Audit and Governance Committee

14th April 2021



Report of the Director of Governance





Corporate Governance Report  

1.      Summary

1.1    This report provides Members with updates in respect of:

·        Information governance performance

·        Information Commissioner’s Office (ICO) decision notices from the last report in February 2021 to the date of this report

·        Local Government and Social Care Ombudsman (LGSCO) and Housing Ombudsman cases from the last report in February 2021 to the date of this report

·        The new 4Cs

·        NHS Digital data security and protection toolkit

·        Review of the council’s RIPA policy and procedures


2.      Information Governance Performance


2.1    The council publishes performance data on the timeliness of responses to requests made under the Freedom of Information Act (FOI), the Environmental Information Regulations (EIR) and Data Protection Act subject access to records requests (SARs) on the York Open Data platform, via the link below.


2.2    Following feedback at Committees in November 2020 and in February 2021, we have provided the reports in a graphical format at Annex 1.


2.3    There has been an improvement in the combined FOI and EIR timeliness of responses from 81.68% in the previous reporting quarter (October to December 2020) to 83.50% in this reporting quarter (January to March 2021).  There has also been a significant improvement in the timeliness of SAR responses over the same reporting quarters, from 72.73% to 90.00%.


2.4    The yearly performance figures for both April 2019 to March 2020 and April 2020 to March 2021 are shown on page 2 of Annex 1.  The comparison of the annual figures shows that, despite there being only a very small decrease in the number of requests received during the Covid-19 restrictions and the council’s response to those, there has only been a small drop in our overall annual performance for timeliness of responses for FOIs, EIRs and SARs.


2.5    Since the last report to Committee, work is not yet complete across different information governance networks and groups in the Yorkshire and Humberside region regarding the sharing of performance information that is informative and useful.  I will continue to update the Committee on the progress of the regional work when available.


3.      ICO decision notices


3.1    If someone is unhappy with the response they receive in relation to an FOI, EIR or SAR request, or if they want to raise a complaint under data protection legislation in relation to the rights of individuals, there is an opportunity to seek an internal review and then to complain to the ICO. The ICO publishes its decision notices, and the full reports are available at the following link:


Search | ICO


3.2    Since the last report in February 2021, there have been no published decision notices by the ICO.


4.      Ombudsmen cases


5.1    Local Government and Social Care Ombudsman (LGSCO) decisions and recommended actions, from the last report to Committee in February 2021, to the date of this report are shown at Annex 2.  There were no Housing Ombudsman Services decisions during this time.


5.2    Of the eight cases investigated and determined by the LGSCO, four were closed after LGSCO’s initial enquiries and four were upheld with recommendations and/or remedies shown in Annex 2 in the actions column.

5.4    The Corporate Governance Team continue to work with the Corporate Management Team, Directorate Management Teams as well as with individual service areas to identify areas for improvement or shared learning opportunities.


6.      The new 4Cs


6.1    Following the approval of both Audit and Governance Committee and Customer and Corporate Services Scrutiny Management Committee, the updated Corporate Complaints and Feedback policy and procedures were implemented on 1st April 2021.  The 4Cs (complaints, concerns, comments and compliments) toolkit sees us move from a hierarchical and rigid three-stage process, which is increasingly being criticised, to a more effective process that is responsive to both the nature of the complaint and the individual complainant’s needs, and that uses an assessment method to grade complaints at grade 1 or grade 2 with appropriate timescales.


6.2    We are working with the business intelligence team on the new performance and quality reports and will provide the format and content of these in the next Corporate Governance Report to Committee in July, for your comments and feedback.  We will then make any further amendments to the new style report and populate it for the next report due in September 2021.


7.      NHS Digital data security and protection toolkit  


7.1    We have submitted and published the council’s annual assessment, including evidence for this toolkit.  This annual assessment is for all health, care and social care organisations to ensure they can demonstrate that they are putting into practice the 10 data security standards recommended by the National Data Guardian. 


7.2    We have successfully maintained the required assurance level. An action plan for April 2021 to March 2022 will be produced and monitored through the Governance Risk and Assurance Group (GRAG), and a report will be provided to Committee as part of this Corporate Governance report.


8.      Review of RIPA policy and procedures


8.1    This policy and its procedures apply the provisions of the Regulation of Investigatory Powers Act 2000 (RIPA) as it relates to covert surveillance and certain covert powers under RIPA and the Investigatory Powers Act 2016 (IPA).  These are available to the council and can be used in appropriate circumstances, in accordance with the requirements of the legislation, to support the delivery of our functions.  The review underway is to ensure we have effective and efficient processes (including the provision of training) in place for the operation of the council’s actions with regard to covert surveillance and Covert Human Intelligence Sources (CHIS) and that we meet the Investigatory Powers Commissioner’s Office (IPCO) requirements for these.  We will provide an update on this in a future report to Committee.


8.2    Training will be provided in May 2021 to council staff who will be responsible for making any applications under these provisions and also to those who will authorise them.


9.      Consultation

Not relevant for the purpose of this report.


10.    Options    

Not relevant for the purpose of this report.

11.    Analysis

Not relevant for the purpose of this report.


12.    Council Plan

12.1  The council’s information governance framework offers assurance to its customers, employees, contractors, partners and other stakeholders that all information, including confidential and personal information, is dealt with in accordance with legislation and regulations and that its confidentiality, integrity and availability are appropriately protected.

13.    Legal Implications

The Council has a duty to comply with the various aspects of data protection, privacy and information governance related legislation.


14.    Risk Management

The council may face financial and reputational risks if the information it holds is not managed and protected effectively.  For example, the ICO can currently impose civil monetary penalties up to 20 million euros for serious data security breaches.  The failure to identify and manage information risks may diminish the council’s overall effectiveness and damage its reputation.  Individual(s) may be at risk of committing criminal offences.


15.    Recommendations

Members are asked:

·        To note the details contained in this report.

Contact Details


Author: Lorraine Lunt

Information Governance & Feedback Team Manager   

Telephone: 01904 554145


Chief Officer Responsible for the report: Janie Berry, Director of Governance










Report Approved



31st March 2021










For further information please contact the author of the report




Annex 1 – FOI/EIR/SAR performance

Annex 2 – Ombudsmen cases


Background Information

Not applicable