Agenda and minutes

There were no declarations of interest.

RESOLVED – That the minutes of the meeting held on 30 July 2018 were confirmed and signed by the Chairman.

Report of Ernst & Young.

Vishal Savjani, Ernst and Young, introduced the Annual Audit Letter for the year ended 31 March 2018.  The content of the Letter sections 1-5 had just been reported, minuted and approved.  Ernst and Young reported that they audited the accounts and provided a clean opinion and were satisfied with the arrangements for value for money.  At the time of the last meeting Ernst and Young had not completed the Annual Governance Accounts audit. This work had now been completed and there were no new issues to report.  Turning to Section 6 of the report, the key parts highlighted were the application of the new accounting standards due in the future.  The impact on the Council was summarised in the report and had implications for the Finance and Resources Team.

Members referred to Section 6 IFRS 16 Leases and asked if all leases were fully documented. 

RESOLVED: The interim Head of Internal Audit and Financial Services agreed to ask the Deputy Director of Finance and Resources if all leases were fully documented and report back to Members.

Report of Ernst & Young.

Vishal Savjani introduced this report drawing Members’ attention to the section on key questions for the Audit Committee.  Members asked if the Committee was in a position to answer these questions.  Mr Savjani stated the Director of Finance and Resources was aware of these questions and had taken them into consideration in producing the Medium Term Financial Strategy.  Members stated that they should reassure themselves that they could answer these questions.  In regard to interest rates, quoted on page 46 of the report, Members asked if there was an accepted norm.  Mr Savjani stated that he would go back to Ernst and Young’s experts in this field and let the Committee have a response.

RESOLVED: a) That the interim Head of Internal Audit and Financial Services request a written response to the key questions for the Audit Committee referred to in the report from the Director of Finance and Resources b) That Ernst and Young report back on the question regarding interest rates.

Presentation by the Head of Business Support.

Liann Stibbs, Access Manager, Information Governance Unit, gave a presentation on the General Data Protection Regulation (GDPR) and Data Protection Act (DPA) Act 2018.  This legislation replaced and amended the previous legislation and prepared the Council ready for the digital age.  The legislation came into force on 25 May 2018.  Fines had increased, for example, if personal data was lost the fine could be £17.5m.  Fines for public authorities would be lower than this, but higher than the previous maximum of £500,000. There was an onus that everyone knew what to do with data and if data was lost that people were aware of what to do to mitigate the risks.

People’s rights had also increased. They could request that their data was erased and that data processing was stopped.  If they disagreed with something a review could be undertaken.  There was much more onus on the individual to own their data.  Emails had reduced in number since May as people now had to opt in to receiving data in specific instances.  The Information Commissioner’s (IC) Office had issued guidance and assistance to ensure they could respond if a data breach occurred.

There was a dedicated unit at the Council that monitored emails outside working hours should a breach occur.  A review of what had happened was undertaken, and advice on the necessary steps to mitigate against any further breach. There was mandatory reporting to the IC’s office of 72 hours if a breach occurred.  There was a statutory position within the Council of a Data Protection Officer held by Tracy Thorley.  She would be aware of any serious breaches and was responsible for the Council’s Information Governance Strategy.

Transparency was key.  There were more requirements now for people to know what is happening to their data, and more control over what they consented should happen to their data. A Member questioned the relevance of some data that had been held in regard to him by a motoring organisation.  He was advised that he could ask why this data was being held through the IC’s office.

In terms of getting ready for the review, the government announced that they were going to write the GDPR but there was a lack of sufficient information and guidance for local authorities, so interpretation of the legislation had been left to those working in the information governance field supported by advice from the IC’s office.  The DPA had made changes in terms of adapting the GDPR for the UK, so reference was made to fraud, for example in respect of social services. Children’s consent is set at 13 years, in line with UK case law rather than the European standard.  The terms GDPR and DPA are currently used interchangeably, but after Brexit there would just be the DPA 2018. 

A gap analysis had been undertaken. The Authority generally complied with the legislation, but some key areas were identified.  Project leads had been identified beginning at a senior manager level to support the introduction  ...  view the full minutes text for item 38.

Report of the Director of Finance and Resources.

The Counter Fraud Audit Manager updated Members on progress with the NFI 2018. 

In two weeks’ time the Council would be uploading data to the Cabinet Office to undertake a data matching exercise principally involving public sector organisations. An increasing number of private organisations are taking part. The last NFI helped identify £300m of fraud including £145m in pension overpayments, £50m in benefit overpayments or fraud, the revoking of 234 concessionary travel passes and 31,000 blue badges were revoked or removed.  The Council’s participation this year will involve uploading data including payroll, creditor payments and creditor standing data, information from pensions and supported private care home residents, concessionary travel pass holders, blue badge holders and direct payment recipients. The data would be uploaded in line with GDPR and the DPA requirements.  Fair Processing Notices had been issued. Data would be uploaded from 8 October and the Council was hoping to have resultant interesting matches for the Council to look over from the end of January 2019.  The NFI report relating to the previous data matching exercise (NFI 2016) was available from the Cabinet Office and would be available on the Intranet shortly.

Members asked for clarification on how the £145,994 recovered in 2016 in Staffordshire compared with previous years.  The Counter Fraud Audit Manager stated that the information was available in the Annual Report that came to the Committee in June 2018.  Details would be circulated to Members.

Members asked for a differentiation between intentional or malicious fraud and unintentional fraud.  The Counter Fraud Audit Manager explained that this was taken into consideration, for example in cases where a resident was found to have two blue badges due to a recent house move. There was only an entitlement to one blue badge, and one would be cancelled.  No further investigation would take place. 

Members asked how we worked with local district councils in regard to this matter and asked if the £3,750 fee charged for County Council participation in the NFI could be shared between district and borough councils.

The Counter Fraud Audit Manager explained that there was a mandatory scale of fees that is different for each Council.  Each participating Council is charged a madatory fee set by the Cabinet Office.  Data is shared across all participating organisations including district councils.  Potential data matches between Councils are dealt with on a case by case basis.

Members were concerned that potentially there was a conflict between data protection and confidentiality and asked how such conflicts were resolved.  Members also stated that the time, effort and amount of money spent on detecting and preventing fraud was a concern compared with the financial return.  The point was made that fraud was not endemic. 

Members were reassured by the policy and process for retaining and releasing information at Staffordshire County Council.

RESOLVED: a) The report was received b) The previous years’ fraud recovery figures would be circulated to Members.

Members asked if, where the County Council had appointed independent investigators to investigate issues and there were financial implications relating to systemic or structural issues across the organisation, if these issues were routinely included in the Forward Plan.

The interim Head of Internal Audit and Financial Services stated that the items in the Forward Plan came from the external audit requirements and the internal audit plan.  The internal audit plan would look at the control environment across the organisation and may pick up these issues.

RESOLVED: the Forward Plan was agreed.

(Exemption paragraph 3)

(Exemption paragraph 3)

RESOLVED: The exempt minutes of the meeting held on 30 July were signed as a correct record.

(Exemption Paragragh 3)

Report of the Director of Finance and Resources.

Exemption Paragraph 3

(Exemption paragraph 3)

Verbal Update by the interim Head of Audit and Financial Services

Exemption Paragraph 3