Agenda item

Annual Report of the Senior Information Risk Owner (SIRO)

Minutes:

A report of the Head of Governance Policy and Information was presented to advise the Audit Committee of arrangements in place to ensure the proper governance of information within the Council, progress made within the 2023 calendar year, risks and issues arising, and priorities for 2024/25.

 

The Council created, protected, managed, shared and disclosed information in line with a complex legal framework. The report dealt principally with information governance arrangements relating to the following, and the risks arising from:

  • Data Protection Act 2018 (DPA).
  • UK General Data Protection Regulation 2016 (UK GDPR).
  • Privacy and Electronic Communications Regulations 2003 (as amended).
  • Environmental Information Regulations 2004 (EIR).
  • Freedom of Information Act 2000 (FOI).
  • Regulation of Investigatory Powers Act 2000 (RIPA).
  • Protection of Freedoms Act 2012 (PoFA).


The Council’s activity in this area was largely regulated by the Information Commissioner’s Office (ICO), with the Investigatory Powers Commissioner’s Office (IPCO) acting as the regulatory body for RIPA, and compliance with the Surveillance Camera Code of Practice and the relevant provisions of PoFA encouraged by the Biometrics and Surveillance Camera Commissioner.

 

The Head of Governance Policy and Information acted as the Council’s SIRO and Senior Responsible Officer (SRO) for Biometrics and Surveillance and RIPA, and was the owner of the Council’s Information Strategy. The SIRO advised the Chief Executive and the Council’s management team on information risk, reporting quarterly to the internal risk management group and annually to the Leadership Management Team (LMT) and Audit Committee.


The report provided an overview of compliance, issues and risks in 2023 in the following areas:

 

  • Information Governance Framework.
  • The Information Strategy.
  • Data Protection.
  • Information Security.
  • Cyber Security.
  • Records Management.
  • Surveillance Policy.
  • Public Information and Information Requests.
  • Physical Access and Building Security.

 

During 2024, a refresh of the Information Strategy would be undertaken to:

 

  • Focus on refreshing the assessment of the health of Council data.
  • Identify the improvement transformation required to enable the Council’s delivery of transformation activity.
  • Refresh the Information Governance Policy Framework to reflect emerging opportunities and risk, for example, opportunities around use of artificial intelligence and policy safeguards that would need to be put in place.

 

The Council’s data protection activity over 2023 had continued to focus on incidents and rights requests. Other data protection activity over 2023 had involved cyclical reviews and updates to information sharing agreements and privacy notices. 

 

Mandatory training compliance had declined to 91%, with areas for improvement identified in Children’s Services, partly due to staff turnover, and in Regeneration Services, where plans for alternative training approaches for large groups of casual staff in cultural and creative services were being developed.


The final two recommendations from the 2020 ICO consensual audit of the Council were implemented.  Analysis of ICO published statistics for receipt of any complaints and concerns, up to June 2023, showed Middlesbrough Council ranked 115th equal out of 118.  Within 2023, there were no complaints or breaches referred to the Council by the ICO and of the four reports made to the ICO about the Council, all were closed with no further action.

 

In relation to Information Security, details of the numbers of personal data breaches and ICT/other security incidents were provided at paragraph 4.11 of the report. Six personal data breaches were reported to the ICO in 2023. Following investigation, the ICO had not taken any further action in respect of these incidents. An update on actions taken in relation to Cyber Security and Records Management was also detailed in the submitted report.


The Council continued to operate an integrated Surveillance Policy which set out how and when surveillance would be authorised, conducted, reviewed and reported.  Training in 2023 had focused upon appropriate determination in using the policy and the differences between RIPA and non-RIPA processes.  The policy was last reviewed by the Executive Member for Finance and Governance in December 2023, and would next be reviewed in December 2024.

 

The report provided statistical data in respect of Public Information and Information Requests.  In 2023, 102 individuals made Subject Access Requests (SARs); there were 1295 FOI requests, which represented a 2.29% increase on 2022; and 70 EIR requests.  Details regarding the content and performance measurement of these were outlined to the Committee.  

 

Regarding physical access and building security, the Committee was advised that the Council had a range of policies and procedures in place which managed building security and access to Council sites, along with a building manager model.  Following a series of incidents, recommendations had been made about changes to building security measures and practices.  Subject to the outcomes of any wider building asset portfolio decisions, further recommendations were possible.

 

The key priority during 2024 was to review the Information Strategy of the Council to ensure that the operational aims of the Council aligned with the strategic vision set by Members and the organisation’s direction of travel, particularly in relation to the on-going work around budget and governance.

 

The second priority of the organisation was the successful delivery of transition to SharePoint, which would transform how the Council stored, shared and used data on a day-to-day basis.  Information governance considerations were embedded within the scope of the project to ensure that the benefits of SharePoint were maximised while ensuring a robust approach to information governance and security.

 

A Member referred to paragraph 4.9 of the report and queried the analysis of ICO published statistics for the receipt of any complaints and concerns, up to June 2023; Middlesbrough Council was ranked 115th equal out of 118.  In response, it was clarified that this was positive as 115th was at the lower end of the scale, meaning that very few people had complained.

 

A Member queried the process for closing complaints and the associated checks and balances. In response, the steps involved in the complaints procedure were outlined to the Committee, which involved progression into stages two and three, with the option for complainants also to approach the Local Government and Social Care Ombudsman should they wish. It was indicated that an annual complaints report would be provided to the Audit Committee in August 2024.


A Member referred to paragraph 4.24 of the report and queried whether the cyber security exercise had been carried out by the Local Government Association (LGA).  In response, it was explained that this needed to be rescheduled, and would take place in August 2024.

 

A Member referred to paragraph 4.13 of the report and queried the work being undertaken to prevent future personal data breaches. In response, it was explained that the Data Protection Officer would carry out an investigation into any such breach to determine whether it was the consequence of a system or individual error. Remedial work, as appropriate to the cause, would then be carried out. The outcome of such investigations was reported to LMT.


A Member referred to paragraph 4.21 of the report in respect of a Cyber Security Training Strategy.  The Committee was informed that this would ensure that staff were educated appropriately regarding modern cyber threats, and their associated risks and options for mitigation.  The planned refresh would allow for officers to maintain pace with the way the Council operated.

 

A Member referred to the issue of tailgating in respect of building security and queried the work taking place to prevent this.  The Committee was advised that this included regular communications to staff to highlight this issue; incident logging; the establishment of a policy; and building security audits.  It was indicated that this had been a particular issue at Fountains Court, which had resulted in outside lighting provision being changed and the situation closely managed.

 

NOTED