Agenda item

Annual Information Risk Report 22-23

Minutes:

Invitees:

Councillor Dimitri Batrouni – Cabinet Member for Organisational Transformation
Rhys Cornwall – Strategic Director for Transformation and Corporate
Tracy McKim - Head of People, Policy and Transformation
Mark Bleazard - Digital Services Manager

The Head of Service introduced the report and noted that it was not a statutory report.

The Digital Services Manager gave a brief overview of the report and highlighted some key points.

Questions:

The Chair congratulated the Officers on including detail on the version and authors of the report but queried why this had only begun in April and asked whether there had been any previous versions.

·       The Digital Services Manager explained that the reports cover a period of a year and that they begin to write the report in April but noted that the team would be recording data throughout the year.

The Committee asked that the data be presented as percentages as well as figures to contextualise data.

The Committee queried why the Council had not been compliant with the PSN for a period of a year and asked whether there were risks that had been associated with this.

·       The Digital Services Manager stated that the Council had not been formally compliant due to a late health check. The Digital Services Manager stated that the Council had been in the process of replacing the finance system which had created particular challenges but noted that although there had been a relatively small risk, there had been mitigation for this. The Digital Services Manager added that the check for the current year had already been put in place.

·       The Digital Services Manager stated that an external provider carries out the health check and notes points of vulnerability. The Digital Services Manager added that when applying for compliance, it had not been accepted due to the listed vulnerabilities.

The Committee asked the Officers to state the vulnerabilities.

·       The Digital Services Manager listed some of the vulnerabilities and noted that the list appeared to be large due to the vulnerabilities being individually listed.

·       The Head of Service stated that there had been difficulties removing some of the vulnerabilities due to them having information systems on them.

·       The Digital Services Manager stated that although there were many on the list, they had all related to a singular system.

The Chair asked what shared systems had been in use with other Local Authorities and queried who had been determined to lead on these.

·       The Digital Services Manager stated that many of the Local Authorities would share a similar core infrastructure which had been driven by resilience as well as cost saving but noted that there would always be their own individual versions to avoid data concerns. The Digital Services Manager added that whilst in collaboration with SRS they had ensured that the Council had multiple different systems including the payroll system.

·       The Strategic Director noted that many authorities had moved to the Cloud but that they had their own system which would not be shared.

The Committee asked how regularly a third party is asked to administer a test.

·       The Digital Services Manager stated that this occurred annually.

·       The Committee queried whether this was frequent enough considering the speed that change happens in technology.

·       The Digital Services Manager stated that the annual test was due to a formal process but added that there were multiple and more frequent tests administered by SRS and explained that as well as tests the system was monitored at all times for malicious attacks.

The Committee asked how many ‘malicious attacks’ there had been.

·       The Digital Services Manager stated that there had not been any but added that it would be hard to quantify.

The Committee queried whether there had ever been a severe attack.

·       The Digital Services Manager stated that there had been a ransomware attack 7 years prior and before SRS were in place, but informed the Committee that there had been minimal consequences. The Digital Services Manager stated that they had put in place specific solutions due to this attack and that there had been many improvements made to the Council’s back-ups. The Digital Services Manager stated that they had also improved the meta-compliance simulations but noted that they wished to educate those who had clicked on any link.

·       The Strategic Director stated that the incident had been identified quickly and that the main impact that it had caused had been a system shut down rather than any data breach. The Strategic Director added that the Council had taken part in nation-wide simulated attacks and added that they had also been wary of the human reactions to these issues.

The Committee queried whether the Officers were confident that the Council would be ok if there was another attack.

·       The Digital Services Manager stated that they were but added that this did not mean that they were complacent and explained that there had been a large amount of investment in that area.

·       The Head of Service informed the Committee that when there had been national events there are additional controls overlaid during that period.

The Committee queried whether there was a possibility of locking users out of their accounts until they have completed their Meta-compliance course.

·       The Digital Services Manager informed the Committee that there is a course that all new starters are required to take prior to being given access and added that they had been focussing on encouraging uptake rather than removal of access but noted that it would be a possibility if needed.

·       The Cabinet Member stated that compliance was a huge issue that would be continued to be discussed and added that it was a learning process on how to improve. The Cabinet Member stated that although they would not be able to give 100% assurances they would be up to date on compliance.

The Committee referenced the publishing data section and noted that some of the documents were not up to date on the website.

·       The Digital Services Manager apologised and added that this was done via a process which should be done on an annual or quarterly basis.

The Committee queried the definition of a complex Subject Access Request and asked whether the Committee were planning on adding an additional table for complex SARs and what the consequences of not complying would be.

·       The Digital Services Manager stated that the definition of a complex SAR was given by the Commissioner’s Office and added that they did not plan on recording them separately but that they would just be given a longer deadline. The Digital Services Manager stated that they could record the number of complex SARs.

The Committee asked for the number of complex SARs to be reported back to the Committee and queried whether it would be many.

·       The Digital Services Manager stated that they would have to check on the request as the number was not recorded automatically. The Digital Services Manager stated that there would not be many but that the majority of them come from Social Care.

The Committee asked what risks were associated with not hitting the set target.

·       The Digital Services Manager stated that the Commissioner’s Office would be able to enforce the Council to take action. The Digital Services Manager noted that the Council would then be required to clear the relatively small backlog.

·       The Head of Service stated that there would be reputational risk and added that public trust was of high importance. The Head of Service added that the Council had not applied the exception to date which had meant that the target had been artificially deflated.

·       The Strategic Director informed the Committee that the Commissioner’s Office publish the occasions where they have taken action and highlighted that the Council’s situation was different to these. The Strategic Director noted that the Council’s issues had been around social care provision where records are required to be kept for 99 years and are in a variety of formats.

·       The Digital Services Manager noted a further challenge was ensuring 3rd party confidentiality.

The Committee queried where the records had been stored.

·       The Digital Services Manager stated that the majority of records were kept electronically and that the older records had been housed in a variety of places and added that this had caused logistical challenges.

The Committee queried what the Cyber Stock Take had covered and asked whether the results were available.

·       The Digital Services Manager stated that it was a self-assessment that had been carried out across Wales and noted that it had been done in conjunction with SRS due to their involvement in the technical controls. The Digital Services Manager informed the Committee that there was a Cyber Security Group WARP that operated across Wales and noted that they would learn lessons from other partners and local authorities. The Digital Services Manager noted that they had chased the results and that it would depend on the timings which report it would be included in but highlighted to the Committee that they had done well in previous years.


The Committee asked about the time scale for the Audit Wales Final Report.

·       The Digital Services Manager stated that they did not know when it would be returned but that it was likely to be soon and added that they had provided further information a month prior which they expected the report to consider.

·       The Head of Service noted that the report would be part 2 but that they would be able to provide a summary.

The Chair requested that the most up to date report be provided to the Committee.

·       The Head of Service noted that as the report was not done by all local authorities as it was not a statutory report the Audit Wales timeframe would not align.

·       The Strategic Director noted that the report would be a generic one and added that the information could leave them vulnerable if shared but stated that elements from the report could be given.

The Committee noted that online training may not be sufficient and praised the use of the phishing simulations and queried how many individuals had fallen victim to it.

·       The Digital Services Manager noted that it was important to not be too extreme but added that even one would be too many. The Digital Services Manager noted that the aim had been to educate rather than to punish. The Digital Services Manager noted that they had done multiple types which had been subtly different and noted it would be hard to compare them.

·       The Head of Service informed the Committee that 9.2% of users had clicked on the link but that 4% had then put in data and added that the 4% were then required to take training.

The Committee queried the reliance on digital data and asked what would happen if there were to be a complete failure in the Civic Centre.

·       The Digital Services Manager stated that there are non-corruptible back-ups and that there are different copies which are maintained for different lengths of time.

·       The Strategic Director stated that this had been covered by Civil Contingencies and that there was a disaster recovery plan in place.

The Committee stated their concern for an unredacted email that had been sent and queried whether there had been training following this.

·       The Digital Services Manager stated that every incident and the actions needed would be looked at on an individual level and added that Newport Council had reported very few incidents.

·       The Cabinet Member wished to thank the Committee for their questions and insights.

Conclusions:

The Committee welcomed the report and thanked Officers for their knowledge and expertise.

·       The Committee welcomed the Officer’s offer of providing articles containing more information on cases of ICO action.

·       The Committee asked for a summary of the Audit Wales report to be circulated. If the current year is unavailable for this, the Committee were content to receive information from a previous year so as to improve their understanding of the purpose of the report.

·       The Committee asked for more information regarding the Cyber Stock Take and for examples to be provided. If the current year is unavailable for this, the Committee were content to receive information from a previous year so as to improve their understanding of the report.


·       The Committee recommended contextualising data with percentages.

·       The Committee recommended the inclusion of specific “particularly complex” SAR numbers in future reports.

·       The Committee recommended that stronger responses to incomplete training be considered.

The Committee felt that there was significant overlap between the Information Risk Report and the Annual Digital Report and asked that Officers consider merging the reports.

Supporting documents: