The Annual Report of the Senior Information Risk Owner was presented to advise Corporate Affairs and Audit Committee of arrangements in place to ensure the proper governance of information within the Council, progress made within the last year, risks and issues arising, and priorities for the next twelve months.
The report aimed to provide assurance to the Committee that information governance policy and practice within the Council was in line with legal obligations, and consistent with the principles of good governance. The Council held a significant amount of information about Middlesbrough and its residents. In line with the forthcoming Information Strategy, the Council would continue to ensure that the right information was made available to the right users (including local communities and partners) at the right time, to support the achievement of its aims and priorities.
The Council was subject to a range of legal obligations in relation to Information Governance, most notably under the Data Protection Act 1998 (DPA), Freedom of Information Act 2000 (FOI), and the Environmental Information Regulations 2004 (EIR), the details of which were provided in the submitted report.
The legal framework for data protection would be updated with the advent of the European Union's General Data Protection Regulation (GDPR), which would come into force on 25 May 2018, replacing existing EU directives and overriding the DPA. GDPR provided a number of rights for individuals which would bring significant impacts for all data controllers and processors.
The work of the Council involved several discrete data controllers, all of whom had individual legal responsibilities under GDPR: the Council as a corporate body, Elected Members, the Local Safeguarding Children Board; the Local Safeguarding Adults Board; the Youth Offending Team; the Electoral Registration Officer and Registrars.
Under GDPR the size of potential fines would increase significantly, from £500,000 to up to £20 million for serious breaches.
An organisation chart detailing the Council's Information Governance Framework, under which all corporate information assets were managed, was included at paragraph 15 of the submitted report.
The Council had a range of policies and procedures in place to promote compliance with the law and best practice in relation to Information Governance. This information was published on the Council's intranet and would be reviewed in line with General Data Protection Regulation (GDPR). All staff with access to a device were required to undertake mandatory Information Governance training as part of their induction process. The training was recently refreshed and had been completed by 2,070 employees and partners. Managers were supported to train those staff without access to a device.
The Council submitted its self-assessment against v.14 of the Information Governance Toolkit to NHS Digital in March 2017. Arrangements were assessed as 'satisfactory, with improvement plan' at 67%. Half of north east Councils have achieved an overall 'satisfactory' rating to date. The key area for improvement for the Council related to the use of NHS numbers in all applicable systems. Work was ongoing to ensure that at least 90% of care records included the client's NHS number. The Council would make its 14.1 Information Governance Toolkit submission by the end of March 2018.
In September 2017, LMT agreed the development of a new asset based Information Strategy, supported by digital solutions, to allow the Council to fully exploit its data in pursuit of its objectives. In the support of the development and implementation of this strategy, all Information Governance functions were transferred to the Head of Strategy, Information and Governance, who was also designated as SIRO. Both the SIRO and designated deputy had now been trained to the level required by the Information Governance Toolkit.
Following the transfer, the Tees Valley Audit and Assurance Service (TVAAS), was commissioned to undertake a review of GDPR preparedness by the new SIRO, with findings to be reported to a future meeting of the Corporate Affairs and Audit Committee. Since the review was commissioned, a project plan for GDPR had been put in place, supported by a multi-disciplinary team. The majority of the remaining recommendations from the review would be addressed in the delivery of this project. In addition, a dedicated Data Protection Officer had been appointed to lead on this issue from March 2018.
Following the 'WannaCry' ransomware attack on the NHS last year, the Council's ICT team assessed the risk to the Council and took further steps to mitigate the likelihood of a successful attack on the Council's network. Significant work had also been undertaken to improve the Council's disaster recovery capability. Work had also been undertaken to embed the approach to privacy impact assessment required under GDPR for all new systems, with nine completed. The Head of ICT Service had provided assurance of the Council's compliance with the National Cyber Security Centre's '10 Steps to Cyber Security' guidance. Further work would be undertaken in 2018 to assess cyber security risks in relation to infrastructure and current and planned applications.
During 2017, 48 data protection incidents were reported to the Information Governance and Compliance Team for investigation, compared with 52 in 2016. Of these, 4 were reported to the Information Commissioner's Office (ICO) because it was judged that they met the reporting threshold, compared with 1 in 2016. Those incidents comprised two instances of data posted to the incorrect recipient, one theft of paperwork from a third party provider to the Council, and one cyber security misconfiguration. None of these were acted upon by the ICO.
The importance of raising awareness amongst staff in relation to reporting incidents immediately was highlighted. The new criteria for reporting stipulated that incidents must be reported within two hours.
To put this in context, during 2016/2017 around 2,400 incidents were reported to the ICO across all sectors, a 26.5% increase on the previous year, with nine incidents resulting in a financial penalty. 10.3% of incidents were received from local government, a slight rise from the previous year. This, and the Council's understanding of the position within neighbouring local authorities, suggested that the Council was disproportionately represented in the ICO's data and this issue would be reviewed further in 2018.
The majority of all reported incidents were due to human error, rather than cyber-attack or common theft; over 50% of incidents within the Council were the result of data being incorrectly sent to the wrong recipient. Information on common breach causes had been used to create the 'Information Governance is ACE' campaign for all staff, and to date the video had been viewed 700 times.
Implementation of the Council's forthcoming Digital Strategy would provide opportunities to reduce such human error considerably, not least through the reduction in paper records. The Council currently had over 20m sheets of paper archived at several different locations. Though there was limited concern while this material was at rest, the ongoing reconfiguration of the Council's operational estate meant that much of the material was likely to be in transit over the next year. This would need to be carefully managed. Retention schedules and the forthcoming strategy would see this volume of records diminish over time.
There was no national benchmarking data on numbers of information requests received by local authorities, but as many were sent to all or groups of local authorities, it was reasonable to assume that the numbers received by the Council were not uncommon. Overall, the number received by the Council rose 9% in 2017, largely attributable to the significant increase in EIRs relating to certain land and property transactions involving the Council.
The volume of information requests placed a considerable burden on all of those involved in responding to them. Despite this, the timeliness of responses to FOI and EIR requests exceeded the current UK Government average. SARs and FOI reviews were historically less timely due to the level of complexity involved. The focus going forward would be to reduce the number of requests by proactively publishing commonly requested information on the 'Open Data' section of the Council's website.
In summary, current arrangements were largely satisfactory in relation to current requirements, but a significant amount of work was required within a short time-frame to ensure preparedness for GDPR. This work was now underway, and resources were available to support delivery.
Over the coming twelve months, the clear priority from an Information Governance perspective was to ensure that plans to ensure compliance with GDPR were effectively implemented and communicated, focussing on updating policies and procedures and staff training. The Constitution and Members' Development Committee would be asked to consider whether, given their status as data controllers, all Elected Members should be required to undertake mandatory information governance training.
Once in post, the Data Protection Officer would assume responsibility for this work, reporting to the SIRO. In the interim, work would be led directly by the SIRO. It was anticipated that the Council would need to report progress to the ICO and other regulators such as the Care Quality Commission during the year, and TVAAS would undertake a follow-up review as part of the 2018/2019 Audit Plan. This activity was key to addressing the principal information governance risk currently facing the Council. The Information Risk Register would be updated in 2018 in line with the output from work on GDPR, and the review of cyber security arrangements outlined above.
Work would also continue to develop and implement a new Information Strategy for the Council, supported by a restructured Strategy, Information and Governance Service.
A review of data protection breach investigations would be undertaken and lessons disseminated across the organisation. Plans within the Council's forthcoming Digital Strategy, including an upgrade of the Council's Electronic Document and Records Management System and the implementation of digital mail and the scanning strategy would do much to eliminate incidents arising from human error.
Management information relating to information requests would be improved significantly, and used to inform the proactive publication of datasets to reduce the burden of response on the organisation.
AGREED as follows that:
1. the report was received and noted.
2. the Committee endorsed a proposal to request the Constitution and Members' Development Committee to consider whether all Elected Members should be required to undertake mandatory information governance training.