Agenda item

To receive an update on progress.

A report by the Audit Manager on current developments in relation to Information Management and data security with particular reference to an audit of the Council’s arrangements for the processing of personal data carried out by the Information Commissioner’s auditors during July, 2013 was presented for the Committee’s consideration.

The Corporate Information Officer provided Members with a summary of the legislative background to information management and data security including the powers of the Information Commissioner and the financial penalties which can be imposed in cases of a breach of the Data Protection Act 1998. The Officer reported that significant control weaknesses with regard to the Council’s arrangements for information management, information governance and data security have been identified in a number of regulatory reports and the Annual Improvement report this year also highlighted this area as a limiting factor in the Council’s ability to improve. The Audit Committee has been kept informed of progress made in addressing these issues.  Following breaches of the Data Protection Act 1998 by the Council, formal undertakings were made by the Council under the Act with the Information Commissioner Officer in January 2011 and January 2012. As a result, the Council agreed to the IC’s Office undertaking a consensual audit of the Council’s arrangements for processing personal data. The fieldwork for the audit was carried out in the first week of July. The resultant report of the ICO’s auditors is likely to re-iterate and possibly add to the recommendations made in previous regulatory reports. However, the Council’s readiness to report to the Information Commissioner on these matters along with its reporting systems allowing for the prompt review of such occurrences  and identification of appropriate steps to reduce the risk have been recognised by the IC’s Office. The Officer informed the Committee that a project on information governance was initiated in anticipation of the Information Commissioner’s then forthcoming audit covering the specific areas noted in the report and the project’s work programme will include progressing the action plan that is expected for the Information Commissioner’s consensual audit.

Members considered the report and were keen to obtain assurance that the necessary resources are available to address the matters that have been identified as requiring attention and to allow for that process to be completed speedily. Given that non- compliance with data protection has been highlighted as one of the Council’s top risks the assumption is that significant funding will be allocated to this area. Members emphasised that having been prioritised, action on information management matters needs to be taken quickly and assurance given that the resources are in place and a timetable has been set that is expeditious. The Committee requested a further update at its September meeting.

The Audit Manager said that the Information Commissioner’s final report is expected to be issued in September and that the Senior Leadership Team will determine the level of resources required and available for addressing the recommendations arising therefrom. It was suggested that the Information Commissioner’s auditors be invited to address the September meeting of the Audit Committee on their perspective on the information management arrangements within the Council along with a representative of the SLT to provide a response to the report.

It was resolved to accept the report and to note its contents.

ACTION ARISING: Corporate Information Officer to invite the Information Commissioner’s auditors to the September meeting of the Audit Committee along with a representative of the SLT to provide a response to the IC’s report.