Meeting: |
Audit and Governance Committee |
Meeting date: |
04/09/2024 |
Report of: |
Director of Governance and Monitoring Officer |
Portfolio of: |
Cllr
Claire Douglas |
Audit and Governance Committee
Report: Corporate
Governance Team Report
Subject of
Report
1. This report provides Members with updates in respect of:
· New internal governance arrangements
· Corporate Governance performance report
· Information Commissioners Office cases
· Ombudsmen cases, complaint handling codes and assessment
· Local Government and Social Care Ombudsman (LGSCO) annual letter and performance
· NHS Data Security and Protection (DSP) Toolkit – self assessment for 2023-2024
· Investigatory Powers Commissioner (IPCO) inspection including Audit and Governance Committee’s “fit for purpose” review of the covert surveillance policy and procedures and data report
Policy Basis
2. Having appropriate processes and procedures in place to ensure the council
· investigates and responds to complaints (corporate, adults social care and children’s social care), comments, compliments and concerns, and Ombudsmen cases
· manages and monitors valid and in time responses to all FOI and EIR requests and other requests for information or information disclosure
· provides support, advice and guidance for data protection and privacy compliance
· provides support, advice and guidance for covert surveillance undertaken by the council
· provides assurance to customers, employees, contractors, partners, and other stakeholders that all information, including confidential and personal information, is dealt with in accordance with legislation and regulations and its confidentiality, integrity and availability is appropriately protected.
3. Compliance is aligned to the current and draft Council Plan which is part of the council’s corporate code of governance. This also then aligns with the 10-year Plan (York 2032) such as performance management and service planning.
Recommendation and Reasons
4. Members are asked:
(i) To note the new internal governance arrangements in this report and provide any comments or feedback
(ii) To note the performance details contained in this report and provide any comments or feedback.
Reason: So that Members are provided with details and current performance from the Corporate Governance Team.
(iii) To note the details for the IPCO inspection and provide any comments or feedback on how you may want to conduct the “fit for purpose” review of the covert surveillance policy and procedures and data report
Reason: So that Members are provided with a future report on the council’s use of covert surveillance and complete their review of the policy and procedures as required by the IPCO
Background
5. New internal governance arrangements
6. The council has refreshed its internal governance arrangements to bring greater clarity about accountability and responsibility, together with establishing governance arrangements that will support delivery of the savings plan and transformation programme (known as Working as One City).
7. The internal governance arrangements aim to support better informed decision making in line with the council plan priorities, clearer lines of responsibility and accountability, greater capacity for strategic oversight, greater clarity about performance management leading to improved outcomes, and greater visibility for officers to know who to engage with and when. See Annex 1.
8. A list of the council’s key internal governance arrangements is shown as a diagram with an explanation of each meeting in Annex 2. These are the internal governance arrangements that report into the Corporate Management Team. The project assurance group have mapped governance of all projects to the new arrangements to ensure monitoring and accountability of the council’s projects is clear.
9. Five new boards are being established:
· Adults Ambition and Assurance Board to steer the continued improvement journey in Adults Social Care, supporting actions to be safe and effective.
· Corporate Improvement Board to steer the Working as One City Programme, Corporate Improvement Action Plan and monitor progress of savings plans.
· Core Services Performance Board to monitor performance of transactional services to ensure customer experience continues to improve.
· City Developments Board to oversee deliver of major capital programmes and The Local Plan (once adopted)
· Corporate Governance Board to oversee and quality assure decision reports prior to recommending CMT oversight or Executive approval.
10. Existing internal governance arrangements have also been refreshed to ensure recommendations or strategic oversight is provided by the appropriate internal Board.
11. Corporate Governance Performance report
12. The full performance indicators are available on York Open Data at https://data.yorkopendata.org/group/transparency
13. Please see the performance report for Quarter 1 covering April to June 2024 at Annex 3.
14. As set out in report to Committee in February, the performance report has changed. This is from comments and feedback, guidance published by the ICO on collecting and reporting on key data and the ongoing configuration, build and testing of performance reports following the implementation of a change to the case management system. There are also the additional performance figures that Committee asked for at the last meeting.
15. I can confirm the performance data reported to this Committee and published for FOI/EIR does meet the legislative requirements set out in part 8.5 of the section 45 code of practice as well as the additional ICO guidance How to report on your performance on handling requests for information under FOIA 2000 | ICO such as the number of requests subject to FOIA or EIR, the time period that the data is split into and performance against statutory timescales for FOI/EIR.
16. The council received a total of 588 requests for information from 1st April 2024 to 30th June 2024. These include FOI, EIR, SARs and other requests for information such as requests from the police for information that we may hold for an investigation etc. This is an increase in requests of 83 (just over 15%) from the same reporting period in 2023/24 when we received 505. This indicates an ongoing increase in requests being received. A snapshot for % of in time performance is shown in table below.
|
% in time Q1 2024/25 |
% in time for full year 23/24 |
% in time for full year 22/23 |
SARs |
46% |
72% |
64% |
Requests for information |
88% |
97% |
99% |
FOIs & EIRs |
98% |
89% |
86% |
17. Whilst we are achieving a high % of responses being completed within the statutory timescales for FOI, EIRs and other information requests, it is important to remain vigilant about this, given that the ICO enforcement notice for FOI/EIRs ended in March 2024.
18. To address the % of SAR responses being completed in time, we have restarted the work with service areas and managers to look at opportunities to make improvements. This will include on a case-by-case basis, ensuring where it may be appropriate to extend the response timescale is considered in a timely way. It is important to note that the ICO provides clear guidance for when extending the timescale may be appropriate and that this cannot be solely because the individual requests a large amount of information.
19. For complaints and feedback for the same period there were a total of 287 cases received and dealt with under the procedures for adult social care (ASC) complaints, childrens social care (CSC) complaints, corporate complaints and corporate complaint not Housing. This is a decrease in total received from the same period last year which was 501. A snapshot is shown in the below table.
|
Q1 - 24/25 -total received |
Q1 - 24/25 - % in time |
% in time for full year 23/24 |
% in time for full year 22/23 |
Corporate complaints |
278 |
52% |
86% |
95% |
ASC |
1 |
0% |
54% |
56% |
CSC |
8 |
33% |
67% |
72% |
21. Information Commissioner’s Office cases
22. There have been no published decision notices by the ICO about the council’s handling and responding to FOI/EIRs on their website since the last report to Committee.
23. There have also been no other ICO regulatory action against the council. You can find out more about what actions the ICO can take at Action we've taken | ICO
24. Ombudsmen cases, complaint handling codes and assessment
25. There have been no Housing Ombudsman Services (HOS) cases, and seven LGSCO cases with decisions, between the last report to Committee in May 2024 and the date this report was prepared. Details of all the decisions including recommendations, remedies and actions are shown at Annex 5.
26. The following were the findings and decisions determined by the LGSCO:
· Two were closed after initial enquiries with no further action
· Two were closed as out of the jurisdiction of the LGSCO
· One was not upheld with either no fault or no further action
· Two were upheld with fault and injustice
27. The CGT undertakes ongoing work with CMT, Directorate Management Teams as well as with individual service areas to ensure that we share learning opportunities across the council and to identify areas for improvement from Ombudsmen cases.
28. The council has recently submitted the regular Housing Ombudsman Service (HOS) Complaint Handling Code assessment. This was based on the current published annual assessment completed in October 2023, on the council website at Housing Ombudsman Self Assessment – City of York Council
29. For the LGSCO complaint handling code, the timescale to comply with this is April 2026. We are continuing the work on the possible implications and impacts from the launching of this Code including taking part in various network group discussions with the Ombudsman, completing the consultation, to ensure the council adopts the code into our complaints handling policies and procedures as soon as possible and will provide updates on our progress to CMT, Audit and Governance Committee etc.
30. Local Government and Social Care Ombudsman published annual performance report
32. This year in their annual letter – see Annex 6, the LGSCO did not comment on or identify issues or areas of concern for the council, as they have done in previous years.
· Year on year decrease in cases being raised to the LGSCO – see figures for both received and decided. The decrease of received cases compared to last year is 23% and, on the year, before, this is 31%
· Year on year decrease in % of cases being upheld by the LGSCO. Although LGSCO has published that 78% of cases were upheld, their calculation uses only the total number of cases where their decision was either upheld or not upheld. If calculated using the total number of cases where they made a decision, that figure falls to 17.07% upheld.
· For the satisfactory remedy provided by the authority quoted for York of 0% with a similar organisation average of 13%. Again, this measures only the cases with an upheld decision (so for this report, it was 7 cases) where we have not already put in place the remedies their investigation finds. Whilst they do have a recording category of “Upheld: fault – no further action, organisation already remedied” and “Upheld: fault & inj– no further action, organisation already remedied,” this was not used for any of the 7 upheld cases. However, it is important to note that of the 17 cases “closed after initial inquiries” with the reason of “No worthwhile outcome achievable by investigation”, a number of these will be because the council has already taken appropriate action through our own complaints’ investigations, findings, and remedies. This may also be part of the reasons for the year-on-year decrease in cases being received by the LGSCO.
· The opportunities to improve the % for satisfactory remedy provided by the authority will be investigated as part of the ongoing work we do with service areas and managers. We are also going to raise through the LGSCO liaison worker and regional complaints group to explore any areas we can learn from to improve this.
34. By date of preparing this report, I have not been able to conduct any comparison analysis with other LAs. This work will be done and provided in future reports to this Committee.
35. NHS Data Security and Protection (DSP) Toolkit – self assessment for 2023-2024
36. Confirmation of the required “standards” being met for the annual NHS DSP assessment is attached at Annex 9. It is also published at Organisation Details (dsptoolkit.nhs.uk)
37. It is an annual requirement to submit evidence to show how we perform against the National Data Guardian’s 10 data security standards and applies to all organisations thathave access to NHS patient data and systems to provide assurance that they are practising good data security, and that personal information is managed correctly.
38. This year internal audit completed a “thematic review” of our submission and evidence and provided a “memorandum” with their findings and recommendations. These have either been completed prior to publishing our annual evidence to the NHS DSP toolkit or will be taken forward in the next improvement action plan which is reported to and monitored through the Governance Risk and Assurance Group (GRAG) which includes the council’s registered Caldicott Guardian.
39. Investigatory Powers Commissioner (IPCO) inspection including Audit and Governance Committee’s “fit for purpose” review of the covert surveillance policy and procedures and data report
40. The council was notified in May 2024 of the three yearly inspection by the IPCO regarding our compliance with the Regulation of Investigatory Powers Act 2000 and the Investigatory Powers Act 2016.
41. Service areas and managers that use these powers, supported gathering the evidence and information to provide the written submission response to the IPCO by their deadline and the onsite inspection has now been confirmed for Monday 23rd September 2024.
42. The preparation and actions required ahead of the onsite inspection is underway and the outcomes and recommendations from the inspection will be reported to CMT, GRAG and to Audit and Governance Committee.
43. The annual report on the council’s use of covert surveillance, given the timing of the IPCO inspection, will be in a future report to Committee so that it includes any of the inspection outcomes and recommendations.
44. Also, as Members may recall from the training provided to Committee in November 2023, given the timing of the IPCO inspection, the requirement for Committee to conduct a “fit for purpose” review of the covert surveillance policy and procedures will be covered in a future report to ensure that it covers any of the inspection outcomes and recommendations.
Consultation Analysis
45. Internal governance arrangements were refreshed following the consultation with the workforce and Trade Unions during May that informed the Corporate Improvement Action Plan; and with Corporate Management Team.
46. No consultation was undertaken for the other items in this report. However, feedback from reports to CMT, meetings and discussions with managers informs this report and where required, internal and/or external consultation will be conducted to progress the work and actions required to comply with the improvement plan in response to the ICO enforcement notice.
Risks and Mitigations
47. The council has a duty to comply with the various aspects of complaints, data protection, covert surveillance, and information governance related legislation. Failing to comply with these can result in Regulators and/or Ombudsmen taking actions against the council such as reprimands, enforcement action, monetary fines, financial remedies for individuals. Often these decisions and actions are published on the Regulator or Ombudsmen websites, as well as doing press releases and statements. This can lead to reputational damage, reduce the council’s overall effectiveness as well as a loss of trust in the council.
48. In some circumstances individual members of staff may be at risk of committing criminal offences for example if they knowingly or recklessly breach data protection legislation and compliance requirements or deliberately destroy, alter, or conceal a record after it has been requested.
49. Data protection impact assessments (DPIAs) are an essential part of our accountability obligations and is a legal requirement for any type of processing under UK GDPR. Failure to conduct a DPIA when required may leave the council open to enforcement action, including monetary penalties or fines. However, as there is no personal data, special categories of personal data or criminal offence data being processed for this performance report, there is no requirement to complete a DPIA.
Wards Impacted (optional section)
50. Not applicable for this report.
Contact details
51. For further information please contact the authors of this Report.
Author
Name: |
Lorraine Lunt |
Job Title: |
Information governance and feedback manager/DPO |
Service Area: |
Governance and Monitoring |
Telephone: |
01904 554145 |
Report approved: |
Yes |
Date: |
05/08/2024 |
Background
papers
No background papers but listed below the links to background information shown in the report
https://data.yorkopendata.org/group/transparency
How to report on your performance on handling requests for information under FOIA 2000 | ICO
Housing Ombudsman Self Assessment – City of York Council
Organisation Details (dsptoolkit.nhs.uk)
Annexes
Annex 1 – Internal governance arrangements
Annex 2 – A-Z of meetings
Annex 3 – Corporate Governance performance
Annex 4 – Ombudsmen cases
Annex 5 – LGSCO annual letter
Annex 6 – LGSCO performance
Annex 7 – LGSCO performance breakdown
Annex 8 – NHS DSP certificate
Abbreviations used in this report
DPIAS - Data protection impact assessments
GRAG – Governance Risk and Assurance Group
CMT – Council Management Team
CGT – Corporate Governance Team
UK GDPR – United Kingdom General Data Protection Regulation
DPA 18 - Data Protection Act 2018
PECR - Privacy and Electronic Communications (EC Directive) Regulations 2003
HOS - Housing Ombudsman Service
LGSCO – Local Government and Social Care Ombudsman
ICO - Information Commissioner’s Office
IPCO – Investigatory Powers Commissioner’s Office
FOI – Freedom of Information Act
EIR – Environmental Information Regulation
SAR – (Data) Subject Access Request
DSP - NHS Data Security and Protection Toolkit
ASC - Adult social care
CSC - Childrens social care