A Welsh council faces a conflict of interest because its head of ICT strategy is also its senior information risk owner (SIRO), according to a local government watchdog.
The Welsh Audit Office has released an assessment of progress by Newport City Council on a set of recommendations produced in 2013.
The report said that although ICT arrangements in general have improved, some areas remain a cause for concern.
“The council has made progress in addressing our recommendations on ICT, but there are still weaknesses in some governance arrangements and uncertainty on its plans for continuity should an unforeseen event occur,” the report said.
In particular, the report criticised the fact that one officer currently holds the three roles of:
- Head of customer and information service – providing strategic direction for delivery of ICT;
- SIRO for the Council – taking overall ownership of the council’s information risk policy; and
- Chair of the information governance group – scrutinising actions on the annual risk report and responses to information security incidents.
The report said: “The combination of one person holding these three roles creates a conflict of interest in that one person oversees both service delivery and scrutiny of that service delivery.”
The council has acknowledged the conflict of interest inherent in this situation and has given an undertaking to make alternative arrangements, according to the auditor.
The report found that council staff feel confident and empowered to report security breaches, but are sometimes unclear on how to do so and who to report them to.
The report also found that the council has still not tested its business continuity plans and “does not know if it would be able to maintain critical services in the event of a catastrophic failure of its critical IT systems”.
The auditor recommended that the council should test a scenario where both of its server rooms are not available “to determine how long it will take to set up an offsite server room and what effect this has on its timetable for restoring its critical systems”.