Agenda item
Information Commissioner's Office Audit
This report outlines the position with the Information Commissioner’s Office (ICO) data protection audit and the Council’s action plan to address the findings from the audit. The report also lists the outcome of similar audits conducted at other Local Authorities recently.
I have attached an executive summary of the report.
Minutes:
The Committee considered a report which outlined the position with the Information Commissioner’s Office (ICO) data protection audit and the Council’s action plan to address the findings from the audit. The audit was to assess the Council’s compliance with the Data Protection Act (DPA). Peter Gadsdon (Director of Performance, Policy and Partnerships) and Raj Seedher (Information Governance Manager) attended the meeting to present the report and respond to queries. The Director stated that the ICO audit was in respect of security of personal data; subject access requests; and data sharing.
Members heard that the audit provided an overall conclusion of Limited Assurance (Amber grading) which meant that there was a limited level of assurance that processes and procedures were in place to comply with data protection. The audit identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA. The Director highlighted the significant ones and the actions proposed to address them as follows:
- Improved technical controls for portable memory devices. Measures were being put in place to block the use of portable devices such as USB pen drives from the network in order to improve the security of confidential data.
- Annual mandatory refresher training for all staff and contractors would replace the current training required every four years.
- The target for complying with the SAR statutory timeframes, currently set at 80% for 2015, would be increased to 95% for 2016.
Peter Gadsdon continued that progress on the actions in the plan to address the recommendations in the ICO report was being monitored by the Information Governance Group, which would discuss implementation and report to the Corporate Management Team (CMT).
In the discussion that followed, members raised questions about the security of confidential data when officers were working from home and how freedom of information requests were being dealt with, and also enquired about the measures the department had in place to prevent hacking into the Council’s network system.
Raj Seedher responded that when working from home, the information was encrypted and stored centrally in the system, which prevented accidental or deliberate breaches of confidentiality. The prerequisite for a code number generated by the ‘authenticator’ was an additional measure to counter incidents of hacking. He added that a thorough review of the use of paper, to be replaced with electronic devices for effective control, was being put in place with an upgrade to a new system, “Mosaic”. Members were advised that through the use of iCasework, freedom of information requests were being managed efficiently. In order to safeguard the Authority’s financial portals, risk impact and security assessments coupled with robust penetration tests were being carried out to a level that matched industry best practice. The Director added that the Authority’s software systems were being constantly upgraded to maintain security and integrity, which was further enhanced with quarterly departmental penetration tests and, annually, through compliance with Sector Network code of connection standards. He also drew members’ attention to benchmark figures with other London Boroughs as set out in the appendix attached to the report.
RESOLVED:-
(i) that the Action Plan to address the audit recommendations;
(ii) that it be noted that the Executive Summary of the ICO audit will be published on the ICO website.
Supporting documents:
- Audit Panel Report ICO Audit Jan2016 V0 1, item 7. PDF 212 KB
- LBoB - executive summary, item 7. PDF 188 KB