Agenda item

To enable the Council to consider the recommendations of the Cabinet in relation to cyber security for the Council.

Further to the decisions of Council on 22 November 2022 (Minute 55 referred), Members received recommendations arising from the Overview and Scrutiny enquiry into cyber security together with the outcome of the consideration of those recommendations by Cabinet at its meeting held on 17 February 2023 (Minute 122 referred).

 

It was reported that, in accordance with the decision of Council on 22 November 2022 (referred to above), the Resources and Services Overview and Scrutiny Committee had extended its work programme enquiry into cyber security in order to include reviewing the different proposals of Members’ access to emails, in line with the Council’s Risk Management Framework.  That enquiry had been undertaken by a Task and Finish Group comprised of Councillors Clifton (Chairman), Amos, Coley, Griffiths and Wiggins.  The Task and Finish Group had met four times and had submitted its report to the Resources and Services Overview and Scrutiny Committee at a meeting of that Committee held on 1 February 2023. 

 

The Resources and Services Overview and Scrutiny Committee, pursuant to the decision of Council on 22 November 2022, had then submitted its recommendations arising from the cyber security enquiry to Cabinet on 17 February 2023 and also to this meeting of Council. That Committee had resolved –

 

“That Cabinet –

 

a)    requests, that as soon as is possible, the Human Resources and Council Tax Committee with appropriate officers looks at the salaries being offered for the advertised and unfilled senior IT posts, including cyber security senior technical positions;

 

b)    endorses that by 31 March 2023 a Portfolio Holder Cyber Security Working Group be established to periodically review the Council’s cyber security performance against the Cyber Assessment Framework (CAF) and/or emerging mandatory security improvements and requirements;

 

c)    requests that by 31 July 2023 the Council’s Information Retention Policy be reviewed/ revised with due regard to UK Data Protection Act 2018 data ‘minimisation’ ‘accuracy’ and ‘storage limitation’ and applied throughout the organisation;

 

d)    requests that by 31 May 2023 individual (non-generic) account access technologies be costed for accessing TDC terminals in locations such as leisure centres where numerous users sharing a terminal due to a retail environment operational need; 

 

e)    requests that, commencing no later than May 2023 following the election of the new Council, Cyber Security and Information Governance training for all Members after every election and for staff in their inductions be introduced with periodic refresher training for both which will be made mandatory;

 

f)     requests the Council’s Monitoring Officer to review existing Member guidance and explore Member training opportunities as to what constitutes party political activities in the context of using a TDC email account;

 

g)    endorses that as soon as possible the new Cyber Incident Response Plan (CIRP) be adopted.

 

That Cabinet recommends to Full Council that –

 

h)    post-May 2023 local elections under the newly elected Council that Members’ practice of auto-forwarding of emails be ceased;

 

i)     subject to the associated funding of £8,000 being identified, that the preferred Option 2 i.e. the provision of a standard council-managed mobile Smartphone in addition to a council-managed laptop be provided to those Members that want one to access emails and to be contactable when mobile; or

 

j)     as an alternative to i above, that should it not prove possible to fund the Smartphone costs centrally, then each Member requesting a standard council-managed mobile Smartphone be asked to fund the cost from their Allowances (circa two hundred pounds per annum).”

 

Cabinet had had before it at its meeting held on 17 February 2023 the following comments submitted by the Portfolio Holder for Corporate Finance & Governance:-

 

“I would like to thank the Committee for the work it has undertaken in setting up the task and finish group chaired by Councillor Clifton, who looked at the various aspects and complexities of cyber security in a relatively short period of time.

 

In respect of the recommendations a) to g), they reflect a pragmatic and reasonable approach to supporting the Council’s cyber security arrangements, so I am therefore supportive of taking the various activities forward in 2023/24.

 

Recommendations h) to j) of the Resources and Services Overview and Scrutiny Committee will be presented for consideration at Full Council on 2 March 2023 [Note: as set out above].

 

In respect of recommendation h), this reflects the position I have mentioned on a number of occasions over recent months. I appreciate the frustration that many Members have previously expressed, but I believe that the risk of continuing with the forwarding of emails to personal emails account is too great for various reasons, not least because of UK Data Protection legislation compliance, but also recognising freedom of information issues that have been highlighted by the ICO. Not only that, but the world of cyber security will keep evolving and there will be adverse consequences if we continued with current practices. We therefore need to remain alert to both current and future risks.

 

Furthermore, if a breach was to take place the Council would be potentially liable to hefty fines by the ICO.

 

I note that the following 4 options relating to how Members can access their Tendring District Council emails that were considered by the task and finish group:

 

1.      Use of council managed laptops only

2.      All members be provided with a Council managed smart phone

3.      Introduce a ‘Bring Your Own Device’ Service Framework

4.      A Member web ‘portal’ app

 

Whilst acknowledging the Committee’s practical recommendation of the provision of Council managed smartphones, in striking a pragmatic balance along with recognising how Members are increasingly reliant upon flexible access to their emails to effectively undertake their role as a Councillor, I would be supportive of exploring Option 4 above in more detail as a possible alternative. Although the provision of a mobile phone would provide a practical solution, I understand the frustration of some members where they are juggling more than one email account to reflect their ‘political’ roles with that of a being a ward Councillor along with trying to undertaking that role efficiently. The responsibilities of Portfolio Holders giving direction and making decisions within their individual areas has also been taken into account.

 

In recognition of the above, I am therefore proposing that Officers also explore in more detail the option of a Members’ ‘portal’ as a flexible way for Members’ to continue to use their own devices to access their Tendring District email account.

 

Following the Council’s consideration of the associated report at their meeting on 22 November 2022, the following resolution was agreed:

 

‘the implementation of any and all changes required be planned for no later than 1st April 2023 in readiness for the commencement of the new Council, following the elections in 2023 and that the new Councillors be given the training’.

 

My proposed approach will have an impact on the above, which is addressed in my recommendations.”

 

Having duly considered the recommendations submitted to Cabinet by the Resources & Services Overview and Scrutiny Committee, together with the response and recommendations of the Corporate Finance & Governance Portfolio Holder thereto, Cabinet had:-

 

“RESOLVED that –

 

a)  the Resources and Services Overview and Scrutiny Committee be thanked for the work they have undertaken and specifically the Members who participated in the associated task and finish group, chaired by Councillor Clifton;

 

b)  the Committee’s recommendations a) to g) are agreed and Officers be requested to undertake the associated activities as soon as practicable in 2023/24 in consultation with the Portfolio Holder for Corporate Finance and Governance;

 

c)   in respect of the Committee’s recommendations h) to i), it is recommended to Full Council that:

 

i)       although it is recognised that the provision of mobile phones would provide a practical solution to enable Members to access their Tendring email accounts, Officers be requested to also explore the alternative option of a Members ‘portal’ before a final decision can be considered;

 

ii)      subject to ci) above, a further report be presented to Cabinet as early as practicable in 2023/24 that sets out the outcome from the proposed review of the Members’ ‘portal’ option and recommendations are presented back to a future meeting of Full Council;

 

iii)     subject to ci) and cii) above, Full Council continues to acknowledge that the ongoing risk to the Council, in acting as Data Controller, could potentially be in breach of the Data Protection Act 2018 remains, whilst the auto-forwarding of Councillor emails practice continues; and

 

iv)     whilst the work in ci) and cii) is ongoing, all Members elected in May 2023 are advised of this and the Council’s Information Governance requirements through their induction programme.”

 

A copy of the published reference report (and its appendices) from the Resources and Services Overview & Scrutiny Committee to the Cabinet meeting held on 17 February 2023, were attached as appendices to the reference report from Cabinet (A.4).

 

It was moved by Councillor Stock OBE that –

 

(a)    although it is recognised that the provision of mobile phones would provide a practical solution to enable Members to access their Tendring email accounts, Officers be requested to also explore the alternative option of a Members’ ‘portal’ before a final decision can be considered;

 

(b)    subject to (a) above, a further report be presented to Cabinet as early as practicable in 2023/24 that sets out the outcome from the proposed review of the Members’ ‘portal’ option and that Cabinet’s recommendations arising therefrom are submitted to a future meeting of Full Council;

 

(c)    subject to (a) and (b) above, Full Council continues to acknowledge the ongoing risk to the Council that, in acting as Data Controller, it could potentially be in breach of the Data Protection Act 2018 and that risk will remain whilst the auto-forwarding of Councillors’ emails practice continues; and

 

(d)    whilst the above work in (a) and (b) is ongoing, all Members elected in May 2023 be advised of this and of the Council’s Information Governance requirements through their Members’ induction programme.

 

Councillor Clifton moved and Councillor Allenseconded that Councillor Stock’s motion be amended to read as follows:-

 

“That Council having considered the outcome of the enquiry into cyber security undertaken through the Resources and Services Overview and Scrutiny Committee determines to adopt the following as recommended by the Resources and Services Overview and Scrutiny Committee –

 

a)     it is recognised that the provision of mobile phones would provide a practical solution to enable Members to access their TDC email accounts and that under the newly elected Council from May 2023, the practice of auto-forwarding of TDC Member Emails to non TDC accounts be ceased and that:

 

i)       subject to the associated funding of £8,000 being identified, a standard council-managed Smartphone in addition to a council-managed laptop be provided to those Members that want one to access emails and to be contactable when mobile;

ii)      should it not prove possible to fund the Smartphone costs centrally, then each Member requesting a standard council-managed mobile Smartphone be asked to fund the costs from their allowances (circa two hundred pounds per annum);

 

b)     subject to a), Full Council continues to acknowledge the ongoing risk to the Council that, in acting as Data Controller, it could potentially be in breach of the Data Protection Act 2018 and that risk will remain whilst the auto-forwarding of Councillors’ emails practice continues.”

Councillors Coley, Knowles, Amos, Placey, M E Stephenson, Scott and Stock OBE all addressed the Council during the debate on Councillor Clifton’s amendment.

 

Councillor Stock OBE concurred with Councillor Clifton’s amendment and agreed to incorporate it within the original motion pursuant to the provisions of Council Procedure Rule 16.6 (Alteration of Motion).

 

Councillor Stock’s motion, as now amended, on being put to the vote was declared CARRIED.