14 Annual Report of the Senior Information Risk Owner (SIRO)
Minutes:
The Committee received the Annual Report of
the Senior Information Risk Owner (SIRO), which provided an overview of the Council’s
information governance arrangements, including data protection compliance,
information security incidents, and the progress made in strengthening controls
and assurance over the past year.
The Head of Policy, Governance and
Information outlined key developments over the reporting period, explaining
that there had been increased organisational focus on information security,
asset management and cyber resilience.
Arrangements for data handling, incident reporting and response had been
strengthened, and the implementation of audit recommendations was underway
alongside planned improvements to governance processes. In addition, ongoing work was being
undertaken to improve Subject Access Request compliance and timeliness across
service areas.
The report also highlighted the role of the
Senior Information Risk Owner in ensuring effective risk management,
accountability and assurance across all information governance activity.
During discussion the following points were
raised:
· Members noted that security incidents had almost doubled, driven primarily by increased
reporting of loss and theft of ICT equipment and loss of access cards, rather
than increased cyber-attacks.
· Officers confirmed that access cards are deactivated immediately when reported lost, and
that additional security measures were being introduced to better protect
Council assets.
· Members also noted the current Subject Access Request compliance rate of 72%. The Head of Policy, Governance and
Information explained that while no benchmarking with other local authorities
was planned, work was ongoing to improve timeliness and response rates.
· A Member referenced the Redcar and Cleveland Borough Council cyber-attack as a
reminder of the ongoing risks to local authorities, and Officers confirmed that
lessons learned had been incorporated into local arrangements and disaster
recovery planning.
· Members were satisfied with the information presented and did not request
further assurances at that stage.
AGREED that the Audit Committee:
1. Noted the position in respect of
information governance as set out in the Annual Report of the Senior
Information Risk Owner (SIRO) and the arrangements in place to manage the
associated risks.
2. Considered the information provided and
was satisfied that it provided sufficient assurance that information governance
arrangements are appropriate.