The Information Governance Manager gave a PowerPoint presentation on Information Governance. Information Governance was an over-arching term used to cover managing information that was held in any form, including its creation, handling, sharing, storing and disposal.
Information Governance was not solely about reducing the risk to the Council, it was also about transformation for the future. Benefits included shared knowledge, reduction of physical and electronic storage, enabling secure mobile and home working, reducing the risk of releasing confidential information and providing a better service to the public.
The Council, Elected Members, employees and partner organisations all had a duty to ensure that both business and personal information was dealt with legally, securely, efficiently and effectively, in order to deliver the best possible services. It was vital to get people to take ownership and responsibility to deal with information securely and legally. In some cases people became immune to the sensitivity of the data they were working with and forgot how sensitive it was.
The Information Commissioner (ICO) had the power to issue monetary penalties of up to £500,000 for breaches of information and data security. Examples of penalties issued and prosecutions completed were highlighted in the presentation. So far over £1 million in fines had been issued to Local Authorities. The ICO publicised details of breaches and prosecutions to encourage people to take data security more seriously.
The two major issues identified within the Council were that there was no mandatory training on information governance and control, and that nobody was responsible for the risk to the Authority for information governance issues and security. The Council had now appointed a Senior Information Risk Owner and Information Governance Manager. The Senior Information Risk Owner was responsible for setting strategic direction to ensure accountability throughout the Council. The Information Governance Manager's role was to develop corporate standards and policies and provide operational advice and guidance to staff.
To date there had been two significant incidents within Middlesbrough Council and fifty incidents overall during 2012. In response to the significant incidents, the Council completed an investigation and sent an Action Plan to the ICO. The ICO agreed not to issue mandatory penalties.
An E-Learning programme was now available for all staff and an Information Strategy was being developed. Managers were responsible for ensuring that all staff undertook the training and the target for completion was the end of June 2013. An Incident Management Plan had been established to promote the fact that staff needed to report incidents and to raise awareness. Spot checks on desks and computer screens were also taking place. An Information Working Group had been established with a remit of agreeing an ongoing programme of work to improve Information Governance in all departments.
The Information Governance Team was developing a corporate information sharing protocol. The Council now worked with more partners than ever before and commissioned services from other organisations. Agreements would be put in place to ensure that information was shared securely and personal and confidential information was not shared with third parties.
During 2012 there had been 42 data protection and subject access requests and 1064 freedom of information and environmental information requests. There had been 24 Regulation of Investigatory Powers Applications (RIPA) and 52 information security incidents. The majority of RIPA applications had been for investigation of illegal cigarette and tobacco sales.
A tile had been published on the Lotus Notes system for all staff and Members providing further information, guidance and contact numbers for Information Governance.
AGREED that the information provided be received and noted.