City of York Council


Audit and Governance Committee

Meeting date:


Report of:

Director of Governance

Portfolio of:

Cllr Douglas
Leader, responsible for Strategy, Policy, and Partnerships

Audit and Governance Committee Report: Corporate Governance Performance Report

Subject of Report


1.   This report provides Members with updates in respect of:

·        Corporate Governance performance report

·        Information Commissioner’s Office cases

·        Ombudsmen cases

·        Potential new and emerging data protection and digital information legislation   


Policy Basis


2.   Having appropriate processes and procedures in place to ensure the council:

·        investigates and responds to complaints (corporate, adults social care and children’s social care), comments, compliments and concerns, and Ombudsmen cases

·        manages and monitors valid and in time responses to all FOI and EIR requests and other requests for information or information disclosure

·        provides support, advice and guidance for data protection and privacy compliance

·        provides assurance to customers, employees, contractors, partners, and other stakeholders that all information, including confidential and personal information, is dealt with in accordance with legislation and regulations and its confidentiality, integrity and availability is appropriately protected.


3.   Compliance is aligned to the current and draft Council Plan which is part of the council’s corporate code of governance. This also then aligns with the 10-year Plan (York 2032) such as performance management and service planning.


Recommendation and Reasons


4.   Members are asked:


4.1        To note the details contained in this report.

4.2        To provide any comments or feedback from this report.


Reason: So that Members are provided with details and current performance from the Corporate Governance Team.





5.   Corporate Governance Performance report


5.1    The full performance indicators are available on York Open Data at 


5.2    Please see the performance report for Quarters 1, 2, 3 and 4 covering April 2023 to March 2024 at Annex 1.


5.3    As set out in the report to Committee in February, the performance report has changed. The changes arise from comments and feedback, guidance published by the ICO on collecting and reporting on key data, and the ongoing configuration, build and testing of performance reports following the implementation of a change to the case management system.


5.4    The ongoing configuration, build and testing for performance reporting is taking longer than anticipated due to priorities and deadlines for the CGT’s caseload and impacts on this from our staffing resource and capacity. We will continue to progress this work to provide more detailed reporting going forward.


5.5    However, I can confirm that the performance data reported to this Committee and published for FOI/EIR does meet the legislative requirements set out in part 8.5 of the section 45 code of practice, as well as the additional ICO guidance “How to report on your performance on handling requests for information under FOIA 2000 | ICO”, such as the number of requests subject to FOIA or EIR, the time period that the data is split into and performance against statutory timescales for FOI/EIR.


5.6    There has been a continuous and sustained improvement in both the number of FOI/EIR and data protection subject access to records (SAR) requests responded to within the statutory timescale each quarter throughout the full year reporting period of March 2023 to April 2024.


5.7    There has been an increase this quarter in the number of complaints received and dealt with under the children’s social care services legislation:

·        The Children Act 1989 Representations Procedure (England) Regulations 2006


5.8    There has been a decrease in the number of complaints received and dealt with under the adults’ regulations:

·        The Local Authority Social Services and National Health Service Complaints (England) Regulations 2009


5.9    The numbers of complaints received are influenced by factors such as increased demand on council services and the restrictions the current budget and financial circumstances are placing on these services.


6.   Information Commissioner’s Office cases


6.1    Progress on our improvement plan, following the now fully complied-with requirements of the ICO enforcement notice, is published on the council website at “Information Commissioner’s Office (ICO) enforcement notice and improvement plan – City of York Council”.


6.2    The ICO has published no decision notices about the council’s handling of, and responses to, FOI/EIR requests since the last report to Committee in February 2024. There has also been no other ICO regulatory action against the council. You can find out more about what actions the ICO can take at “Action we've taken | ICO”.


7.   Ombudsmen cases


7.1    There were no Housing Ombudsman Service (HOS) cases and fourteen LGSCO cases with decisions between the last report to Committee in February 2024 and the date this report was prepared. Details of all the decisions, including recommendations, remedies and actions, are shown at Annex 2.


7.2    The following were the findings and decisions determined by the LGSCO:

·        Three were closed after initial enquiries with no further action

·        Three were closed as out of the jurisdiction of the LGSCO

·        Five were not upheld with either no fault or no further action

·        One was premature

·        Two were upheld with fault and injustice


7.3    The CGT undertakes ongoing work with CMT, Directorate Management Teams as well as with individual service areas to ensure that we share learning opportunities across the council and to identify areas for improvement from Ombudsmen cases.


8.   Data protection and digital information bill


8.1        The bill is currently in the Committee stage of the House of Lords and is expected to be passed in May and come into force shortly afterwards.


8.2        It will make changes to the current legislation and regulations shown below:


·        UK GDPR

·        Data Protection Act 2018 (DPA 18)

·        Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)


8.3        The likely changes are not on the same scale as for the implementation of GDPR pre-2018. However, the CGT has started work and planning for the potential changes, such as:


·        Reviewing and updating policies and procedures to ensure they reflect new or amended requirements

·        Developing and implementing a training plan

·        Developing and implementing a communications plan


8.4        Updates will be provided in future reports to this Committee; however, some of the potential changes to the current requirements are shown in Annex 3.


Consultation Analysis


9.      No consultation was undertaken for this report. However, feedback from reports to CMT, meetings and discussions with managers informs this report.


10.    Where required, internal and/or external consultation will be conducted to progress the work and actions required to comply with the improvement plan in response to the ICO enforcement notice.


Risks and Mitigations


11.    The council has a duty to comply with the various aspects of complaints, data protection, privacy, and information governance related legislation. Failing to comply with these can result in Regulators and/or Ombudsmen taking actions against the council such as reprimands, enforcement action, monetary fines and financial remedies for individuals. Often these decisions and actions are published on the Regulator or Ombudsmen websites, as well as in press releases and statements. This can lead to reputational damage, reduced overall effectiveness and a loss of trust in the council.


12.    In some circumstances individual members of staff may be at risk of committing criminal offences, for example if they knowingly or recklessly breach data protection legislation and compliance requirements, or deliberately destroy, alter, or conceal a record after it has been requested.


13.    Data protection impact assessments (DPIAs) are an essential part of our accountability obligations and are a legal requirement for any type of processing under UK GDPR. Failure to conduct a DPIA when required may leave the council open to enforcement action, including monetary penalties or fines. However, as there is no personal data, special categories of personal data or criminal offence data being processed for this performance report, there is no requirement to complete a DPIA.


Contact details


14.    For further information please contact the authors of this Report.





Lorraine Lunt

Job Title:

Information governance and feedback manager/DPO

Service Area:

Governance and Monitoring


01904 554145

Report approved:




Background papers


No papers, but links to the background information referred to in the report are listed below:


section 45 code of practice


How to report on your performance on handling requests for information under FOIA 2000 | ICO


Information Commissioner’s Office (ICO) enforcement notice and improvement plan – City of York Council



·        Annex 1 – Performance report (no pages are exempt)

·        Annex 2 – Ombudsmen cases (no pages are exempt)

·        Annex 3 - Data protection and digital information bill (no pages are exempt)



DPIAs - Data protection impact assessments

ICO - Information Commissioner’s Office

CMT – Council Management Team

CGT – Corporate Governance Team

UK GDPR – United Kingdom General Data Protection Regulation

DPA 18 - Data Protection Act 2018

PECR - Privacy and Electronic Communications (EC Directive) Regulations 2003

HOS - Housing Ombudsman Service

LGSCO – Local Government and Social Care Ombudsman

FOI – Freedom of Information Act

EIR – Environmental Information Regulations

SAR – (Data) Subject Access Request