Norfolk County Council CIO renegotiates terms on HPE contract and beefs up cyber security

Norfolk County Council is better equipped to deal with data breaches after it completed an audit from the Information Commissioner's Office, according to CIO Geoff Connell.

Connell, who took over as head of ICT and information management in August 2016, tells IT Pro that his two main objectives since joining the council have been to work with the ICO on the audit, and to work with one its biggest providers HPE to renegotiate terms on its contract for the troubled Digital Norfolk Ambition' project.

Cyber security

Norfolk Council does not have a good record when it comes to data breaches; it was fined 80,000 by watchdogs in 2012 after a social worker hand-delivered highly sensitive child welfare information to the wrong address. The council recorded 59 breaches between 2011 and 2014, with one of the most shocking incidents being when confidential files containing details of adults and children was left in a filing cabinet which was sold following an office move.

But after an audit completed by the ICO in January, Connell believes the council is much better prepared.

"We had to do quite a lot of work to improve our processes and we're well on track with that to make sure we have the right information sharing agreements in place," he says.

Connell emphasises that the audit is not a compulsory programme to catch the council out, but is instead an optional audit to help the organisation to improve its policies.

The council has now resolved its historical data loss cases and has implemented new policies, procedures and awareness training. It is the latter, which Connell believes is most crucial.

"Of course you need policies but if people don't know what they are or how to use them then it's no good," he states.

He will be testing staff by sending out phishing e-mails to see who clicks on malicious' links the idea is to understand what more can be done to train staff.

Cyber security is something Connell has also been focused on in his role as president of SOCITM. He wants to put together activities for local authorities within the new national cyber security centre.

"It's a really important focus area for local authorities it's not just about making sure we're in good shape, but that we can join up and work with central government agencies and other public sector organisations safely," he states.

Connell is passionate about data being shared across public sector organisations more easily. He says that it would enable social workers to know about medicines that people are on, and hospitals to know what social care arrangements have been made.

"Up until now, this has all been on an ad hoc basis. We need to make it more systematic and share data when it is appropriate to do so," he says.

But as public sector organisations are funded separately, and budget cuts continue to be made across the board, it makes it increasingly difficult for all parts of the public sector to continue to invest in technology that can help with data-sharing. By work together, the money could be spent more efficiently.

"For example, councils spend a lot of money on technology that helps elderly people to live more independently in their homes, such as IoT, but if local authorities are spending the money then health organisations save the money. Likewise if care homes aren't being adequately funded it is difficult for elderly people to be discharged from hospitals.

"So we need to have ways of working that enable joint investment," he says.

Renegotiating terms with HPE

Connell is in charge of Digital Norfolk Ambition' a 26m IT transformation project which one councillor referred to as a "looming catastrophe" in an interview with the Eastern Daily Press.

The project was signed back in December 2013 with HPE, Microsoft and Vodafone as the three key suppliers but it has been beset by issues such as an increase in costs, a build-up of delays and technical issues with laptops.

In order to solve some of these problems, Connell has held talks with HPE to reshape the agreement.

"We only have another year and half on the contract and we've agreed certain things we don't want to do with them anymore that we will take in-house, and other things which they're doing well which we will continue with but ultimately we need to be planning to exit from that contract," he states.

Despite the need to move away from the contract, Connell has been satisfied with how HPE have dealt with the contract review.

"Give them credit, they were flexible and they've recognised that times have changed and that not everything will pan out as you'd expect it to. It's important that vendors are able to alter the contract scope to ensure it is most cost-effective," he says.

Indeed, HPE is not one of the big vendors that Connell would say it hard to work with.

"There are some vendors that are notoriously difficult when it comes to licensing because they have complexity that you may call borderline fraud because they are simply inflexible," he states.

"Some view their products as cash cows so they're taking money and not reinvesting it, and some that don't keep up to date with patching, browsers and versions of different products we use so it's difficult for us to keep up to date," he adds.

Connell says that it is up to public sector organisations to work together to help to shift this kind of behaviour from these big vendors, either by buying from other suppliers or lobbying through user groups.