Agenda item

Information Management Annual Report

Report of the Chief Operating Officer

Minutes:

6.1

The Senior Information Management Officer and Data Protection Officer (Sarah Green) stated that the report gave an overview of the information governance arrangements and performance at Sheffield City Council for the financial year 2022/23.

 

6.2

2022/23 was the fifth financial year in which the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018 have been in force. The Council has continued to work to ensure compliance with the law and an ongoing GDPR Action Plan is in place.

 

6.3

A Subject Access Request (SAR) was a request made by a citizen to be provided with the personal information which the Council held on that individual. In 2022/23, the Council handled 809 SARs. 294 were withdrawn or abandoned by the customer and 515 were actioned. 338 of these were answered in time. The overall SAR performance figure for 2022/23 was 65.6%. The Information Commissioner’s Office (ICO) contacted the Council concerning 14 separate complaints by data subjects about their SARs in 2022/23. The majority of these cases concerned situations where individuals had complained to the ICO because they had not been provided with the information they had requested within the statutory timeframe.

 

6.4

The Council was legally required to respond to requests for information under the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004 (EIR). Responses must be made within 20 working days, subject to some exceptions. Each response must confirm if the information was held and then either provide the information or explain the reasons why it cannot be disclosed (exemptions/exceptions). In 2022/23, the Council received 1586 requests and answered 82.12% in time. This was a decrease of 112 requests on the number of information requests received in 2021/22. The response rate is an improvement on the 76.22% achieved in 2020/21 but fails to meet the Information Governance Board’s target of 95% of requests answered in time. The ICO sets the acceptable compliance rate at 90%.

 

6.5

The Council was required to publish certain information on its website or open data sites. The Council was committed to open data to support its transparency agenda and routinely published information about its services, key decisions, and expenditure.

 

6.6

In 2022/23, 442 incidents were logged through the Council’s information security incident process; 352 of these incidents were classed as personal data breaches. Most of these breaches involved customer personal data and were caused by human error, with emails or post being delivered to the wrong person. Of these breaches, three were considered to meet the risk threshold and were reported to the Information Commissioner’s Office.

 

6.7

Information security was about the protection of information or, more specifically, its confidentiality, integrity, and availability. The Council was required to take appropriate security measures to protect information, particularly personal data, from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, information transmitted, stored, or otherwise processed. This increasingly included the protection of critical infrastructure which is connected to the internet or to other networks, such as 4G or 5G.

 

6.8

The Council continued to provide guidance, training, and awareness, explore better use of information technology to automate records management processes (especially retention and disposal), and gain a better understanding of management responsibility to own the information processed within their service area.

 

6.9

Information security training was mandatory. 96.1% of the Council’s desk-based staff and 38.6% of deskless staff had completed the learning. 95.35% of Social Care staff completed the training in time for the 2022/23. Additionally, there had been training of discrete groups such as Foster Carers, student Social Workers, elected Members, Children and Families staff, ICT, communication and information governance for cyberattacks, and intelligence sharing with the police.

 

6.10

Members of the Committee asked questions and the following responses were provided:

 

6.11

The Senior Information Management Officer and Data Protection Officer explained that, in regard to Directed Surveillance, an application would be made to the Magistrates for any surveillance work carried out within the organisation. She added that the Council made 4 requests in the calendar year 2022.

 

6.12

The Senior Information Management Officer and Data Protection Officer stated that Officers did not follow up with customers as to why they had withdrawn their SAR.

 

6.13

The Senior Information Management Officer and Data Protection Officer explained that as the Council was required to publish certain information online, the Council did this via its website or on Data Mill North and ArcGIS.

 

6.14

The Senior Information Management Officer and Data Protection Officer explained that following the ICO Audit, the Council will focus on supporting different services to ensure as much information as possible was published.

 

6.15

The Senior Information Management Officer and Data Protection Officer stated that the Council met its compliance rate in 2019 in relation to FOIAs and was progressing each year. The Council was committed to reaching its compliance as soon as possible.

 

6.16

The Senior Information Management Officer and Data Protection Officer confirmed she had not benchmarked against other authorities and was therefore unable to say whether 352 security incidents were a high or low figure for an authority this size.

 

6.17

The Senior Information Management Officer and Data Protection Officer stated that the pandemic affected the response time for dealing with SARs as employees were re-directed to other services during that period.

 

6.18

The Senior Information Management Officer and Data Protection Officer explained that when there was a data breach, a risk assessment was immediately undertaken to determine the level of severity. If the severity level was reached, then the Council had 72 hours to report the breach to the ICO.

 

6.19

The Senior Information Management Officer and Data Protection Officer confirmed the Council had not been a victim of a major cyber security breach although we had to be prepared for one. She added there was an IT security team that was focused on this particular risk.

 

6.20

The Senior Information Management Officer and Data Protection Officer believed there will be a reduction in the number of FOI requests due to the Council publishing as much data online as possible. Customers can be signposted to the relevant pages online. She mentioned that the Council usually received a larger number of requests when there was either a change in policy or something in the news which interested or concerned the people of Sheffield.

 

6.21

The Senior Information Management Officer and Data Protection Officer explained the process of dealing with an FOI request. A request from a member of the public could be sent to any officer within the Council; it was their duty to understand that it was a request for information and therefore forward the request on to the FOI team. The FOI team would then review that request and send it on to the relevant services which hold the information which had been requested. Those services will have an internal deadline for gathering that information and providing it to the FOI team. The FOI team have 20 days to respond to the member of the public; they can extend that if necessary, although it cannot be extended beyond 40 days.

 

6.22

RESOLVED: That the Audit and Standards Committee noted the annual information governance update.

 
