Report Template

Meeting:	Audit and Governance Committee
Meeting date:	22/05/2024
Report of:	Director of Governance
Portfolio of:	Cllr Douglas Leader, responsible for Strategy, Policy, and Partnerships

Audit and Governance Committee Report: Corporate Governance Performance Report

Subject of Report

1. This report provides Members with updates in respect of:

· Corporate Governance performance report

· Information Commissioners Office cases

· Ombudsmen cases

· Potential new and emerging data protection and digital information legislation

Policy Basis

2. Having appropriate processes and procedures in place to ensure the council

· investigates and responds to complaints (corporate, adults social care and children’s social care), comments, compliments and concerns, and Ombudsmen cases

· manages and monitors valid and in time responses to all FOI and EIR requests and other requests for information or information disclosure

· provides support, advice and guidance for data protection and privacy compliance

· provides assurance to customers, employees, contractors, partners, and other stakeholders that all information, including confidential and personal information, is dealt with in accordance with legislation and regulations and its confidentiality, integrity and availability is appropriately protected.

3. Compliance is aligned to the current and draft Council Plan which is part of the council’s corporate code of governance. This also then aligns with the 10-year Plan (York 2032) such as performance management and service planning.

Recommendation and Reasons

4. Members are asked:

4.1 To note the details contained in this report.

4.2 To provide any comments or feedback from this report.

Reason: So that Members are provided with details and current performance from the Corporate Governance Team.

Background

5. Corporate Governance Performance report

5.1 The full performance indicators are available on York Open Data at https://data.yorkopendata.org/group/transparency

5.2 Please see the performance report for Quarters 1, 2, 3 and 4 covering April 2023 to March 2024 at Annex 1.

5.3 As set out in report to Committee in February, the performance report has changed. This is from comments and feedback, guidance published by the ICO on collecting and reporting on key data and the ongoing configuration, build and testing of performance reports following the implementation of a change to the case management system.

5.4 The ongoing configuration, build and testing for performance reporting is taking longer than anticipated due to priorities and deadlines for the CGT’s caseload and impacts on this from our staffing resource and capacity. We will continue to progress this work to provide more detailed reporting going forward.

5.5 However I can confirm the performance data reported to this Committee and published for FOI/EIR does meet the legislative requirements set out in part 8.5 of the section 45 code of practice as well as the additional ICO guidance How to report on your performance on handling requests for information under FOIA 2000 | ICO such as the number of requests subject to FOIA or EIR, the time period that the data is split into and performance against statutory timescales for FOI/EIR.

5.6 There has been a continuous and sustained improvement in both the number of FOI/EIR and data protection subject access to records (SAR) requests responded to within the statutory timescale each quarter throughout the full year reporting period of March 2023 to April 2024.

5.7 There has been an increase in this quarter of the number of complaints received and dealt with under the children’s social care services legislation

· The Children Act 1989 Representations Procedure (England) Regulations 2006

5.8 There has been a decrease in number of complaints received and dealt with under the adults’ regulations.

· The Local Authority Social Services and National Health Service Complaints (England) Regulations 2009

5.9 The numbers of complaints received are influenced by factors such as increased demand on council services and the restrictions the current budget and financial circumstances are placing on these services.

6. Information Commissioner’s Office cases

6.1 The progress of our improvement plan following the now fully complied with requirements from the ICO enforcement notice, is published on the council website at Information Commissioner’s Office (ICO) enforcement notice and improvement plan – City of York Council

6.2 There have been no published decision notices about the council’s handling and responding to FOI/EIRs by the ICO since the last report to Committee in February 2024. There has also been no other ICO regulatory action against the council. You can find out more about what actions the ICO can take at Action we've taken | ICO

7. Ombudsmen cases

7.1 There were no Housing Ombudsman Services (HOS) cases and fourteen LGSCO cases with decisions since the last report to Committee in February 2024 to date this report was prepared. Details of all the decisions including recommendations, remedies and actions are shown at Annex 2.

7.2 The following were the findings and decisions determined by the LGSCO:

· Three were closed after initial enquiries with no further action

· Three were closed as out of the jurisdiction of the LGSCO

· Five were not upheld with either no fault or no further action

· One was premature

· Two were upheld with fault and injustice

7.3 The CGT undertakes ongoing work with CMT, Directorate Management Teams as well as with individual service areas to ensure that we share learning opportunities across the council and to identify areas for improvement from Ombudsmen cases.

8. Data protection and digital information bill https://publications.parliament.uk/pa/bills/cbill/58-03/0265/220265v2.pdf

8.1 The bill is currently in the Committee stage of the House of Lords and is expected to be passed in May and come into force shortly afterwards.

8.2 It will make changes to the current legislation and regulations shown below

· UK GDPR

· Data Protection Act 2018 (DPA 18)

· Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)

8.3 The likely changes are not on the same scale as for the implementation of GDPR pre-2018. However, the CGT has started this work and planning for the potential changes such as

· Review and update policies and procedures to ensure they reflect new or amended requirements

· Developing and implementing of a training plan

· Developing and implementing of a communications plan

8.4 Updates will be provided in future reports to this Committee however some of the potential changes to the current requirements are shown in Annex 3.

Consultation Analysis

9. No consultation was undertaken for this report. However, feedback from reports to CMT, meetings and discussions with managers informs this report.

10. Where required, internal and/or external consultation will be conducted to progress the work and actions required to comply with the improvement plan in response to the ICO enforcement notice.

Risks and Mitigations

11. The council has a duty to comply with the various aspects of complaints, data protection, privacy, and information governance related legislation. Failing to comply with these can result in Regulators and/or Ombudsmen taking actions against the council such as reprimands, enforcement action, monetary fines, financial remedies for individuals. Often these decisions and actions are published on the Regulator or Ombudsmen websites, as well as doing press releases and statements. This can lead to reputational damage, reduce the council’s overall effectiveness as well as a loss of trust in the council.

12. In some circumstances individual members of staff may be at risk of committing criminal offences for example if they knowingly or recklessly breach data protection legislation and compliance requirements or deliberately destroy, alter, or conceal a record after it has been requested.

13. Data protection impact assessments (DPIAs) are an essential part of our accountability obligations and is a legal requirement for any type of processing under UK GDPR. Failure to conduct a DPIA when required may leave the council open to enforcement action, including monetary penalties or fines. However, as there is no personal data, special categories of personal data or criminal offence data being processed for this performance report, there is no requirement to complete a DPIA.

Contact details

14. For further information please contact the authors of this Report.

Author

Name:	Lorraine Lunt
Job Title:	Information governance and feedback manager/DPO
Service Area:	Governance and Monitoring
Telephone:	01904 554145
Report approved:	Yes
Date:	10/05/2024