to corporate standards meaning there is further work to be done in these areas. The Housing Service is in a similar situation in not having met the deadline but having completed the three steps which work is now subject to a quality assurance assessment. For the services showing as Red therefore all the material is in place, but needs to be corporately assessed to confirm it meets the requirements.


- The Committee sought clarification of the progress in addressing the specific risks raised by Internal Audit, which it deemed amounted to more than a checklist that can be ticked off. The Committee further noted that after 25 May, the expectation is that GDPR is implemented as part of the Council’s day to day operations, meaning that it has to be part of everyday life for its employees; it sought assurance therefore that the Council is confident that it is on the way to making GDPR a normal part of its business and that Managers understand what is required of them.


The Head of Function (Council Business)/Monitoring Officer and SIRO said that the way the corporate plan was designed to answer GDPR involves five stages, the completion of which will lead to compliance. The first three stages reported on above are ones for which the services are themselves responsible. The fourth stage is in relation to the policies and processes which need to be developed in order to comply with the legislation – a list of those developed to date is contained within the report; the fifth stage relates to training. The training material on GDPR is available on the Council’s E-Learning Platform and will close on 30 June, after which date the Senior Leadership Team and Heads of Service group (Y Penaethiaid) will be updated on the level of compliance with the training programme. The aim is to achieve full compliance with GDPR by the end of August, by which time stages one to four will have been completed. The extent of compliance with training (Stage 5) will become apparent shortly, and some additional training may be required to be targeted at high risk services. Full compliance will be achieved when the five stages have been completed, with the substantive work now having been done.


The Corporate Information Governance Manager said that GDPR is very complex legislation which was added to two days prior to 25 May when the Westminster Government published the final version of its Data Protection Bill implementing the Data Protection Act 2018. Therefore, as well as working on the five stages towards GDPR compliance, the Authority has also had to respond at short notice to the requirements of the Data Protection Act. The Officer assured the Committee that the Council is living within the environment of GDPR and the Data Protection Act 2018 and is compliant with the legislation in as far as the Council is responding to any individual seeking to exercise his/her statutory rights. The Officer stressed that it is important to understand that compliance is not about hitting a target date and then forgetting about it, as that in itself could create a risk by way of complacency; compliance is ongoing and the risk is one of not realising that an organisation is only as good as its last data breach. As regards Managers’ understanding of the subject, it was sufficient for service managers to understand what was required of them under the first three stages of the Plan without having to understand the legislative details. The Council realises that it is now working in a new environment and is using the opportunity to meet with Heads of Service to check on ongoing progress and to identify any gaps and/or risks, to ensure that the first three stages complement each other and that the policies and procedures under the fourth stage are being implemented and applied.


The Head of Function (Council Business)/Monitoring Officer and SIRO said that Heads of Service are also the Information Asset Owners of the information held by their service. As the bulk of the work under the first three stages was primarily administrative, it might have been a case of some services not having allocated resources soon enough to achieve the required objectives. The report has been helpful in concentrating minds and in creating a sense of urgency in the run-up to the 25th May; when services’ attention was focused on the work that needed to be done, they achieved the objectives, with most doing so at a high and capable level.


- The Committee noted that the IA audit review report on GDPR is a cross-service report involving a number of personnel. The Committee also noted that the lines of accountability were not clear to it as regards where the responsibility for implementing the Action Plan lies. The Committee noted further that in a report of this kind affecting services across the Council, a mechanism is needed to co-ordinate the action planning, otherwise there is a risk of drift and of actions remaining unimplemented.


The Head of Audit and Risk said that the Action Plan highlights the responsible officer for each issue raised, who is expected to report back to Internal Audit on the actions taken via the recommendations tracking software. It is Management’s responsibility to ensure that the action plan is implemented; Internal Audit will chase up Management for updates and to ensure that the recommendations are being implemented and that there is sufficient evidence thereof. If that is not the case, then the matter will be reported back to the Committee.


The Head of Function (Council Business)/Monitoring Officer and SIRO confirmed that the Corporate Information Governance Manager is responsible corporately for implementing the Action Plan.


- With regard to delivering the Internal Audit Operational Plan for 2018/19, the Committee noted that there remains a shortfall of 50 days in the available time for audit work, meaning that the Red and Amber Residual Risks in the Corporate Risk Register are not likely to receive 100% coverage. The Committee noted that this was due to reduced resources, with the Service carrying two vacancies and a long-term sickness absence. This being the case, the Committee was concerned that capacity constraints are preventing the Internal Audit Service from discharging its responsibilities fully; and although the Committee acknowledged that the Service is making best efforts to manage the situation by prioritising and by use of the contingency, it remained concerned that the Service is not able to cover Red and Amber Residual risk areas with the breadth and depth that it otherwise would were it fully resourced, and was concerned also by the implications of the reduced coverage for managing these risk areas and the potential for risks escalating.


The Head of Audit and Risk said that the Council’s Corporate Risk Register is monitored quarterly by the Senior Leadership Team and the risks contained within it are continuously evaluated and re-evaluated as circumstances change. Senior Managers also monitor risks on an ongoing basis. As can be seen from the Operational Plan in Appendix A, the corporate risk rating for some Red/Amber areas has been de-escalated and/or the risk been deleted due to the residual risk reducing. The Internal Audit Service will still maintain strategic oversight of the areas that it does not plan to cover in depth and if any issues are identified then it will make arrangements to examine those areas more closely. The Officer said that she was now able to report that the Service has recruited two new members of staff, one of whom will commence in post in August and the other in October; they are bringing to the posts experience and a diverse skills set.


It was resolved that having considered the information and the assurance provided both verbally and via the written reports, the Audit and Governance Committee -


- Notes Internal Audit’s latest progress in terms of its service delivery, assurance provision, reviews completed, performance and effectiveness and in driving improvement.

- Approves the arrangements for the review of its terms and conditions.


ADDITIONAL ACTION: None but the Committee notes that a planned update report on GDPR is scheduled to be presented to its September meeting.