Agenda item

Annual Report of the Senior Information Risk Owner (SIRO)


A report of the Interim Head of Governance Policy and Information was presented to advise the Corporate Affairs and Audit Committee of arrangements in place to ensure the proper governance of information within the Council, progress made within the 2022 calendar year, risks and issues arising, and priorities for 2023.


The Council must create, protect, manage, share and disclose information in line with a complex legal framework.  The report dealt principally with information governance arrangements relating to the following, and the risks arising from:


- Data Protection Act 2018 (DPA);
- UK General Data Protection Regulation 2016 (UK GDPR);
- Privacy and Electronic Communications Regulations 2003 (as amended);
- Environmental Information Regulations 2004 (EIR);
- Freedom of Information Act 2000 (FOI);
- Regulation of Investigatory Powers Act 2000 (RIPA); and
- Protection of Freedoms Act 2012 (PoFA).


The Council’s activity in this area was largely regulated by the Information Commissioner’s Office (ICO), with the Investigatory Powers Commissioner’s Office (IPCO) acting as the regulatory body for RIPA and compliance with the Surveillance Camera Code of Practice and the relevant provisions of PoFA encouraged by the Biometrics and Surveillance Camera Commissioner.


The Interim Head of Governance Policy and Information acted as the Council’s Senior Information Risk Owner (SIRO)/Senior Responsible Officer (SRO) for Biometrics and Surveillance and RIPA, and was the owner of the Council’s Information Strategy.  The SIRO advised the Chief Executive and the Council’s management team on information risk, reporting quarterly to the internal risk management group and annually to Leadership Team and to the Corporate Affairs and Audit Committee.


The submitted report provided an overview of compliance, issues and risks in 2022 in the following areas:


- ICO Consensual Audit 2019 and 2020 recommendations.
- Information Governance Framework.
- Statutory Information Requests.
- Physical Access.
- Surveillance Policy.


Performance reporting showed an increase in FOI/EIR compliance and Members noted this positive improvement.


During 2023 a refreshed approach to Information Strategy would be developed alongside the refresh of the Strategic Plan to ensure the operational aims of the Council aligned with the Strategic vision set by Members.


The Council’s information asset registers were significantly developed in previous years and reviewed/consolidated with UK GDPR ‘Records of Processing Activity’ in 2019/20.  Various in-year updates by individual Information Asset Owners would need to be merged with changes as a result of the Council’s accommodation strategy, bulk transfer of records to digital formats, procurement of electronic systems – including the SharePoint Online migration and decommissioning of others.


In relation to Information Security, details of the numbers of personal data breaches and ICT/other security incidents were provided at paragraph 17 of the submitted report.  Only two personal data breaches were reported to the ICO in 2022.  Reported personal data breaches had decreased by 20% on the previous year, whilst ICT/other security incidents had increased, largely owing to more reports of lost or stolen ICT hardware devices.  An update on actions taken in relation to Cyber Security and Records Management was also detailed in the submitted report.  The Council had a list of 16 countries from which internet traffic was blocked, following guidance from the National Cyber Security Centre.


The Council’s data protection activity over 2022 had involved strengthening governance of mandatory training and internal guidance, transparency obligations, information sharing arrangements, compliance checks on contractors and others, and data protection impact assessments (DPIA). Mandatory training compliance had improved with more directorates achieving and maintaining a rolling 95% of staff completions.  The Council’s suite of privacy notices had become more granular in line with ICO guidance and over 70 operational notices were now being maintained for individual services and thematic local authority functions.


A number of detailed agreements with a wide variety of partner organisations across various sectors, had been reviewed and updated or put in place to support lawful and ethical information sharing as part of normal service delivery.


Changes to streamline the DPIA process had ensured that a balance was maintained between the efficiency of business management and the efficacy of risk controls.  Similarly, the approach to legally required compliance checks and contracts with suppliers and others had been streamlined and diversified to make sure that checks were proportionate and targeted where needed.


The key priority during 2023 would be to refresh the Information Strategy of the Council.  As referenced within the body of the report, the refresh was timed so that the new strategy reflected the refreshed strategic plan vision of the Council, which would be delivered in 2023.


The second priority of the organisation would be the successful delivery of transition to SharePoint.  SharePoint would transform how the Council stored, shared and used data on a day-to-day basis.  Information governance considerations were embedded within the scope of the project to ensure that the benefits of SharePoint were maximised while ensuring a robust approach to information governance and security.


AGREED as follows that the Corporate Affairs and Audit Committee:

1.     noted the position in respect of information risk set out in the report.

2.     would be provided with the list of 16 countries from which internet traffic was currently blocked.
