Data Protection and Information Security Update Report

Meeting: 28/09/2023 - Corporate Governance and Standards Committee (Item 28)

28 Data Protection and Information Security Update Report (PDF, 83 KB)

Minutes:

The Committee considered a report from the Information Governance Officer that provided an update on developments in data protection and information security within the council since the last report in October 2022. The report also covered details of data breaches in 2022-23, key risks for the Council, and objectives for the coming twelve months.

 

During the debate, the following points were made:

 

·      Concern was expressed over the delay in removing legacy hardware and operating systems and the volume of priorities being placed on ICT.  In response to a question as to how the work was prioritised, the Information Governance Officer commented that work was prioritised according to the level of risk involved, and availability of both financial and staffing resources.  It was hoped that the removal of legacy hardware and operating systems would be completed in the next six to twelve months.  Progress on this would be shared with councillors.

·      Officers acknowledged that, contrary to the comment in the report that there were no Climate Change/Sustainability implications, there were clearly sustainability implications associated with the disposal of legacy hardware, the energy use of new hardware, and the greater energy efficiency of increased cloud hosting.

·      In response to a request for an update on the review of ICT security policies, it was confirmed that this was still ongoing.

·      It was noted that the number of data breaches recorded in 2022-23 was commendably low.

·      In response to a question, the Information Governance Officer confirmed that, in respect of ICO notifications due to data breaches, no distinction was currently made between notifications required under GDPR and those required under the Network and Information Systems rules. It was confirmed that this could be looked into in future.

 

The Committee

RESOLVED: That the update report be noted.

Reason:

To ensure that the Committee is kept up to date with developments in the Council’s data protection and information security framework.

 


Meeting: 06/10/2022 - Corporate Governance and Standards Committee (Item 35)

35 Data Protection and Information Security Update Report (PDF, 93 KB)

Minutes:

The Committee considered a report from the Information Governance Officer that provided an update on developments in data protection and information security within the council since the last report of April 2022. The report covered governance successes, information assurance successes and objectives for the coming six months.

 

During the debate, the following points were made:

 

·       In response to concerns over the poor take-up of cybersecurity training and the need to ensure that those who need the training actually receive it, the Information Governance Officer commented that he had highlighted the need for the training at the Privacy and Information Group, and that, since the report had been written, a number of officers had received the training. Further emails would be sent to publicise the training.

·       It was suggested that the uptake of the training by both officers and councillors should be monitored, and the details reported to the Committee in the next report.

 

The Committee

RESOLVED: That the update report be noted, and that the report be presented annually to the Committee in future.

Reason:

To ensure that the Committee is kept up to date with developments in the Council’s data protection and information security framework.

 

Action: To include in the next report details of the uptake of cybersecurity training by both officers and councillors.
Officer to action: Information Governance Officer

Action: To provide the update report annually in future.
Officer to action: Information Governance Officer/Democratic Services and Elections Manager


Meeting: 21/04/2022 - Corporate Governance and Standards Committee (Item 68)

68 Data Protection and Information Security Update Report (PDF, 219 KB)

Minutes:

The Committee considered a report from the Information Governance Officer that provided an update on developments in data protection and information security within the council since the last report of September 2021. The report covered governance successes, information assurance successes and objectives for the coming six months.

 

Details of progress made with the objectives identified in the previous update report to the Committee in September 2021 that were not referred to in the report on the agenda were set out on the Supplementary Information Sheet.

 

During the debate, the following points were made:

 

·       A request for further, more detailed information to be provided in future reports including commentary on the Council’s performance in relation to data security – in particular whether there had been any breaches of data security and, if so, details of any such breach and measures put in place to prevent a recurrence.  It was confirmed that there had been no serious breaches of data security.

·       In response to a question as to how the Council ensures data security with staff working remotely and a suggestion that the Council should test its data security measures periodically with staff with, for example, trial phishing emails, the Information Governance Officer confirmed that during the pandemic staff were alerted on a number of occasions to data security risks whilst working from home; he also indicated that measures to test staff awareness would be considered in future.

·       It was suggested that the cybersecurity training for staff should also include councillors.

·       It was noted that the timescale for conducting external and internal security penetration tests of council-wide systems was this year, as part of the annual penetration testing.

 

The Committee

RESOLVED: That the update report be noted.

Reason:

To ensure that the Committee is kept up to date with developments in the Council’s data protection and information security framework.

 

Action: To provide more detailed information in future reports including commentary on the Council’s performance in relation to data security – in particular whether there had been any breaches of data security and, if so, details of any such breach and measures put in place to prevent a recurrence.
Officer to action: Information Governance Officer

Action: To provide cybersecurity training for councillors.
Officer to action: Information Governance Officer/Democratic Services and Elections Manager


Meeting: 23/09/2021 - Corporate Governance and Standards Committee (Item 32)

32 Data Protection and Information Security Update Report (PDF, 221 KB)

Minutes:

The Committee considered a report from the Information Governance Officer that provided an update on developments in data protection and information security within the council since the last report of April 2021. The report covered governance successes, information assurance successes and objectives for the coming six months.

 

During the debate, the following points were made:

 

·       Whether the Council was insured against any financial penalty for a breach of the GDPR provisions.  

·       Request for progress on the objectives in the report to be set out in the next report to the Committee, together with a confidential appendix showing the risk register in respect of data protection and information security.

·       Whilst the review of the policy of redacting photographs in respect of Planning applications published on the Council’s website and replacing it with a policy of only redacting photographs that contained personally identifiable data or images was welcomed, it should not be considered as a “success”.

 

The Committee

RESOLVED: That the update report be noted.

Reason:

To ensure that the Committee is kept up to date with developments in the Council’s data protection and information security framework.