Agenda item

IT Acceptable Use Policy

To approve the revised ICT Acceptable Use Policy, which will require all Officers and Members to sign a declaration of acceptance to ensure full compliance, and to delegate authority to the Associate Director: IT and Cyber, in consultation with the Lead Member for Corporate Governance, to make minor changes to the policy including changes to management structure, typographical changes etc. 

Subject To Call In: Yes - No action to be taken prior to the expiry of the call-in period.

Decision:

1.     That the revised ICT Acceptable Use Policy which will require all Officers and Members to sign a declaration of acceptance to ensure full compliance be APPROVED, subject to an amendment to the section relating to Data Protection to add an additional sentence as follows: “Monitoring or accessing personal emails is in the council's legitimate interests and is to ensure that this policy on email/messaging/online communications and internet use is being complied with and/or the security of council ICT infrastructure. Monitoring or accessing personal emails may also be carried out where it is a task vested in the authority or a task carried out in the public interest such as for the prevention and detection of crime or fraud. For further information about how the data will be used please see the council’s Privacy Notice. With respect to this policy, personal email is any email sent or received using the council’s systems or equipment.”

2.     That authority be delegated to the Associate Director: IT and Cyber, in consultation with the Lead Member for Corporate Governance, to make minor changes to the policy including changes to management structure, typographical changes etc.

Minutes:

34.1          The report of the Associate Director: IT and Cyber, circulated at Pages No. 65-73, attached, at Appendix 1, a revised ICT Acceptable Use Policy.  The Committee was asked to approve the revised policy, which would require all Officers and Members to sign a declaration of acceptance to ensure full compliance, and to delegate authority to the Associate Director: IT and Cyber, in consultation with the Lead Member for Corporate Governance, to make minor changes to the policy including changes to management structure, typographical changes etc.

34.2          The Lead Member for Corporate Governance advised that the current ICT Acceptable Use Policy was written in April 2019 and much had changed since that time in terms of the way ICT was used in the authority and the nature of work which now included remote and hybrid working.  Since the publication of the report, he had been able to discuss some of the content further with the Monitoring Officer and was suggesting a minor change to Page No. 72 in relation to the Data Protection section to clarify what was meant by personal email.  He confirmed that the policy would be relevant to Members as well as Officers; however, there was a distinction between the two as, although Members must be led by the Council rules and procedures, it was unclear what would happen if a Member did not sign the declaration of acceptance given that they still needed to be able to carry out their responsibilities as best as possible.  Notwithstanding this, he appreciated that the Council needed to have control and it was proposed that all Members sign the declaration as standard.  It would remain a living document in terms of how ICT was used and would be kept under review.

34.3           A Member raised concern that access to Council data would be restricted to Council-owned devices which would mean that Members could only use their iPads to access emails etc; other authorities used web-based applications and he would like to see Tewkesbury Borough Council being more forward thinking.  He questioned whether use would continue to be restricted to iPads if a web-based solution was introduced.  In response, the Associate Director: ICT and Cyber explained that the reason that access was restricted to Council-owned devices was in order to understand the security status of every device and know where the Council data was.  One of the major risks to the organisation was phishing emails and restricting access to Council-owned devices guaranteed security which could not be said for personal devices.  He recognised that other authorities had different approaches but Tewkesbury Borough Council was a small authority with an ICT team of eight.  The Member understood that Cheltenham Borough Council used a web-based system, as did other district authorities, and he suggested that two-step authentication may help to overcome some of the concerns.  He felt that education was needed for Members in relation to phishing emails and, whilst he understood that the safest way was to keep access locked down, he did not think that was practical in terms of Officers and Members operating effectively.  As a dual-hatted Member, he had a tablet issued by Gloucestershire County Council and one issued by Tewkesbury Borough Council, a personal phone and a work phone – he was able to access County Council emails on his personal phone.  The Lead Member for Corporate Governance advised that the revised policy reflected the current position and was perfectly workable; should the Council decide to operate in a different way, the policy would need to be amended to reflect the new way of working.

34.4           The Chair indicated that he had spoken to a number of Members on this matter and, from his perspective, safety and protection of residents’ data should be paramount and there were examples locally of what could happen when this went wrong.  There may be further conversations to be had about how Members could be better supported in terms of equipment or cloud-based solutions etc.  He acknowledged the challenges faced by dual-hatted Members and those working full-time etc. and acknowledged that it was difficult to view certain documents, such as financial spreadsheets or planning applications, on the small screen of an iPad so suggested that discussions may be needed in that regard but this did not impact the policy at this stage.  The Associate Director: ICT and Cyber welcomed this suggestion and advised that the intention of the policy was to establish the here and now to ensure the authority and its data was as safe as possible.  If the Council was subject to a significant cyber-attack, which was one of the biggest risks to the organisation from a General Data Protection Regulation (GDPR) point of view, it was essential to know where the Council’s data was and what devices it was on.

34.5           A Member indicated that she fully supported the revised policy but felt there were some issues.  She was contacted by residents on her personal phone and had to tell them to call her on another number so that she was using a Council-issued device which was not practical; she was no longer able to access Facebook on her Council phone which was necessary as she used social media for information.  The Business Transformation Team was looking at options for a case management system for Councillors but that was some way off and she expressed the view that Members needed laptops at the very least in order to be able to properly look at documents.  The Associate Director: ICT and Cyber advised that the policy did not intend to stop access to social media on Council-owned devices for Members and he was happy for that to be installed onto those devices if they wished – if Members wanted to use any applications on their devices, provided they were for their role as a Councillor, the ICT team would be pleased to assist and he encouraged Members to take advice from the team on specific circumstances.  He recognised that Members and Officers needed to have the technology to be able to do their jobs; however, he pointed out that across the organisation there were people who used technology a lot and others who barely used it so it would be remiss to issue the same kit to everyone when some only used their phone.  The policy did not prevent looking at alternative ICT provision but he stressed that one of the requirements of GDPR was to understand where data was at all times.  A Member expressed the view that this was an important policy but it was impossible to cover all scenarios; safety and security was paramount and if Members were in doubt about anything they should ask the ICT team.

34.6           It was proposed, seconded and

Action By: EDR
