Agenda item

Senior Information Risk Owner (SIRO) and Information Governance Annual Report

To consider a report from the Assistant Director – Organisational Change (copy enclosed)



Members considered a report from the Assistant Director – Organisational Change which provided them with an update relating to the responsibilities of the Cumbria County Council Senior Information Risk Owner (SIRO) and outlined activity and performance related to information governance for the period 1 April 2022 to 31 December 2022.


The report provided assurance that information risks had been effectively managed and set out where improvements had been implemented.


The County Council continued to be committed to effective information governance, with robust arrangements in place to ensure the council complied with legislation and adopted best practice. Governance arrangements were closely monitored to ensure systems, policies and procedures were fit for purpose, accommodated new working procedures and that all staff and elected members understood the importance of information governance and security so that good practice was everyone’s business and embedded as part of the Council’s culture.


The Assistant Director informed members that ICT security and cyber risks continued to present an increasing global, national and local challenge to all organisations and the Council was no different.  Arrangements to manage these risks were outlined in this report.


Throughout the year, data protection and information governance had remained high profile with the SIRO Group meeting weekly to manage risks and drive performance improvements wherever possible.


The SIRO Annual Report outlined these areas of performance in detail, showed trends against previous years and provided assurance of the arrangements in place for the transfer of County Council information assets to the two new Unitary Councils on vesting day, 1 April 2023.


The Assistant Director drew members’ attention to the data breach management and reporting and gave assurance that all concerns relating to potential data breaches were promptly investigated.  During the period 1 April 2022 to 31 December 2022 there were 164 potential data breaches recorded and investigated. Members noted that the number of breaches had been reduced since the previous year.


One of the members referred to the loss of corporate memory and how the County Council would deal with this given that the Council would be disaggregating on 1 April.


The Assistant Director informed members there were 3 elements to corporate memory: hard records, electronic records and human knowledge. He was leading the ICT workstream for LGR and this had been considered by colleagues. All files and records would still exist for both organisations as part of the Day 1 readiness, with full migration taking place at a later date. The greatest risk to the corporate memory was officer memory and the best way to ensure this was passed on was via a thorough handover between staff. It was difficult to capture this type of corporate memory but staff were working hard to try to minimise the gaps.


Members then asked questions about Freedom of Information requests and subject access data, and the Assistant Director assured members this would still be available post vesting day.


Members asked about the risk of cyber attacks both for the County Council and for the two new unitary councils going forward.  The Assistant Director said the risk of a cyber attack was very real, but he reassured members that the County Council now had a dedicated team in place that constantly monitored this. 


The Assistant Director took the opportunity to say a sincere thank you and express his appreciation for all the work, commitment and council wide cultural improvements the County Council had made as a result of elected members, officers and partners working together to protect data, information and ICT security and strive for best practice for the benefit and protection of the community.


The Chair took the opportunity to formally acknowledge the investment made by the Council in information risk and governance and was delighted to note that the number of data breaches had been reduced, especially given the pressure all staff had been under during the past 18 months, whilst dealing with local government reorganisation.


RESOLVED, that members


(1)      note the content of the 2022 SIRO Annual Report attached as Appendix 1 of the report;

(2)      acknowledge as part of the County Council SIRO responsibilities, the SIRO, Deputy SIRO Officers, Data Protection Officer and wider ICT and Information Security professionals have invested significant time to ensure the County Council systems, processes and governance arrangements are in place to transition the data and information assets that are required for the business operations of Cumberland and Westmorland & Furness Unitary Councils securely and safely from the County Council and place on record their thanks.

