Agenda item

To enable the Cabinet to consider the recommendations submitted to it by the Resources and Services Overview & Scrutiny Committee following the scrutiny of the Council’s cyber security by the Task and Finish Working Group on Cyber Security.

Decision:

RESOLVED that –

a) the Resources and Services Overview and Scrutiny Committee be thanked for the work they have undertaken and specifically the Members who participated in the associated task and finish group, chaired by Councillor Clifton;

b) the Committee’s recommendations a) to g) are agreed and Officers be requested to undertake the associated activities as soon as practicable in 2023/24 in consultation with the Portfolio Holder for Corporate Finance and Governance;

c) in respect of the Committee’s recommendations h) to i), it is recommended to Full Council that:

i) although it is recognised that the provision of mobile phones would provide a practical solution to enable Members to access their Tendring email accounts, Officers be requested to also explore the alternative option of a Members ‘portal’ before a final decision can be considered;

ii) subject to ci) above, a further report be presented to Cabinet as early as practicable in 2023/24 that sets out the outcome from the proposed review of the Members’ ‘portal’ option and recommendations are presented back to a future meeting of Full Council;

iii) subject to ci) and cii) above, Full Council continues to acknowledge that the ongoing risk to the Council, in acting as Data Controller, could potentially be in breach of the Data Protection Act 2018 remains, whilst the auto-forwarding of Councillor emails practice continues; and

iv) whilst the work in ci) and cii) is ongoing, all Members elected in May 2023 are advised of this and the Council’s Information Governance requirements through their induction programme.

Minutes:

Cabinet considered the recommendations submitted to it by the Resources and Services Overview & Scrutiny Committee following that Committee’s scrutiny of the Cyber Security Task and Finish Working Group’s report on its review of the cyber security risks, defences and mitigations the Council had in place, at its meeting held on 1 February 2023.

That Committee had recommended –

“That Cabinet –

a) requests, that as soon as is possible, the Human Resources and Council Tax Committee with appropriate officers looks at the salaries being offered for the advertised and unfilled senior IT posts, including cyber security senior technical positions;

b) endorses that by 31 March 2023 a Portfolio Holder Cyber Security Working Group be established to periodically review the Council’s cyber security performance against the Cyber Assessment Framework (CAF) and/or emerging mandatory security improvements and requirements;

c) requests that by 31 July 2023 the Council’s Information Retention Policy be reviewed/revised with due regard to UK Data Protection Act 2018 data ‘minimisation’, ‘accuracy’ and ‘storage limitation’ and applied throughout the organisation;

d) requests that by 31 May 2023 individual (non-generic) account access technologies be costed for accessing TDC terminals in locations such as leisure centres where numerous users share a terminal due to a retail environment operational need;

e) requests that, commencing no later than May 2023 following the election of the new Council, Cyber Security and Information Governance training for all Members after every election and for staff in their inductions be introduced with periodic refresher training for both which will be made mandatory;

f) requests the Council’s Monitoring Officer to review existing Member guidance and explore Member training opportunities as to what constitutes party political activities in the context of using a TDC email account;

g) endorses that as soon as possible the new Cyber Incident Response Plan (CIRP) be adopted.

That Cabinet recommends to Full Council that –

h) post-May 2023 local elections under the newly elected Council that Members’ practice of auto-forwarding of emails be ceased;

i) subject to the associated funding of £8,000 being identified, that the preferred Option 2 i.e. the provision of a standard council-managed mobile Smartphone in addition to a council-managed laptop be provided to those Members that want one to access emails and to be contactable when mobile; or

j) as an alternative to i above, that should it not prove possible to fund the Smartphone costs centrally, then each Member requesting a standard council-managed mobile Smartphone be asked to fund the cost from their Allowances (circa two hundred pounds per annum).”

Cabinet had before it the following comments submitted by the Portfolio Holder for Corporate Finance & Governance:-

“I would like to thank the Committee for the work it has undertaken in setting up the task and finish group chaired by Councillor Clifton, who looked at the various aspects and complexities of cyber security in a relatively short period of time.

In respect of the recommendations a) to g), they reflect a pragmatic and reasonable approach to supporting the Council’s cyber security arrangements, so I am therefore supportive of taking the various activities forward in 2023/24.

Recommendations h) to j) of the Resources and Services Overview and Scrutiny Committee will be presented for consideration at Full Council on 2 March 2023.

In respect of recommendation h), this reflects the position I have mentioned on a number of occasions over recent months. I appreciate the frustration that many Members have previously expressed, but I believe that the risk of continuing with the forwarding of emails to personal email accounts is too great for various reasons, not least because of UK Data Protection legislation compliance, but also recognising freedom of information issues that have been highlighted by the ICO. Not only that, but the world of cyber security will keep evolving and there will be adverse consequences if we continued with current practices. We therefore need to remain alert to both current and future risks.

Furthermore, if a breach was to take place the Council would be potentially liable to hefty fines by the ICO.

I note the following 4 options relating to how Members can access their Tendring District Council emails that were considered by the task and finish group:

1. Use of council managed laptops only
2. All members be provided with a Council managed smart phone
3. Introduce a ‘Bring Your Own Device’ Service Framework
4. A Member web ‘portal’ app

Whilst acknowledging the Committee’s practical recommendation of the provision of Council managed smartphones, in striking a pragmatic balance along with recognising how Members are increasingly reliant upon flexible access to their emails to effectively undertake their role as a Councillor, I would be supportive of exploring Option 4 above in more detail as a possible alternative. Although the provision of a mobile phone would provide a practical solution, I understand the frustration of some members where they are juggling more than one email account to reflect their ‘political’ roles with that of being a ward Councillor along with trying to undertake that role efficiently. The responsibilities of Portfolio Holders giving direction and making decisions within their individual areas has also been taken into account.

In recognition of the above, I am therefore proposing that Officers also explore in more detail the option of a Members’ ‘portal’ as a flexible way for Members to continue to use their own devices to access their Tendring District email account.

Following the Council’s consideration of the associated report at their meeting on 22 November 2022, the following resolution was agreed:

‘the implementation of any and all changes required be planned for no later than 1st April 2023 in readiness for the commencement of the new Council, following the elections in 2023 and that the new Councillors be given the training’.

My proposed approach will have an impact on the above, which is addressed in my recommendations.”

Having duly considered the recommendations submitted to Cabinet by the Resources & Services Overview and Scrutiny Committee, together with the response of the Portfolio Holder thereto:-

It was moved by Councillor G V Guglielmi, seconded by Councillor Stock OBE and:-

RESOLVED that –

a) the Resources and Services Overview and Scrutiny Committee be thanked for the work they have undertaken and specifically the Members who participated in the associated task and finish group, chaired by Councillor Clifton;

b) the Committee’s recommendations a) to g) are agreed and Officers be requested to undertake the associated activities as soon as practicable in 2023/24 in consultation with the Portfolio Holder for Corporate Finance and Governance;

c) in respect of the Committee’s recommendations h) to i), it is recommended to Full Council that:

i) although it is recognised that the provision of mobile phones would provide a practical solution to enable Members to access their Tendring email accounts, Officers be requested to also explore the alternative option of a Members ‘portal’ before a final decision can be considered;

ii) subject to ci) above, a further report be presented to Cabinet as early as practicable in 2023/24 that sets out the outcome from the proposed review of the Members’ ‘portal’ option and recommendations are presented back to a future meeting of Full Council;

iii) subject to ci) and cii) above, Full Council continues to acknowledge that the ongoing risk to the Council, in acting as Data Controller, could potentially be in breach of the Data Protection Act 2018 remains, whilst the auto-forwarding of Councillor emails practice continues; and

iv) whilst the work in ci) and cii) is ongoing, all Members elected in May 2023 are advised of this and the Council’s Information Governance requirements through their induction programme.
