Agenda item

Annual Report of the Senior Information Risk Owner (SIRO)


A report of the Head of Strategy, Information and Governance was presented to advise the Corporate Affairs and Audit Committee of arrangements in place to ensure the proper governance of information within the Council, progress made within the 2021 calendar year, risks and issues arising, and priorities for 2022.


The report provided assurance to the Committee that information governance (IG) policy and practice within the Council was in line with legal obligations, and consistent with the principles of good governance.


The last annual report to this Committee (29 April 2021) set out eight key priorities to reduce information risk for the 2021 calendar year and beyond.   During this period the COVID-19 pandemic persisted, and again associated restrictions resulted in some delays to planned activity, as relevant employees were either re-directed to emergency response or otherwise unable to progress work, for example, due to the unavailability of the workplace.


As such, work on these, and other priorities identified during 2021 and set out within this report, would complete during 2022.  Nevertheless, good progress was made in many areas during the year, as summarised in the submitted report, including:


  • Cyber security posture.
  • ICO consensual audit.
  • Information Governance Framework.
  • Statutory Information Requests.
  • Physical access.
  • Historic paper records.
  • Surveillance Policy.
  • Alignment of major ICT projects and information governance requirements.
  • Information Strategy progress.
  • Changes to information asset registers.
  • Information security.
  • Cyber security.
  • Records management.
  • Data protection.
  • Surveillance.
  • Information Requests.
  • Assessment of information risk.


Key priorities for 2022 to address the issues and risks outlined in the report were as follows:


  • review the Council’s approach to cyber security and continuity/ recovery plans in line with changes to National Cyber Security Centre guidance and the Government’s National Cyber Strategy for 2022-2030, focusing on zero-day, internet-facing application and supply chain attacks, particularly in view of the ongoing situation in Ukraine.


  • continue to improve the Council’s responsiveness to information requests through use of enhanced 365 tools and increased resourcing of the central team.


  • continue to improve the Council’s surveillance practice by implementing in full the provisions of the Surveillance Policy.


  • develop an Integrated Operations Strategy for the Council, fully aligning all existing operational strategies including the Information and ICT strategies.


  • launch the Council’s revised Information Governance Framework to staff, focusing in particular on those with specific roles in the framework – IAOs, system owners and Information Asset Assistants.


  • ensure that the move to and operation of Fountain Court is undertaken in line with the Council’s Premises Security and Access policy to avoid loss of or unauthorised access to information.


  • ensure that key ICT projects for 2022 including the migration from the Council’s existing EDRMS to Microsoft SharePoint and the review of the Council’s website are fully aligned with the Information Governance Framework and progress the aims of the Council’s Information Strategy.


The Committee were advised that the Annual CCTV report would be presented to the Committee when completed.


Key messages would continue to be communicated to staff via re-induction, staff training, Information Asset Owners and other means in order to ensure improved information risk management.


AGREED that the report was received and noted.

Supporting documents: