Agenda item

Internal Audit 2012-13 Data Protection Act 1998 - Formal Written Response

·         To update Audit and Governance Committee Members formally on the actions and improvements undertaken, and those proposed to be undertaken, by the Knowledge and Information Service in response to the KPMG internal audit report dated 26th April 2013.

·         To update the Committee formally on the initial findings of the Information Commissioner's Office consensual data protection audit of 30th April – 2nd May 2013.

Minutes:

Further to minute 67 of the last meeting, the Committee received a report that provided a formal written response to the Internal Audit review of Data Protection dated 26 April 2013.  The report also highlighted the findings of the Information Commissioner’s Office (ICO) consensual Data Protection audit of 30 April - 2 May 2013.


The Equality, Human Rights and Partnership Manager, having recently taken on the management of this area, presented the report of the Knowledge and Information Services Manager.  The Committee was advised that the Information Governance Team had undertaken substantial work following the Internal Audit review, both in advance of the ICO audit and subsequently.  A number of recommendations overlapped and an action plan and programme of work had been developed.  Attention was drawn to the following areas:


1.       Personal data audit: An overview was provided of the actions undertaken and in progress, including the compilation of an Information Asset Register.


2.       Security breach incidents: It was noted that 80 Data Protection incidents had been logged since June 2012, with a further five reported since agenda publication.  The ICO had commented that the level of reporting was encouraging, as this reflected the high visibility of the new Information Governance Team and the fact that appropriate systems were in place to capture incidents.


It was reported that generic mandatory training was being developed, with further bespoke training for specific teams.  In particular, high priority would be given to training for Section 75 staff prior to their return into the Council from Wye Valley NHS Trust.


3.       Downloading sensitive and confidential data: A key piece of work was being undertaken to address both device and software security issues.


4.       Communication of Data Protection Act issues:  The Information Governance Team continued to develop relationships with management teams and representatives to develop broader understanding and points of contact for support.


In response to a question from a Committee Member, the Assistant Director People, Policy and Partnerships (hereafter 'Assistant Director' in these minutes) commented that two issues arose from staff movements and turnover.  Firstly, there was a need to ensure that individuals only had access to those systems they needed to use as part of their current roles; this would be addressed through strengthened HR processes.  Secondly, there was a need to ensure that mandatory training was completed within a short time of commencing a new role; this would be delivered and recorded through online modules.  It was acknowledged that further work was required on the eLearning platform.


A Committee Member commented that Councillors had to register as data controllers with the ICO for an annual fee and questioned whether this should be borne by Councillors themselves or by the authority.


A Committee Member said that managers had to take responsibility for their areas and staff needed to be held to account if they failed to fulfil their duties.  The Assistant Director said that the lack of mandatory training in this area was a significant issue for the authority, but this was being addressed and there would be much greater clarity about expectations going forward.  She added that organisational awareness and learning was essential; an example was given of a member of staff who had been responsible for a breach through human error but was now one of the best champions for information governance within the Council.  Nevertheless, some members of staff had been disciplined over serious breaches.


In response to a question from the Chairman, the Information Governance Principal Officer recognised that over 80 Data Protection incidents was a high number but it did reflect that the culture was changing and staff felt able to report incidents.  It was recognised that breaches involving private and personal information could cause significant distress and the authority was transparent about incidents that had occurred and did all it could to support affected individuals.


A Committee Member commented on a number of issues, including: reports should be written for as wide an audience as possible; a removable media policy would not be as effective as physically blocking ports on devices; a question was asked about Human Rights in terms of the protection of personal data; and a question was asked about the timescale for the 'Managing Information Safely' delivery plan.


In response, the Information Governance Principal Officer advised that: software was available to prevent unauthorised use of removable media and this was being explored by Hoople ICT; it was confirmed that the Human Rights Act 1998 included a 'right to privacy', although this was a qualified right in that the state could intervene in certain circumstances, such as to prevent disorder or crime; and the ICO had identified a timescale of March 2014, recognising that there was a lot of work and behavioural change required to ensure that improvements were embedded.


In response to a question from a Committee Member, the Assistant Director advised that the Council was expected to have an Information Asset Register; this should provide an understanding of the critical information held, how it was being held and for how long it was being held.  It was acknowledged that the use of the term 'asset' was a misnomer as there was no intrinsic value; the register was essentially a list of types of information and associated levels of security.


A Committee Member commented that information had to be secure and handled appropriately; nevertheless, there were potential risks for safeguarding if professionals could not get access to information and share it with other agencies.  The Assistant Director advised that Cabinet was to receive a report shortly about an opportunity to engage with the Public Sector Network (PSN), which enabled public sector organisations to use networking services across geographical boundaries, subject to stringent security standards; subject to approval, a West Midlands PSN would also provide opportunities for collective procurement.


The Chairman of the General Overview and Scrutiny Committee, referring to information held by retailers, commented that the public sector was lagging behind the private sector in terms of the collection, distribution and use of information.  He added that the key objective should be to get the right information, to the right people, at the right time.


The Chief Officer: Finance and Commercial noted: the comprehensive report and input from officers; the considerable work that had been undertaken by the Information Governance Team to address the issues; and, previewing the next agenda item, the importance of this area to overall governance assurance.  The Assistant Director paid tribute to the work of the team, particularly to the significant contributions made by Anthony Sawyer and Helen Worth.


RESOLVED:  That


(a)     The report be noted;


(b)     The actions proposed in order to address the recommendations of the Internal Audit review with respect to the Data Protection Act 1998, be supported and endorsed; and


(c)     The actions proposed in order to address the areas of improvement identified in the second draft of the ICO consensual audit with respect to the Data Protection Act 1998, be supported and endorsed.