The Committee considered the report of the Director of Resources updating the following Council policies due to the addition of new hardware and software following the recent transformation project. Members were advised that the revised policies would provide clear requirements for system usage within the Council both for Members and Officers:
· ICT Acceptable Use (attached as Appendix 1 to the report);
· Email and Communications (attached as Appendix 2);
· Information Security (attached as Appendix 3).
It was noted that if approved these amended policies would meet the requirements of a recent internal network security audit recommendation
A lengthy debate ensued, during which a number of questions were raised by Members and information provided by Officers, including:
· Members were advised how data, which included emails and texts, sent on behalf of the Council belonged to that organisation. Therefore, following specific authorisation and in response to a particular need (which had to be identified), IT were able to implement a monitoring check on a specific email account, for example. In response to further questions the Officer provided further information on the process involved and recent monitoring carried out.
· It was noted that other documents such as Human Resources policies along with the Code of Conduct for Members were also relevant and some matters mentioned by Members would fall within the remit of these documents rather than IT policies.
· It was clarified that personal devices belonged to the user and the Council would not have access to these, however the Council would control any data accessed on that device through a Maldon District Council (MDC) portal.
· In response to a suggested amendment that Members should be informed if their emails were being looked at, the Director of Resources advised that he was happy to include that within the policy as long as there was no legal practice against it.
· The Council as a data controller had to comply with the Data Protection Act 2018 which ensured that the Council kept data safe and only held it for as long as needed.
· Some information was held for seven years on the IT systems, although some planning information was kept for up to 50 years.
During the debate the Officer provided some best practice guidance on the use of out of office email notifications when a person was away from their computer for a period of time. In response to questions the Officer agreed to ensure that the wording within the policy was reviewed.
In response to a question, the Director of Resources advised that he would seek clarification from the Data Protection Officer regarding confidential emails sent by a resident to a Councillor being monitored by the Council.
Councillor K M H Lagan proposed that the policies not be adopted, amended by Officers and brought back to the Committee for approval. This proposal was duly seconded. Councillor Lagan advised that amendments should include a section in each policy for Members as there were differences between Members and Officers and if Members emails were being monitored the Member in question should be informed up front. Members were reminded at this point that the Director of Resources would seek a legal view on some of the matters raised and advise the Committee accordingly.
Following further discussion, Councillor Lagan clarified his proposal, that Officers review the policies and amendments raised by this Committee, once amended they send the amended policies round to Members for comment before them being brought back to the next Strategy and Resources Committee. This was duly seconded and agreed by assent.
RESOLVED that Officers review the following policies taking in to consideration the comments and amendments raised by Members and the revised policies be brought back to the next meeting of this Committee:
· ICT Acceptable Use;
· Email and Communications;
· Information Security.