Skip to content

Agenda item

Information Governance Annual Report

Report of the Director of Business Change and Information.



The Committee received a report of the Director of Business Change and Information Solutions which aimed to provide assurance around the policies, processes and practices employed to ensure the Council met those requirements.



The Senior Information Management Officer, Sarah Green, stated that the Council had worked hard to ensure that requirements are met through various frameworks and the UK GDPR action plan.



The Council had handled 326 Subject Access Requests (SAR) in 2020/21, in which 170 were answered in time. This meant the overall SAR performance figure had dropped from 85% to 52%. This was due to the suspension of request handling in response to the COVID-19 pandemic.



Additional Resource had been put in place to focus on SAR’s and improve performance.



The Council had received 1543 Freedom of Information Requests (FOI) in 2020/21, in which 64% were answered in time. The response rate the previous year was 93%. The Information Governance Board’s target response rate was 95%. It was added that failure to comply with the target response rate, could mean the Council has to pay a fine or carry out an inspection although this was unlikely as the response rate was increasing.



The Council had introduced sensitivity labels, which had to be identified before sending an email or working on a document. Sensitivity labels classify the Council’s data to show how sensitive it is. This helps reduce risks and protect data.



In 2020/21 there was 262 incidents logged through the Council’s information security incident process. 109 of these were personal data breaches, most were human error with emails or post. 8 of the breaches were considered to meet the risk threshold and were reported to the Information Commissioners Office (ICO).



The Council had several Information Governance training modules available for staff. The main one was the Information Governance training which is rolled out each year to staff and was mandatory. A new mandatory data protection module was added to the Sheffield Development Hub in January 2021, in which 88% of council employees has carried out as of December 2021.



Members of the Committee asked questions and the following responses were provided: -



Sarah Green confirmed that staff were redeployed through the pandemic to support other areas in the Council which impacted on response times for SAR’s. It was mentioned that all those members of staff are now back in post.



Sarah Green informed the Committee that staff had carried out additional training on security when working from home therefore she was confident that staff understood the differences when in a different work environment.



New training for Officers and Members was currently ongoing, this would aim to improve response rates as it would inform people on what to look out for and how to respond appropriately in the required timeframe.



Sarah Green stated that some of the recommendations from the ICO following the 8 breaches reported were generic. Other recommendations were specific and related to that breach. Examples were given of generic recommendations, these were:

  • Deliver more training
  • Use stronger passwords
  • Not to leave information open for others to view



A Member of the Committee suggested the level of impact was recorded in future reports as 1 incident could have impacted several people therefore to severity would be more than what is currently shown.



The Chair thanked Sarah Green and Leon Kaplan for attending the meeting.



RESOLVED: That the Committee noted the annual information governance update.



Supporting documents: