SIRO Annual Assurance Report

Meeting: 16/03/2023 - Corporate Affairs and Audit Committee (Item 67)

67 Annual Report of the Senior Information Risk Owner (SIRO)


A report of the Interim Head of Governance Policy and Information was presented to advise the Corporate Affairs and Audit Committee of arrangements in place to ensure the proper governance of information within the Council, progress made within the 2022 calendar year, risks and issues arising, and priorities for 2023.


The Council must create, protect, manage, share and disclose information in line with a complex legal framework.  The report dealt principally with information governance arrangements relating to the following, and the risks arising from:


           Data Protection Act 2018 (DPA);

           UK General Data Protection Regulation 2016 (UK GDPR);

           Privacy and Electronic Communications Regulations 2003 (as amended);

           Environmental Information Regulations 2004 (EIR);

           Freedom of Information Act 2000 (FOI);

           Regulation of Investigatory Powers Act 2000 (RIPA); and

           Protection of Freedoms Act 2012 (PoFA).


The Council’s activity in this area was largely regulated by the Information Commissioner’s Office (ICO), with the Investigatory Powers Commissioner’s Office (IPCO) acting as the regulatory body for RIPA, and compliance with the Surveillance Camera Code of Practice and the relevant provisions of PoFA encouraged by the Biometrics and Surveillance Camera Commissioner.


The Interim Head of Governance Policy and Information acted as the Council’s Senior Information Risk Owner (SIRO)/Senior Responsible Officer (SRO) for Biometrics and Surveillance and RIPA, and was the owner of the Council’s Information Strategy.  The SIRO advised the Chief Executive and the Council’s management team on information risk, reporting quarterly to the internal risk management group and annually to Leadership Team and to the Corporate Affairs and Audit Committee.


The submitted report provided an overview of compliance, issues and risks in 2022 in the following areas:


           ICO Consensual Audit 2019 and 2020 recommendations.

           Information Governance Framework.

           Statutory Information Requests.

           Physical Access.

           Surveillance Policy.


Performance reporting showed an increase in FOI/EIR compliance and Members noted this positive improvement.


During 2023 a refreshed approach to Information Strategy would be developed alongside the refresh of the Strategic Plan to ensure the operational aims of the Council aligned with the Strategic vision set by Members.


The Council’s information asset registers were significantly developed in previous years and reviewed/consolidated with UK GDPR ‘Records of Processing Activity’ in 2019/20.  Various in-year updates by individual Information Asset Owners would need to be merged with changes as a result of the Council’s accommodation strategy, bulk transfer of records to digital formats, procurement of electronic systems – including the SharePoint Online migration and decommissioning of others.


In relation to Information Security, details of the numbers of personal data breaches and ICT/other security incidents were provided at paragraph 17 of the submitted report.  Only two personal data breaches were reported to the ICO in 2022.  Reported personal data breaches had decreased by 20% on the previous year, whilst ICT/other security incidents had increased, largely owing to more reports of lost or stolen ICT hardware devices.  An update of actions taken in relation to Cyber Security and Records Management  ...