⭕ FOI: Internal Audit Plan 2026/2027 - Data Protection High Risk Priority.
Request to the Highland Council.
Sent: 31 May 2026
Due: 30 June 2026
FS-Case-842712920
🚨 Data Protection goes code red on Highland Council's Internal Audit Plan for 2026/2027. 🚨
31 May 2026
Please provide the following information in relation to the Council’s internal audit plan for 2026/2027 and in relation to “Data Protection” appearing at the top of the newly added audits with a high priority and risk score of 37:
1. A copy of the formal Terms of Reference, Audit Brief, or Scoping Document issued to the internal audit team defining the parameters and objectives of the 30-day Data Protection audit and any other related working papers.
2. All internal correspondence (emails, Teams chat logs), briefing notes, or reports generated by Audit and Risk teams detailing the methodology, mathematical calculation, or administrative justification used to escalate the Data Protection risk score to 37.
2.1 Please include all correspondence between the Chief Exec, Monitoring Officer, Assistant Chief Executive of Corporate, s.95 Officer, Chief Audit Executive, Corporate Audit Manager, Data Protection Officer, ICT staff, legal staff and the Assessor & Depute Assessor of the HWIVJB relating to internal audit of Data Protection matters.
2.2 Please include any correspondence between the Council and any external parties, such as the External Auditor, the ICO, etc., in relation to the internal audit of Data Protection.
3. Copies of any active Non-Compliance Registers, Gap Analysis reports, or Data Flow Inventories compiled by the internal audit team or Information Governance department regarding the data processing infrastructure between The Highland Council and the Highlands & Western Isles Valuation Joint Board (VJB).
4. Any formal Internal Risk Appraisals or Legal Briefings assessing the council’s corporate liability regarding active regulatory investigations or enforcement notifications from the UK Information Commissioner’s Office (ICO).
5. Copies of all current risk register entries related to Data Protection, ICT and Freedom of Information.
6. Copies of all Risk Amendment Forms, Change Request logs, and Risk Evaluation templates generated between 1 February 2026 and 27 May 2026 relating to the alteration, escalation, or amendment of the Data Protection risk profile on the Corporate Risk Register.
7. All minutes, operational notes, and action logs from internal management meetings, including but not limited to the Chief Officers’ Board, Corporate Risk Management groups, or internal audit planning sessions, where the decision to amend the Data Protection risk score to 37 was formally discussed or approved.
8. The exact qualitative and quantitative criteria matrix used to calculate the impact and likelihood scores that resulted in the final risk score designation of 37 for Data Protection.
9. Fee notes/invoices and instruction letters & authorisations of any external legal advice undertaken in relation to Data Protection by the Highland Council since 1 September 2024.
10. Referring to my recent FOI, FS-Case-798209673, and in reference to GIAS standard 7.1, given that the Chief Audit Executive, Donna Sutherland, is also the Strategic Lead for Data Protection and her line manager, Stewart Fraser, is also the Chief Legal Officer, whose in-house team is involved in ongoing data protection litigation, can the Council please provide the documentation or reports supplied to the Audit Committee about actual impairments reported, safeguards in place and information as to which independent third party will be appointed to oversee assurance activities? Please also provide any methodologies the Council has in place to meet the standards of 7.1 of the GIAS.
Kind regards.