Minutes:
The Committee considered a report from the Information Governance Officer that provided an update on developments in data protection and information security within the Council since the last report in September 2023. The report also covered details of data breaches in 2023-24, key risks for the Council, and objectives for the coming twelve months.
During the debate, the following points were made:
· Reassurance was requested that, notwithstanding the delay in removing legacy hardware and software, measures were still being taken to ensure that services were able to operate using out-of-date hardware and software.
· An enquiry was made as to whether there were protocols and processes in place to ensure that there could be no, or very limited, opportunity for breaches involving very sensitive data and, of those breaches that did take place, whether this was because the processes were not really necessary, as the breaches did not involve sensitive information. In response, the Information Governance Officer confirmed that the action taken generally depended on the severity of the breach. This would include the volume and nature of the personal information that had been compromised. For example, disclosure of a person’s name, email address, or telephone number would not be considered to be as sensitive as a person’s medical condition or previous criminal convictions. Most data breaches that had occurred at the Council involved inadvertent disclosure of non-sensitive personal information.
· Assurance was requested that the ICT Team was able to meet all the priorities that were currently being set for them within the existing resources available to them.
· The detail now provided in these reports was welcomed, and support was expressed for separate annual reports on data protection and information security in future.
Having considered the report, the Committee
RESOLVED:
(1) That the update report be noted.
(2) That future reports are separated so that there is an annual report on data protection and an annual report on information security.
Reasons:
· To recognise that the Committee has reviewed the developments that had occurred since the last report was presented on 28 September 2023 and ensure that the Committee remained aware of the Council’s data protection and information security framework.
· The Data Protection Officer (Information Governance Officer) and the Information Assurance Officer sit in different directorates as a result of reorganisation within the Council, and it was therefore no longer appropriate to have a single report covering these areas. It will support good governance to have reports which focus on the separate and distinct areas and ensure that sufficient consideration is given to both.
| Action | Officer to action |
| --- | --- |
| (a) To provide separate annual reports on data protection and information security in future. | Information Governance Officer / Information Assurance Officer |
| (b) To provide assurance that, notwithstanding the delay in removing legacy hardware and software, measures were still being taken to ensure that services were able to operate using out-of-date hardware and software. | Lead Specialist ICT |
| (c) To provide assurance that the ICT Team is able to meet all the priorities that were currently being set for them within the existing resources available to them. | Lead Specialist ICT |