Audit report raises concerns about York Council data security

A report due to be considered by a Council committee next week reveals continuing concerns about the security of personal data held by the Council.

The auditor says,

Whilst good progress continues to be made (on Information Security & GDPR) , further improvements are required to ensure compliance with the council’s policies for handling and storing personal and confidential information. There are also a number of issues still outstanding, relating to actions agreed in July 2019, following a GDPR readiness audit. These actions relate to policies, guidance, contract clauses; the information asset register; privacy notices; mandatory data protection training; management information on data security incidents”.

No further details are provided and the level of vulnerability of Council customers to data breaches is not explored.

On the impact of Coronavirus on the Councils activities the auditor is similarly vague. He says,

This opinion is however qualified, in light of the current coronavirus pandemic and the impact of this on the council. The opinion is based on internal audit work undertaken, and substantially completed, prior to emergency measures being implemented as a result of the pandemic.

These measures have resulted in a significant level of strain being placed on normal procedures and control arrangements. The level of impact is also changing as the situation develops.

 It is therefore not possible to quantify the additional risk arising from the current short term measures or the overall impact on the framework of governance, risk management and control”.

NB. Another report, to the same meeting, claims to address the impact of the health crisis on the Councils activities. Unfortunately, it adds little to what has already been published and singularly fails to quantify the exposure that the Councils projects and revenue finance actually face.