Agenda item

Annual Report of the Senior Information Risk Owner (SIRO)

Minutes:

The Annual Report of the Senior Information Risk Owner (SIRO) was presented by the Head of Strategy, Information and Governance for Members to note the position in respect of information risk set out in the report, and propose any further steps that might be taken to promote good practice in information governance within the Council.


The report provided assurance to the Committee that information governance (IG) policy and practice within the Council was in line with legal obligations, and consistent with the principles of good governance.


The last annual report to the Committee (6 February 2020) set out six key priorities to reduce information risk for the 2020 calendar year and beyond.  Shortly after this, the UK was locked down in response to the COVID-19 pandemic, and at the time of writing significant restrictions remain in place.  As with all business areas, these restrictions resulted in delays to planned activity, as relevant employees were either re-directed to emergency response or otherwise unable to progress work, for example, due to the unavailability of the workplace.  Therefore, work on these, and other priorities identified during 2020 and set out within the report, would be completed during 2021. Nevertheless, good progress was made in the following areas during the year, as detailed in the submitted report:


·        Many of the actions from the 2019 ICO Consensual Data Protection Audit had been implemented or were in the process of being implemented. The ICO undertook a follow-up audit in December 2019 and its report was attached at Appendix 1 to the submitted report.

·        A key priority from the audit was to address procedural and resourcing issues around statutory information requests, notably Subject Access Requests. While some progress was made on this during the year, a significant backlog remained. However, plans were in place to address this issue and there could be some confidence that the issue would be resolved this year.

·        Another key priority was improving control over physical access to buildings to mitigate data breach or loss through unauthorised access. COVID-19 affected this risk in two ways: significantly restricting access to buildings and requiring the Council to clear all paper from office spaces with over one million pieces of paper being removed from the Civic Campus during the year.

·        Revised physical access arrangements would be put in place for re-occupation and communicated in the re-induction employees would undertake prior to returning in September.

·        This method would also be used to communicate the revised information governance framework.

·        The Council was in the process of moving to Microsoft 365 which would provide the opportunity to put in place appropriate controls and retention of email.

·        An internal audit of the Council’s CCTV arrangements was underway, which would inform the Council’s plan to implement a single approach across all schemes.


Other areas covered in the submitted report included:


·        Progress on the Information Strategy, including the policy register and those updated during the year.

·        Changes to information asset registers in the year, which were minimal.  A data quality audit within Children’s Services during the year yielded substantial assurance in line with ongoing improvements in that Directorate.

·        A significant amount of data sharing took place during the year as part of the pandemic response, together with a significant amount of data analysis. This should build confidence in both disciplines going forward.

·        Information security, principally cyber security and the cyber-attack on Redcar and Cleveland Borough Council and Middlesbrough Council’s positive response.

·        The significant escalation in global cyber security risk during 2020 due to SolarWinds and other attacks and the actions the Council was taking to address this increased risk, while dealing with the significant impact of COVID-19 on ICT, which was handled very well.

·        Significant improvements were made to the Council’s mail and print operation during the year, with controls around printing implemented and a ‘mail from desktop’ solution now in place.

·        Protection matters, including the impact of exiting the EU and data protection incidents during the year.

·        Incidents increased overall, particularly disclosures in error, some of which were likely attributable to additional and new work associated with the pandemic response. However, the severity of incidents dropped, with no incidents reported to the ICO in year.

·        Statutory information requests showed significant growth in the year, but driven by CCTV disclosure, rather than by FOI/EIR as in previous years.  The volume of FOI/EIR requests and the timeliness of responses fell due to the pandemic and steps would be taken to recover performance this year.

·        The Council launched an Open Data site in the year to pre-empt data-based requests. This now had 1,000+ datasets on it and was regularly refreshed.

·        The Council continued to receive a number of complex and interrelated requests related to major projects and associated political decisions. Some requests also sought information for which Members themselves were the data controller and steps would be taken this year to provide Members with additional guidance and training on these issues.

·        Surveillance, particularly RIPA powers, were not used during the year. The Council was subject to a desktop inspection from the IPCO, the outcome from which was attached at Appendix 2 of the submitted report.

·        A comprehensive surveillance policy covering CCTV, RIPA, non-RIPA covert surveillance and employee surveillance would be developed this year and, from next year, surveillance would be the subject of a separate annual report.

·        Considering all of this, the Council’s information risk register had been updated and was attached at Appendix 3 to the submitted report.

In overall terms, the Council’s risk profile was broadly stable, but the Council needed to maintain vigilance in relation to cyber security, as well as completing activity to permanently mitigate risks relating to breach of data rights and unauthorised access, and compliance with surveillance law.

Key priorities for 2021 to address the issues and risks outlined in the report were as follows:


·        Continue monthly monitoring of the Council’s cyber security posture and improvements and undertake a staff phishing exercise.

·        Implement the outstanding recommendations from the ICO Consensual Data Protection Audit.

·        Launch the Council’s revised Information Governance Framework to staff as part of the post-pandemic re-induction process, and enhance Elected Member training on information governance.

·        Continue to improve the Council’s responsiveness to information requests through the provision of real-time dashboards for senior managers.

·        Agree physical security policy and procedures for the Council’s office estate, implementing changes for re-induction and advising on design of the Council’s new Headquarters (HQ).

·        Agree a position in respect of digitising or rehousing the Council’s historic paper records as part of the new HQ project.

·        Complete and implement the revised Surveillance Policy and actions from the forthcoming audit of CCTV.

·        Ensure that key ICT projects for 2021, including the migration to Microsoft Office 365, and the review of the Council’s website are aligned with the Information Governance Framework and progress the aims of the Council’s Information Strategy.


Key messages would continue to be communicated to staff via re-induction, staff training, Information Asset Owners and other means in order to ensure improved information risk management.


Responding to Members’ queries in relation to the number of visits to the Open Data Site and outstanding Subject Access Requests, Officers agreed to provide detailed information post-meeting.


The Director of Finance confirmed that Middlesbrough Council had not had any financial liabilities in respect of the cyber-attack, or the response to it, at Redcar and Cleveland Borough Council.


In relation to the number of staff responding to FOIs, it was confirmed that there were two members of staff who triaged requests to the relevant officers.


It was clarified that employees working from home had received advice and guidance in relation to data protection in order to minimise risk. Prior to the COVID-19 pandemic lockdowns, Middlesbrough Council staff were already used to agile working procedures.


AGREED as follows:


1.     the information provided was received and noted.

2.     details of the number of visits to the Open Data site and outstanding Subject Access Requests would be circulated to Committee Members.

Supporting documents: