Minutes:

The Annual Report of the Senior Information Risk Owner (SIRO) was presented by the Head of Strategy, Information and Governance for Members to note the position in respect of information risk set out in the report, and to propose any further steps that might be taken to promote good practice in information governance within the Council.

The report provided assurance to the Committee that information governance (IG) policy and practice within the Council was in line with legal obligations, and consistent with the principles of good governance.

The last annual report to the Committee (6 February 2020) set out six key priorities to reduce information risk for the 2020 calendar year and beyond. Shortly after this, the UK was locked down in response to the COVID-19 pandemic, and at the time of writing significant restrictions remained in place.

As with all business areas, these restrictions resulted in delays to planned activity, as relevant employees were either re-directed to emergency response or otherwise unable to progress work, for example due to the unavailability of the workplace. Therefore, work on these, and other priorities identified during 2020 and set out within the report, would be completed during 2021. Nevertheless, good progress was made in the following areas during the year, as detailed in the submitted report:
· Many of the actions from the 2019 ICO Consensual Data Protection Audit had been implemented or were in the process of being implemented. The ICO undertook a follow-up audit in December 2019 and its report was attached at Appendix 1 to the submitted report.
· A key priority from the audit was to address procedural and resourcing issues around statutory information requests, notably Subject Access Requests. While some progress was made on this during the year, a significant backlog remained. However, plans were in place to address this issue and there could be some confidence that the issue would be resolved this year.
· Another key priority was improving control over physical access to buildings to mitigate data breach or loss through unauthorised access. COVID-19 affected this risk in two ways: significantly restricting access to buildings, and requiring the Council to clear all paper from office spaces, with over one million pieces of paper being removed from the Civic Campus during the year.
· Revised physical access arrangements would be put in place for re-occupation and communicated in the re-induction that employees would undertake prior to returning in September.
· This method would also be used to communicate the revised information governance framework.
· The Council was in the process of moving to Microsoft 365, which would provide the opportunity to put in place appropriate controls and retention of email.
· An internal audit of the Council’s CCTV arrangements was underway, which would inform the Council’s plan to implement a single approach across all schemes.
Other areas covered in the submitted report included:
· Progress on the Information Strategy, including the policy register and the policies updated during the year.
· Changes to information asset registers in the year, which were minimal. A data quality audit within Children’s Services during the year yielded substantial assurance, in line with ongoing improvements in that Directorate.
· A significant amount of data sharing took place during the year as part of the pandemic response, together with a significant amount of data analysis. This should build confidence in both disciplines going forward.
· Information security, principally cyber security, and the cyber-attack on Redcar and Cleveland Borough Council and Middlesbrough Council’s positive response.
· The significant escalation in global cyber security risk during 2020 due to SolarWinds and other attacks, and the actions the Council was taking to address this increased risk while dealing with the significant impact of COVID-19 on ICT, which was handled very well.
· Significant improvements were made to the Council’s mail and print operation during the year, with controls around printing implemented and a ‘mail from desktop’ solution now in place.
· Protection matters, including the impact of exiting the EU and data protection incidents during the year.
· Incidents increased overall, particularly disclosures in error, some of which were likely attributable to additional and new work associated with the pandemic response. However, the severity of incidents dropped, with no incidents reported to the ICO in the year.
· Statutory information requests showed significant growth in the year, but driven by CCTV disclosure rather than by FOI/EIR as in previous years. The volume of FOI/EIR requests and the timeliness of responses fell due to the pandemic, and steps would be taken to recover performance this year.
· The Council launched an Open Data site in the year to pre-empt data-based requests. This now had 1,000+ datasets on it and was regularly refreshed.
· The Council continued to receive a number of complex and interrelated requests related to major projects and associated political decisions. Some requests also sought information for which Members themselves were the data controller, and steps would be taken this year to provide Members with additional guidance and training on these issues.
· Surveillance powers, particularly RIPA powers, were not used during the year. The Council was subject to a desktop inspection from the IPCO, the outcome of which was attached at Appendix 2 of the submitted report.
· A comprehensive surveillance policy covering CCTV, RIPA, non-RIPA covert surveillance and employee surveillance would be developed this year, and from next year surveillance would be the subject of a separate annual report.
· Considering all of this, the Council’s information risk register had been updated and was attached at Appendix 3 to the submitted report.
In overall terms, the Council’s risk profile was broadly stable, but the Council needed to maintain vigilance in relation to cyber security, as well as completing activity to permanently mitigate risks relating to breach of data rights and unauthorised access, and compliance with surveillance law.

Key priorities for 2021 to address the issues and risks outlined in the report were as follows:
· Continue monthly monitoring of the Council’s cyber security posture and improvements, and undertake a staff phishing exercise.
· Implement the outstanding recommendations from the ICO Consensual Data Protection Audit.
· Launch the Council’s revised Information Governance Framework to staff as part of the post-pandemic re-induction process, and enhance Elected Member training on information governance.
· Continue to improve the Council’s responsiveness to information requests through the provision of real-time dashboards for senior managers.
· Agree physical security policy and procedures for the Council’s office estate, implementing changes for re-induction and advising on the design of the Council’s new Headquarters (HQ).
· Agree a position in respect of digitising or rehousing the Council’s historic paper records as part of the new HQ project.
· Complete and implement the revised Surveillance Policy and the actions from the forthcoming audit of CCTV.
· Ensure that key ICT projects for 2021, including the migration to Microsoft Office 365 and the review of the Council’s website, are aligned with the Information Governance Framework and progress the aims of the Council’s Information Strategy.

Key messages would continue to be communicated to staff via re-induction, staff training, Information Asset Owners and other means in order to ensure improved information risk management.
Responding to Members’ queries in relation to the number of visits to the Open Data site and outstanding Subject Access Requests, Officers agreed to provide detailed information post-meeting.

The Director of Finance confirmed that Middlesbrough Council had not had any financial liabilities in respect of the cyber-attack, or the response to it, at Redcar and Cleveland Borough Council.

In relation to the number of staff responding to FOIs, it was confirmed that there were two members of staff who triaged requests to the relevant officers.

It was clarified that employees working from home had received advice and guidance in relation to data protection in order to minimise risk.

Prior to the COVID-19 pandemic lockdowns, Middlesbrough Council staff were already used to agile working procedures.
AGREED as follows:
1. The information provided was received and noted.
2. Details of the number of visits to the Open Data site and outstanding Subject Access Requests would be circulated to Committee Members.