Agenda item

Report of the Executive Director of Resources

The Committee considered a report of the Executive Director of Resources, which set out the findings of the audit and maturity assessment, the actions identified and progress against the actions in respect of the Information Management Strategy.

The Committee noted that the report was also to be considered by the Cabinet Member for Policy and Leadership at his meeting scheduled for 28^th July 2016.

The report indicated that the Council’s Information Management Strategy was approved by the Cabinet in March 2016.  Information Management was becoming increasingly critical to the way the public sector did business as services became integrated and sought to gain better outcomes with fewer resources and digitalised the way services were delivered.  It was acknowledged that information was one of the authority’s greatest assets and its usage was a major responsibility.  There was an expectation by the citizens of Coventry and the Council’s customers that the authority could be trusted to manage and protect information provided.  The Information Management Strategy would ensure that the Council exploited information as a strategic asset, used recognised best practice, legislation and technology to minimise requests for information and to maximise the opportunities of information intelligence to share future services and evaluate the effectiveness of existing ones.

To assist with the development and delivery of the Strategy, it was felt helpful to understand the state of information governance across the Council so that improvement actions could be identified.  In October 2015, the Information Commissioner (ICO) conducted a data protection audit of Children’s Social Care and Revenues and Benefits.  The audit considered governance arrangements, training and awareness of data sharing arrangements.  The ICO met with the Senior Information Risk Owner, Acting Monitoring Officer, Caldicott Guardian, Assistant Director for ICT, Transformation and Customer Service, as well as managers and officers within the two service areas. 

The Audit concluded that the Council had “very limited assurance that processes and procedures are in place and deliver data protection compliance”.  It was important to note that the audit provided only a snap shot of assurance levels at the time of the audit.  It took limited account of the Council’s strategic aims and direction of travel, which were in place and in the process of being implemented.  The audit did identify the key policies in place, the development of a toolkit / handbook for employees and the communications campaign as areas of good practice.  A copy of the ICO Audit’s executive summary was appended to the report.

The Council considered the ICO’s recommendations and included these within the action plan, which was also appended to the report submitted. Out of 77 actions, 8 had been completed, 50 were in progress and 19 were still to be commenced. The majority of these were dependent on the completion of other actions.

The Committee noted that the ICO will conduct a follow up audit towards the end of 2016/early 2017 to assess progress against the recommendations. The Council was well on track to have implemented the majority if not all of the actions in advance of this audit.  By implementing these actions, the Council would significantly increase its assurance rating.

Since the scope of the ICO Audit was relatively limited and in order to refine the entire approach to how the Council managed and used information effectively, the Council proactively engaged Information Management Specialists, In-Form Consult (IFC) to conduct a maturity assessment of information management arrangements across the Council.

IFC assessed the Council’s maturity level as low-medium. Across the areas considered, maturity was either at a formative (level 2) or developing stage (level 3) with level 1 being the lowest and 5 being the highest.  IFC considered the maturity assessment to be a cause for optimism and not unlike similar local government organisations and no area scored a lowest level of 1.  This demonstrated that the Council already had a good basis to work from and gave confidence it would be able to progress quickly in transformation of its approach to information.

IFC used the maturity assessment to create a roadmap/action plan identifying key work streams and activities required to implement the Council’s vision for information management. There was some overlap between the activities’ identified by IFC and the ICO audit.  A copy of the road map was attached at Appendix 3 to the report.

The Members discussed the concerns that had been raised by ICO audit and the IFC assessment and requested that a further report on progress with the actions be submitted to their next meeting.

RESOLVED that the Audit and Procurement Committee:-

1.  Note the outcome of the ICO Audit and In-form Consult Maturity Assessment.

2.  Note the progress to date on the ICO Audit and Maturity Assessment Action Plans.

3.  Request that Officers bring a further report to the Committee on the outcome of the follow up audit by the Information Commissioner.

4.  Decided not to make any other recommendations to the Cabinet Member.

5.  Request a further report on progress with the two action plans arising from the Information Commissioner audit and the In-Form Consult assessment, to be submitted to the next meeting on 26th September, 2016.