Agenda item

Information Governance - Annual Report of the Senior Information Risk Owner (SIRO)

To present the report of the Head of Function (Council Business)/Monitoring Officer.

Minutes:

The report of the Senior Information Risk Owner (SIRO) which provided an analysis of the key information governance (IG) issues for the period from 1 April, 2017 to 31 March, 2018 was presented for the Committee’s consideration. The report also provided an update on the Council’s progress with its GDPR Implementation Plan covering the period from 25 May, 2018 to 31 July, 2018.


The Corporate Information Governance Manager reported that the report provides an overview of the Council’s compliance with legal requirements in handling corporate information including compliance with the Data Protection Act, 1998; the Freedom of Information Act, 2000 and the Regulation of Investigatory Powers Act, 2000 (Surveillance) and the relevant codes of practice. The report also includes assurance of on-going improvement in managing risks to information during 2017-18 and identified future plans. It sets out the Council’s contact with external regulators and provides information about security incidents, breaches of confidentiality or “near misses” during the relevant period. He highlighted the main points as follows –


• That non-compliance with data protection legislation is likely to be the primary information risk for the Council. Consequently, much progress has been made to develop awareness about personal data risks in order to introduce mechanisms to manage the risk in accordance with best practice and in anticipation of data protection reform. Additionally, the Council has identified risks around personal data in its corporate and service risk registers.

• The Council recognises that there are a number of risks to the security of information as listed in the report and that harm and distress to individual(s), financial penalties, enforcement actions, adverse publicity and loss of confidence in the Council are also risks associated with its personal data assets. Therefore, as well as technical and physical measures to protect the Council’s information, a range of technical and organisational safeguards are in place against information risks; these range from suitable IG policies and procedures and encrypted ICT equipment to data protection training, IG KPIs and procedures for recording data security incidents and learning therefrom.

• That with regard to the General Data Protection Regulation (GDPR), Section 5.1 of the report outlines progress to 31 March, 2018, i.e. the period covered by the SIRO’s report, which saw the development of the Council’s plans to implement the GDPR, and also the subsequent work undertaken since 31 March, 2018 up to 31 July, 2018 to implement the GDPR, including the 5 stage implementation plan. The Officer confirmed that all the requirements under each of the 5 stages have been met. In relation to training under Stage 5 of the process, the report shows the take-up to 31 July, 2018 of the e-learning module introduced in May, 2018 by each of the Council’s services. As at 31 July, a total of 747 staff, or 43%, had completed the module. Evidence of training in combination with evidence of policy acceptance provides measurable assurance for the Council.

• That Policy Acceptance is a safeguard for the Council because it provides evidence that staff have read and understood the policy. The Council’s Data Protection Policy was made mandatory for acceptance between 4 June, 2018 and 2 July, 2018 and the acceptance rate was 83%. The Data Protection Policy remains open for acceptance.

• That the Council has established its policy management system, Policy Portal, which has served as a library of policies since November, 2016. The policy acceptance function was introduced in April, 2017 and provides assurance that key IG policies are being read, understood and formally accepted by individual members of staff. The availability of the Policy Portal has also made the task of monitoring data protection compliance post-25 May, 2018 significantly easier. Acceptance rates for each of the mandatory policies – Clear Desk Policy, Records Management Policy and Data Classification Policy – were 95%.

• That the Policy Portal relies on the Council’s Active Directory (AD), which now includes around 1,000 active users following the inclusion of the Learning Service. However, the number of staff who do not have Active Directory accounts is estimated at around 686. AD users with email accounts occupy Microsoft Client Access Licences, which are expensive. The provision of any IT equipment to facilitate access would also have cost implications. Whilst providing AD accounts for all staff would be technically possible, it would be too costly and therefore is not a current priority.

• That during the period of the report, the Council monitored specific IG KPIs, some on a monthly and others on a quarterly basis (Section 5.9 of the report). It also publishes its access to information data on its website on a quarterly basis.

• That 19 Level 0 to Level 1 data security incidents were recorded during the period, i.e. incidents classified as near misses or confirmed as data security incidents which do not need to be reported to the Information Commissioner’s Office (ICO) and other regulators (down from 33 in the previous report). One Level 2 incident was recorded, i.e. a data security incident that must be reported to the ICO and other regulators as appropriate. Details are provided in Appendix A to the report.

• That based on the information collected for the period which the report covers, the SIRO considers that there is significant documented evidence to demonstrate the following –

  - the Council’s arrangements for IG and data protection compliance are reasonably effective;

  - the Council has successfully met the challenge of implementing the new data protection legislation and it operates in a compliant way;

  - the Council has processes in place to demonstrate compliance to the ICO and it complies with the GDPR’s accountability principle;

  - data protection remains, and is always likely to remain, a medium risk to the Council because of the sensitivity of the personal data it processes, which varies between the services.


The Committee considered the information presented and made points as follows –


• The Committee noted that as of 31 July, 2018 only 43% of staff had taken up the e-learning module for data protection learning, with some services in a less compliant position than others, e.g. Adults’ Services and Highways, Property and Waste Services. The Committee sought clarification of whether arrangements have been made to ensure that all staff undertake the training and whether a target date has been set by which it is expected this will be completed.

The Corporate Information Governance Manager said that whilst the report refers to the position up to 31 July, progress has been and is continuing to be made since that time. Heads of Service are responsible for ensuring that their staff complete the e-learning module although, as the report discusses, some groups of staff within certain services – e.g. Home Carers within Adults’ Services and Transport and Recycling Centre staff in Highways, Property and Waste Services – are experiencing access issues because they are not Active Directory users and are therefore not included in the process, hence the lower compliance rates for these services.


• The Committee noted that the Corporate Information Governance Board (CIGB), established in 2014 to address IG issues, may report matters directly to the Council’s Senior Leadership Team (SLT). The Committee sought clarification of any circumstances where this has been found to be necessary and whether, given the significance of the Information Governance function within the Council, the SLT should in any case be kept informed as a matter of course.

The Corporate Information Governance Manager said that since May, 2018 the Council is statutorily required to ensure that reporting lines to the SLT are open and accessible; historically data security incidents have been reported to the SLT along with related issues such as logjams in training for example. Currently so as to keep the reporting process proportionate, the SLT is kept updated on a periodic basis.


• The Committee noted that Data Protection training will form part of the induction process for new staff. The Committee sought clarification of whether this provision will be available to all new staff in services such as Adults’ Services, for example, where access/attendance issues have been identified in relation to specific groups of staff, particularly off-site staff such as Home Carers.

The Corporate Information Governance Manager said that, as the report acknowledges, the Policy Portal’s reliance on the Council’s Active Directory has been recognised as a compromise from the outset because staff who do not use AD are omitted from the process. However, a meeting is planned for the end of September to look at various options for the services so affected.


• The Committee noted that 22 Level 0-1 Data Security incidents were recorded during the reporting period. The Committee sought clarification of whether, after the completion of training, the number of incidents will reduce and/or data security will improve.

The Corporate Information Governance Manager said that due to the nature of the risks associated with data protection e.g. human error, it is unlikely that the number of data security incidents will reduce to zero. Conversely, the recording of data security incidents demonstrates both awareness of the need to report such incidents and the effectiveness of the reporting process which are important in the context of information governance.


It was resolved to accept the report and to note its contents and to take assurance from the Senior Information Risk Owner’s conclusions about the effectiveness of the Council’s arrangements for Information Governance for the period covered by the Annual Report 2017/18.


NO ADDITIONAL ACTION WAS PROPOSED
