Agenda item

Information Governance

To receive an update on the latest position with regard to Information Management and Governance.

Minutes:

An update report by the Head of Function (Council Business) summarising progress to date in taking forward the Information Governance Project was presented for the Committee’s consideration.

 

The Head of Function (Council Business) and SIRO reported on the context and background to the establishment of the Information Governance Project along with the requirements of the Data Protection legislation which underpins the project in relation to the lawful processing of personal data. The Officer brought the following matters to Members’ attention -

 

           The DPA Action Plan for Improvement incorporates all previous regulatory activity with regard to Information Governance and Management.

           The Information Governance Project Board as part of the Council’s Business Transformation programme is the vehicle for delivering the Action Plan and began work in November, 2013. The target completion date is August, 2014, when it will be replaced by a group of officers to ensure ongoing compliance.

           The audit of the Council’s compliance with the Data Protection Act by the Information Commissioner’s Office in July 2013 will be repeated in the near future and failure to implement change could result in enforcement action being taken against the Council.

           The implementation of the ICO’s recommendations from its July 2013 audit will mitigate against the risks of a serious breach of the Act. These have been distilled into five key themes.

           Capacity has been awarded to the management of the project for ICT, HR and DP/Legal Support.

           The absence of the Lead Operational Officer and designated Project Manager has hampered progress. Interim arrangements have been made to ensure movement on the Action Plan with particular focus on actions timed for November and December.

           Four core policies have been prepared and endorsed by the Senior Leadership Team – Data Breach Policy, Privacy Impact Assessment Policy, Personal Data Classification Policy and Information Risk.

           A review of outstanding recommendations from previous regulatory reports has been completed and those have either been assimilated into the Information Governance Project or will be added to it before its closure.

           A review of the Authority’s standard contractual templates in relation to third parties who undertake work for the Authority is being undertaken. Following its completion, the services will be required to review and renegotiate their existing contracts to ensure they include data protection provisions and terms.

           Certain actions remain outstanding or have not commenced. These relate to ICT and Property and are connected with access and security, and with storage arrangements. The latter has resource implications.

           Assurance can be given that appropriate arrangements have been put in place through the project and that progress has been made against targets in the Action Plan. At this point in time there remains some concern in respect of some timelines in relation to certain aspects of work not yet commenced.

           The project’s timeframe provides some flexibility to enable slippage to be overcome. However, the Project is designed to be incremental, meaning any additional slippage in the form of elements not completed to time will impact on other subsequent elements of the work.

           The Information Governance Project Board will next meet on 9th January. A status report will be presented to the Business Transformation Board.

 

Members of the Audit Committee considered the information and made the following points –

 

           Whether tasks identified in the Action Plan have designated owners to facilitate and ensure their delivery. It was noted that actions and the responsibility for them become more dissipated as they are extended outwards to the services.

           Whether the Audit Committee is able to make an input to ensure key actions are brought back in line with the timescale.

           Whether the project is being adequately resourced to ensure that matters identified as requiring action are remediated expeditiously and fully.

           Concerns regarding the extent to which the situation has been allowed to escalate over time.

           Whether breaches that have occurred are due to lack of training on the requirements of data protection or due to carelessness and disregard.

           The imperative need for Heads of Service to take responsibility for data protection.

           That addressing data protection issues and putting safeguards in place are a matter of priority.

           The possibility of taking disciplinary action in response to and/or as a deterrent against future breaches.

           That the Executive be apprised of the Audit Committee’s concerns regarding the situation and its views on the need to prioritise data protection issues in terms of time and resources; to consider disciplinary action as an option in responding to any future data protection breaches; to provide training to all staff on the range of data protection policies; to remind Heads of Service of their responsibilities with regard to data protection.

 

The Head of Function (Council Business) responded to the points made by expanding on the current and planned actions and their expected outputs and explaining the nature of those tasks not commenced and the risks attached to them.

 

The Chief Executive stated that historically capacity issues have been a factor in addressing data protection compliance. The Executive has responded positively to the requirements in terms of strengthening capacity to ensure the shortcomings identified are addressed. In general terms there needs to be a change of mindset within the Authority corporately so that compliance with data protection requirements becomes an integral part of the work of the Authority across all services.

 

It was resolved –

           To note the report and the update provided.

           To refer the Audit Committee’s concerns with regard to Data Protection compliance within the Authority to the Executive with the request that it considers and provides assurance to the Audit Committee on the following matters –

 

           That an appropriate level of resources is allocated to ensure that shortcomings in data protection compliance are remedied fully and properly.

           That disciplinary action be considered as an option in responding to any future data protection breaches.   

           That the Authority’s staff are provided with training on all data protection policies.

           That all Heads of Services are reminded of their data protection responsibilities within their respective services and the importance thereof.

 

ACTION ARISING: Audit Committee concerns to be reported to the Executive with a request for a response.
