Agenda item

Information Governance Performance - Quarter 4 2016/17

The Executive Director Communities and ICT Manager will submit a report providing details of the Authority’s position in relation to information security breaches and cyber incidents reported and investigated in quarter four of the 2016/17 financial year with comparisons for the whole of the 2016/17 financial year and the previous financial year 2015/16.

Minutes:

The Executive Director Communities and ICT Manager submitted a joint report providing details of the Authority’s position in relation to information security breaches and cyber incidents reported and investigated in quarter four of the 2016/17 financial year with comparisons for the whole of the 2016/17 financial year and the previous financial year 2015/16.

Mr D Robinson (Head of ICT) and Ms M John-Ross (Service Director Children’s Social Care and Safeguarding) attended the meeting to present the report and to answer Members’ questions.

The report indicated that there were three reporting regimes: reporting to the Information Commissioner’s Office for the most serious incidents; reporting via the information governance toolkit for the most serious adults’ social care and public health incidents; and internal reporting and investigation. Detailed guidance on the reporting regimes was outlined within an appendix to the report.

In relation to Information Security:

· there had been 46 incidents (both actuals and weaknesses, and third party incidents) which had required investigation. This represented a significant increase compared to previous years, which was attributable, in part, to the increased awareness raised through policies, via SMT and through staff communications and training

· the fourth quarter actual incidents and weaknesses subject to internal investigation were also detailed by Directorate, Business Unit and type

· the highest number of actual incidents (12) related to ‘disclosure in error’ and in the main related to the use of emails which had been sent to the wrong recipient/contact group, where incorrect recipients had been copied in, or which were not encrypted

· the report also gave details of where such incidents breached the various principles of the Data Protection Act

· no incidents had been reported to the Information Commissioner in Quarter 4, but in the 2016/17 financial year four incidents had been reported. In addition, in April 2017 two further incidents had been reported. These were not to be investigated as arrangements had been put in place for the Council to review its handling of personal data

· a summary of lessons learned and action taken was provided

· there had been 9 third party incidents in relation to schools, foster carers, Berneslai Homes and members of the public. These had been reported to Information Governance and investigated by the relevant parties

In relation to cyber incidents:

· a summary of the ‘attempts’ and ‘attacks’ was provided by quarter for the 2016/17 financial year, together with a definition for each type of ‘incident’

· there had been a decrease in the number of phishing email calls being processed, some of which was due to internal staff levels. In the current quarter there had been a significant increase, which was attributable to the backlog being caught up. In addition, there had been a marked increase in the amount of phishing and malicious emails being received

· the Council was actively blocking and preventing access to more links, email addresses and websites as part of a proactive approach, with regular updates appearing in the weekly staff newsletter. This was also partly in response to advice from government about the increased risk around election time

· phishing software was being used which allowed the service to offer training to staff immediately and automatically. This should further raise awareness and was seen as the next step forward in terms of training, being more focused than the general Information Security Training that had to be completed by all staff and Elected Members

In response to questioning, the following matters were raised:

· It was noted that the Executive Director Core Services acted as the senior risk officer for the Authority and was also chair of the Information Governance Board, a high-level group of senior officers which had oversight of all Information Governance issues. It was also noted that the Service Director Children’s Social Care and Safeguarding was the Caldicott Guardian, with responsibility for Information Governance and for ensuring privacy and confidentiality in this area

· Specific reference was made to the work of the Information Governance Board in raising awareness of Information Governance issues and of the action to be taken in response to a potential data breach/weakness

· The Service Director Children’s Social Care and Safeguarding made specific reference to the breaches that had occurred within her service and to the robust action that had been taken to address the issues identified

· The Head of ICT reported that this was the first year that the Authority had captured details about cyber-attacks and, therefore, there was no comparative data available. He commented, however, that the number of incidents reported throughout the year was increasing, largely as a result of improved staff awareness. In relation to cyber-attacks, those that had been ‘successful’ were the result of staff clicking on links in emails, but these had been picked up quickly

· The Director of Core Services, together with the Service Director, gave a brief explanation of which parties were informed (and why) following a breach of Information Security. Information about breaches came from a variety of sources: from staff, who were generally quite open about reporting incidents, or from third parties who had received information in error. The Authority then took appropriate action to minimise any ensuing risks and to raise awareness of issues in order to prevent further breaches. It was important to take a proportionate response and for lessons to be learned from the weaknesses identified

· There was no evidence that any of the Authority’s databases had been penetrated, although this was always a danger

· The Director of Core Services reported on the current criteria for reporting incidents to the Information Commissioner and on the fact that new arrangements were being introduced which would, in future, require all breaches to be reported. Appropriate guidance was available on the Commissioner’s website

· The Service Director reported that her service was looking to send all reports etc. via email rather than by post. Such emails would be encrypted, and support would be provided to those who required it to open such emails

· It was noted that whilst the number of staff employed had reduced, this did not necessarily mean that this was the reason for an increase in the number of Information Security breaches, or that this would result in a greater number of breaches in the future. Staff within each service were responsible for ensuring that contact information was correct and kept up to date. There had been increased investment in IT equipment so that staff could work in a more mobile way, could quickly update information and thereby improve efficiency

RESOLVED that the report be received and Ms M John-Ross and Mr D Robinson be thanked for attending the meeting and for answering Members’ questions.