Agenda item

Decision of the Office of the Information Commissioner

To receive an update following the recent decision of the Information Commissioner’s Office to issue the City Council with a Monetary Penalty Notice.

Minutes:

The Chair expressed concern that the Committee was first informed of the issue via the media rather than by officers. 

 

The Managing Director stated that Members were informed together as soon as was possible.  He explained that the Office of the Information Commissioner (ICO) had issued a notice of intent just before the Bank Holiday Weekend (29th May) and had allowed 48 hours for a response. He advised that the Council had made representations to the ICO appealing the penalty on the basis that the Council had taken appropriate action when it had become aware of the system failure. He further explained that the fact of the penalty having been applied was only discovered when the press release had been issued by the ICO.  He commented that there had been no advance notice other than the aforementioned notice of intent, and that a conversation with the Local Government Association concerning this conduct of the ICO was currently being held.

The Managing Director clarified the steps taken by the City Council after the incident in 2014.  He confirmed that the Council believed that it had taken timely and robust action to remedy the vulnerability within the IT system and disputed the ICO’s finding that the Council had not taken reasonable steps.  He explained that the request to apply the necessary software to remedy the vulnerability had been lodged on the 10th April 2014, via the IT help desk, the day it became available, and that the contractor had confirmed that it had been applied.  He noted that it was not until July 2014 that the Council became aware that the software had not in fact been patched.  He further noted that when the incident was reported the police began an investigation, a news blackout had been requested, and that as far as the Council was aware a criminal investigation was still on-going.  He further explained that communication started with the ICO in December 2016 when a draft notice of intent to fine £175,000 was issued, which was contested.  He noted that the May notice of intent had reduced the fine by £75,000 but that the evidence submitted by the Council appeared to have been disregarded without explanation.  He informed the Committee that legal advice on the possibility of an appeal was being considered, acknowledging that the Council would forfeit the option of a further reduced fine if it proceeded with the appeal. 

 

The Chair expressed disappointment that Members were not kept informed of developments during this period and noted that the Committee undertook its responsibility seriously.

 

Councillor Stephens, noting that Councillor Pullen had been approached by the media on this issue, commented that there was a discrepancy in the dates for the supposed application of the patch software between the Council’s response and the ICO’s findings. He further questioned why a process was not in place to monitor the contractor’s actions.  He stated that as the contractor was at fault it should be made liable for the cost, noting that legal action could incur additional costs.  He suggested that an independent review of the Council’s patch application checking procedures be looked into by the Council’s external auditors to ensure that it was sufficiently robust, and that they report back to Members.

 

The Managing Director responded that the ICO statement was factually incorrect as far as the contravention was concerned, as the Council believed it had taken the required action on 10th April 2014.  He explained that it would not be reasonable to check the work of IT professionals without specialist expertise.  He reassured Members that a checking procedure with the current contractors was now in place.

 

Councillor Stephens commented that the patch not having been applied, no check having been made, and the time gap before final resolution would make it difficult to successfully challenge the ICO in court, and that early payment of the penalty may save the Council money.

 

In response to a query from Councillor Wilson as to whether there was a record of the request to the IT Service Desk, the Managing Director confirmed that the Council had a record of having requested the patch and this had been supplied to the ICO.

 

The Chair commented that some of the Committee were present at the time of the incident and recalled the atmosphere of confusion as the police investigation continued.  In response to his query regarding the implications of the police investigations, the Managing Director responded that he was unsure if Gloucestershire Police were actively pursuing the investigation and resolved to make representations to them to ascertain the current status on the enquiry.

 

Councillor Morgan commented that if the contractor responsible was well-respected in the sector it would not want to risk reputational damage to its business if its failures were advertised.  He questioned whether application of software patches was a common or exceptional occurrence.  The Managing Director stated that software patch applications were a common occurrence, and that looking into the contractor’s actions was under consideration. He commented that the dispute with the ICO concerned a difference of opinion as to what constituted ‘reasonable steps’.  Councillor Stephens reiterated that the Council did not have a procedure to check the actions of the contractor and that an external auditor would advise on whether the Council’s processes were reasonable.

 

The Chair thanked the Managing Director.

 

RESOLVED that:

 

  1. External auditors be asked to review the Council’s patch application checking processes at the time of the incident and the discrepancies between the Council’s and the ICO’s statements.
  2. Representations be made to the police to determine the status of the police investigation into the incident.