Agenda item

Information Governance: Annual Report of the Senior Information Risk Owner (SIRO) 2020/21

To present the report of the Senior Information Risk Owner (SIRO).

Minutes:

The Annual Report of the Senior Information Risk Owner (SIRO) for 2020/21 was presented for the Committee’s consideration. The report set out the SIRO’s statement and overview of the Council’s compliance with the legal requirements and relevant codes of practice in handling corporate information and, at Appendices 1 to 7 provided key data about the Council’s information governance including contact with external regulators, security incidents and breaches of confidentiality or near misses, and Freedom of Information requests and complaints during the period.


The Director of Function (Council Business)/Monitoring Officer and designated Senior Information Risk Owner (SIRO) reported on the main points from the Annual Report as follows –


·         The Council’s processes and practices under the Regulation of Investigatory Powers Act 2000 (RIPA) were inspected by the Investigatory Powers Commissioner’s Office during the period covered by the report. The inspection was favourable and no formal recommendations were made. Although the Council makes responsible but limited use of RIPA, the relevant roles, policies, procedures and training are necessary and must be in place.

·         The Council was contacted by the Information Commissioner’s Office (ICO) in respect of 2 data protection complaints. While the matters were not ultimately investigated by the ICO, the Council was asked to review its responses to the complainants and take any appropriate steps to ensure the complaints were dealt with fully. The complaints have been reviewed and the matters concluded. One appeal was lodged with the ICO in this period which was upheld.

·         The Office of the Surveillance Camera Commissioner (OSCC) oversees compliance with the Surveillance Camera Code of Practice. The Council has been using the Surveillance Camera Commissioner's CCTV specific Data Protection Impact Assessment (DPIA) since 2019/20 and it is now used by the Council whenever a new CCTV system is proposed. Whilst the Council had no contact with the OSCC during the period of the report, a great deal of work has been undertaken in that time to strengthen arrangements including addressing the governance gaps surrounding historic CCTV systems which existed before the introduction of the SCC Code. During the period of the report, CCTV users and managers were trained in the data protection elements of using CCTV.

·         During the year, 30 data security incidents were recorded by the Council, comprising 28 Level 0-1 incidents (near misses or confirmed incidents with no need to report to the ICO or other regulators) and 2 Level 2 incidents (data security incidents that must be reported to the ICO because of the risk presented by the incident).

·         A total of 736 FOI requests were received during the period 1 April, 2020 to 31 March, 2021, comprising 5,397 individual questions. A breakdown of the requests per service and by applicant type is provided in Appendix 3 of the report. Of the 736 requests, 5 resulted in an internal review of the responses made by the Council, the outcomes of which are as outlined. At its September, 2020 meeting the Committee discussed the possibility of the Council making more information routinely available in order to better manage the impact of FOI requests. To assess whether the Council’s routine publication of information is an effective factor in minimising the impact of FOI requests, a self-assessment tool was prepared and circulated to the Council’s services, with all but the Resources function participating in the self-assessment. The outcome of the self-assessment is set out in Appendix 8 and confirms that it is unlikely that the publication of information reduces the number of requests, since routine publication of documents rarely provides the context that FOI applicants require. There is also evidence to suggest that published information results in additional requests.

·         A total of 5 Data Protection Act complaints were received during the year of the report of which 4 were investigated but were not upheld. In these four instances it was found that the Council’s processing was considered to be lawful and the data subject rights were not compromised.

·         A total of 24 Subject Access Requests were received; of the 22 SARs responded to, 78% of the responses were sent within deadline. Two SARs are on hold subject to the receipt of the necessary evidence and one was received at the end of the reporting period and was therefore not due a response within the period of the report. These requests can be complex and addressing them is often time consuming. A methodology has been developed and training provided.

·         A Data Protection Work Plan was developed in the months following the implementation of the new data protection legislation in 2018 and has been reported to this Committee. All elements of that work plan have long since been completed apart from the two elements outlined in the Table at Appendix 6 which are both attributable to the Learning Service; these outstanding elements relate to the need to review the use of consent as a lawful ground for processing and to develop and monitor the Council’s Article 30 ROPA.

·         A schedule of Information Governance training is provided at Appendix 7; 90% of the staff targeted have undertaken training during the period of the report and Heads of Service will be encouraged to target the remaining 10% in the current reporting period.

·         Owing to the demand for operational advice, the Council’s information governance capacity is being invested in providing direct support to clients in accordance with the key obligations of data protection, meaning there is no longer capacity for any non-essential strategic and corporate initiatives. It is therefore proposed that, rather than reporting on the progress of services with action plans, future attention will shift to seeking assurance from Heads of Service as Information Asset Owners on key compliance areas.

·         It is the SIRO’s conclusion that there is significant documented evidence to demonstrate that the Council’s data protection and information governance arrangements are good. This assessment is based on the information governance systems, processes, policies and training that the Council has in place, which provide assurance that the Council is aware of the risks and has taken appropriate and reasonable steps to mitigate those risks. The SIRO also considers that information governance is embedded within the operational culture of the Council. However, there remain two areas where further work is necessary, in connection with the uncompleted tasks falling to the Learning Service and CCTV Data Protection Impact Assessments.

·         In the coming year the focus will be on supporting services with specific cases and providing ongoing training; the past year has seen the evolution of new, different and often pioneering ways of working in connection with Covid-19, including on a regional and national basis, which will demand time and attention. In addition, a specific package for Heads of Service is being developed in tandem with a statement of assurance system which will be underpinned by appropriate training.


The Committee, in considering the annual report and the level of compliance and risk which it reflects, raised the following points –


·         The actions that are needed and might practicably be taken to enable the SIRO to come to a conclusion that the Council’s data protection and information governance arrangements are very good or excellent. The Committee also sought clarity on the criteria against which the assessment of service performance is made. The Monitoring Officer/SIRO advised that should the priorities and areas of focus as outlined be achieved and the quality assessment of these areas prove satisfactory, then it may be possible to upgrade the evaluation of the Council’s arrangements. Last year was the first year the SIRO deemed it possible to designate the Council’s arrangements as good, so the direction of travel is positive. In terms of assessing services’ performance, it is intended to work with the Heads of Service and Directors to develop specific criteria. The Monitoring Officer/SIRO highlighted that while there is no precedent for such work among local authorities which the Council can draw upon, areas of performance in relation to training, supervision, complaints and turnaround times will be considered, and many of the corporate elements will be applied to services individually, the aim being to identify any weaknesses at service level so that they can then be addressed.

·         The Committee noted that the Learning Service as at March, 2021 remained non-compliant with regard to implementing actions in relation to completing the consent audit and ROPA-related work; the Committee queried whether the SIRO was able to provide an update on any developments that may have taken place in the intervening period. The Monitoring Officer/SIRO confirmed that the situation remains unchanged despite the matter being raised with the Learning Service on several occasions, including in a number of meetings, and despite the support of the Governance and Audit Committee in doing so. The Learning Service states that it has a number of priorities and that the elements highlighted are not uppermost among them. Responding to a further question, the Monitoring Officer/SIRO confirmed that the outstanding work is statutory, with it being an expectation therefore that the Learning Service complies.


In light of the clarification above, it was proposed that, in order to obtain assurance on this matter, the Learning Service be asked to report to the Committee’s next meeting at the latest with clarification of its arrangements for completing the outstanding work encompassing the consent audit and the Record of Processing Activities.


It was resolved –


·         To accept the SIRO’s statement.

·         To note that the longstanding consent audit in the Learning Service remains uncompleted.

·         That the Committee endorses the Council’s development of its GDPR Article 30 Record of Processing Activities, to be supported by the Learning Service.

·         That the Learning Service report to the Committee’s next meeting at the latest with clarification of its arrangements for completing the outstanding work as described above, i.e. the consent audit and the Record of Processing Activities.

·         That the SIRO’s future reports to the Governance and Audit Committee report on assurances received by the SIRO from the Heads of Service as Information Asset Owners.
