Agenda and minutes

There were no apologies from Councillors.

There were no declarations of interest.

Cllr Bennett disputed minute 25/5/Civ and requested a correction as follows (deleted text struck through, inserted text underlined):

      i.         Councillor Bennett:

a.    Suggested a Green Councillor could sit on the Independent Remuneration Panel (IRP).

b.    Queried if all Suggested it was good practice to ensure all relevant information had been given to the IRP to make recommendations and then to accept the panel’s recommendations.

c.    Circumstances had changed since the IRP did their work – should they revise the recommendation Suggested the recommendations should only be disputed if members felt the circumstances had changed since the panel made their recommendations.

The minutes of the meeting held on 30 June 2025 were then approved as a correct record and signed by the Chair.

There were no public questions.

The Committee received a report from the Chief Audit Executive.

The Chief Audit Executive said the following in response to Members’ questions:

      i.         Cyber security was one of the top risks facing Councils. The continuous pace of change of the threats made it difficult to provide full assurance.

    ii.         Counter-fraud training was not mandatory but could be considered. 

   iii.         The Council’s Generative AI policy was available to all staff and had been in place for some time. The policy included disclosures, confidentiality and general use of AI. The Chief Operating Officer confirmed that the policy was in place across all 3C Shared Services and agreed to send the policy to all committee members.

  iv.         It would not be easy to come up with like-for-like comparisons with other authorities, but would investigate whether there were any best practice areas that the council could adopt to make comparisons.

    v.         Global Internal Audit Standards in the UK public sector took effect on 1 April but there was no expectation for organisations to be fully compliant at this date, only to be working towards full compliance. The team completes a continuous internal assessment to the standards, and this will be followed by validation from a suitably qualified and independent assessor. The team had completed a readiness assessment to identify actions to be compliant with the new standards, and the Council was in a strong position.

  vi.         The team was made up of five people, plus two vacant apprenticeship posts would be advertised in future when the new scheme is launched.

 vii.         Current use of AI in internal audits and for automation of routine tasks, such as planning and research, was used with publicly available data.

viii.         Risk management was an important control to manage any gaps in reporting, along with using education as prevention rather than recovery.

  ix.         Confirmed the use of Tascomi software system for licensing and environmental health functions.

    x.         The Data Protection Officer and Information Governance Manager added that the last business continuity exercise took place in June 2025, with disaster recovery principles tested regularly.

Unanimously resolved to note the report.

The Committee received a report from the Data Protection Officer and Information Governance Manager.

The Officer clarified that the higher incident rate was down to better reporting and better staff awareness.

A typographical error was noted on page 35 of the agenda pack – point 4.6 should read ‘decrease’ and not ‘increase’.

The Data Protection Officer and Information Governance Manager said the following in response to Members’ questions:

      i.         A tiered approach would be taken for staff who have been involved in the simulated phishing exercises, utilising training within specified timeframes. Where individuals were repeatedly being caught out, then the root cause would be investigated.

    ii.         The number of reported phishing attempts was increasing, which demonstrated an improved level of staff awareness.

   iii.         With regard to Freedom of Information (FOI) data, the delays were evenly spread. Officers did not capture the cause of delays but they would like to build that into the system to work on the causes in future. When a request was not responded to in time, it would be passed to the Information Commissioner’s Office (ICO) and a decision notice issued. Failure to respond would lead to the ICO compelling the release of the data.

  iv.         Services would notice if they were repeatedly being asked for the same set of data and a picture could be obtained of areas of public interest.

    v.         It would not be possible to compare the Council’s number of FOI and data rights requests with authorities other than those with whom the service is shared.

  vi.         Acknowledged that further breakdown and analysis of FOI requests and trends would be useful.

Unanimously resolved to note the contents of the report.

The Committee received a report from the Chief Operating Officer.

The Chief Operating Officer said the following in response to Members’ questions:

      i.         Recognised the challenge of compiling the quarterly performance report in a short timeframe and explained that it would use data that would make it relevant, meaningful and understandable before publication.

    ii.         Planned to discuss content with Members and would consider suggestions for changes or additions but was confident that the anticipated timeframes could be met.

   iii.         Officers were looking at a suite of performance indicators to provide an overview of the seven strategic risk areas, with a level of granularity that would explain the areas in more detail.

  iv.         Benchmarking information could be included where it was easy to obtain.

Unanimously resolved to:

      i.         Note the development of the new quarterly performance report for Cabinet and its role in supporting the Council on its Local Code of Governance.

    ii.         Note the updated financial thresholds in the Risk Management Framework.

The Committee reviewed the workplan and made the following suggestions:

      i.         Could an update be provided on the external audit.

    ii.         That the Civic Protocols and updates report includes the Council’s flag policy.

   iii.         That the review of the Council Constitution addresses protocols for one committee inviting another committee to attend and speak at meetings.

  iv.         The committee should consider Local Government Reorganisation in relation to civic matters such as the mayoralty.