GDPR & ISO27001 Update

Meeting: 10/05/2018 - Corporate Governance Group (Item 42)

42 GDPR & ISO27001 Update (PDF, 187 KB)

The Report of the Chief Information Officer

Minutes:

The Interim Chief Information Officer provided a report and presentation to provide an update on the implementation of the General Data Protection Regulation (GDPR) and the progress being made towards ISO27001.

It was noted that with regard to the implementation of actions and changes in readiness for the General Data Protection Regulation (GDPR) on the 25 May 2018, the Council had made good progress in identifying, assessing and implementing the changes required to meet its obligations associated with the new data protection legislation.

The Interim Chief Information Officer noted that in November 2017 a formal GDPR Project Board had been established and that an action plan had been implemented based on the twelve work streams recommended by the Information Commissioner's Office regarding the implementation of GDPR. The Interim Chief Information Officer advised that the Project Board had met regularly to assess progress and to review and update the GDPR action plan. To date it was reported that significant progress had been achieved and the action plan was providing an effective framework for delivering and embedding further improvements relating to information management and data protection.

The Interim Chief Information Officer advised that the Council had been tracking its information management arrangements and compliance against the Information Security Management Standard ISO27001:2013 (Standard). The ISO27001:2013 standard was a more comprehensive set of controls covering not just technical controls but addressing areas related to GDPR such as physical security, human resources, training, information classification, supplier management and compliance with legal and contractual requirements. The Interim Chief Information Officer advised that the progress the Council had made in relation to management and due diligence around its IT systems and supplier contracts had had a positive impact on some control areas within the standard.

The Interim Chief Information Officer noted that consideration was being given in regard to applying for external assessment against the ISO27001 standard and added that achieving certification would demonstrate the Council’s professional approach to ICT management which would be a positive achievement as the Council sought further commercialisation opportunities in the future.

Members of the Group supported the ambition of the Council for applying for the ISO27001 accreditation and the Chairman noted that this was an internationally recognised assessment and suggested that the Council should consider applying for a UKAS accreditation.

It was RESOLVED that the report be noted.