Agenda item

To present to Full Council an update on proposals for IT changes. The ongoing work is aimed at reaching an outcome whereby members can undertake their role effectively, whilst ensuring that information held by the Council, is safe, secure and compliant with relevant legislation. This work will also include looking at various different IT solutions and the associated costs.

Minutes:

Council considered a report of the Portfolio Holder for Corporate Finance and Governance, which presented to it an update on proposals for IT changes. That ongoing work was aimed at reaching an outcome whereby Members could undertake their role effectively, whilst ensuring that information held by the Council was safe, secure and compliant with relevant legislation. This work would also include looking at various different IT solutions and the associated costs.

Council was aware that, like all modern twenty-first century organisations, it was reliant upon information, data and digital services to deliver its services.  The Council securely stored and held guardianship over some 60 terabytes of residents’, customers’, visitors’, Members’ and Officers’ personal and special category data. To put that into context, 60 terabytes of data represented the equivalent of 390 million document pages.

It was recognised that Members were reliant upon access to their emails to undertake their role as a Councillor.  Members also had a responsibility to ensure that the sometimes sensitive personal or organisational information that they were sent was kept safely and confidentially.

It was reported that throughout 2018-2021 the Council’s IT Service had implemented and achieved compliance with increasingly demanding NCSC technical security standards. The UK had adopted the UK Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR) on 25 May 2018. The key Principles of UK Data Protection legislation required that data was stored: lawfully, fairly and transparently; adequate, relevant and limited to what was necessary; accurate and, where necessary, kept up to date; kept in a form which permitted identification of data subjects for no longer than was necessary; and with ‘integrity and confidentiality’, using appropriate security to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Council was informed that the Department of Levelling Up, Housing and Communities (DLUHC) had commenced local authority security resilience audits in 2021.  In December 2021 the DLUHC ‘Health Check’ scan had identified the Council’s auto-forwarding of emails practice as a risk and had recommended that the practice be phased out as soon as possible. Those DLUHC local government cyber-security audits were being rolled-out to all authorities during 2023.

The original proposal to cease the auto-forwarding of emails had also emerged from an information governance / GDPR review undertaken by Internal Audit. The associated review, which supported that approach, had been undertaken in line with the Council’s existing risk management processes and had included input from the Council’s Data Protection Officer, Section 151 Officer, Internal Audit Manager and Senior Information Risk Owner (SIRO).

Members were made aware that Internal Audit’s findings and the DLUHC audit had been considered and agreed by the Audit Committee which, after considering the matter at its January 2020 meeting, had resolved that:

“The Committee supports the implementation, as soon as possible, of the proposal set out within the report for providing the necessary IT equipment and training to Members to ensure that only Council equipment is used when conducting Council business in order to reduce the financial and reputational risk associated with processing personal data.”

Subsequently, the March 2022 Corporate Risk Register had reported the need to cease the practice of auto-forwarding of Councillors’ emails.

Council was advised that the UK Data Protection legislation (6th Principle) required that information and data were processed in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, through using appropriate technical or organisational measures (integrity and confidentiality). In all matters of council business, the Council was the Data Controller and had a legislative responsibility to ensure, and to evidence, that information was being managed and protected in accordance with the principles of the legislation.

The risk of cyber-attack was not new, but it was escalating in terms of frequency, severity and complexity. To counter those sophisticated attacks the Council’s protected domain used a range of best-of-breed, commercial-grade security services from multiple vendors.

It was noted that the original proposal of ceasing auto-forwarding of emails had been met with concern from some Members, who felt that it might curtail their ability to access information and fulfil their role. Therefore, the Portfolio Holder had instructed Officers to explore different solutions (including developing an app through which Members could access their emails securely on their own devices), whilst being mindful of ensuring the security of such information and protection against cyber-attacks.

The Resources and Services Overview and Scrutiny Committee had included Cyber-security in their work programme. In consultation with the Chairman of that Committee (Councillor M E Stephenson), it was proposed that their remit be extended to include the issue of Members’ access to their information and the alternative solutions available, mindful of the recommendations of the Audit Committee and the issues of confidentiality, Data Protection and cyber security. All Members would have the opportunity to have an input into this and any recommendations would be brought back to a future Council meeting.

As this Council had all-out elections in May 2023, it was proposed that any and all changes would be implemented for the newly elected Council.

It was also proposed that a workshop be scheduled for all Members to highlight the requirements of Data Protection and the prevalent issues of cyber breaches and security requirements. This would assist in mitigating the risks of breaches.

In terms of the proposed review by the Resources and Services Overview and Scrutiny Committee, it was highlighted that the Council’s existing adopted Risk Management Framework sought to address a number of key elements, such as the identification of risks, the analysis of those risks and whether they could be ‘tolerated’ or needed to be ‘treated’, etc., with the latter including reviewing potential options. With the above in mind, it was felt logical and pragmatic to structure the proposed review around those existing risk management principles, which formed part of the original work undertaken by Officers and the Audit Committee. That approach would also complement a wider review of various cyber related issues as part of the Cyber Assessment Framework recently published by the National Cyber Security Centre (NCSC), which had been considered at the first meeting, on 27 October 2022, of the Resources and Services Overview and Scrutiny Committee’s Cyber Security Task and Finish Group.

Members were invited to submit any comments or thoughts on the subject of cyber security and email forwarding for the Resources and Services Overview and Scrutiny Committee Task and Finish Working Group to take into consideration.

During the debate on this matter, Councillors G V Guglielmi, Talbot, Turner, Baker, I J Henderson, Clifton, Miles, Porter, Scott, Chapman BEM and Stock OBE addressed the Council.

With the acquiescence of the Chairman, Councillor G V Guglielmi read out a statement on behalf of the Chairman of the Audit Committee (Councillor Coley) who had been unable to attend the meeting.

It was moved by Councillor G V Guglielmi, seconded by Councillor Stock OBE and:-

RESOLVED that –

1.    Full Council acknowledges that the ongoing risk of the Council, in acting as Data Controller, could potentially be in breach of the Data Protection Act 2018 remains, whilst the auto-forwarding of Councillor emails practice continues; 

2.    the Resources and Services Overview & Scrutiny Committee extend its work programme of cyber security to include reviewing the different proposals of Members’ access to emails, in line with the Council’s Risk Management Framework, and make recommendations to Cabinet and Council along with relevant costings;

3.    such proposals be mindful of the recommendations of the Audit Committee, Data Protection Act requirements and cyber security;

4.    a workshop be scheduled for all Members to ensure awareness of the requirements of the Data Protection Act 2018 and cyber security; and

5.    the implementation of any and all changes required be planned for no later than 1st April 2023 in readiness for the commencement of the new Council, following the elections in 2023 and that the new Councillors be given the training as detailed in 4 above.
