Appendix A

Information Governance Framework

Deputy Chief Executive

V1.0

4 October 2016


Information Governance Framework V1.0 4 October 2016 Page 2 of 26

Contents (page)

1. Introduction 3

2. Information Governance Policy Statement 4

3. Legal and Regulatory Framework 4

4. Scope 5

5. Roles and Responsibilities 5

6. Main Themes for Improvement 6

6.1 Information Governance Management 6

6.2 Data Quality 7

6.3 Information Compliance 8

6.4 Information Security 10

6.5 Information Sharing 12

6.6 Records Management 13

7. Information Governance Work Plan 15


1. Introduction

This Information Governance Framework and its Work Plan present Eden District Council (“the Council”) with both an opportunity to establish a robust structure for managing its information assets and a significant challenge. This document contains a large number of actions, some quite ambitious, addressing a wide range of issues and involving all staff and Members to some extent. The Work Plan therefore spans two years, from October 2016 to September 2018. It will run largely concurrently with the Digital Transformation Project, to both inform and be informed by its development.

Information is an Asset

Information is a valuable asset, vital for the efficient management of services and resources. It is needed to inform policy development and make evidence based decisions. Information is important in terms of making improvements to service delivery and helping the Council to respond more flexibly to changing customer needs.

The Council receives, generates, uses and stores vast amounts of data, in many different forms, including: emails, its website, files stored on laptop/PC hard drives, on SharePoint and on servers, databases and application software, and also hard copy paper files and maps. The extent and types of information held on Eden residents, businesses and organisations place a great responsibility on the Council to ensure it has robust policies, procedures and systems in place to protect it.

The Council’s approach to managing its information assets has not been particularly well co-ordinated in the past. A number of policies and procedures exist but they have been developed largely in isolation, at different times and by different people. There has been no overarching framework or policy to draw them together.

The Council’s Service Innovation Board identified the need for improved data governance and data sharing in 2015, to support and enable the Digital Transformation Project. This resulted in the creation of the Information Governance Manager post through a restructure, implemented with effect from 1 April 2016.

What is Information Governance?

Information Governance is a term used to describe how organisations, including local authorities, ensure that statutory, regulatory and best practice requirements are met when they collect, store, use and share information in their possession.

An Information Governance Framework is multidisciplinary, encompassing a wide range of functions, policies, procedures and systems. This Framework will provide the Council with a coherent structure to ensure that legal and best practice standards are met and continuously assessed.

The list below shows the six aspects of Information Governance included in this Information Governance Framework:

Information Governance Management;

Data Quality;

Information Compliance;

Information Security;


Information Sharing; and

Records Management.

2. Information Governance Policy Statement

The Council recognises information as a valuable asset in the provision and effective management of its services and resources. It is therefore of paramount importance that information is processed within a framework designed to support and enable appropriate Information Governance.

All information users (staff, Members, contractors and partners) will take responsibility for managing information in accordance with this Information Governance Framework and with all policies, procedures, guidance and systems developed to support it.

Information must be managed using sound processes. The Council will ensure that it:

Conforms to all legal and statutory requirements;

Holds all information securely;

Holds all personal information confidentially;

Obtains information fairly and lawfully;

Records information accurately and reliably;

Uses information effectively and ethically;

Shares information appropriately and lawfully;

Makes available non-confidential information wherever possible to the public via the Council’s website (Open Data); and

Reviews and disposes of information and records no longer required securely.

3. Legal and Regulatory Framework

There are a number of legal obligations placed upon local authorities relating to the use of information, including personally identifiable information. The Council needs to ensure these legal and best practice standards are met and continuously assessed:

Data Protection Act 1998;

Electronic Communications Act 2000;

Environmental Information Regulations 2004;

Freedom of Information Act 2000;

Human Rights Act 1998;

Public Records Act 2011;

Regulation of Investigatory Powers Act 2000; and

Reuse of Public Sector Information Regulations 2005.

The General Data Protection Regulation (2018), which will come into force on 25 May 2018, will place additional responsibilities on the Council and could quite significantly increase demand on the Council’s resources.


4. Scope

This Framework applies to:

All information, regardless of format, held and processed by the Council;

All information systems operated or managed by the Council;

All information shared by the Council with third parties, including partner organisations and contractors;

Any individual processing information held by the Council; and

Any individual requiring access to information held by the Council.

5. Roles and Responsibilities

Matters relating to Information Governance come under the Resources Portfolio. Progress on the Information Governance Framework Work Plan will be reported to the Resources Portfolio Holder.

The Chief Executive, as Head of Paid Service, together with the Senior Management Team, has overall responsibility for ensuring the delivery of an effective Council-wide approach to Information Governance.

The Council’s Director of Finance is the Senior Information Risk Owner (SIRO). The SIRO is concerned with the management of all information assets and information risks. The SIRO is responsible for fostering a culture of protecting data and for managing information risks and incidents. All breaches of information security should be reported to the SIRO. The SIRO heads up the Service Innovation Board in overseeing the Digital Transformation Project.

The Deputy Chief Executive is the Council’s Data Protection Officer. He is responsible for co-ordinating the needs of Data Protection across the Council and for ensuring compliance with the requirements of the Data Protection Act.

The Information Governance Manager is responsible for producing the Information Governance Framework and Work Plan, for co-ordinating the implementation and monitoring progress of the Work Plan, for ensuring relevant policies, procedures, protocols and guidance are in place, for advising staff and Members and for arranging training.

Each Senior Manager is an Information Asset Owner, accountable for information assets within their service area. They should be able to understand how the information asset is held, used and shared and address any associated risks. However, all staff and Members are responsible for the data and information they generate, handle and dispose of.

The responsibilities for delivering specific actions under this Framework are indicated in the Work Plan table on pages 15 to 26.


6. Main Themes for Improvement

There are six main themes for the improvement of Information Governance under this Framework and it is expected there will be a degree of cross-over between them.

6.1 Information Governance Management

Information Governance Management is the management of Information Governance at a corporate, managerial and operational level across the organisation. It provides the necessary ownership, accountability and support required to ensure the development, implementation and promotion of the required Information Governance infrastructure.

The current situation (as at mid September 2016)

The Council has identified that its management of Information Governance in the past has not always been given the attention it deserves. However, this is now being addressed, with the creation of an Information Governance Manager post and an acknowledgement that Information Governance must be improved to support the work of the Digital Transformation Project. This planned improvement is supported by the adoption of an Information Governance Framework and Work Plan and an annual reporting regime.

The Information Governance Framework encompasses a wide range of different policies, procedures, processes, protocols and guidance and these need to be consistent with each other and kept up to date and relevant. A regime for monitoring, reviewing and updating is to be introduced.

A training programme will identify the various training levels required for different staff and Members and will set out the Council’s expectations for working practices and behaviours related to Information Governance. Also, clear guidance on the Council’s approach to the various aspects of Information Governance will be made readily available to all staff. All staff will be made aware of their responsibilities relating to Information Governance, particularly with regard to Access to Information, Data Protection and Information Security and the duties they place on the Council.

Information Governance competencies, particularly with regard to Data Protection, are already written into all job descriptions.

Areas to be addressed

The following areas are to be addressed under the heading of Information Governance Management and are expanded on in the Work Plan on page 15:

Introduce an Information Governance Framework;

Produce an annual Information Governance report at the end of each financial year;

Review existing Information Governance policies, protocols, processes, procedures and guidance and establish a regime to regularly monitor, review and update them;

Implement an Information Governance training and awareness raising programme; and

Recruit a Data Transparency Assistant on a temporary, part time basis.


6.2 Data Quality

Data Quality is an assessment of the fitness of data to serve its purpose in a given context. Data is generally considered high quality if it is fit for its intended uses in operations, decision making and planning. It is important to ensure the accuracy, coverage, timeliness and completeness of data so that staff, Members, contractors/partners and customers are able to trust the validity and authority of information sources and have confidence that it is up to date and accurate.

The current situation (as at mid September 2016)

The Council has a Data Quality Statement, which is available on the website. This is a short policy statement which is reviewed biennially and is next due to be reviewed in March 2018.

The Council reports around 50 separate data sets to the Government under the Single Data List, which is a list of all the data that local authorities are required to submit to central Government departments in a given year. In addition, the Council has selected a number of Key Performance Indicators for the monitoring of its own corporate health and these are reported internally to Management Team every six months.

For some time, contractors and partner organisations have been required to sign the Council’s Third Party Data Quality Protocol. The protocol template has been included in or appended to contract and service level agreement documentation. However, there is no way of enforcing the protocol and at best it serves only to raise awareness of data quality issues.

Areas to be addressed

The following areas are to be addressed under the heading of Data Quality and are expanded on in the Work Plan on page 16:

Ensure the Data Quality Statement is reviewed and updated on a biennial basis;

Raise awareness of the Council’s Data Quality Statement and the expectations on staff;

Introduce a register of data the Council has a duty to provide to Government under the Single Data List;

Provide guidance on writing Data Quality requirements into contracts and agreements, where data is provided to the Council by third parties; and

Review the use and benefits of Third Party Data Quality Protocols.


6.3 Information Compliance

Information Compliance is the process of conforming to certain information laws and regulations through the application of appropriate policies and procedures. The Council manages and processes large volumes of confidential and sensitive information about people and has a duty to deal with it lawfully and ethically.

The current situation (as at mid September 2016)

The Council has in place the following related policies, which are published on the website:

Access to Information Policy (Freedom of Information (FOI), Environmental Information Regulations and Data Protection (Subject Access Requests)) - April 2016;

Complaints Procedure (webpage) - December 2015;

Data Protection Policy - April 2016;

Privacy Policy (webpage) - last updated June 2016; and

Regulation of Investigatory Powers Policy - December 2012.

The Access to Information Policy and Data Protection Policy were quite recently adopted and so are not in need of updating. However, staff would benefit from more detailed and practical guidance and training based on the policies. The Data Protection Policy is likely to require reviewing before May 2018, in preparation for the General Data Protection Regulation (2018).

It has been identified by staff responsible for managing Access to Information requests that there would be benefit in improving the existing process, which is unnecessarily convoluted. It is recommended that alternative systems are explored with a view to increasing the efficiency and robustness of processes for the management of Freedom of Information requests.

Two of the above procedures/policies only exist as web pages. It would be preferable for all Information Governance policies to be in a consistent format and to be subject to version control (webpages are not).

Areas to be addressed

The following areas are to be addressed under the heading of Information Compliance and are expanded on in the Work Plan on page 18:

Improve the process for handling Access to Information (FOI, EIR, Subject Access Requests);

Ensure any forms (including online forms) relating to Access to Information and Data Protection are consistent and comply with legislative requirements and the Council’s Information Governance policies;

Undertake Data Protection testing to ensure compliance;

Examine the requirements of the General Data Protection Regulation (2018) and the likely impact on the Council;

Provide procedures on Access to Information to relevant staff;

Review the Privacy Policy;


Introduce a CCTV Policy and Code of Practice; and

Review the Complaints Procedure.


6.4 Information Security

Information Security describes measures put in place to protect information assets and information systems from unauthorised access, use, disclosure, disruption, modification or destruction.

The current situation (as at mid September 2016)

The Council holds a valid PSN (Public Services Network) compliance certificate, demonstrating that the Council’s transmission and processing of personal information is carried out using a trusted secure network. The Council also completes and submits to the Cabinet Office an annual Assurance Notice, which evaluates the Council’s performance against standards set by CESG, the UK government’s national technical authority for information assurance.

The roll-out of fully PSN compliant encrypted laptops to staff and Members between 2014 and 2016 has improved information security, particularly in terms of accessing the Council’s network remotely (from home or other premises). Non-corporate devices such as personal computers are no longer able to access the Council’s systems.

The Council has the following related policies in place:

Information Security Policy - 2012;

Internet and Email Acceptable Use Policy and Authorised User Agreement - 2012; and

IT Security and Confidentiality Requirements for Home/Mobile Working - 2012.

All staff and Members are required to sign the Authorised User Agreement to confirm that they will abide by the terms of the Information Security Policy and the Internet and Email Acceptable Use Policy. All new staff and Members receive information about Information Security during their induction.

The Digital Transformation Project currently under development will present opportunities to build a high level of security into the new digital platform (ESB Agile). These security measures will be designed in such a way as to protect both the Council’s information and that of customers accessing the Council’s systems. It is important that an ongoing dialogue is maintained between the people responsible for the Digital Transformation Project (IT and the Service Innovation Board) and those responsible for matters of Information Governance (within the Legal section).

The new digital platform could be subject to a Privacy Impact Assessment (PIA) during its development. A PIA is a tool to help organisations identify the most effective way to comply with their Data Protection obligations and meet individuals’ expectations of privacy. An effective PIA allows organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. The Information Commissioner’s Office (ICO) provides guidance and a template.

Also, the Council needs to comply with PCI DSS, the Payment Card Industry Data Security Standard. This is a worldwide standard that was set up to help businesses and organisations process card payments securely and reduce card fraud. It does this through tight controls surrounding the storage, transmission and processing of the cardholder data that businesses handle. PCI DSS is intended to protect sensitive cardholder data. The Council’s current website and the new digital platform need to be PCI DSS compliant. An internal audit is being carried out into the Council’s compliance with PCI DSS during 2016-17.

Areas to be addressed

The following areas are to be addressed under the heading of Information Security and are expanded on in the Work Plan on page 21:

Update the Reporting of Security Incidents and Information Breaches policy and procedure;

Review and update the Information Security Policy and IT Security and Confidentiality Requirements for Home/Mobile Working policies;

Review and update the Internet and Email Acceptable Use Policy and Authorised User Agreement and Social Media Policy;

Establish an interface with the Digital Transformation Project for the duration of its development;

Consider undertaking a Privacy Impact Assessment on the new digital platform (ESB Agile) being developed under the Digital Transformation Project; and

Ensure card payments achieve compliance with PCI DSS, the Payment Card Industry Data Security Standard.


6.5 Information Sharing

Information Sharing is the exchange of data between different organisations, people and technologies, through the application of appropriate policies, procedures and protocols. Although maintaining confidentiality is vital, service delivery can sometimes be improved through the appropriate sharing of data. This requires the proper governance of information sharing practice across the Council (internally) and with partners (externally).

The current situation (as at mid September 2016)

Work has commenced to fulfil the Council’s requirements to publish data under the Local Government Transparency Code 2015. The Code sets out the minimum data the Council needs to publish, the frequency it should be published and how it should be published. Some of the required data is already available on the website and it will be added to it as other data sets become available. In publishing the data required under the Local Government Transparency Code 2015, certain Data Standards should be observed and the Local Government Association provides comprehensive guidance on meeting those standards.

There are a number of circumstances which involve the sharing of data with partner organisations and contractors. An example of this is the transfer of planning records to the Lake District and Yorkshire Dales National Park Authorities during the national park extensions in 2016, for which Data Sharing Agreements were drawn up. However, there is no list of the various Data Sharing Agreements across the Council.

There is currently no Information Sharing Protocol in place; such a protocol would assist in the production of any new arrangements and agreements. It would also assist in emergency situations such as flooding incidents, when agencies need to work closely together to protect the safety and wellbeing of residents.

The sharing of data internally within the Council could improve the efficiency of the Council’s services but there has been resistance from some staff in the past, mainly on the grounds of Data Protection. Clearer guidelines for staff would assist in allowing more internal sharing of data, as would the production of an Information Asset Register (so that staff are aware of what other data exists, where it is held and who is responsible for it). All data held on the new digital platform will be linked to a Unique Property Reference Number (UPRN) and a unique citizen reference, which will collectively eliminate duplication.

Areas to be addressed

The following areas are to be addressed under the heading of Information Sharing and are expanded on in the Work Plan on page 23:

Fulfil the Council’s obligations under the Local Government Transparency Code 2015;

Draw up and maintain a list of Data Sharing Agreements held across the Council;

Introduce an Information Sharing Protocol to provide a framework for agreeing terms; and

Conduct a review into the internal sharing of data.


6.6 Records Management

Records Management is the practice of managing the records of an organisation throughout their life cycle, from the time they are created to their eventual disposal.

The current situation (as at mid September 2016)

The Council has a Business Continuity Plan (2016), which is available on the website. The Business Continuity Plan is an important tool that ensures services to the public (which require access to records) are maintained in the event of a major interruption at either the Town Hall or Mansion House.

An Information Management Strategy was produced in 2009 by the then IT Services Manager and this document is available on the website. The main thrust of the strategy is the migration to SharePoint and the implications for document management.

The introduction of Document Management Systems at the Council has been beneficial in terms of sharing information internally, in reducing capacity demands on email and in providing a degree of version control. However, not all sections of the Council are using these systems (in part due to concerns around confidentiality) and there have also been some issues in terms of functionality. An audit and review of the Council’s document management practices would be beneficial in identifying any specific issues and this would be assisted by the production of an Information Asset Register. In fact the two exercises could be combined.

The Council does not have an Information Asset Register. There is currently no list of records, files or databases held by the Council. Staff will have knowledge of the different information assets retained in their sections but there is no corporate list. A comprehensive and definitive list of all information assets retained by the Council would help to identify areas of duplication and spot areas of potential risk such as loss of personal data. By understanding the nature of the Council’s information and where it is held, it will be possible to mitigate the risks more easily.

Currently the Council does not have an approved and adopted Records Management or Information Retention and Disposal Policy. Some work has been undertaken in this area in the past by IT staff and the Document Management Assistant and a draft policy and user guidelines are available (these could be revisited and further developed). A clear, workable policy and guidelines would greatly assist staff in knowing how to store different types of records, for how long and how to dispose of them securely.

Although some sections across the Council have their own system of Version Control for documents, there is currently no official Council-wide system in place. This can occasionally result in old versions of documents and reports being circulated and, consequently, in confusion. A common system of version control across the Council would provide consistency and confidence in the Council’s documentation.

Areas to be addressed

The following areas are to be addressed under the heading of Records Management and are expanded on in the Work Plan on page 24:

Review document management practices across the Council;

Produce and maintain a corporate Information Asset Register;


Assign Information Asset Owners (IAO);

Introduce a corporate Records Management Policy (including Document Retention and Disposal);

Introduce a corporate system of Version Control;

Introduce a Confidential marking policy; and

Ensure consistency between documents and information on the website and other formats of the same information.


7. Information Governance Work Plan - October 2016 to September 2018Aspect of Information Governance

Action Target Outcome Resource Implications

Responsibility Deadline

IGM1: Introduce an Information Governance Framework

Approve, adopt and implement a Framework and two year Work Plan

There is a clear sense of direction, commitment and ownership

Officer time Information Governance Manager

SIRO

Data Protection Officer

Approval at Executive -4 Oct 2016

IGM2: Produce an annual Information Governance report at the end of each financial year

Monitor progress, outline keys issues and risks and identify areas for further improvement.

Report to Executive

Progress of the Work Plan is monitored and any constraints, risks and additional resource implications are identified.

Annual report approved at Executive

Officer time Information Governance Manager

SIRO

Data Protection Officer

End Jul 2017

Information Governance Management

IGM3: Review existing Information Governance policies, protocols, processes, procedures and guidance and establish a regime

Produce a comprehensive list, with details of the date documents were approved, where they can be found, who is responsible

All policies, protocols, processes, procedures and guidance are current, relevant and fit for purpose

Officer time Information Governance Manager

Member Services Team Leader

IT Services Manager

HR

End Mar 2017

Page 16: Information Governance Framework

Information Governance Framework V1.0 4 October 2016 Page 16 of 26

Aspect of Information Governance

Action Target Outcome Resource Implications

Responsibility Deadline

to regularly monitor, review and update them

for them and when due for renewal

IGM4: Implement an Information Governance training and awareness raising programme

Provide specialised external Data Protection and Freedom of Information training to managers, key staff and Members in 2017-2018 and cascade to other staff

A culture exists across the Council in which all staff, Members and third parties recognise the importance of Data Protection and Access to Information and positive practices are embedded in the work of the organisation

External trainer @ £3,000 in 2017-2018

Officer time

Information Governance Manager

Member Services Team Leader

HR

End Mar 2018

Post regular reminders on the bulletin board

IGM5: Recruit a Data Transparency Assistant on a temporary, part time basis

Data Transparency Assistant in post

There is greater capacity to undertake Information Governance activities

£8,000 government grant

Information Governance Manager

Deputy Chief Executive

HR

End Mar 2017

Data Quality DQ1: Ensure the Data Quality Statement is reviewed and

Approve and adopt the revised statement

Statement is current, relevant and fit for purpose

Officer time Information Governance Manager

Review date - March 2018

Page 17: Information Governance Framework

Information Governance Framework V1.0 4 October 2016 Page 17 of 26

Aspect of Information Governance

Action Target Outcome Resource Implications

Responsibility Deadline

updated on a biennial basis

DQ2: Raise awareness of the Council’s Data Quality Statement and expectations on staff

Provide guidance to staff through regular bulletins

Staff take ownership of and seek to improve the quality of data within their services

Officer time Information Governance Manager

Reminders to be issued every six months

DQ3: Introduce a register of data the Council has a duty to provide to Government under the Single Data List

Produce and maintain a list and make available to relevant staff

Staff take ownership of and seek to improve the quality of data provided to Government under the Single Data List

Officer time Information Governance Manager

Staff with responsibility for reporting data to Government

End Jun 2017

DQ4: Provide guidance on writing Data Quality requirements into contracts and agreements, where data is provided to the Council by third parties

Guidance is produced and is accessible to relevant staff.

(could be included in the Procurement Strategy)

Data Quality is assured wherever possible at the point of collection

Officer time Information Governance Manager

Assistant Director, Technical Services

Director of Finance

End Dec 2017

DQ5: Review the use and benefits of Third Party Data Protocols
  Target: Produce (internal) report
  Outcome: The most effective means of assuring the quality of data being provided to the Council by contractors and partner organisations is established
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; Assistant Director, Technical Services; Director of Finance
  Deadline: End Dec 2017

Information Compliance

IC1: Improve the system for handling Access to Information (FOI, EIR, Subject Access Requests)
  Target: Explore alternative systems and adopt the most efficient and appropriate for the Council’s needs
  Outcome: The process is efficient and fit for purpose
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; Member Services Team Leader; IT
  Deadline: End Jun 2017

IC2: Ensure any forms (including online forms) relating to Access to Information and Data Protection are consistent and comply with legislative requirements and the Council’s Information Governance policies
  Target: Review and update the forms and cross-reference the online forms with other formats of the same information
  Outcome: There is a consistent approach to providing information and all information is current, relevant and compliant
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; Member Services Team Leader; Web Co-ordinator; Assistant Director Customer Services and Transformation; Data Protection Officer
  Deadline: End Jun 2017

IC3: Undertake Data Protection testing to ensure compliance
  Target: Complete the ICO’s Data Protection Self Assessment Toolkit. Consider an internal Data Protection audit in 2017-2018
  Outcome: The Council’s processes, procedures and systems are compliant
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; Assistant Director, Legal Services; Data Protection Officer
  Deadline: End Sep 2017

IC4: Examine the requirements of the General Data Protection Regulation (2018) and the likely impact on the Council
  Target: Report the likely impact and resource implications to Executive
  Outcome: The Council is compliant with the regulation when it comes into force on 25 May 2018
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; Member Services Team Leader; Assistant Director, Legal Services; Data Protection Officer
  Deadline: End Oct 2017

IC5: Provide procedures on Access to Information to relevant staff
  Target: Produce procedures and make readily accessible
  Outcome: There is a clear and consistent approach to handling requests
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; Member Services Team Leader
  Deadline: End Jun 2017. Reminders issued every six months


IC6: Review the Privacy Policy
  Target: Condense the content of the existing webpage, with a link to a stand-alone PDF policy
  Outcome: There is a consistent approach to the Council’s suite of policies and Version Control
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; Member Services Team Leader; Data Protection Officer
  Deadline: End Dec 2017

IC7: Introduce a CCTV Policy and Code of Practice
  Target: Produce, approve and adopt a policy and ensure relevant staff are aware of it
  Outcome: The Council’s CCTV systems are adequately managed and controlled and the information and images obtained are handled appropriately and lawfully
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; Engineering Officer; Assistant Director, Legal Services; Data Protection Officer
  Deadline: End Jun 2017

IC8: Review the Complaints Procedure
  Target: Condense the content of the existing webpage, with a link to a stand-alone PDF document. Consider ways of simplifying the procedure for customers
  Outcome: There is clarity for customers and a clear and consistent approach for staff handling complaints. There is a consistent approach to the Council’s suite of policies and Version Control
  Resource Implications: Officer time
  Responsibility: Secretary to Deputy Chief Executive; Information Governance Manager; Assistant Director, Legal Services; Deputy Chief Executive
  Deadline: End Dec 2017

Information Security

IS1: Update the Reporting of Security Incidents and Information Breaches policy and procedure
  Target: Update the policy and procedure and ensure staff and Members are aware of it
  Outcome: A clear and accessible procedure exists that ensures any breaches are reported and addressed at the earliest opportunity
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; IT Services Manager; SIRO
  Deadline: End Dec 2017

IS2: Review and update the Information Security Policy and IT Security and Confidentiality Requirements for Home/Mobile Working policies
  Target: Approve and adopt the revised policies
  Outcome: The policies are current, relevant and fit for purpose
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; IT Services Manager; SIRO
  Deadline: End Dec 2017

IS3: Review and update the Internet and Email Acceptable Use Policy and Authorised User Agreement and Social Media Policy
  Target: Approve and adopt the revised policy
  Outcome: The policies are current, relevant and fit for purpose
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; Communication Officer; IT Services Manager; HR
  Deadline: End Dec 2017


IS4: Establish an interface with the Digital Transformation Project for the duration of its development
  Target: Agree a regime for ongoing dialogue
  Outcome: Policies and procedures are in place which are consistent with and relevant and appropriate to the needs of the new digital platform
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; IT Services Manager
  Deadline: End Dec 2016

IS5: Consider undertaking a Privacy Impact Assessment on the new digital platform (ESB Agile) being developed under the Digital Transformation Project
  Target: Assess the need for a Privacy Impact Assessment (using ICO guidance and template)
  Outcome: Privacy is ‘designed-in’ so that the platform complies with the Council’s Data Protection obligations and meets individuals’ expectations of privacy
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; IT Services Manager; Service Innovation Board
  Deadline: In line with Digital Transformation Project

IS6: Ensure card payments achieve compliance with PCI-DSS, the Payment Card Industry Data Security Standard
  Target: The PARIS system is accredited and approved by the Payment Card Industry Council. Staff taking card payments comply with PCI-DSS rules and requirements
  Outcome: Card payments are processed securely and sensitive cardholder data is protected
  Resource Implications: Officer time
  Responsibility: IT Services Manager; Senior Auditor; SIRO
  Deadline: Ongoing

Information Sharing

ISH1: Fulfil the Council’s obligations under the Local Government Transparency Code 2015
  Target: Publish all required data sets on the Council’s website under Open Data
  Outcome: Government code is complied with and data is readily accessible and in the required format
  Resource Implications: Officer time
  Responsibility: Data Transparency Assistant; Information Governance Manager; Data Protection Officer
  Deadline: End Dec 2017

ISH2: Draw up and maintain a list of Data Sharing Agreements held across the Council
  Target: Produce list and make available to staff
  Outcome: Risks are adequately monitored
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; IT Services
  Deadline: End Sep 2017

ISH3: Introduce an Information Sharing Protocol to provide a framework for agreeing terms
  Target: Produce and approve a protocol and make available to staff. The protocol could be further developed into a template agreement
  Outcome: Risks are minimised and agreements can be drawn up efficiently and relatively quickly
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; IT Services Manager; SIRO
  Deadline: End Dec 2017


ISH4: Conduct a review into the internal sharing of data
  Target: Produce a report summarising current practices, any constraints and the reasons for behaviours
  Outcome: There is a culture of transparency and co-operation between departments and sections and efficiencies are increased
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; IT Services
  Deadline: End Sep 2018

Records Management

RM1: Review document management practices across the Council
  Target: Produce a report summarising current practices, highlighting any areas to be addressed
  Outcome: Processes, procedures and behaviours are identified and documented
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; Document Management Assistant; IT Services; Assistant Director, Customer Services and Transformation
  Deadline: End Dec 2017

RM2: Produce and maintain a corporate Information Asset Register
  Target: Audit all of the Council’s information assets and create and maintain an Information Asset Register
  Outcome: There is ownership and accountability and clarity over what information the Council holds and where key datasets reside
  Resource Implications: Officer time
  Responsibility: IT Services; Information Governance Manager
  Deadline: In line with Digital Transformation Project


RM3: Assign Information Asset Owners (IAO)
  Target: Designate IAOs and provide them with guidance on their responsibilities
  Outcome: There is ownership and accountability in managing the Council’s information assets
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; IT Services; Senior Managers
  Deadline: In line with Digital Transformation Project

RM4: Introduce a corporate Records Management Policy (including Document Retention and Disposal)
  Target: Produce, approve and adopt policy and procedures and make available to all staff. Issue regular reminders
  Outcome: There is a clear, traceable policy and process for managing records and documents across the Council
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; Document Management Assistant; Secretarial Support; Assistant Director, Customer Services and Transformation; IT Services
  Deadline: End Sep 2018. Reminders issued every six months

RM5: Introduce a corporate system of Version Control
  Target: Produce, approve and implement a policy and procedure notes
  Outcome: There is a clear and consistent process for managing Version Control across the Council
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; Secretarial Support; Member Services Team Leader; IT Services
  Deadline: End Sep 2017. Reminders issued every six months


RM6: Introduce a Confidential marking policy
  Target: Produce, approve and implement a policy and procedure notes
  Outcome: The status of documents is clear
  Resource Implications: Officer time
  Responsibility: Information Governance Manager; Secretarial Support; Member Services Team Leader
  Deadline: End Sep 2017

RM7: Ensure consistency between documents and information on the website and other formats of the same information
  Target: Staff to check and cross-reference the content of their webpages regularly (including documents)
  Outcome: There is a consistent approach to presenting information and all information provided is current and relevant
  Resource Implications: Officer time
  Responsibility: Web Co-ordinator; Information Governance Manager; Assistant Director Customer Services and Transformation
  Deadline: Ongoing