Audit and Governance Committee

17 February 2021

 

 

Report of the Director of Governance

 

 

 

 

Information Governance and Complaints

1.      Summary

1.1    This report provides Members with updates in respect of:

·        Information governance performance

·        Information Commissioners Office (ICO) decision notices from last report November 2020 to date of this report

·        Publishing of disclosure log

·        Local Government and Social Care Ombudsman (LGSCO) and Housing Ombudsman cases from last report November 2020 to date of this report

·        Other updates from information governance and complaints team

 

2.      Information Governance Performance

 

2.1    The council publishes performance data on timeliness for responding to requests made under Freedom of Information Act (FOI), Environmental Information Regulations (EIR) and Data Protection Act subject access to records requests (SARs), via the York Open Data platform via the below link. 

 

https://data.yorkopendata.org/group/freedom-of-information

 

2.2    At Committee in November 2020, we provided the reports in a graphical format and from the further comments provided, I have amended these into another style for further comments and feedback and they are at Annex 1.

 

2.3    There has been an increase to 555 in this reporting quarter (October to December 2020) for the combined number of FOI and EIR requests received, compared to 486 in July September 2020.   It is also an increase on the number we received last year between October to December 2019, which was 473 (not on Annex 1).

 

2.4    Given the impacts of covid 19 on resources and capacity as well as the increase in requests received, we continue to maintain an over 80% performance for responses being provided within the timescales set out in the legislation.  For October to December 2020, this was 81.68% and is only a small decrease from the same months in 2019 (not on Annex 1), of 84.84%. 

 

2.5    Since the last report to Committee, work is still not yet complete across different information governance networks and groups in the Yorkshire and Humberside region regarding sharing of performance information that is informative and useful.  I will continue to update the Committee on the progress of the regional work when available.

 

3.      ICO decision notices

 

3.1    If someone is unhappy with the response they receive in relation to an FOI, EIR or SAR request, or if they want to raise a complaint under data protection legislation in relation to the rights of individuals, there is an opportunity to seek an internal review and then to complain to the ICO. The ICO publishes their decision notices and their full reports are available on the following link

 | Search | ICO

 

3.2    Since the last report in November, the ICO has published one decision notice for the council and the summary is available at Annex 2.

 

3.3    This decision notice upheld the complaint and we have complied with the ICO’s findings.  We will ensure that the learning from this decision notice is applied to other relevant requests for information.

 

4. Publishing the disclosure log

 

4.1    We continue to monitor the published ‘disclosure log’ online in ‘plain text’ which meets the accessibility standards and to understand customer appetite and demand. The disclosure log complements the existing online form, which allows customers an easy online method to request information.  I will provide an update to Committee later this year.

 

5.      Complaints

 

5.1    Local Government and Social Care Ombudsman (LGSCO) and Housing Ombudsman decisions and recommended actions, from the last report to Committee in November, to the date of this report are shown at Annex 3.

 

5.2    There was one case determined by the Housing Ombudsman and six cases determined by the LGSCO in the time period of 7th November 2020 (date previous report to Committee was prepared) to date of this report. 

 

5.3    Of these seven cases, two were closed after the LGSCO’s initial enquiries and five were upheld with recommendations and/or remedies.  These are shown in Annex 3 under the actions column.  It is worth noting that in one upheld case the Ombudsman noted the council had already put in place the remedies.

5. 4   The team continue to work with the Corporate Management Team, Directorate Management Teams as well as with individual service areas to identify areas for improvement or shared learning opportunities. 

 

5.5    We are progressing with the implementation of the new corporate toolkit for the 4Cs – complaints, concerns, comments and compliments following this Committee’s unanimous support in November.  We have also now been to the Customer and Corporate Services Scrutiny Management Committee on 8th February 2021 who also supported the move to the new corporate toolkit. 

 

5.6    I will provide a report to both these Committees later this year on the performance of the new corporate toolkit.

 

6.      Other updates

 

6.1    The council’s Senior Information Risk Owner (SIRO) is now Janie Berry.  This role comes from Health and Social Care (Information Governance) measures that were identified to strengthen information assurance controls for information assets, and applies to all organisations completing the NHS Data Security and Protection Toolkit (DSPT) and processing NHS patient information.  This role works closely with other roles in the council e.g. Data Protection Officer (DPO), Caldicott Guardian (CG) and Information Asset Owner(s) and we are now working on an action and implementation plan, to ensure the SIRO can  

 

·        Lead & promote a culture that values, protects and uses information for the benefit of customers and staff

·        Advise the council on information risk issues

6.2    This will include regular reporting to ensure CMT are adequately briefed on information risk issues.  This SIRO report will be included as part of this report to Committee on at least an annual basis. 

 

6.3    Following on from the support and approval to implement the corporate toolkit for complaints, concerns, comments and compliments (the 4Cs) from April, previous comments and feedback on information governance performance reports and new requirements for a SIRO report, we are now working on what our performance report needs to contain and look like.  This template will be provided in the next report to Committee in July, and then from September onwards, Committee will receive the completed template for the relevant time period.  This gives us the opportunity to seek your comments on the new template as well as time to collate and analyse the first quarter information.  

 

6.4    We are continuing to work on embedding good records management across the council and have recently updated our file naming strategy as well as how to classify information which supports the wider work on Microsoft 365 rollout.   We also meet regularly with York Explore /Archives so that we can work together better in the areas of transferring records to them as well as digital records continuity and preservation.

 

6.5      As a public authority able to use investigatory powers, (Investigatory Powers Act 2016 but sometimes still referred to as RIPA from the Regulation of Investigatory Powers Act 2000) we are required to submit annual statistics on our level of use of these powers, to the Investigatory Powers Commissioner (IPCO).  This was completed and returned for the end of January 2021 deadline and go into the IPCO’s next Annual Report to Parliament. 

 

6.6    There are changes to this IPCO annual return required ahead of the next submission which means we need to include the statutory purpose or grounds for each use of investigatory powers we are given.  This will be included in the work that is underway with teams across the council, on the processes and procedures in place for managing and monitoring both RIPA and Covert Human Intelligence Source (CHIS) requests.

 

6.7    We will launch soon an online tool to support the completion of data protection impact assessments (DPIAs).  This will support our ability to evidence where and how we have integrated data protection into our processing activities and business practices, and so demonstrate “data protection by design and default”.   It will enable more robust and timely risk assessments to be undertaken and a more effective way to report on risks and ensure appropriate actions are taken to mitigate these risks.

 

6.8    The complaints, feedback and information governance team have recently updated their name to reflect their corporate role and are now the Corporate Governance Team and so, we are asking Committee if we can also change the title of this regular report to Corporate Governance Report

 

7.      Consultation

Not relevant for the purpose of this report.

 

8.      Options    

Not relevant for the purpose of this report.

9.      Analysis

Not relevant for the purpose of this report.

 

10.    Council Plan

10.1  The council’s information governance framework offers assurance to its customers, employees, contractors, partners and other stakeholders that all information, including confidential and personal information, is dealt with in accordance with legislation and regulations and its confidentiality, integrity and availability is appropriately protected.

11.    Legal Implications

The Council has a duty to comply with the various aspects of information governance related legislation.

 

12.    Risk Management

The council may face financial and reputational risks if the information it holds is not managed and protected effectively.  For example, the ICO can currently impose civil monetary penalties up to 20million euros for serious data security breaches.  The failure to identify and manage information risks may diminish the council’s overall effectiveness and damage its reputation.  Individual(s) may be at risk of committing criminal offences.

 

13.    Recommendations

Members are asked:

·        To note the details contained in this report.

·        To agree the change of title for this report.

 

Contact Details

 

Author: Lorraine Lunt

Information Governance & Feedback Team Manager   

Telephone: 01904 554145

 

Chief Officer Responsible for the report: Janie Berry, Director of Governance

 

 

 

 

 

 

 

 

 

 

 

Report Approved

Date

12 February 2021

 

 

 

 

Wards Affected:  List wards or tick box to indicate all

All

 

 

 

For further information please contact the author of the report

 

 

Annexes

Annex 1 – FOI/EIR/SAR performance

Annex 2 – ICO decision notices summaries

Annex 3 – Ombudsmen cases

 

Background Information

Not applicable