South Ribble Council data protection problems revealed in damning audit report

Blunders highlighted by the council’s own internal audit team include documentation being left in unsecured communal areas or on display on unattended desks.

The findings were presented to a meeting of the authority’s governance committee, which also heard concerns over how the council measures its performance.

Separately, members were told that South Ribble’s external audit for 2018/19 has not yet been completed because of “key value for money and governance issues”.

In response to the reports, council leader Paul Foster - whose Labour group took control of the authority last May - and interim chief executive Gary Hall both committed to rectifying the problems.

Mr. Hall raised concerns about the council’s data protection standards shortly after being drafted in from neighbouring Chorley Council last summer.

“Senior leaders within the organisation need to recognise the importance of proper data management...but it's not seen as a priority. If that had been in place, some of these things wouldn’t have happened,” Mr. Hall said.

“You can see [the problem] - you just have to walk around the office and it’s obvious.”

Internal auditors carried out data protection checks at the council’s headquarters at the Civic Centre in Leyland, both during the working day and after staff had gone home.

“We identified boxes [containing] personal data stored in open areas like the photocopying room - and applications for food licences and apprenticeships left on desks,” explained the authority’s interim head of audit Janice Bamber.

“The clear desk policy was not imposed, so people were leaving stuff [out] when they went home.

“Confidential waste was put in sacks, but then left and not sent for shredding. When we clear areas out, we are not then getting a shredder in straight away,” said Ms. Bamber, who added that only staff to whom someone’s personal data is relevant to their job should be privy to it.

The internal audit report concluded that the issues meant only “limited assurance” could be offered as to whether the authority was complying with the General Data Protection Regulations (GDPR), which came into force in May 2018 and state that an organisation must have a “lawful basis” for processing data.

It described “significant weaknesses” in implementing the full suite of GDPR rules and said that the process was still incomplete 20 months after it should have been - although record management policies have now been strengthened.

The meeting heard that locked cupboards are available to store private material - but Ms. Bamber revealed that even her sensitive job role did not give her automatic access to one when she started work at the authority in 2018.

Ten data breaches were found to have occurred since the regulations were introduced - but none were deemed serious enough to be referred to the independent regulator, the Information Commissioner’s Office (ICO). However, the publicity surrounding the council’s previously lax data protection controls could yet prompt an ICO audit.

The committee heard that staff were more security conscious about information stored digitally - with most found to be locking their computers when they leave their desks.

But Conservative former cabinet member Colin Clark said that the authority had been “very slow off the mark” in getting to grips with what the legislation required.

“I work voluntarily for another organisation and we had training on this well over a year ago before it actually came in,” he noted.

Committee chair Ian Watkinson said “serious issues” had been raised, but that members could be reassured that “a lot is being done to put them right”.

A 19-point action data protection action plan is poised to be agreed - but Mr. Hall warned that it would be a “work-in-progress” to change “the culture” at the council when it comes to data protection.

WHAT IS GDPR?

The General Data Protection Regulations are EU rules that were incorporated into the UK's existing data protection regime in May 2018 - and will continue to apply after Brexit.

They are designed to protect the personal data of living individuals and place duties on "data controllers" - those organisations that collect and use personal information.

Data protected by the regulations does not have to be private. The information could be public knowledge or refer to a person’s professional life - and yet might still be personal data.

The "processing" of data includes collecting, storing, using, analysing, disclosing or deleting it - and is covered by the regulations.

The Information Commissioner's Office (ICO) enforces data protection laws and can impose fines if they are breached. The ICO drew up a 12-point plan advising organisations how to prepare for GDPR, but South Ribble Borough Council found that it had not been complying with it in full. .

QUESTION MARK OVER QUALITY

A separate internal audit focused on the quality of information used by South Ribble Borough Council to assess its own performance as a local authority.

A second “limited assurance” rating was handed out after issues were identified with the verification of the data on which the judgements are based.

Out of a sample of 21 performance indicators, 10 were found to have been inaccurately reported because of deficiencies with data collection, while the soundness of a further five could not be confirmed after the source data was not retained.

Interim chief executive Gary Hall told the governance committee: “You can put a system in place, but you’re then reliant on those within the system to act appropriately.

“In this instance, some senior leaders within the organisation haven’t taken responsibility for the data quality policy and ensuring checks and balances were in place.”

A nine-point action plan has been devised to prevent a repeat of the issues identified.

AUDIT STILL UNFINISHED

External auditors have still not signed off their assessment of South Ribble Borough Council for 2018/19 - while they await the outcome of an investigation by the authority’s own internal audit team.

Simon Hardman, engagement manager for accountancy firm Grant Thornton, said his staff had finished much of their work - but would be unable to finalise it until completion of a council report into “key areas around value for money and governance”.

South Ribble’s interim monitoring officer Dave Whelan said the internal audit process had recently concluded, but that he couldn’t “be too specific about it” at this stage.

“In light of that work, we’re going to have to revisit the annual governance statement [produced by the council] - and the first phase of that will start imminently.

“A refreshed statement will need to be agreed by the committee and then signed off by the chief executive and leader - and it’s only at that stage when external audit can complete their work,” Mr. Whelan said.

WHAT THE LEADER SAYS

In a statement, South Ribble Borough Council leader Paul Foster said a governance review had been “high on the agenda” of the Labour group since it secured control of the authority at last May’s elections.

“Following our extensive review, it is clear there are a number of legacy issues being brought forward to the governance committee - and this is just the start.

“We welcome the audits and we recognise and accept there have been failings. We are now dedicated to rectifying problems and making sure we deliver the first-class service our residents should expect.

“I’m confident officers will now work with the management plans to improve our processes going forward.”

‘NO EXCUSES - WE’LL PUT IT RIGHT’

Gary Hall - South Ribble Borough Council’s interim chief executive since the permanent post-holder, Heather McManus, went on what was described by the authority as “special leave” last May - said residents deserved transparency over the shortcomings identified in the internal audits.

“There have been notable failings in our management of GDPR and our performance management processes and for this we apologise.

“We make no excuses about this; we simply promise to put it right - and this process starts right now.”

“In respect of GDPR, we will take the findings of the report on board and will implement the actions in the associated management report immediately.

“Our focus now is on the 19 proposed actions from the report and making sure we implement them as thoroughly and as diligently as possible. We are determined for this to change; and to change very quickly.

“The findings of an internal audit report showed that the performance measures we currently work towards are not fit for purpose.

“The performance of the council is something we ought to be able to track and monitor regularly and easily. This allows us to tell how well - or how poorly - we are performing so we can do something about it.

“We rely on high quality performance monitoring to identify areas where improvement is needed, but we are failing to paint a full enough picture of the council’s achievements and shortcomings to adequately report back to the council’s senior management and agree on next steps.

“This is something we are absolutely determined to put right [and are] completely dedicated to seeing drastic improvements as soon as possible,” Mr. Hall said.