Agenda item

Information Assurance Annual Report 2019/20

(To receive a report by David Ingham (Head of Information Assurance), which presents the Information Assurance Annual Report 2019/20)

Minutes:

The Head of Information Assurance presented the Information Assurance Annual Report 2019/20, which summarised some of the key activity undertaken by the Information Assurance team during 2019/20. It focused on three core domains: data protection; records management; and information security (including elements of cyber security). Its purpose was to provide assurance to the Audit Committee that the information assurance function was effective and responsive to challenges affecting the Council.

 

Three themes were highlighted:

 

  • the focus on risk management;
  • the need for continual improvement, both within the team and corporately; and
  • the importance of positive engagement, for example with partners, suppliers and members of the public.

 

The Head of Information Assurance also highlighted that there were 259 security incidents during 2019/20. Of these, 89% had been due to human error, and were largely related to the unauthorised disclosure of information.  For context, each year six million emails were sent outside the organisation. 

 

The annual report also referred to engagement with the Information Commissioner's Office in two areas.  Firstly, there had been twelve complaints of data protection infringement, of which seven had been upheld and three partially upheld, but all had now been resolved to the satisfaction of the Information Commissioner's Office.  Secondly, twelve data breaches were also reported to the Information Commissioner's Office, all of which had been resolved.

 

The following issues were raised by members of the Committee:

 

  • The 25 instances of lost data / hardware often related to laptops being stolen from vehicles. These losses were mitigated by the encryption of hardware, with all devices removed from the network. Processes were in place to check the loss of data from hard copy documents. The number of instances had fallen compared to the previous year.
  • There was a potential reputational risk from security incidents and unauthorised disclosure. Only data breaches reaching a threshold, namely where the breach was likely to pose a risk to the individual concerned, were reported to the Information Commissioner's Office. No concerns had been raised by the Information Commissioner's Office. Assurance was given that the Information Assurance Team was continually looking at ways of reducing the number of incidents and breaches.
  • There was a request for the annual report to contain more information on the future focus of the Information Assurance Team, for example, hard copy legacy records. There was also a risk that the impact of Covid-19 had led to the creation of records outside the document management processes, which would be addressed in the recovery phase. In the meantime, guidance had been issued, for example on reducing paper copy formats outside the Council's offices.
  • Council hardware items could not be traced, as encryption was considered more appropriate to protect data, and the items could no longer connect to the network.
  • Social workers were more likely to create manual records outside the organisation. However, they tended to be used to these ways of working and were provided with guidance on how to manage the information they held appropriately.
  • The percentage of staff trained on information governance e-learning had fallen from 90% in 2018/19 to 86% in 2019/20, owing to the impact of Covid-19 during March 2020, when most members of staff were expected to complete their information governance training, but could not do so, owing to the pressure on the Council's network at that time. E-learning had been supported by face-to-face training, for example on cyber security and records management.
  • In terms of state-sponsored cyber-security threats, the County Council was a target, albeit low-level. Criminal activity, more specifically phishing emails, represented the most prevalent threat, whereby an email to an individual member of staff would request sensitive information enabling the phisher to make financial gain or cause negative impact to the network. Recent improvements to the Council's network had provided additional protection and further reduced the Council's exposure, although vigilance would continue to be required at all times.

 

RESOLVED

 

(1)         That the information assurance activity for 2019/20 be noted.

 

(2)         That the key activity designed to give the Audit Committee confidence that the information assurance function remained effective and relevant to the Council’s needs be noted.
