Meeting: Audit and Governance Committee

Meeting date: 12/11/2025

Report of: Director of Governance and Monitoring Officer

Portfolio of: Cllr Claire Douglas, Leader including Policy, Strategy and Partnerships


Audit and Governance Committee Report:

 

Information Governance Team (IGT) Report


Subject of Report

 

1.   This report briefs Members on performance for Quarter 1 (April to June 2025) and Quarter 2 (July to September 2025) across the different types of requests for information received.

 

Policy Basis

 

2.   Having appropriate processes and procedures in place to ensure the council:

·        manages and monitors valid and in time responses to all FOI and EIR requests and other requests for information or information disclosure

·        provides support, advice and guidance for data protection and privacy compliance

·        provides support, advice and guidance for covert surveillance undertaken by the council

·        provides assurance to customers, employees, contractors, partners, and other stakeholders that all information, including confidential and personal information, is dealt with in accordance with legislation and regulations and its confidentiality, integrity and availability is appropriately protected.

 

3.   Regular performance reporting aligns with both the current and draft Council Plan, forming part of the council’s corporate code of governance. This also supports the 10-year Plan (York 2032) for performance management and service planning.

 

Recommendation and Reasons

 

4.   Members are asked:

 

(i)           To note the performance details contained in this report and provide any comments or feedback.

 

Reason: So that Members are provided with details and current performance from the Corporate Governance Team.

 

Background

 

Performance – information governance

 

5.      Annex 1 presents the Information Governance performance scorecard for Quarters 1 and 2 of 2025/26, alongside comparative data from 2024/25, 2023/24, and 2022/23.

 

6.      A total of 1,190 requests were received in Q1 and Q2 of 2025/26. These included FOI, EIR, SARs, and other information requests such as those from the police for investigative purposes.

 

7.      We have successfully sustained improvements in the percentage of FOI and EIR responses completed within statutory timescales. Notably, we met the ICO’s 95% timeliness target for combined FOI and EIR responses in both Q1 and Q2.

 

8.      While there was a slight dip in the percentage of SARs responded to in time in Q2 compared to Q1, performance remains significantly improved compared to previous years. The minor decline is likely due to an increase in complex requests, particularly those involving children’s or adults’ social care records, care leavers, and staff-related cases.

 

9.      A snapshot of FOI, EIR, and SAR requests for Q1 and Q2 is shown below.

 

Request type | Total requests | % responded in time

FOI and EIR | 924 | 96.1%

SAR | 114 | 90.0%

 

10.    The sustained improvement in FOI and EIR response times is a significant achievement, reflecting the ongoing commitment and collaboration between the IGT and service areas across the council.

 

11.      IGT continues to work closely with services and managers to maintain and enhance performance. This includes efforts to reduce the number of late responses and ensure “good enough” compliance. However, we must remain mindful of the increasing pressures on services including the IGT, and the constraints posed by current financial challenges, which may impact future performance.

 

12.    Since the last report to Members and up to the preparation of this report:

·         Four ICO decision notices were issued regarding the council’s handling of FOI/EIR requests. Three were not upheld and one was partly upheld and not upheld. The full decision notices are available on the ICO website (Decision notices | ICO) and at Annex 2.

·         No regulatory or escalated actions have been taken by the ICO in relation to FOI/EIR.

 

13.    Two personal data breaches were reported to the ICO since the last CMT update. Investigations were conducted by IGT, and the findings, with evidence, were submitted to the ICO. To date, one case has been closed with confirmation that the council took all necessary actions. We await the outcome of the second case. IGT continues to support staff, managers, and Chief Officers as needed.

 

14.    Following the completed transfer of complaints, IGT is working with Business Intelligence to enhance reporting. This includes responding to feedback from CMT and the Audit and Governance Committee, and expanding reporting to cover additional areas of IGT’s work, such as:

·         FOI and EIR case themes

·         Data Protection Impact Assessments (DPIAs)

·         Privacy Notices

·         Internal and external data sharing arrangements and data processing schedules for contracts

·         Records Management

·         Covert Surveillance

·         CCTV (public spaces, buildings, body-worn cameras, etc.)

 

Consultation Analysis

 

15.    No consultation was undertaken for this performance report. However, feedback from reports to CMT, and from meetings and discussions with managers, informs this report and, where required, internal and/or external consultation will be conducted to support any actions arising from Committee.

 

Risk and Mitigations

 

16.    The council has a duty to comply with the various aspects of data protection, covert surveillance, and information governance related legislation. Failing to comply with these can result in Regulators taking actions against the council such as reprimands, enforcement action, monetary fines and financial remedies for individuals. Regulators often publish these decisions and actions on their websites, and issue press releases and statements. This can lead to reputational damage, reduce the council’s overall effectiveness and cause a loss of trust in the council.

 

17.    In some circumstances, individual members of staff may be at risk of committing criminal offences, for example if they knowingly or recklessly breach data protection legislation and compliance requirements, or deliberately destroy, alter, or conceal a record after it has been requested.

 

18.    Data protection impact assessments (DPIAs) are an essential part of our accountability obligations and are a legal requirement for any type of processing under UK GDPR. Failure to conduct a DPIA when required may leave the council open to enforcement action, including monetary penalties or fines. However, as there is no personal data, special categories of personal data or criminal offence data being processed for this performance report, there is no requirement to complete a DPIA.

 

 

Wards Impacted (optional section)

 

19.    Not applicable for this report.

 

 

Contact details

 

20.    For further information please contact the author of this Report.

 

Author

 

Name: Lorraine Lunt

Job Title: Information governance and feedback manager/DPO

Service Area: Governance and Monitoring

Telephone: 01904 555719

Report approved: Yes

Date: 4 November 2025


Background papers

 

Links to background information shown in the report

 

https://data.yorkopendata.org/group/transparency 

 

section 45 code of practice

 

How to report on your performance on handling requests for information under FOIA 2000 | ICO

 

Decision notices | ICO

 

Annexes

 

Annex 1 – Information Governance performance report

Annex 2 – Full ICO decision notices

 

Abbreviations used in this report

 

IGT – Information Governance Team

ICO – Information Commissioner’s Office

FOI – Freedom of Information Act

EIR – Environmental Information Regulation

SAR – (Data) Subject Access Request