Agenda item

Annual Information Risk Report

Minutes:

Invitees:

Rhys Cornwall – Head of People and Business Change

Mark Bleazard – Digital Services Manager

Tariq Slaoui – Information Manager

 

The Head of People and Business Change provided the committee with a brief overview of the report and stated that it is the ninth annual Information Risk Report. It is not a statutory report but is produced every year as a best practice approach to information management and security, and is fundamental to transparency. The report provides an overview of the Council's arrangements and highlights the importance of information governance.

The Digital Services Manager acknowledged that the report was written at an unprecedented time, when much of the risk being managed arises from working from home, which presents different challenges. For instance, the blurring of work and personal lives could increase the risk of staff being targeted by cyber criminals because of the unusual circumstances in which people find themselves.

The officer went through specific highlights of the report and the elements of compliance the Council is required to address. The Public Services Network (PSN), managed by the Cabinet Office, enables the Council to connect its network and to manage its information and security appropriately. It was indicated that two PSN submissions had been unsuccessful, which was a challenge and has been escalated with Shared Resource Services (SRS).

The GDPR (General Data Protection Regulation) provides the framework for how the Council handles personal data. Members were advised that the Council is comfortable that it is managing this information as an organisation should; it was mentioned that there are clear privacy notices on the website detailing how the Council holds its data, for openness and transparency.

A further element of compliance was the payment card facility. The Council is compliant but had some challenges a few years ago. To resolve this, the team is working through a procurement exercise to engage experts; they are confident that progress is good but will be doing things slightly differently over the next couple of months. This is an ongoing process that has been delayed by a bereavement, but Members were assured that the team is back and working on the project.

With regard to data standards, the officer assured the committee that the Council's arrangements among staff are well tried and tested: for example, the Head of Law and Regulation is the Senior Information Risk Owner, the Head of People and Business Change is the operational head of the team, there is an information governance group that meets regularly, and the Digital Services Manager is the Data Protection Officer.

The officer explained that for 2021 the team undertook a staff survey on GDPR. The results are included within the report, and it was noted that there is more follow-up work to do and actions that will be taken as a result.

The committee was advised, as a positive mention, that the digital team has had a two-year service level agreement with local primary schools. This has been very beneficial for the schools and a great step forward, as it has encouraged many queries from them and raised communication and awareness.

It was explained to Members that staff are identified as the weakest link in security risk, and therefore the Council has a responsibility to keep its staff as well informed and educated as it possibly can. It was mentioned that the team run regular sessions, mostly on Microsoft Teams; when they were held in person they were organised within the Civic Centre. The team will commence proper courses again, and the officer said that the e-learning course on GDPR has been excellent, as a large number of staff have brushed up their knowledge.

The officer acknowledged that more analysis of the staff survey is needed to determine what is important, and that communication will be a big part of that. Members were advised that the next risk management issue would be situations where important paperwork goes astray or confidential emails are sent to the wrong recipient. The committee was informed that the team has an action plan for such situations.

The Digital Services Manager reported that the Council shares responsibility with other data controllers as part of the Test, Trace and Protect service, a designated joint resource with Public Health Wales. The committee was informed that the amount of data involved is minimal, but following the issue that was reported to the Information Commissioner's Office and publicised, the Public Health Wales team were transparent and released a statement to ensure that the public were aware of the risks.

In terms of technology solutions, the committee was informed that the Council is quite well placed for people working remotely, but is changing some of its solutions, such as the secure email system Egress, as one example. It was explained that when the report was written the team was in the process of moving to a different solution, which has now been completed.

The IT partnership with Shared Resource Services has proposed a security operations centre and a security information management system. Such systems would log activity and concerns about the network, with individuals available to support. Members were advised that the Council is now at the point of agreeing a budget for this plan to enhance its current security arrangements, which will change the remote working situation and bring security benefits for the VPN. Ransomware was mentioned as a huge threat in both the public and private sectors, but the team is well aware of this and is working on solutions to mitigate remote working and cyber risk.

Members of the Committee were then informed that the team had a great response to providing information on Freedom of Information requests, as they exceeded their target this year.

The Digital Services Manager went on to highlight that staff did experience issues with subject access requests (requests concerning personal data), and that the target was missed on those. This was primarily due to the difficulty of physically accessing records while staff were working remotely. The committee was assured that this will improve going into the next half of the year.

The Committee asked the following:

·         A Member expressed concern about making information more readily available to everybody on the website in terms of Freedom of Information requests. With regard to subject access requests, the Member further queried the main reasons why members of the public request them. The Member also noted the website outage issue and asked whether that could happen again.

The Head of People and Business Change explained that many Freedom of Information requests come from companies looking for commercial opportunities, and the Council tries to put these on the website in an allocated FAQ area so that staff do not have to go through the same lengthy collation process when the work has already been undertaken to answer the request.

With regard to the website outage, the Head of Service replied that the IT infrastructure is generally very stable, available 99.4% of the time, but outages occur for a variety of reasons, mostly outside the Council's control. The officer could not guarantee that it would not happen again, but reassured Members that the capital refresh plan for the infrastructure with Shared Resource Services will improve the systems. This was agreed by Cabinet in October, with the roadmap date moved to put high resilience in place to mitigate such situations.

With regard to subject access requests, the Information Manager responded by pointing out that these are requests under the Data Protection Act 2018; since 2018 it has been a statutory requirement to respond to such requests within one month. This applies to the private sector as well as the public sector. As to the reasons for requests, there is a multitude, but the most common ones mentioned were social services records for a child about whom information is needed, education records, and the history of council tax payments. The department receives various ad hoc requests in addition to these. Information Services then pass each request to the relevant service area to collate and respond accordingly within the law.

·         A Member enquired whether there could be more transparency around Freedom of Information requests, and reiterated that the substantial website outage had caused problems across the Council.

The Information Manager responded by referring to the Transparency page on the Council website, which covers commonly asked FOIs, for example pupil numbers in schools. Business rates information was published in the past, but due to a court case this is no longer done. The officer explained that they cannot put every single individual request online, but it is something they review, as they need to consider the consequences that could arise from it and the resources it would realistically take. Members were advised that the team update these quarterly, depending on the data concerned.

The Digital Services Manager directed the Member to the newport.gov Transparency page and echoed the Head of People and Business Change's comments that the website outage was unusual and that its big impact was recognised. The data infrastructure was old, which may have caused issues, but it was explained that new equipment has been bought and the team undertake capital refreshes, which help to reduce such issues.

The officer went on to explain that overall resilience would come from the move to the cloud. The officers could not guarantee that there would be no downtime, but such providers are well equipped to provide resilient solutions.

·         A Member commented on how the stakes are high, with fines if an organisation discloses information in breach of data rules, and asked whether the Council would be fined £20 million if the same happened to it.

The Head of People and Business Change confirmed the figure but clarified to the committee that the figure mentioned was the highest fine that has ever been charged, which was against British Airways for a notable data breach. This was more than £20 million, with the amount set in euros based on turnover. The originally proposed fine was significantly higher, but it was reduced to 20 million due to the pandemic's impact on the sector. The officer noted that this fine highlighted the risk involved with breaches.

·         A Member expressed concern that the organisation would have to pay that price by raising its costs and passing them on to its paying customers. The Member enquired whether the same could happen with the Council and, if it did, whether higher rates would be applied to the public if the Council were ever fined for a breach.

The Digital Services Manager confirmed that the Council is a local authority body that does not make a profit and that, realistically, councils would not be looking at fines of that scale. The Council's focus is on prevention, and it does not treat data vigilantly just because of a financial penalty; it does so because it is handling very sensitive data about its local residents.

The officer stressed that the reason the Council exists is to serve residents, and it would be a matter for Council to debate whether a data breach fine would need to be recovered from taxpayers.

In any case, if the Council committed a large breach, it would not be looking at a fine large enough to force it to do anything drastic, and there are arrangements in place to ensure that it does not end up in such a situation.

·         A Member commented on the fact that the weak link in all of this is human error, which comes down to staff. They queried whether, in dire straits, a disgruntled member of staff might release information, seemingly by accident.

The Head of People and Business Change acknowledged that both staff and Members alike make errors of judgement, and that this will always be the most difficult part of the process to resolve. The committee was advised that the Council has measures in place to ensure that such a breach would not happen.

The officer pointed out that £300,000 is the highest that a corporation has had to pay, and the fine should not be the factor that drives vigilance.

·         The committee referred to the report and noted its statement that the Council does not know how much sensitive data it holds. Members queried whether there is a method in place to sift through what the Council does and does not hold.

The Digital Services Manager commented that the team has a good idea of what information it holds across the Council's broad range of services, as it maintains an information asset data system.

The Council holds details of what data is held within the Council, whether it is health data or sensitive personal data. The officer stressed that the team is looking to expand this further, not just to the primary systems but to some of the smaller data systems, which would mitigate the risk of a potential breach.

·         A Member noted the stock take mentioned within the report. The committee asked how the Council carries out a stock take and asked the officers to confirm what a good score would entail.

In response, the Digital Services Manager explained that a cyber stock take is carried out across Wales and its local authorities and takes the form of a self-assessment. The Council is provided with a score on particular areas.

The team highlighted previous concerns about ransomware, and as a result of the stock take the Council's resilience to ransomware was boosted.

The officer recognised that more staff awareness training is needed, such as through online courses, to make staff aware of their obligations, as there is always more that can be done to mitigate such risks.

·         The committee asked whether, when the Council undertakes the self-assessment, it is scored by a third party.

The Digital Services Manager confirmed this, and that it is done centrally for Wales. The team provide responses; the central body analyses and compares the different organisations and is able to advise departments on governance arrangements. With cyber security there is a lot that organisations already do, but as risks increase organisations need to do more, so it is best to be assessed centrally and to hear what the assessors perceive to be best practice in those areas.

·         A Member of the committee asked the officer what the Council scored on the self-assessment.

The Digital Services Manager could not recall the exact score but was confident that it was above average across the authorities.

·         The committee then referred to the table on page 67 showing the number of incidents. Members enquired whether that formed part of the self-assessment process.

The Digital Services Manager replied that it did not: the self-assessment covers particular areas by asking about procedures, not about activity or how many incidents or breaches have been reported.

·         The Committee commented on the uniqueness of agile working and queried whether the last 12 to 15 months of staff working remotely and relying on their own Wi-Fi would cause any concern in terms of cyber attacks.

The Digital Services Manager explained that in theory it would be a higher risk to an extent. However, the Council had people working from home before the pandemic, so the technical solution remains the same: when emails are sent, the data is encrypted end to end. The data is scrambled and cannot be intercepted, just as in the office, so in reality there is not an increased risk.

The Head of People and Business Change added that there are certain risks with staff working in remote locations, but the IT side is not necessarily where the risk lies. The Council discourages paper records and is more focused on IT provision. The officer highlighted that this is safer than an individual leaving confidential paper records somewhere: if somebody left their work laptop elsewhere, the multi-factor authentication log-in procedure would mean that nobody could access the records on the drive. One requires a technical solution, while the other requires awareness and vigilance training.

The Digital Services Manager noted the recent central government breach in which a member of staff left critical government documents at a bus stop. This reiterated the point that human error is where mistakes are made and where the challenges lie.

·         A Member of the committee referred to the payment card industry and noted that the report mentions that the Council's compliance has lapsed. The committee asked for more information on what that means and what potential risks come with it. The committee also noted that the report states that the project should be completed by summer, whereas the action plan stipulates that it will not be ready until autumn.

The Digital Services Manager noted that he would establish which of those dates is correct and report back accordingly. In terms of PCI standards, they are not mandated by law but are seen as best practice. The officer noted that the bigger risk is human error, such as staff writing down card numbers.

Members were advised that the risks are small because the processes and technical solutions are in place; however, the officer mentioned that there will be gaps, such as issues with the segregation of card traffic from the wider network.

·         The Committee raised the wider public relations perspective, as the public want reassurance that when they make a payment online it will be safe. With more services being paid for online, such as council tax bills, it would be good practice for the Council to have this arranged in August, as the report states, rather than waiting until October.

The Head of People and Business Change reiterated that for card payments to providers the Council goes through PCI compliance. There would be a negligible risk associated with it, and it is best practice to operate on the most secure practice models for data security. The officer explained that the timescales have changed because, as the Digital Services Manager said earlier in the meeting, once the Council gets through the procurement exercise it will be able to obtain external support to resolve some of the technical issues.

The lead officer mentioned that there had been a bereavement within the task force, which resulted in lost time, and the Digital Services Manager agreed that this had affected the timeline, but that the delay was also due to ensuring best practice by obtaining expert advice.

·         The committee asked, with regard to the GDPR survey, what percentage of staff responded to the survey and how the team determined which staff to sample.

The Digital Services Manager gave an approximate figure of 15% of staff having responded. The team is looking at trends, but overall it received a better response this time around.

Members were advised that the survey was published to all staff through bulletins on the intranet and was voluntary to complete, as is usual practice, so there was no sampling as such.

·         Members queried whether the team could take a more focused management approach to determine who the key people are who have access to these records.

In response, the Digital Services Manager clarified that this is complementary to the existing work. For instance, the Head of People and Business Change has operational responsibility for this area, the Head of Law and Regulation covers the Senior Information Risk Owner side of it, and there is an information governance group which looks at these issues strategically and meets quarterly. The group reviews major incidents and looks at training programmes.

The GDPR staff survey was intended to get a grassroots staff opinion on how the digital team are doing and what staff perceive the issues to be. It is designed to complement all of the existing people and processes that could have an impact on GDPR compliance.

The officer stressed that the team want to ensure the organisation is kept informed accordingly, with regular messages sent out.

·         A Member of the committee queried whether there has been any work on sorting and cataloguing the legacy records.

The Digital Services Manager confirmed that there is a modern records facility within the Civic Centre building where archived records are stored, holding around 5,000 boxes' worth of files. Members were informed that there is a smaller amount of storage that still needs to be resolved, and the digital team is in the process of organising this. Until recently the digital staff did not have capacity to store some records that the retention policy requires to be kept, but they were able to destroy records that had reached the end of their retention period in order to make room for what currently needs to be kept.

·         The Committee recognised that some data, such as personal historic information, does not expire, and asked whether it would be reasonable to keep these records so that they could be passed on to future generations. Members appreciated the enormity of the problem of storing this much information.

The Digital Services Manager responded that there are different retention timelines for different types of records; social services records, for example, can be held for up to 99 years. The officer agreed that this is the bigger challenge: previous quotes to scan the whole room ran to hundreds of thousands of pounds, but it is something the team would have to consider in relation to the future use of the building.

Members were then advised that some records do need to be maintained, amounting to around 3,000 boxes' worth. With the use of electronic storage over the last 7 to 8 years, the amount of paper stored has been reducing slowly, but there is a bulk of social care and historical records that it is vital to keep.

The Chair and Committee thanked the officers for their comprehensive introduction and answers.

Supporting documents: