One of the organisation's core purposes is to deliver public services that meet the needs of our communities – now and in the future. In order to make sure that we are actually meeting the needs of our customers with services they value and at a cost we can afford we need to embrace change and transformation. This transformation is at the heart of this digital strategy. As such this digital strategy is essentially a customer strategy, enabled by technology and supported by a range of complementary skills, including IT, business analysis, data analytics, marketing and digital communications.

This purpose and challenge needs to be at the heart of our organisation as it goes forward. Digital is a critical enabler for any transformation agenda and the benefits to our customers and the Council itself are significant. Our customers are clear that they want increased options to transact online. As far back as the 2010 there were clear messages from the public about making savings by services being delivered online with a reduction in the number of buildings people have to visit. This has the potential to reduce property overheads but also has the advantage of moving to more colocation of complementary services.

The Council’s approach to reform and transformation is set out in our Corporate Plan. This digital strategy sets out in more detail the approach we will take to delivering on those commitments. In particular, it articulates our commitment to delivering services that our customers value and that are efficient and effective. To achieve this, we will commit to transformation that focuses on customers´ needs, expectations and experiences through the consistent application of a design process and framework.

The digital strategy we are pursuing has three key elements:

  • Leadership
  • Services redesigned to maximise use of digital, improve customer services and reduce costs
  • Rock solid technology

These three elements mirror the digital strategy for local government published last year by the Local Government Digital Office. All Council services need to focus on how they can use technology at all levels to improve services, communicate, engage with citizens more effectively and reduce costs. To achieve this, leadership from senior officers and elected members is required, alongside solid technology platforms that our citizens and our employees will trust and use.

By delivering on digital the following outcomes will be achieved:

  • Citizens will choose to use digital to find information, engage with the Council, access services and self-serve – and they will trust it
  • Services will be transformed to include digital delivery based on data analytics and new services will be digital first and by design
  • Savings will be realised through more efficient processes, channel shift and a reduction in legacy systems
  • Increasingly, internal transactions will become digital

The key benefits to the Council and our communities are:

  • Services will be more efficient, responsive and standardised
  • Overly bureaucratic processes that underpin services will be reviewed and streamlined
  • Decisions on service delivery will be based on sound evidence from our customers
  • There will be more flexibility to customers and communities in the way they engage with the Council
  • Our workforce will be more mobile, flexible and able to serve our customers timeously in their communities and therefore less reliant on physical buildings
  • Improving access to our data about our services will empower our communities.

Our strategy will reflect the national strategy in that it is agile, flexible and able to respond quickly to changing circumstances and needs. We therefore will not be preparing a normal paper-based action plan but will, through the delivery of projects that underpin each of the three priorities, look to support the Council in achieving the transformation and efficiencies it requires.

Our approach will be supported by and informed by our work with the Local Government Digital Office. The LGDO supports local government in its digital transformation journey – working with 31 Councils to support them to deliver better services in the best way possible by sharing resources and skills.

To date, work on digital service delivery within the Council has been taken forward using existing resources supported by training, upskilling or employing temporary staff, however we know the Council’s continued move to digital service delivery, covering online transactional services, communication, engagement, etc. will become the new norm. We need to determine the resources and the skills that are required to support this fundamental transformation. Elected members and Services have become more engaged in current activity and energised about potential future developments. In additional, digital has emerged as a strong theme in the Council of the Future engagement sessions, to the extent that it is identified as one of four key priorities. This is to be welcomed; however this needs to be tempered by recognition that the resources to deliver on expectations are limited and what can be achieved will be directly related to available resources.

It must be stressed that our move towards a digital council is not just about service delivery but about how we engage with all our communities. As we reduce our physical presence in communities, we need to find different ways to engage with citizens not only to deliver services to them but also to address issues that are important to them and their communities. Our move to a Digital Council must recognise this change in engagement and communications. This is supported by the introduction of the Advice hubs and outreach service that provides targeted face to face support for who need our help most whilst promoting self service to those who have the means and ability to self serve.

Leadership

In terms of digital leadership, this means having clarity about the services we provide and how they will be delivered in the future to meet the needs of our customers and making sure transformational projects are being put in place to deliver that change. It means ensuring that employees are digitally skilled to use appropriate technology to deliver services in response to customer need, but also to take advantage of the opportunities technology gives us to understand what those needs are through data analysis, behaviour tracking and digital engagement.

Digital leadership means

  • The Council will embrace the digital strategy and realise its benefits
  • Our people i.e. citizens, employees and leaders will have the skills and culture to embrace digital
  • Our Council will have the capacity and capacity to deliver digital transformation
  • Our Council will have capacity for research and development

Leaders within the organisation must understand the new norm and make sure they have the vision to transform their services. Leaders must understand that digital is not about moving existing services online but a total redesign of services based on the needs of citizens and supported by digital capabilities.

The Council participated in an independent digital maturity self assessment last year. This was facilitated by the Local Government Digital Office and involved all Directors, Heads of Service and Managers within the Council. This highlighted a number of issues that need to be addressed including:

  • Lack of knowledge and the art of the possible
  • Assumption that digital is solely an issue for ICT
  • Acknowledgement of the potential to use technology to deliver better services
  • No clarity about who is responsible for digital transformation
  • Need for reverse mentoring – senior managers not comfortable with technology or its potential
  • Our customers are using technology to gather information and transact online – we are a step behind where our customers need and expect us to be
  • Lack of resources to deliver on our ambitions
  • Lack of skills and investment; and
  • Critically, the lack of coherent and challenging governance

A summary of the outputs of the digital maturity self assessment are attached at Appendix 1. The summary findings are being used in two ways

  • To inform the contents of this strategy
  • To provide a benchmark by which to measure progress over the time of this strategy

The assessment carried out by the LGDO showed that digital transformation is not uniformly understood across the Council. Work needs to be done to articulate this vision and ensure a clear understanding of digital principles is full embedded across the organisation, particularly at manager level.

Transforming Services by Design

The services we deliver need to be designed around the citizen - their needs and expectations. To do this we must radically rethink what we deliver and the way we deliver those services. Currently the majority of our services are delivered on a traditional model that is based on face-to-face engagement focussed on buildings. This neither meets the changing demands of many of our citizens, nor is it affordable. Where we do seek to improve what we deliver, we often approach this improvement from the perspective of the organisation, rather than the needs and expectations of the people who want to use our services. In addition, service redesign is not undertaken across the organisation in accordance with a set of consistent principles, leading to a fragmented and confusing experience for our service users.

Our Corporate Plan sets out clearly the expectation that we will change and reform what we deliver to be customer-focussed, efficient and effective. This means looking at services from the perspective of the customer – across organisational boundaries and historical structures – clearly defining what the problems are and simplifying our customer journeys. We want to provide a consistent experience for the customer, whether they are interacting with us online, via the contact centre or in person at one of the Hubs. This means we must challenge existing practices if we are to truly transform our delivery.

We must:

  • Set and define standards of good service design and apply them to a whole service approach i.e. look at services from the customers perspective – not by span of management
  • Help services build a new norm that will make services easier to join up – a new shared digital infrastructure
  • Make sure we develop the people and skills to make this happen

The definition of a service is something people use but do not own. Service design is the act of shaping those services and experiences so that they work for the people that use them. It is about bringing design and disruptive techniques to an organisation to reimagine services from a customer perspective.

This approach to service redesign is critical to digital transformation. We cannot digitally transform services without fundamental redesign. This means thinking differently and delivering differently, an approach which has underpinned our approach to the redesign of advice services, resulting in the Hub model. In this redesign we sought to understand firstly who uses our services, why they used them and then clarified if those people were actually our core customers. This analysis helped us understand that the people using our existing services were not those who needed most support. This understanding led to further engagement with those who potentially needed support but were not accessing it, with a redesign based on their needs. This redesign was developed in parallel with the provision of alternative channels for those who would be displaced in this redesign.

This example demonstrates transformation does not necessarily mean providing services online. It does mean changing services based on customer needs and using technology to support that change.

Taking this into account, our current approach to changing services is not deep enough. Some of our processes are historic, with work-arounds built on top of work-arounds. Redesign needs to start with users, not digitising existing processes that have on the whole been developed to suit the organisation.

Considerable work has already been undertaken as part of the technology strategy to build a foundation that will support digital transformation of services.

A critical part of this was the complete redevelopment of the Council’s website.

The website is the front-end platform for the delivery of online services to our customers and is subject to constant revision and redevelopment to improve the customer journey. This has been recognised by SOCITM which awarded the site the maximum four stars in its 2018 review, one of only five Councils in Scotland and 38 in the UK to achieve this.

In December 2016 we launched My Falkirk. This is our citizens’ account, delivered through the national My Account platform and supported by the Firmstep application. As well as being used directly by citizens themselves, the system is being used by customer services advisors in frontline offices and by the contact centre so is effectively an integrated CRM solution for the Council. Around 40 transactions are now available via My Falkirk and all of these are directly integrated to the back office.

To date nearly 25,000 My Falkirk accounts have been created by customers and over 118,000 online transactions have been carried out via the system. Based on SOCITM’s model transaction costs of £8.62 for face-to-face, £2.83 by phone and 15p for online, the cost of these transactions would have been £1,142,115, £335,986 by phone and reduced to £17,808 online. While this is just an illustration based on generic costs, it clearly demonstrates the benefits to the Council of being able to deliver more fully-integrated services online.

Increasing the number of services offered via My Falkirk is dependent on a number of factors including:

  • The benefits of each project to customers
  • The resources assigned to service design, web enablement and process review tasks; and
  • The resources Services put into user acceptance testing and sign off

Key to the success of My Falkirk is the consistent approach to service design. To date, we have found that many internal processes require thorough review to ensure that the customer journey is as clear and intuitive as possible, informed by customer need and underpinned by agreed principles for service design.

The Director of Design and Service Standards for the UK Government has recently published a template of principles and these are attached at Appendix 2. It is recommended that the Council adopts these principles and uses them consistently to redesign our approach to service delivery.

Dundee City Council is leading on this work strand for the Local Government Digital Office and learning from their approach will inform how we take this forward.

To support this we will look to adopt a clear framework for ensuring our approach to transformation is consistent with these principles and underpinned by robust technology. This will be through the development of the Scottish Government’s Digital First Service Standards. This gives us a core set of questions to assess our approach to technology and indeed use of resources. It allows projects to be assessed against 22 criteria that include issues such as user research, content design, product assessment, technical specification, sustainability security etc. One of product of this digital strategy will be clarity about what the Councils expectations are with regards digital transformation with this framework supporting services in that transition.

Rock Solid Technology

How we deliver our services is changing significantly. To support this underpinning technology must be reframed to be agile, flexible, secure and robust. We will have people accessing services in very different ways and our infrastructure must allow for this change and progression. We used to rely on buildings to deliver services, now we rely on technology. This means investment in infrastructure and support. Our technology must give firm and secure foundations for future service delivery.

Our infrastructure has served us well for years and has undergone significant changes to allow us to move to the next phase of transformation and change. This means moving away from rigid systems and networks to connected, consistent, agile and secure approach. This will also mean using industry and sector norms rather than bespoke solutions, we will also be more proactive in ensuring consistency in delivery and approach across the organisation.

Over the last number of years we have put in place the foundations for change. Some of these significant developments are set out in Appendix 3.

Over the coming years we will have an even greater reliance on technology to support the delivery of services and in some instances to deliver services. This may include:

  • using the internet of things i.e. network of physical devices, vehicles, home appliances and other connected items, to deliver more intelligent solutions and providing data to allow us to monitor more actively services
  • artificial intelligence solutions potentially undertaking some of our repetitive processes
  • delivering education, tele heath and tele care in very different ways
  • supporting a virtual and mobile workforce to connect with citizens, communities and colleagues

We need to also use technology to engage more with our communities not just in service delivery but in understanding the things that matter to them and the decisions that affect their lives. This means being more creative about our use of technology while at the same time making sure our systems and data is secure.

Our use of technology has to be planned. We need to make sure that we are applying a rigorous framework to all our digital projects. To this end we will be looking to develop the Scottish Government’s Digital Service Standards in conjunction with services to ensure we have a robust framework for assessing our changes in our technology environment. These standards will seek to assess projects against criteria such as:

  • Understanding of user needs in line with design principles
  • Simplicity and usability
  • Channel shift – move to on line
  • Consistent user experience – consistency across applications and throughout a transaction – however that transaction takes place
  • Data driven – using evidence from citizens and transactions to drive change and improvement
  • Sustainability and continuously improving
  • Technology appraisal including security, PEN testing etc.
  • Information governance – making sure our systems have robust standards of governance
  • Green ICT – reducing our carbon footprint, reusing technology etc.
  • Data hosting and data centres – minising cost of hosting systems etc while maximising security and resilience
  • Performance management – making sure our systems are producing information that is being used to monitor and review what we are delivering, to whom, at what cost and for what effect
  • Operational acceptance - Are we making sure users are involved in working the system in the way intended.

This assessment framework will be developed over the coming months to ensure that our technology solutions are fit for purpose not just now but in the future.

What Do we need to do to become a Digital Council?

To understand where we are on the journey to delivering digital services, a self assessment was undertaken in partnership with the Local Government Digital Office to asses our digital maturity. This outlined the following challenges for the Council:

  • Understanding what digital is and how we manage change
    • Ensuring our governance arrangements are fit for purpose and deliver on this strategy in a way that drives change
  • How we manage demands on limited resources needs to be strengthened
  • Ensuring a consistent approach to our systems and network if we are to provide joined up service
    • Balancing on-going maintenance and development
    • Articulating the vision through a clear strategy
    • Applying principles of service design consistently, robust and with energy
  • Capacity for digital transformation needs to be increased
    • Our main delivery through our policy, technology and improvement teams needs to be strengthened and made more resilient
    • The capacity of our support to make sure technology is safe, secure and working needs to be increased
    • The skills of our staff need to be developed
    • The skills of our communities to use the technology needs improved
    • Investment in the right technology
  • Need to have capacity for research and innovation
    • Change and forward thinking is critical to ensure we are delivering services in a way our customers expect and need. We therefore need capacity in this key area
    • Our change and transformation needs to start with the citizen. We will therefore support services through the application of service redesign principles to re think what services we deliver and how we deliver them

To address these challenges we need to do things differently and we need to resource change.

Leading a Digital Council

To become a digital council we must have leaders that support digital first and by design. Our leaders, service managers and politicians will:

  • Make sure that digital expertise is central to our decision-making and that all technology decisions are approved by the appropriate person or committee. This will ensure that we are using our collective purchasing power to stimulate a speedy move towards change
  • Have visible, accessible leaders throughout the organisation who support those who champion this strategy to try new things and work in and amongst colleagues
  • Support our workforce to share ideas and engage in communities of practice by providing the space and time for this to happen
  • Try new things, from new digital tools to experiments in collaboration with other organisations
  • Champion the continuous improvement of cyber security practice to support the security, resilience and integrity of our digital services and systems

Delivering a Digital Council

To support the delivery of a digital council our improvement, information, technology and digital teams will make sure that we support the Council and services to:

  • Research how to reuse existing user research, service design, common components, and data and technology standards before starting to design or procure something new. This will be through the application of the Scottish Government’s digital design principles
  • Build capacity in service design, so that each service we transform is quality controlled against our national service standard where appropriate
  • Ensure every new technology solution procured must operate according to the technology code of practice, putting us in control of our service data, using open standards where they exist and contributing to their creation where they don’t
  • Share knowledge about digital projects particularly where there is an opportunity for potential reuse or collaboration with others
  • Work together to establish the trust frameworks we need to safely analyse and share personal data. This will allow us to better serve our shared customers and reduce the need to ask citizens for the same information multiple times
  • Work together to create common solutions that allow us to check people’s eligibility for services in real time with their consent
  • Take inspiration and ideas from a wide range of sources, and participate individually in communities of practice and interest outside the organisation (for example, the Local Government Digital Office, and related networks and events)
  • Make sure we have the right skills to deliver and benefit from digital services – from those that support this ambition to those that use our services

Supporting a Digital Council

To ensure we are supporting our digital ambitions with an appropriate rock solid technology we will:

  • Establish an IT network and security group to ensure we comply required external accreditation and the Scottish Government Public Sector Cyber Resilience plan to keep our people and information safe and secure
  • Seek to provide appropriate training and support to services to increase the pace of delivery of new technology and ensure that staff has the necessary training and support to use the new technology effectively
  • Create drop in points so that technology can be issued or replaced when faulty quickly
  • Expand our customer support so that it is available out with usual office hours and that our support better reflects the needs of a changing mobile and flexible work force
  • Ensure we utilise our technology estate effectively, efficiently and consistently across the Council
  • Restructure the existing IT resources and support to allow us to concentrate on the delivery of projects
  • Plan our ICT infrastructure better with the introduction of a Enterprise Architect role
  • Deliver a business case for Office365 that allows us to move to support a more mobile workforce with the tools they need to collaborate and be productive
  • Develop a strategy to increase the resilience of our technology through a move to externally hosted cloud based solutions
  • Support our services to deliver for their customers
  • Ensure we have a sound approach to research and development

Service design

Services are what you use, but do not own.

Service design is the act of shaping those services and experiences so that they work for the people that use them.

Double diamond design process

Divided into four distinct phases – Discover, Define, Develop and Deliver – the Double Diamond is a simple visual map of the design process.

In all creative processes a number of possible ideas are created ('divergent thinking') before refining and narrowing down to the best idea (‘convergent thinking’), and this can be represented by a diamond shape. But the Double Diamond indicates that this happens twice – once to confirm the problem definition and once to create the solution.

One of the greatest mistakes is to omit the left-hand diamond and end up solving the wrong problem.

15 principles of good service design

A good service must:

Enable a user to complete the outcome they set out to do

A good service enables a user to do the thing that they set out to do from start to finish – be that start a business or learn to drive – in as much of a seamless stream of events as possible. This includes the moment that a user is considering a task to the moment they have completed it – and any necessary steps or support, change or amendment thereafter.

Be easy to find

The service must be able to be found by a user with no prior knowledge of the task they set out to do. For example someone who wants to 'learn to drive' must be able to find their way to ‘get a driving licence’ as part of that service unaided.

Clearly explain its purpose

The purpose of the service must be clear to users at the start of using the service. That means a user with no prior knowledge must understand what the service will do for them and how it will work.

Set the expectations a user has of it

The service must clearly explain what is needed from the user in order to complete the service and what they can expect from the service provider in return. This includes things like how long something will take to complete, how much it will cost, or if there are restrictions on the types of people who can use the service.

Be agnostic of organisational structures

The service must work in a way that does not unnecessarily expose a user to the internal structures of the organisation providing the service if those structures run contrary to the task a user is trying to achieve.

Require the minimum possible steps to complete

A good service requires as minimal interaction from a user as possible to complete the outcome that they’re trying to achieve. Sometimes this will mean proactively meeting a user’s needs without them instigating an interaction with your organisation. This may occasionally mean slowing the progress of a service in order to help a user absorb information or make an important decision.

Be consistent throughout

The service should look and feel like one service throughout – regardless of the channel it is delivered through. The language used should be consistent as should visual styles and interaction patterns.

Have no dead ends

Regardless of whether or not a user is eligible for suitable for a service, the service should direct all users to a clear outcome. No user should be left behind, or stranded within a service without knowing how to continue, or being provided an easy route to do so.

Be usable by everyone, equally

The service must be usable by everyone who needs to use it, regardless of their circumstance or abilities. No user should be adversely unable to use the service more than any other.

Respond to change quickly

The service should respond quickly and adaptively to a change in a user’s circumstance and make this change consistently throughout the service. For example, if a user changes their phone number online, their phone number should be recognised in a face to face service.

Work in a way that is familiar

People base their understanding of the world on previous experiences. If there’s an established custom for your service that benefits a user, your service should confirm to that custom. For example, users who have signed up to a new service often expect an email confirmation acknowledging their sign up. Avoid customs that negatively affect your user (such as pre-selecting a ‘send me marketing emails’ tick- box) or following customs that are inefficient or outdated.

Encourage the right behaviours from users and staff

The service should encourage safe, productive behaviours from users and staff that are mutually beneficial. For users, the service should not set a precedent for behaviours that may put the user at harm in other circumstances – for example, providing data without knowing the use of that data. For Staff, this means they should not be incentivised to provide a bad service to users, for example through short call handling time targets.

Clearly explain why a decision has been made

When a decision is made within a service, it should be obvious to a user why this decision has been made and clearly communicated to the user at the point the decision has been made. A user should also be given a route to contest this decision if they need to.

Make it easy to get human assistance

A service should always provide an easy route for users to speak to a human about an issue if they need to.

Require no prior knowledge to use

A service should not use language that assumed any prior knowledge of the service from the user.

Update on Technology Strategy

Since approving the Councils technology strategy in 2014, we have been progressing 3 priorities of:

  • Customer access
  • Flexible and collaborative working
  • Well managed information

Telephony

The Council recently started the significant step of replacing all its telephony – from mobile and desk based phones to the call management system that supports front line service delivery. This change will ensure customer calls made to the Council's telephone number will be handled in a different way, ensuring that all calls will be directed appropriately.

Combining the new telephony system with the flexibility of mobile working will also allow employees to receive calls wherever there are based, tying in with agile working and again maximising service accessibility for customers. By unifying our communications, the telephony system will provide further functionality including

  • video conferencing
  • the ability to link telephony with calendars showing staff availability
  • instant messaging - allowing for collaboration opportunities between staff and reducing the need for email

All of which increases flexibility for employees and our customers alike.

Flexible and Collaborative Working

In December 2014, the Council took the decision to make a substantial investment in mobile and flexible technology. Undertaking this ambitious project meant the Council would be able to deliver services to our customers in an agile way away from fixed desks and buildings, taking services directly to where they are most needed. To achieve this major change, significant challenges had to be overcome. Information had to be managed in a secure way, minimising risks to our customers by ensuring their data is handled appropriately. This meant many of the applications in use by services needed to be changed to work through a central, secure system and supported by the technology which would allow that to happen. The technology the Council invested in to achieve this is provided by a world leading security organisation (Citrix) and is used by many public and private organisations across the world. This technology change means that most officers can access their desktops remotely and thus the systems they use daily over a secure network. The approach provides a different approach to the way we are able to deliver our services by putting our customers’ need to the forefront of service delivery. It provides the Council with greater flexibility in the way we manage and use our property assets. By enabling a review of our property portfolio, we can significantly in contribute to the financial savings the Council requires to achieve.

Additionally our investment in mobile and flexible working technology has minimised the need to replace or upgrade desk top computers. As a result the Councils PC replacement programme has ended providing a significant annual saving to the Council.

Replacement of Social Work System

One of the Council’s more important systems – our Social Work Information System - will be replaced this year. This change will significantly improve the service that can be provided to our most vulnerable citizens by providing real time information to workers. This new system will also allow us to share information securely and appropriately with partners to support better collaboration and thus outcomes. The system provides the opportunity to bring information together in a way which was never previously available. Families and acquaintances can be easily linked together providing an overall picture of a social work case, offering increased risk management and valuable information for officers and our partners. It is anticipated, after implementation and training, the go-live period will be the second quarter of 2019.

Wi-Fi

We are undertaking a programme of providing a more flexible network for our staff so that they will be able to connect to our network from any building. This will also be used to allow the public to access Wi-Fi and thus connect to Council and other services from our buildings.

Security

A principled approach to digital services must be founded in providing a secure and trusted environment. To facilitate this, the Council has invested significant effort in developing a robust patching and upgrading regime and supports our business. As we become ever dependant on technology as the foundation of our service delivery, then we must be more diligent in our approach to security. This must not be at the expense of agile, flexible and joined up services.

The Scottish Government Public Sector Cyber Resilience Action Plan rightly places ever more burdens on the council in managing the ever present risk.

Information security policy

Information security is the protection of information (in any form including hand- written, typed, video, paper based or electronic) from a wide variety of threats. The purpose of this is to minimise business risk, ensure business continuity, support information sharing, achieve organisational objectives, develop business opportunities and protect information relating to people.

Aim of the Policy

The purpose of this policy is to ensure:

  • Confidentiality of information: making sure that information is accessible only to those authorised to have access.
  • Integrity of information: safeguarding the accuracy and completeness of information and data processing methods.
  • Availability of information: making sure that authorised users have access to information and assets when required.
  • Protection of people: making sure personal information is safe.
  • Regulatory compliance: making sure that the Council meets its regulatory and legislative obligations. See Appendices 1 and 2.

Policy Scope

This policy concerns information in all forms printed, handwritten or verbal; stored on paper or stored electronically; transmitted by post, fax or transmitted electronically, carried on paper or on PCs, laptops, tablets, smartphones, blackberries, or USB devices.

This policy applies to all employees and elected members whether working in Council premises, working at home, or when mobile working. It also applies to employees of external organisations who use, or access, the Council's Information and Communications Technology (ICT).

Policy Statement

Information security is an essential enabler in helping the Council meet its objectives. Security risks must be managed effectively, collectively and proportionately to achieve a secure and assured working environment. The Council’s processes and procedures must reflect the principles, governance and responsibilities set out below.

Principles

Data must have an appropriate level of protection applied at all times

Much of the information handled by the Council relates directly to individuals and it is important their information is protected from loss or theft either accidentally or deliberately.

A risk based approach must be adopted

It is important that controls are applied in a proportionate way so that information is protected in a way which does not hamper business process and costs/benefits are optimised.

Information security must be a priority in all partnerships

Good security is crucial to building trust with partners and those with whom we share information. All data sharing initiatives should consider security at the outset and, where personal data is involved, take a data protection by privacy and design approach. This will include the use of data protection impact assessments at the outset of initiatives where there is a high risk to the privacy of individuals. All data sharing will be governed by formal written agreements.

Ownership, and access to information and rights to it, must be clearly defined, controlled and reviewed through formal processes

Owners of information must carry out regular reviews of user access rights and in particular must withdraw rights promptly when staff leave or change roles. A hierarchy of information ownership should be created in the event that information owners leave or change roles so that continuity of information ownership is maintained.

Plan for the unexpected

Regardless of vigilance, vulnerabilities will be found, new attacks will take place and the surprising will happen. Processes must be flexible enough to cope with the unexpected. Security defences must be layered so as to provide cover should one layer fail and risks from single points of failure must be managed. Business continuity plans must be prepared and tested where appropriate.

Security by design for the whole lifecycle

Security should be built in from the start, not bolted on later, to avoid expensive redesign or vulnerabilities. All initiatives must consider security at the outset and, where personal data is involved, take a data protection by privacy and design approach, including the use of data protection impact assessments at the outset where there is a high risk to the privacy of individuals. During the operational life of an asset, processes and procedures should be maintained, resources monitored, future capacity needs planned for and changes strictly controlled. At the end of an asset’s life it should be disposed of carefully as insecure disposal can expose confidential information.

All employees and elected members are accountable for their actions

Information security responsibilities must be clearly defined and communicated. Training provision should be in accordance with corporate arrangements. All user access accounts must be identifiable with an individual. Segregation of duties is an important information security control mechanism that should be used where appropriate. Individuals must act in accordance with this policy, and the other policies listed in Appendix 3. Failure to do so may result in disciplinary action. All breaches of these policies will be fully investigated.

Governance and Responsibilities

In order to ensure security of information, the following governance arrangements are required within the Council to make sure the organisation meets its business aims and objectives.

The Corporate Management Team (CMT) recognises the importance of information security to the organisation and directs the Council’s strategy, setting the overall direction and making sure resources for implementation.

The Director of Corporate and Housing Services is the Council’s Senior Information Risk Owner (SIRO) and has lead responsibility to ensure that organisational information risk is properly identified and managed in the Council and that appropriate assurance mechanisms exist. The Council’s Financial Regulations provide that the Director of Corporate and Housing Services is responsible for the issue of this policy. Also, in terms of the Financial Regulations, the Director, in consultation with the Chief Governance Officer, is responsible for ensuring that proper privacy and security is maintained in respect of information held on manual or computer records, and that the requirements of relevant legislation are complied with.

The Information Management Working Group (IMWG) is chaired by the Chief Governance Officer and seeks to:

  1. promote the effective management of all Council information in all formats throughout its lifecycle, to meet operational, legal and evidential requirements
  2. support the Council in identifying and managing its information needs, risks and responsibilities
  3. ensure an information risk management policy and framework is in place and overseen

The IT Security Group is chaired by the Head of Policy Technology and Improvement and has the following responsibilities:

  1. in conjunction with the IMWG, the promotion of Information Security throughout the Council
  2. the review and recommendation for the approval of all IT-security related policies and procedures
  3. compliance and certification through external assurance schemes such as PSN and Cyber Essentials, (iv) review and monitoring of IT

security incidents, their cause, resolution and future prevention, and (v) providing technical input to the DPIA assurance process.

The Head of Performance, Technology and Improvement has overall responsibility for the security of the Council’s corporate technology systems and network.

The Data Protection Officer is responsible for monitoring the Council’s compliance with data protection legislation and with its policies in relation to the protection of personal data.

The Corporate Risk Management Group (CRMG) is chaired by the Head of HR and Business Transformation (who is also a member of CMT). The CRMG receives regular reports on information asset and cyber security risk management and makes sure that appropriate control objectives and key controls are established to address any weaknesses identified.

Information Asset Owners (IAOs) are identified as Directors or Heads of Service at a service area level and will be accountable for ensuring that the risks in relation to the assets are identified and managed according to the appropriate level of security. This includes user access management. IAOs must also clearly define data retention and disposal requirements.

Internal Audit will regularly review information security matters through its audit programme. This will serve to inform the risk management approach and promote continuous improvement of policy.

All staff and elected members are responsible for protecting information in accordance with this policy.

Information Security Incidents

An information security incident is an event that has, or could have, resulted in loss or damage to information, or an event which is breach of this policy. This includes but is not limited to:

  • The loss of an unencrypted memory stick
  • Theft or loss of data held in electronic format
  • A break-in to Council premises
  • Paper files going missing
  • Disclosure of confidential information
  • Unauthorised access to a system
  • Unauthorised use of information
  • Cyber attack

Information security incidents must be reported as set out in the Information Security Incident Reporting Procedure.

Review of Policy

This policy will be reviewed every 3 years or sooner if required by changes to legislation, technology or Council policy.

The SIRO will be responsible for ensuring the review of this policy.

Appendices

Digital strategy appendices