Corporate Affairs and Audit Committee Minutes

Corporate Affairs and Audit Committee Minutes

Thursday 8 February 2018
3:30 p.m.
Mandela Room, Town Hall, Middlesbrough

Attendance Details

D Rooney, (Chair), Brady, Lewis, Walkington, Walters, Rathmell (As Substitute for Councillor Hubbard)
Councillor McGloin
J Bromiley, L Henman, D Johnson, A Johnstone, S Lightwing, P Schofield, M Shepherd, J Shiel, P Stephens
Apologies for absence:
were submitted on behalf of Councillor Hubbard
Declarations of interest:

There were no Declarations of Interest at this point in the meeting

Item Number Item/Resolution

The minutes of the meeting of the Corporate Affairs and Audit Committee held on 7 December 2017 were taken as read and approved as a correct record.


The Chair made the following statement and requested that it was minuted:


"It is extremely disappointing that a Councillor who has applied as a substitute to this Committee has decided he does not need to attend the required training.  It is noted that every other Member of the Committee has taken this responsibility seriously.  By declining the training, Councillor Rathmell has demonstrated contempt for the Committee, its Members and Officers."


A joint report of the Strategic Director Finance, Governance and Support and the Director of Environment and Commercial Services was presented to provide an annual review of the corporate approach to the management of Health and Safety. The report included details of the outcome of a service review and the subsequent action plan created to improve the effectiveness of Health and Safety within the Council.

The report aimed to provide assurance to the Corporate Affairs and Audit Committee that Health and Safety and Health and Wellbeing policies and practices within the Council were in line with legal obligations and consistent with the principles of good practice.

Health and Safety management was the collective responsibility of all Elected Members and Officers of the Council. The Council's approach to Health and Safety management was articulated through the Health and Safety Policy. The Health and Safety Policy defined the Council's legal duty, outlined the objectives and benefits of effective Health and Safety management and set out the different roles and responsibilities held by Elected Members, Managers, Employees and the Health and Safety Unit. In addition to the Policy, the Corporate Health and Safety Committee, chaired by an Executive Member, met on a quarterly basis.

Operational Health and Safety procedures, risk assessments, method statements and the reporting of accidents or near miss incidents were recorded through the use of standardised documentation.

In January 2017 the Health and Safety Unit transferred from Human Resources to the Strategic Asset Management team within the Directorate of Environment and Commercial Services. A review of the Service was undertaken and a new Health and Safety Manager was appointed in October 2017 to provide effective management and leadership of the team. The Manager was supported by four generic Health and Safety Advisors (2.5 FTEs).

As well as the Corporate Health and Safety Committee, the Council had three Joint Consultative Committees within Education, Social Care, and Environment and Commercial Services. Health and Safety was also an agenda item at the regular Corporate Trade Union meetings. Further work would be undertaken to understand the effectiveness of those forums in strengthening the culture of health and safety across the organisation. LMT had agreed to include Corporate Health and Safety as an agenda item to be regularly discussed and continue this theme through their own DMTs and SMTs to demonstrate that health and safety was a strategic driver and part of the organisation's culture.

A Health and Safety presentation had been developed for Executive Leaders to refresh them on their understanding of their legal duty in ensuring Health and Safety was an important part of the organisation's culture and governance. Meetings had been held with colleagues from Policy and Performance to develop a risk register and performance information that would provide clear oversight of Health and Safety management within the organisation.

Further work would be undertaken in 2018/2019 and an Action Plan had been developed, a copy of which was attached at Appendix 1 to the submitted report. In relation to the Action Plan it was highlighted that where commercial opportunities with academies and other external clients existed, they would be evaluated and developed where possible throughout the year.


With regard to Health and Wellbeing, the Council's Managing Health and Wellbeing Policy and procedures provided the framework for the range of health and wellbeing services currently offered to employees. Sickness absence rates were high with an outturn figure for 2016/2017 as 9.59 FTE (4.32%) and had continued to rise throughout 2017 with an expected outturn for 2017/2018 estimated at around 10.68 FTE.   (It was clarified post-meeting that the target for 2017/2018 was set at 4.69% of lost working time to take account of the implementation of the new HR Pay system).


It was noted that from April 2018, Managers would take responsibility for inputting sickness absence information directly into the portal. Whilst HR continued to work closely with managers to reduce sickness absence levels it was recognised that there would be a transition stage with managers inputting sickness absence and checks would be in place to assess any impact.

The Council signed up to the Extra Life initiative in 2017 which sought to address health inequalities in Middlesbrough, increase life expectancy rates and offered health improvement opportunities aimed at reducing preventable, long term illnesses. As an employer, the Council had achieved 'Continuing Excellence' standard in the North East Better Health at Work Awards and was seeking to improve the health and wellbeing offer for its employees.


It was confirmed that the Staff Health Survey that had been carried out was entirely voluntary for employees and responses were anonymised. The results of the survey would be used to inform health and wellbeing initiatives throughout the year.

Details of Health and Wellbeing activities offered in 2017/2018 and those planned for 2018/2019 were listed in the submitted report.

The proposed approach to Health and Safety and Health and Wellbeing would ensure that Corporate Health and Safety and Human Resources provided the Council with guidance and advice, with effective oversight of the organisation's management approach, while effectively empowering managers and employees to own Health and Safety and Health and Wellbeing in line with the Middlesbrough Manager/employee model, focussed on empowerment and enabling self-serve.

AGREED as follows that:

1. The outcome of the Annual Review and content of the report was received and noted.
2. The proposed Health and Safety Action Plan 2018/2019 was endorsed.


The Annual Report of the Senior Information Risk Owner was presented to advise Corporate Affairs and Audit Committee of arrangements in place to ensure the proper governance of information within the Council, progress made within the last year, risks and issues arising, and priorities for the next twelve months.

The report aimed to provide assurance to the Committee that information governance policy and practice within the Council was in line with legal obligations, and consistent with the principles of good governance. The Council held a significant amount of information about Middlesbrough and its residents. In line with the forthcoming Information Strategy, the Council would continue to ensure that the right information was made available to the right users (including local communities and partners) at the right time, to support the achievement of its aims and priorities.

The Council was subject to a range of legal obligations in relation to Information Governance, most notably under the Data Protection Act 1998 (DPA), Freedom of Information Act 2000 (FOI), and the Environmental Information Regulations 2004 (EIR), the details of which were provided in the submitted report.

The legal framework for data protection would be updated with the advent of the European Union’s General Data Protection Regulation (GDPR) which would come into force on 25 May 2018, replacing existing EU directives and overriding the DPA. GDPR provided a number of rights for individuals which would bring significant impacts for all data controllers and processors.


The work of the Council involved several discrete data controllers, all of whom had individual legal responsibilities under GDPR: the Council as a corporate body, Elected Members, the Local Safeguarding Children Board; the Local Safeguarding Adults Board; the Youth Offending Team; the Electoral Registration Officer and Registrars.


Under GDPR the size of potential fines would increase significantly, from £500,000 to up to £20 million for serious breaches.


An organisation chart detailing the Council’s Information Governance Framework, under which all corporate information assets were managed, included at paragraph 15 of the submitted report.


The Council had a range of policies and procedures in place to promote compliance with the law and best practice in relation to Information Governance. This information was published on the Council's intranet and would be reviewed in line with General Data Protection Regulation (GDPR). All staff with access to a device were required to undertake mandatory Information Governance training as part of their induction process. The training was recently refreshed and had been completed by 2,070 employees and partners. Managers were supported to train those staff without access to a device.

The Council submitted its self-assessment against v.14 of the Information Governance Toolkit to NHS Digital in March 2017. Arrangements were assessed as 'satisfactory, with improvement plan' at 67%. Half of north east Councils have achieved an overall 'satisfactory' rating to date. The key area for improvement for the Council related to the use of NHS numbers in all applicable systems. Work was ongoing to ensure that at least 90% of care records included the client's NHS number. The Council would make its 14.1 Information Governance Toolkit submission by the end of March 2018.

In September 2017, LMT agreed the development of a new asset based Information Strategy, supported by digital solutions, to allow the Council to fully exploit its data in pursuit of its objectives. In the support of the development and implementation of this strategy, all Information Governance functions were transferred to the Head of Strategy, Information and Governance, who was also designated as SIRO. Both the SIRO and designated deputy had now been trained to the level required by the Information Governance Toolkit.

Following the transfer, the Tees Valley Audit and Assurance Service (TVAAS), was commissioned to undertake a review of GDPR preparedness by the new SIRO, with findings to be reported to a future meeting of the Corporate Affairs and Audit Committee. Since the review was commissioned, a project plan for GDPR had been put in place, supported by a multi-disciplinary team. The majority of the remaining recommendations from the review would be addressed in the delivery of this project. In addition, a dedicated Data Protection Officer had been appointed to lead on this issue from March 2018.

Following the 'WannaCry' ransomware attack on the NHS last year, the Council's ICT team assessed the risk to the Council and took further steps to mitigate the likelihood of a successfully attack on the Council's network. Significant work has also been undertaken to improve the Council's disaster recovery capability. Work had also been undertaken to embed the approach to privacy impact assessment required under GDPR for all new systems, with nine completed. The Head of ICT Service had provided assurance of the Council's compliance with the National Cyber Security Centre's '10 Steps to Cyber Security' guidance. Further work would be undertaken in 2018 to assess cyber security risks in relation to infrastructure and current and planned applications.

During 2017, 48 data protection incidents were reported to the Information Governance and Compliance Team for investigation, compared with 52 in 2016. Of these, 4 were reported to the Information Commissioner's Office (ICO) because it was judged that they met the reporting threshold, compared with 1 in 2016. Those incidents comprised two instances of data posted to the incorrect recipient, one theft of paperwork from a third party provider to the Council, and one cyber security misconfiguration. None of these were acted upon by the ICO.

The importance of raising awareness amongst staff in relation to reporting incidents immediately was highlighted. The new criteria for reporting stipulated that incidents must be reported within two hours.

To put this in context, during 2016/2017 around 2,400 incidents were reported to the ICO across all sectors, a 26.5% increase on the previous year, with nine incidents resulting in a financial penalty. 10.3% of incidents were received from local government, a slight rise from the previous year. This, and the Council's understanding of the position within neighbouring local authorities, suggested that the Council was disproportionately represented in the ICO's data and this issue would be reviewed further in 2018.

The majority of all reported incidents were due to human error, rather than cyber-attack or common theft - over 50% of incidents within the Council were the result of data being incorrectly sent to the wrong recipient. Information on common breach causes had been used to create the 'Information Governance is ACE' campaign to all staff and to date the video had been viewed 700 times.

Implementation of the Council's forthcoming Digital Strategy will provide opportunities to reduce such human error considerably, not least through the reduction in paper records. The Council currently has over 20m sheets of paper archived at several different locations. Though there was limited concern while this material was at rest, the ongoing reconfiguration of the Council's operational estate meant that much of the material was likely to be in transit over the next year. This would need to be carefully managed. Retention schedules and the forthcoming strategy would see this volume of records diminish over time.

There was no national benchmarking data on numbers of information requests received by local authorities, but as many were sent to all or groups of local authorities, it was reasonable to assume that the numbers received by the Council was not uncommon. Overall, the number received by the Council rose 9% in 2017, largely attributable to the significant increase in EIRs relating to certain land and property transactions involving the Council.

The volume of information requests placed a considerable burden on all of those involved in responding to them. Despite this, the timeliness of responses to FOI and EIR requests exceeded the current UK Government average. SARs and FOI reviews were historically less timely due to the level of complexity involved. The focus going forward would be to reduce the number of requests by proactively publishing commonly requested information on the 'Open Data' section of the Council's website.

In summary, current arrangements were largely satisfactory in relation to current requirements, but a significant amount of work was required within a short time-frame to ensure preparedness for GDPR. This work was now underway, and resources were available to support delivery.

Over the coming twelve months, the clear priority from an Information Governance perspective was to ensure that plans to ensure compliance with GDPR were effectively implemented and communicated, focussing on updating policies and procedures and staff training. The Constitution and Members' Development Committee would be asked to consider whether, given their status as data controllers, all Elected Members should be required to undertake mandatory information governance training.

Once in post, the Data Protection Officer would assume responsibility for this work, reporting to the SIRO. In the interim, work would be led directly by the SIRO. It was anticipated that the Council would need to report progress to the ICO and other regulators such as the Care Quality Commission during the year, and TVAAS would undertake a follow-up review as part of the 2018/2019 Audit Plan. This activity was key to addressing the principal information governance risk currently facing the Council. The Information Risk Register would be updated in 2018 in line with the output from work on GDPR, and the review of cyber security arrangements outlined above.

Work would also continue to develop and implement a new Information Strategy for the Council, supported by a restructured Strategy, Information and Governance Service.

A review of data protection breach investigations would be undertaken and lessons disseminated across the organisation. Plans within the Council's forthcoming Digital Strategy, including an upgrade of the Council's Electronic Document and Records Management System and the implementation of digital mail and the scanning strategy would do much to eliminate incidents arising from human error.

Management information relating to information requests would be improved significantly, and used to inform the proactive publication of datasets to reduce the burden of response on the organisation.

AGREED as follows that:

1.   the report was received and noted.

2.   the Committee endorsed a proposal to request the Constitution and Members' Development Committee to consider whether all Elected Members should be required to undertake mandatory information governance training.


A report of the Strategic Director Finance, Governance and Support was presented for Members of the Corporate Affairs and Audit Committee to review and approve the Council's Anti-Money Laundering Policy and Procedures.

The Internal Audit Report on the Counter Fraud and Policy Framework was received by the Committee on 7 December 2017 and recommended that the Council's approach to anti-money laundering was reviewed and made available to staff on the intranet. A copy of the proposed Anti-Money Laundering Policy and Procedure was attached to the submitted report for the Committee's consideration and approval.

The Policy included references to the most recent legislation which the Government kept under review to ensure that controls existed to minimise money laundering activity and funding of terrorism. The Council was exposed to relatively low risk of money laundering activity, however it was important that staff were aware of the Policy as there was an obligation placed on everyone to report suspicions of money laundering or terrorist financing. It was an offence not to report such suspected activity.


Any suspicion of money laundering should be reported to the Head of Financial Governance and Revenues using the appropriate reporting form.

When approved, the Policy would be publicised to all staff via the weekly bulletin and added to the Intranet for reference. Staff handling cash, who were most likely to be exposed to money laundering activity, would have the policy specifically drawn to their attention. The Policy would be reviewed in three years' time, notwithstanding any change to current legislation.

Fraud awareness training for relevant staff would be provided by the Council's bankers: Nat West, before the end of the current financial year.

AGREED that the Anti-Money Laundering Policy and Procedures were approved.


A report of the Director of Finance, Governance and Support was presented to report the outcome of the annual review of the Local Code of Corporate Governance.  A copy of the local Code of Corporate Governance was attached to the submitted report at Appendix 1.


Regular reviews of the Code were necessary to ensure that the Council was assessing its governance arrangements against industry best practice as described by CIPFA relevant codes of practice.  The annual review schedule was in place to ensure that changes to the relevant codes of practice were quickly reflected within the code.


The Corporate Affairs and Audit Committee was advised that no changes were required to the local Code of Corporate Governance as a result of this annual review, as there had been no change to the CIPFA Solace guidance 'Delivering Good Governance' (2016) which was used to inform the current Code, adopted in 2017.  This was recommended since the current local Code of Corporate Governance already reflected recognised best practice and was in line with the Council's commitment to review the local Code in line with best practice as described by CIPFA Solace.


If agreed, the Annual Governance Statement, due to be provided to the Corporate Affairs and Audit Committee in May 2018 for consideration, would be an assessment against this local Code of Corporate Governance.   In addition, copies of the Code on the Council's intranet and website would be updated.


It was noted that a new report format had recently been rolled out across the Council and training would be provided for Officers on how to write good reports, setting out information clearly and including Equality Impact Assessments.

AGREED as follows that:

1.  The outcome of the Annual Review was noted.

2.  The current local Code of Corporate Governance was not amended as a result of the Review.


The Corporate Affairs and Audit Committee received a report and presentation which provided an update on the work of the Organisational Development (OD) Team. 


The need for an organisational development resource was identified as part of the Corporate Peer Review process and was subsequently included as an action in the Corporate Improvement Plan.  The OD function was set up in October 2016 with appointment of a Manager, who had since developed the OD Team to ensure it could meet the needs of the organisation.


The submitted report and presentation (attached at Appendix 1) detailed the nature of the OD related activities in relation to culture change, and the talent management and development that had taken place over the last 12 months and outlined the focus of the activities of the OD team for the next 12 months.


There were two main aspects to the organisational development work: driving and facilitating the organisational change needed through cultural engagement, whilst also ensuring robust performance management was in place, supported by an appropriately skilled workforce, with a strong talent pipeline to deliver future services that were fit for purpose.


Many of the objectives of the OD Team were included in the People Strategy, which was managed as a Level 1 Project via the Project Management Office.  However, the OD work extended beyond this in responding to individual service needs for interventions to improve team working and performance management and providing individual coaching to managers, where a specific need was identified.


The presentation provided information in relation to activities to support the delivery of organisational change through cultural engagement and work undertaken on talent management and workforce development over the past 12 months.  The presentation also focussed on OD activities for the next 12 months and its role in laying the foundations for the ambition of achieving the Sunday Times Best Companies to Work For in 2020.


Members also viewed the Corporate Engagement video as part of the presentation.


AGREED as follows that:

1.  The report and presentation were received and noted.

2.  The Corporate Affairs and Audit Committee noted and supported the planned OD activities for the next 12 months.

Powered by E-GENDA from Associated Knowledge Systems Ltd