Agenda item

Data Protection Audit by the Information Commissioner’s Office

Decision:

That the Committee note the results of the ICO audit and the processes in place to monitor the agreed action plan to implement the recommendations made.

Minutes:

The Democracy & Governance Manager introduced a report on processes which had been put in place following the audit undertaken by the Information Commissioner’s Office (ICO) on Data Protection compliance.  He detailed the background to the audit, which had been carried out with the agreement of the Council, and the areas covered.  The report included a copy of the Executive Summary of the audit report together with details of actions to address the recommendations, which had also been submitted to the Corporate Resources Overview & Scrutiny Committee.  The audit had concluded that there was ‘reasonable assurance’ around the Council’s Data Protection processes and procedures, which was the second-best of the four categories of audit opinion.

 

The Democracy & Governance Manager said that the overall conclusion was positive as a red risk had previously been allocated in the Strategic Assessment of Risks & Challenges (SARC).  He said that actions were now in place to address the recommendations, for example where the iTrent system would be utilised to update records of Data Protection training.

 

The Chair congratulated officers for their efforts in reaching a positive outcome.  The Chief Executive said that Data Protection covered many areas of the Council and that improvements to corporate arrangements would be made.  The Head of Legal & Democratic Services added that the ICO had identified the involvement of Internal Audit on Data Protection work as one of the areas of good practice in Flintshire.

 

Following a query from Councillor A. Woolley, it was explained that out of the 38 recommendations made by the ICO, 15 had been implemented to date whilst some required longer-term actions.  The Democracy & Governance Manager had devised a folder system to help monitor how many recommendations had been implemented and signed off, which would be progressed at monthly meetings of the Data Protection team.  Involvement by Internal Audit would ensure that satisfactory progress was being made, culminating in a report to be agreed by the Corporate Management Team (CMT) for submission to the ICO by 17 January 2014.

 

In response to a query from Councillor G.S. Banks, the Democracy & Governance Manager explained that existing internal processes could be utilised to action some of the recommendations.  On training, Heads of Services were responsible for encouraging their teams to attend sessions with advice provided by the Data Protection team on the type of training required.  In respect of the Information Systems Examination Board Certificate in Data Protection, arrangements were now in place for three members of the Data Protection team to pursue this training.

 

Mr. P. Williams remarked that monitoring of actions was a key issue and suggested that the Committee receive a progress report in January 2014.  As work would be undertaken by Internal Audit at the end of the year to feed into the follow-up report to ICO, the Internal Audit Manager suggested that a report be brought to the Committee in March 2014.

 

RESOLVED:

 

That the Committee note the results of the ICO audit and the processes in place to monitor the agreed action plan to implement the recommendations made.
