Agenda item

Data Protection and Information Governance Compliance - Presentation

Minutes:

Mr R Winter (Data Protection Officer) and Ms S Hydon (Head of Service Design and Compliance) gave a presentation providing a 6-monthly update on Data Protection and Information Governance Compliance.

The presentation covered four themes: Records Management, Incident Management, Smart Working and Cyber Security. Mr Winter outlined the Data Protection issues identified within each area and Ms Hydon outlined the procedures and processes that had been put in place to address any issues or concerns.

Particular reference was then made to the following:

·         Records Management:

o   The digitisation of records

o   The general review needed by Business Units

o   Physical records held in Council buildings

o   The impact on the ability to respond promptly to Freedom of Information and Subject Access requests

o   An audit to be undertaken of records management and document retention in 2021/22

One benefit of homeworking was that less paper was used, which made a records/data breach less likely, and records were being digitised where possible.

The Council currently had 22,200 boxes of documentation in storage, as well as a significant amount of microfiche. The digitisation of these documents was ongoing.

Work was also ongoing to index digitised records so that they were easily retrievable, and the Records Manager was looking at retention of records so that those no longer needed were destroyed securely.

The Information Asset Management Record had been updated so that the location of, and information about, records held was known.

Shared and network drives had been migrated into SharePoint with appropriate naming conventions, making it easier and quicker to retrieve information.

Mandatory Training had been provided and elements of records management were included within Information Governance Training.

A new approach, ‘Easy File’, had been developed in relation to employee/HR records. The Data Protection Impact Assessment Template had been updated to include records management.

·         Incident Management

o   There were still relatively low numbers and were decreasing but there was always room for learning and improvement

o   The majority of incidents related to ‘disclosure in error’ by email and post

o   The Data Protection Officer would review this area during 2021/22 to ensure that the response by Business Units was appropriate, timely and avoided repeat incidents

The number of breaches this quarter was lower than in the same quarter last year. This may be attributable to home working, where it was sometimes easier to concentrate with fewer distractions, or to the fact that people were using paper less. There was, however, still the chance of emails going amiss.

The use of the IT DigITal Hub meant that incidents were easily reported, so that appropriate action could be initiated by the Information Governance Team. The action taken to give support and reassurance to staff was briefly outlined, and it was noted that staff were mortified when such a mistake had been made.

All lessons learned were captured and this informed future actions.

The Service had a good relationship with the Information Commissioner in relation to significant breaches, although such breaches were very rare.

Appropriate training was provided for Elected Members and officers every 8-2 weeks and focused on any areas of concern. In addition, a mandatory training dashboard had been introduced which allowed managers to identify who had and who had not done training on time.

An Incident Dashboard enabled managers and Service Directors to see breaches or near misses.

In order to address emails being sent to the wrong recipient, intelligence had been built into the email client which provided a prompt and questioned whether or not the recipient was correct.

·         Smart Working - the Smart Working initiative which had already been in place had been expedited as a result of the pandemic, and this had highlighted some important Data Protection and Information Governance issues linked to records management. As a result, the policies and guidance around smart working were under review

Smart Working was a corporate programme, and Information Governance supported it mainly through its policies. The Mobile Device policy had been reviewed and a new ‘Bring your own device’ policy had just been approved, which would be launched later in the summer.

The concept of ‘Barnsley is our office’ was becoming embedded and, as part of that, all IT devices had been updated and a lot of work had been undertaken around digital skills, giving people the right skills and tools to work anywhere safely.

·         Cyber Security

o   Hackney, Redcar and Cleveland Councils had been victims of significant cyber security attacks

o   Staff were usually the gateway to such incidents

o   Phishing, whaling and password security issues were areas where there was a need to be vigilant, to minimise risks and train people to be aware of vulnerabilities

o   The Data Protection Officer was currently undertaking an assurance review focusing particularly on the first 12 months of the Data Security Strategy, to examine how effective it had been and whether the key milestones had been achieved

This was an area of key focus. Hackney and Redcar and Cleveland Councils had been hit by ransomware attacks; it had taken several months for all of their systems to be brought back online and, even today, they were still experiencing issues with some legacy systems.

Generally speaking, cloud hosting solutions were found to be more robust to attack. The Council had adopted a ‘Cloud Where Appropriate’ Strategy, and SAP, one of the most critical systems, was being migrated from a legacy system.

All the Security Team were Microsoft assured/cloud accredited, which gave additional assurance.

A new Information Security Management Solution had been introduced which linked to the contracts register, so that should any supplier make changes to its systems the Council would know about it and could be assured that there was no impact on the security systems and controls in place.

PSN (Public Services Network) was the main accreditation tool and ensured that secure systems were in place. Any areas that failed the PSN test had either been upgraded or their use discontinued.

Succumbing to a phishing attack was generally one of the key areas of vulnerability and one of the easiest ways to allow cyber criminals onto any network. Users were tested regularly, and phishing and whaling campaigns were undertaken. Following these exercises, anyone who had clicked on the links in error was advised of what they should have done and was required to undertake a mandatory training course.

The Service had also undertaken a password cracking exercise recently to test compliance with the Council’s Password Policy.

Finally, the Service had signed up to the National Cyber Security Centre initiatives, which assisted with proactive monitoring and early warning of issues.

The Data Protection Officer then gave a brief overview of the DPO Assurance Reviews planned and the DPO activity undertaken during 2020/21.

In the ensuing discussion, the following matters were highlighted:

·         The Data Protection Officer reported that either he or Internal Audit undertook assurance reviews where these were not of a technical nature. Regular penetration testing and numerous health checks were undertaken throughout the year. External accreditation providers were used, including central government

·         Staff were encouraged to use the ‘bcc’ function in emails to prevent third-party email addresses being given out inadvertently. The Egress security system issued prompts in relation to this

·         Last year the authority stopped over 8,000 phishing and cyber attacks, which came from all over the world. One had been successful but had been stopped immediately

·         The Council would always follow National Cyber Security Centre guidance and not look to pay a ransom. The main focus was to stop an attack in the first place and to have business continuity arrangements in place should they be needed

·         There were no repeat individual offenders, although there had been repeat incidents from teams. This was largely human error and additional training was always provided. If an individual continued to do something wrong, that would be taken up as a capability issue. Previous concerns raised with the Information Commissioner had all come back with no action recommended, as the processes and procedures in place were seen to be robust

·         The Executive Director Core Services briefly reported on the plans being prepared for agile working following the easing of lockdown. A hybrid approach was being adopted to allow a mix of home and office-based working. These plans were being prepared within the context of the need to secure and sustain the economy of the town. A set of principles was being devised entitled ‘Barnsley is our office’, but it was recognised that for some professions home working was not, and never had been, an option. It was unlikely that the former ways of working would resume exactly as before the pandemic, and the authority was looking at the future use of office space and potential savings to be made

·         Reference was briefly made to the arrangements in place and being introduced in order to ensure data and information security in relation to remote working

RESOLVED that the presentation be received and noted and that Mr Winter and Ms Hydon be thanked for attending and for answering Members’ questions.
