Audit and Governance Committee


29th June 2022


Report of the Director of Governance





Corporate Governance Report  

1.      Summary

1.1    This report provides Members with updates in respect of:

·        Corporate Governance performance indicators update

·        Information Commissioner’s Office (ICO) published decision notices

·        Ombudsman cases from the last report in April 2022 to the date of preparing this report on 16th June 2022

·        NHS Digital data security and protection toolkit



3.      Corporate Governance Performance Indicators Update


3.1    The performance indicators report for the full reporting year April 2021 to March 2022 is attached at Annex 1.


3.2    We identified a wider set of indicators and datasets which are now included on the regular external publication of information through York Open Data. 


3.3    Updated indicators linked to the Council Plan are now published on York Open Data.   These are

·        IG22a - % of Grade 1 4Cs Complaints responded to 'In Time' – which is available at


·        FOI02 - FOI & EIR % Requests responded to In time - (YTD) – which is available at


3.4    We are working with internal audit to provide improved quality assurance and monitoring of FOI and EIR responses, which will also assist the Corporate Governance Team to identify, in a timelier way, specific support and guidance for managers across the council.


3.5    We have made improvements in the number of corporate complaints (4Cs) responded to in time, as well as in adults social care complaints compared to last year 2021 to 2022. 


3.6    We have maintained over 80% in time performance for responding to both FOIs and EIRs and continue to work with service areas to improve this further.


3.7    We are working closely with managers across the council to provide additional targeted support and guidance where we have identified areas for improvement in both complaints and information governance handling. 


4. ICO published decision notices


4.1    If someone is unhappy with the response they receive in relation to an FOI, EIR or SAR or if they want to raise a complaint under data protection legislation in relation to the rights of individuals, there is an opportunity to seek an internal review and then to complain to the ICO. The ICO publishes their decision notices and full reports on their website.


4.2    From the date of the previous report to Committee up to the date of preparing this report on 16th June 2022, there was one published decision notice. The summary of this is at Annex 2 and the full report can be found at

ic-84867-h4v1.pdf


4.3    This decision notice was in respect of an Environmental Information Regulation (EIR) request. Whilst the ICO found that the council was correct in its use of some exceptions to withhold the information from parts of the request, it found against the council for other parts.


5.      Ombudsmen cases


5.1    Local Government and Social Care Ombudsman (LGSCO) decisions from the last report to Committee in are shown in Annex 3.  There were no Housing Ombudsman Services decisions during this time.


5.2    Of the eleven cases determined by the LGSCO, one was not upheld and seven were closed after the LGSCO’s initial enquiries as either out of their jurisdiction or no further action needed. There were three cases that were upheld and had recommendations and/or remedies.  Details of the recommendations and/or remedies are shown at Annex 3.

5.3    The Corporate Governance Team undertakes ongoing work with the Corporate Management Team, Directorate Management Teams as well as with individual service areas to ensure that we share learning opportunities across the council and to identify areas for improvement from Ombudsmen cases.


6.      NHS Digital data security and protection toolkit 


6.1    The council must submit and publish an annual assessment, including evidence for this toolkit.  All organisations that have access to NHS patient data and systems must use this toolkit to provide an annual assurance with evidence, that they are practising good data security and that personal information is handled correctly.


6.2    It also allows all health, care and social care organisations to ensure they can demonstrate that they are putting into practice the 10 data security standards recommended by the National Data Guardian. 


6.3    We are on track to maintain the required assurance level and publish by 30th June 2022.  An update will be provided to Committee as part of a future Corporate Governance report.


6.4    For next year’s annual submission, we will be working closely with internal audit to provide further assurances and assertions of our data security and data protection controls and evidence, against the requirements of the Toolkit.  There is a framework for independent assessors and auditors that outlines how evidence items could be tested including how they should use their professional judgement and knowledge of the organisation being assessed.  Outcomes from this work will be provided to this Committee in future reports.


7.      Consultation

Not relevant for the purpose of this report.


8.      Options    

Not relevant for the purpose of this report.

9.      Analysis

Not relevant for the purpose of this report.


10.    Council Plan

10.1  The council’s corporate governance service offers assurance to its customers, employees, contractors, partners, and other stakeholders that all information, including confidential and personal information, is dealt with in accordance with legislation and regulations and its confidentiality, integrity and availability is appropriately protected.

11.    Legal Implications

11.1 The Council has a duty to comply with the various aspects of complaints, data protection, and privacy and information governance related legislation.


12.    Risk Management

12.1  The council may face financial and reputational risks if the information it holds is not managed and protected effectively or if it does not respond to complaints effectively.  For example, the ICO can currently impose civil monetary penalties for serious breaches and / or take enforcement actions.  Ombudsmen can impose financial remedies and/or individuals may be at risk of committing criminal offences.  The failure to identify and manage information risks or respond to complaints effectively, may diminish the council’s overall effectiveness and damage its reputation. 


12.    Recommendations

12.1              Members are asked:

12.1.1               To note the details contained in this report.

12.1.2               To provide any further feedback for future reporting.










Contact Details


Author: Lorraine Lunt

Information Governance & Feedback Team Manager   

Telephone: 01904 554145


Chief Officer Responsible for the report: Janie Berry, Director of Governance








Report Approved


16th June 2022









For further information please contact the author of the report




Annex 1 – Corporate Governance performance indicators summary

Annex 2 – Information Commissioner’s Office (ICO) published decision notice

Annex 3 – Ombudsmen cases


Background Information

Not applicable