Agenda item

Information Governance: Annual Report of the Senior Information Risk Owner (SIRO) 2024/25

To present the report of the Director of Function (Council Business)/Monitoring Officer.

Minutes:

The report of the Director of Function (Council Business)/Monitoring Officer which provided the Senior Information Risk Owner’s view of the main Information Governance issues for the period 1 April 2024 to 31 March 2025 and current risks was presented for the committee’s consideration.

 

The Director of Function (Council Business)/Monitoring Officer presented an overview of the report and highlighted the key points. The overall figures for data breaches remain consistently low, which may indicate a lack of awareness of what constitutes a data breach, resulting in matters that should be reported to the Interim Data Protection Officer being overlooked. Training needs to be refreshed and policies updated.

 

Although there are areas of good practice, the Council’s overall Freedom of Information Act request compliance rates remain low and always below the minimum requirements expected by the Information Commissioner (target 90%). This may be linked to an absence of current publication schemes within services. Regular publication of information can reduce the burden of FOI requests on services by allowing exemptions to be applied for material that is already publicly available.

 

The level of corporate support for information governance is low compared to that in other local authorities. The Corporate Data Protection Officer role has remained vacant for an extended period despite several recruitment attempts, and it continues to be filled on an interim basis. The current interim officer has reviewed the Council’s position and produced a draft work programme. While full delivery of the programme depends on capacity, priority actions have been identified and are reflected in the report’s recommendations. An application for funding for a paralegal post has been submitted to allow the Corporate Data Protection Officer to focus on policy, strategy and training.

 

The FOIA-related CRM project has finished, and a new, broader project has commenced which will still allow use of the documentation already created, along with several work streams, in a more comprehensive information governance system.

 

In reviewing the report, the committee noted the position with regard to FOIA compliance and the failure over a 10-year period to meet the Information Commissioner’s 90% target. Members requested clarification of the process for dealing with FOIA requests within services.

 

The Director of Function (Council Business)/Monitoring Officer explained that capacity is an issue and is limited because FOIA and data management officers within services also deal with complaints alongside their day-to-day duties, with only one central corporate officer post supporting all services. Further work with services will help identify barriers and target intervention and training, but each service will need to determine whether it has the resources to support the work.

 

She further advised the committee that, following discussion with the Chief Executive, she wished to offer an amendment to recommendation 2.3 of the report to read “that the quarterly Key Performance Indicators figures are amended so that they include compliance rates of individual services and this data is reported quarterly to the Leadership Team so that the Chief Executive can meet with any services that are under-performing in order to improve statutory compliance.”

 

Following discussion it was resolved to note the recommendations of the report as follows –

 

·      That focused data breach training be delivered to Freedom of Information Act Officers (FOIA Officers) to improve their awareness of what constitutes a data breach, how to report a data breach, and the mitigation measures that need to be taken in the event that a data breach is discovered.

·      That the Personal Data Security Incidents Policy and supporting Guidance be reviewed and updated before being relaunched internally with FOIA Officers. Such relaunch to be accompanied by specific training on the revised Policy and Guidance.

·      That the quarterly Key Performance Indicators figures are amended so that they include compliance rates of individual services and this data is reported quarterly to the Leadership Team so that the Chief Executive can meet with any services that are under-performing in order to improve statutory compliance.

·      That services be requested to conduct an assessment of their publication schemes with a view to increasing reliance on s20 and s21 of the FOI (i.e. information which is intended for future publication or information which is already available).

·      That FOIA training be provided for FOIA Officers to include the appropriate application of exemptions.

 
