Appendix A
Information Governance Framework
Deputy Chief Executive
V1.0
4 October 2016
Information Governance Framework V1.0 4 October 2016 Page 2 of 26
Contents
1. Introduction
2. Information Governance Policy Statement
3. Legal and Regulatory Framework
4. Scope
5. Roles and Responsibilities
6. Main Themes for Improvement
6.1 Information Governance Management
6.2 Data Quality
6.3 Information Compliance
6.4 Information Security
6.5 Information Sharing
6.6 Records Management
7. Information Governance Work Plan
1. Introduction
This Information Governance Framework and its Work Plan present Eden District Council (“the Council”) with an opportunity to establish a robust structure for managing its information assets but also a significant challenge. This document contains a large number of actions, some quite ambitious, addressing a wide range of issues and involving all staff and Members to some extent. The Work Plan therefore spans two years, from October 2016 to September 2018. It will run largely concurrently with the Digital Transformation Project, to both inform and be informed by its development.
Information is an Asset
Information is a valuable asset, vital for the efficient management of services and resources. It is needed to inform policy development and make evidence based decisions. Information is important in terms of making improvements to service delivery and helping the Council to respond more flexibly to changing customer needs.
The Council receives, generates, uses and stores vast amounts of data, in many different forms, including: emails, its website, files stored on laptops/PC hard drives, on Sharepoint and on servers, databases and application software and also hard copy paper files and maps. The extent and types of information held on Eden residents, businesses and organisations places a great responsibility on the Council to ensure it has robust policies, procedures and systems in place to protect it.
The Council’s approach to managing its information assets has not been particularly well co-ordinated in the past. A number of policies and procedures exist but they have been developed largely in isolation, at different times and by different people. There has been no overarching framework or policy to draw them together.
The Council’s Service Innovation Board identified the need for improved data governance and data sharing in 2015, to support and enable the Digital Transformation Project. This resulted in the creation of the Information Governance Manager post through a restructure, implemented with effect from 1 April 2016.
What is Information Governance?
Information Governance is a term used to describe how organisations, including local authorities, ensure that statutory, regulatory and best practice requirements are met when they collect, store, use and share information in their possession.
An Information Governance Framework is a multidisciplinary term that encompasses a wide range of functions, policies, procedures and systems. This Framework will provide the Council with a coherent structure to ensure that legal and best practice standards are met and continuously assessed.
The table below shows the six aspects of Information Governance included in this Information Governance Framework:
Information Governance Management;
Data Quality;
Information Compliance;
Information Security;
Information Sharing; and
Records Management.
2. Information Governance Policy Statement
The Council recognises information as a valuable asset in the provision and effective management of its services and resources. It is of paramount importance therefore that information is processed within a framework designed to support and enable appropriate Information Governance.
All information users (staff, Members, contractors and partners) will take responsibility for managing information in accordance with this Information Governance Framework and with all policies, procedures, guidance and systems developed to support it.
Information must be managed using sound processes. The Council will ensure that it:
Conforms to all legal and statutory requirements;
Holds all information securely;
Holds all personal information confidentially;
Obtains information fairly and lawfully;
Records information accurately and reliably;
Uses information effectively and ethically;
Shares information appropriately and lawfully;
Makes available non-confidential information wherever possible to the public via the Council’s website (Open Data); and
Reviews and disposes of information and records no longer required securely.
3. Legal and Regulatory Framework
There are a number of legal obligations placed upon local authorities relating to the use of information, including personally identifiable information. The Council needs to ensure these legal and best practice standards are met and continuously assessed:
Data Protection Act 1998;
Electronic Communications Act 2000;
Environmental Information Regulations 2004;
Freedom of Information Act 2000;
Human Rights Act 1998;
Public Records Act 2011;
Regulation of Investigatory Powers Act 2000; and
Reuse of Public Sector Information Regulations 2005.
The General Data Protection Regulation (2018), which will come into force on 25 May 2018, will place additional responsibilities on the Council and could quite significantly increase demand on the Council’s resources.
4. Scope
This Framework applies to:
All information, regardless of format, held and processed by the Council;
All information systems operated or managed by the Council;
All information shared by the Council with third parties, including partner organisations and contractors;
Any individual processing information held by the Council; and
Any individual requiring access to information held by the Council.
5. Roles and Responsibilities
Matters relating to Information Governance come under the Resources Portfolio. Progress on the Information Governance Framework Work Plan will be reported to the Resources Portfolio Holder.
The Chief Executive, as Head of Paid Service, together with the Senior Management Team, has overall responsibility for ensuring the delivery of an effective Council-wide approach to Information Governance.
The Council’s Director of Finance is the Senior Information Risk Owner (SIRO). The SIRO is concerned with the management of all information assets and information risks. The SIRO is responsible for fostering a culture for protecting data and for managing information risks and incidents. All breaches of information security should be reported to the SIRO. The SIRO is heading-up the Service Innovation Board in overseeing the Digital Transformation Project.
The Deputy Chief Executive is the Council’s Data Protection Officer. He is responsible for co-ordinating the needs of Data Protection across the Council and for ensuring compliance with the requirements of the Data Protection Act.
The Information Governance Manager is responsible for producing the Information Governance Framework and Work Plan, for co-ordinating the implementation and monitoring progress of the Work Plan, for ensuring relevant policies, procedures, protocols and guidance are in place, for advising staff and Members and for arranging training.
Each Senior Manager is an Information Asset Owner, accountable for information assets within their service area. They should be able to understand how the information asset is held, used and shared and address any associated risks. However, all staff and Members are responsible for the data and information they generate, handle and dispose of.
The responsibilities for delivering specific actions under this Framework are indicated in the Work Plan table on pages 15 to 26.
6. Main Themes for Improvement
There are six main themes for the improvement of Information Governance under this Framework and it is expected there will be a degree of cross-over between them.
6.1 Information Governance Management
Information Governance Management is the management of Information Governance at a corporate, managerial and operational level across the organisation. It provides the necessary ownership, accountability and support required to ensure the development, implementation and promotion of the required Information Governance infrastructure.
The current situation (as at mid September 2016)
The Council has identified that its management of Information Governance in the past has not always been given the attention it deserves. However, this is now being addressed, with the creation of an Information Governance Manager post and an acknowledgement that Information Governance must be improved to support the work of the Digital Transformation Project. This planned improvement is supported by the adoption of an Information Governance Framework and Work Plan and an annual reporting regime.
The Information Governance Framework encompasses a wide range of different policies, procedures, processes, protocols and guidance and these need to be consistent with each other and kept up to date and relevant. A regime for monitoring, reviewing and updating is to be introduced.
A training programme will identify the various training levels required for different staff and Members and will set out the Council’s expectations for working practices and behaviours related to Information Governance. Also, clear guidance on the Council’s approach to the various aspects of Information Governance will be made readily available to all staff. All staff will be made aware of their responsibilities relating to Information Governance, particularly with regard to Access to Information, Data Protection and Information Security and the duties they place on the Council.
Information Governance competencies, particularly with regard to Data Protection, are already written into all job descriptions.
Areas to be addressed
The following areas are to be addressed under the heading of Information Governance Management and are expanded on in the Work Plan on page 15:
Introduce an Information Governance Framework;
Produce an annual Information Governance report at the end of each financial year;
Review existing Information Governance policies, protocols, processes, procedures and guidance and establish a regime to regularly monitor, review and update them;
Implement an Information Governance training and awareness raising programme; and
Recruit a Data Transparency Assistant on a temporary, part time basis.
6.2 Data Quality
Data Quality is an assessment of the fitness of data to serve its purpose in a given context. Data is generally considered high quality if it is fit for its intended uses in operations, decision making and planning. It is important to ensure the accuracy, coverage, timeliness and completeness of data so that staff, Members, contractors/partners and customers are able to trust the validity and authority of information sources and have confidence that it is up to date and accurate.
The current situation (as at mid September 2016)
The Council has a Data Quality Statement, which is available on the website. This is a short policy statement which is reviewed biennially and is next due to be reviewed in March 2018.
The Council reports around 50 separate data sets to the Government under the Single Data List, which is a list of all the data that local authorities are required to submit to central Government departments in a given year. In addition, the Council has selected a number of Key Performance Indicators for the monitoring of its own corporate health and these are reported internally to Management Team every six months.
For some time, contractors and partner organisations have been required to sign the Council’s Third Party Data Quality Protocol. The protocol template has been included or appended to contract and service level agreement documentation. However, there is no way of enforcing the protocol and at best it is only of use insofar as raising awareness of data quality issues.
Areas to be addressed
The following areas are to be addressed under the heading of Data Quality and are expanded on in the Work Plan on page 16:
Ensure the Data Quality Statement is reviewed and updated on a biennial basis;
Raise awareness of the Council’s Data Quality Statement and the expectations on staff;
Introduce a register of data the Council has a duty to provide to Government under the Single Data List;
Provide guidance on writing Data Quality requirements into contracts and agreements, where data is provided to the Council by third parties; and
Review the use and benefits of Third Party Data Quality Protocols.
6.3 Information Compliance
Information Compliance is the process of conforming to certain information laws and regulations through the application of appropriate policies and procedures. The Council manages and processes large volumes of confidential and sensitive information about people and has a duty to deal with it lawfully and ethically.
The current situation (as at mid September 2016)
The Council has in place the following related policies, which are published on the website:
Access to Information Policy (Freedom of Information (FOI), Environmental Information Regulations and Data Protection (Subject Access Requests)) - April 2016;
Complaints Procedure (webpage) - December 2015;
Data Protection Policy - April 2016;
Privacy Policy (webpage) - last updated June 2016; and
Regulation of Investigatory Powers Policy - December 2012.
The Access to Information Policy and Data Protection Policy were quite recently adopted and so are not in need of updating. However, staff would benefit from more detailed and practical guidance and training based on the policies. The Data Protection Policy is likely to require reviewing before May 2018, in preparation for the General Data Protection Regulation (2018).
It has been identified by staff responsible for managing Access to Information requests that there would be benefit in improving the existing process, which is unnecessarily convoluted. It is recommended that alternative systems are explored with a view to increasing the efficiency and robustness of processes for the management of Freedom of Information requests.
Two of the above procedures/policies only exist as web pages. It would be preferable for all Information Governance policies to be in a consistent format and to be subject to version control (webpages are not).
Areas to be addressed
The following areas are to be addressed under the heading of Information Compliance and are expanded on in the Action Plan on page 18:
Improve the process for handling Access to Information (FOI, EIR, Subject Access Requests);
Ensure any forms (including online forms) relating to Access to Information and Data Protection are consistent and comply with legislative requirements and the Council’s Information Governance policies;
Undertake Data Protection testing to ensure compliance;
Examine the requirements of the General Data Protection Regulation (2018) and the likely impact on the Council;
Provide procedures on Access to Information to relevant staff;
Review the Privacy Policy;
Introduce a CCTV Policy and Code of Practice; and
Review the Complaints Procedure.
6.4 Information Security
Information Security describes measures put in place to protect information assets and information systems from unauthorised access, use, disclosure, disruption, modification or destruction.
The current situation (as at mid September 2016)
The Council holds a valid PSN (Public Services Network) compliance certificate, demonstrating that the Council’s transmission and processing of personal information is carried out using a trusted secure network. The Council also completes and submits to the Cabinet Office an annual Assurance Notice, which evaluates the Council’s performance against standards set by the ‘CESG,’ the UK government's national technical authority for information assurance.
The roll-out of fully PSN compliant encrypted laptops to staff and Members between 2014 and 2016 has improved information security, particularly in terms of accessing the Council’s network remotely (from home or other premises). Non-corporate devices such as personal computers are no longer able to access the Council’s systems.
The Council has the following related policies in place:
Information Security Policy - 2012;
Internet and Email Acceptable Use Policy and Authorised User Agreement - 2012; and
IT Security and Confidentiality Requirements for Home/Mobile Working - 2012.
All staff and Members are required to sign the Authorised User Agreement to confirm that they will abide by the terms of the Information Security Policy and the Internet and Email Acceptable Use Policy. All new staff and Members receive information about Information Security during their induction.
The Digital Transformation Project currently under development will present opportunities to build a high level of security into the new digital platform (ESB Agile). These security measures will be designed in such a way as to protect both the Council’s information and that of customers accessing the Council’s systems. It is important that an ongoing dialogue is maintained between the people responsible for the Digital Transformation Project (IT and the Service Innovation Board) and those responsible for matters of Information Governance (within the Legal section).
The new digital platform could be subject to a Privacy Impact Assessment (PIA) during its development. PIA is a tool to help organisations identify the most effective way to comply with their Data Protection obligations and meet individuals’ expectations of privacy. An effective PIA allows organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. The Information Commissioner’s Office (ICO) provides guidance and a template.
Also, the Council needs to comply with PCI DSS, the Payment Card Industry Data Security Standard. This is a worldwide standard that was set up to help businesses and organisations process card payments securely and reduce card fraud. The way it does this is through tight controls surrounding the storage, transmission and processing of cardholder data that businesses handle. PCI DSS is intended to protect sensitive cardholder data. The Council’s current website and the new digital platform need to be PCI DSS compliant. An internal audit is being carried out into the Council’s compliance with PCI DSS during 2016-17.
Areas to be addressed
The following areas are to be addressed under the heading of Information Security and are expanded on in the Work Plan on page 21:
Update the Reporting of Security Incidents and Information Breaches policy and procedure;
Review and update the Information Security Policy and IT Security and Confidentiality Requirements for Home/Mobile Working policies;
Review and update the Internet and Email Acceptable Use Policy and Authorised User Agreement and Social Media Policy;
Establish an interface with the Digital Transformation Project for the duration of its development;
Consider undertaking a Privacy Impact Assessment on the new digital platform (ESB Agile) being developed under the Digital Transformation Project; and
Ensure card payments achieve compliance with PCI DSS, the Payment Card Industry Data Security Standard.
6.5 Information Sharing
Information Sharing is the exchange of data between different organisations, people and technologies, through the application of appropriate policies, procedures and protocols. Although maintaining confidentiality is vital, service delivery can sometimes be improved through the appropriate sharing of data. This requires the proper governance of information sharing practice across the Council (internally) and with partners (externally).
The current situation (as at mid September 2016)
Work has commenced to fulfil the Council’s requirements to publish data under the Local Government Transparency Code 2015. The Code sets out the minimum data the Council needs to publish, the frequency it should be published and how it should be published. Some of the required data is already available on the website and it will be added to it as other data sets become available. In publishing the data required under the Local Government Transparency Code 2015, certain Data Standards should be observed and the Local Government Association provides comprehensive guidance on meeting those standards.
There are a number of circumstances which involve the sharing of data with partner organisations and contractors. An example of this is the transfer of planning records to the Lake District and Yorkshire Dales National Park Authorities during the national park extensions in 2016, for which Data Sharing Agreements were drawn up. However, there is no list of the various Data Sharing Agreements across the Council.
There is currently no Information Sharing Protocol in place; such a protocol would assist in the production of any new arrangements and agreements. It would also assist in emergency situations such as flooding incidents, when agencies need to work closely together to protect the safety and wellbeing of residents.
The sharing of data internally within the Council could improve the efficiency of the Council’s services but there has been resistance from some staff in the past, mainly on the grounds of Data Protection. Clearer guidelines for staff would assist in allowing more internal sharing of data, as would the production of an Information Asset Register (so that staff are aware of what other data exists, where it is held and who is responsible for it). All data held on the new digital platform will be linked to a Unique Property Reference Number (UPRN) and a unique citizen reference, which will collectively eliminate duplication.
Areas to be addressed
The following areas are to be addressed under the heading of Information Sharing and are expanded on in the Work Plan on page 23:
Fulfil the Council’s obligations under the Local Government Transparency Code 2015;
Draw up and maintain a list of Data Sharing Agreements held across the Council;
Introduce an Information Sharing Protocol to provide a framework for agreeing terms; and
Conduct a review into the internal sharing of data.
6.6 Records Management
Records Management is the practice of managing the records of an organisation throughout their life cycle, from the time they are created to their eventual disposal.
The current situation (as at mid September 2016)
The Council has a Business Continuity Plan (2016), which is available on the website. The Business Continuity Plan is an important tool that ensures services to the public (which require access to records) are maintained in the event of a major interruption at either the Town Hall or Mansion House.
An Information Management Strategy was produced in 2009 by the then IT Services Manager and this document is available on the website. The main thrust of the strategy is the migration to Sharepoint and the implications for document management.
The introduction of Document Management Systems at the Council has been beneficial in terms of sharing information internally, in reducing capacity demands on email and in providing a degree of version control. However, not all sections of the Council are using these systems (in part due to concerns around confidentiality) and there have also been some issues in terms of functionality. An audit and review of the Council’s document management practices would be beneficial in identifying any specific issues and this would be assisted by the production of an Information Asset Register. In fact the two exercises could be combined.
The Council does not have an Information Asset Register. There is currently no list of records, files or databases held by the Council. Staff will have knowledge of the different information assets retained in their sections but there is no corporate list. A comprehensive and definitive list of all information assets retained by the Council would help to identify areas of duplication and spot areas of potential risk such as loss of personal data. By understanding the nature of the Council’s information and where it is held, it will be possible to mitigate the risks more easily.
Currently the Council does not have an approved and adopted Records Management or Information Retention and Disposal Policy. Some work has been undertaken in this area in the past by IT staff and the Document Management Assistant and a draft policy and user guidelines are available (these could be revisited and further developed). A clear, workable policy and guidelines would greatly assist staff in knowing how to store different types of records, for how long and how to dispose of them securely.
Although some sections across the Council have their own system of Version Control of documents, there is currently no official Council-wide system in place. This can occasionally result in old versions of documents and reports being circulated and consequently in confusion. A common system of version control across the Council would provide consistency and confidence in the Council’s documentation.
Areas to be addressed
The following areas are to be addressed under the heading of Records Management and are expanded on in the Work Plan on page 24:
Review document management practices across the Council;
Produce and maintain a corporate Information Asset Register;
Assign Information Asset Owners (IAO);
Introduce a corporate Records Management Policy (including Document Retention and Disposal);
Introduce a corporate system of Version Control;
Introduce a Confidential marking policy; and
Ensure consistency between documents and information on the website and other formats of the same information.
Information Governance Framework V1.0 4 October 2016 Page 15 of 26
7. Information Governance Work Plan - October 2016 to September 2018Aspect of Information Governance
Action Target Outcome Resource Implications
Responsibility Deadline
IGM1: Introduce an Information Governance Framework
Approve, adopt and implement a Framework and two year Work Plan
There is a clear sense of direction, commitment and ownership
Officer time Information Governance Manager
SIRO
Data Protection Officer
Approval at Executive -4 Oct 2016
IGM2: Produce an annual Information Governance report at the end of each financial year
Monitor progress, outline keys issues and risks and identify areas for further improvement.
Report to Executive
Progress of the Work Plan is monitored and any constraints, risks and additional resource implications are identified.
Annual report approved at Executive
Officer time Information Governance Manager
SIRO
Data Protection Officer
End Jul 2017
Information Governance Management
IGM3: Review existing Information Governance policies, protocols, processes, procedures and guidance and establish a regime
Produce a comprehensive list, with details of the date documents were approved, where they can be found, who is responsible
All policies, protocols, processes, procedures and guidance are current, relevant and fit for purpose
Officer time Information Governance Manager
Member Services Team Leader
IT Services Manager
HR
End Mar 2017
Information Governance Framework V1.0 4 October 2016 Page 16 of 26
Aspect of Information Governance
Action Target Outcome Resource Implications
Responsibility Deadline
to regularly monitor, review and update them
for them and when due for renewal
IGM4: Implement an Information Governance training and awareness raising programme
Provide specialised external Data Protection and Freedom of Information training to managers, key staff and Members in 2017-2018 and cascade to other staff
A culture exists across the Council in which all staff, Members and third parties recognise the importance of Data Protection and Access to Information and positive practices are embedded in the work of the organisation
External trainer @ £3,000 in 2017-2018
Officer time
Information Governance Manager
Member Services Team Leader
HR
End Mar 2018
Post regular reminders on the bulletin board
IGM5: Recruit a Data Transparency Assistant on a temporary, part time basis
Data Transparency Assistant in post
There is greater capacity to undertake Information Governance activities
£8,000 government grant
Information Governance Manager
Deputy Chief Executive
HR
End Mar 2017
Data Quality DQ1: Ensure the Data Quality Statement is reviewed and
Approve and adopt the revised statement
Statement is current, relevant and fit for purpose
Officer time Information Governance Manager
Review date - March 2018
Information Governance Framework V1.0 4 October 2016 Page 17 of 26
Aspect of Information Governance
Action Target Outcome Resource Implications
Responsibility Deadline
updated on a biennial basis
DQ2: Raise awareness of the Council’s Data Quality Statement and expectations on staff
Provide guidance to staff through regular bulletins
Staff take ownership of and seek to improve the quality of data within their services
Officer time Information Governance Manager
Reminders to be issued every six months
DQ3: Introduce a register of data the Council has a duty to provide to Government under the Single Data List
Produce and maintain a list and make available to relevant staff
Staff take ownership of and seek to improve the quality of data provided to Government under the Single Data List
Officer time Information Governance Manager
Staff with responsibility for reporting data to Government
End Jun 2017
DQ4: Provide guidance on writing Data Quality requirements into contracts and agreements, where data is provided to the Council by third parties
Guidance is produced and is accessible to relevant staff.
(could be included in the Procurement Strategy)
Data Quality is assured wherever possible at the point of collection
Officer time Information Governance Manager
Assistant Director, Technical Services
Director of Finance
End Dec 2017
DQ5: Review the Produce (internal) The most effective Officer time Information End Dec 2017
Information Governance Framework V1.0 4 October 2016 Page 18 of 26
Aspect of Information Governance
Action Target Outcome Resource Implications
Responsibility Deadline
use and benefits of Third Party Data Protocols
report means of assuring the quality of data being provided to the Council by contractors and partner organisations is established
Governance Manager
Assistant Director, Technical Services
Director of Finance
IC1: Improve the system for handling Access to Information (FOI, EIR, Subject Access Requests)
Explore alternative systems and adopt the most efficient and appropriate for the Council’s needs
The process is efficient and fit for purpose
Officer time Information Governance Manager
Member Services Team Leader
IT
End Jun 2017Information Compliance
IC2: Ensure any forms (including online forms) relating to Access to Information and Data Protection are consistent and comply with legislative requirements and the Council’s Information Governance policies
Review and update the forms and cross-reference the online forms with other formats of the same information
There is a consistent approach to providing information and all information is current, relevant and compliant
Officer time Information Governance Manager
Member Services Team Leader
Web Co-ordinator
Assistant Director Customer Services and Transformation
Data Protection Officer
End Jun 2017
IC3: Undertake Data Protection testing to ensure compliance
Complete the ICO’s Data Protection Self Assessment Toolkit
Consider an internal Data Protection audit in 2017-2018
The Council’s processes, procedures and systems are compliant
Officer time Information Governance Manager
Assistant Director, Legal Services
Data Protection Officer
End Sep 2017
IC4: Examine the requirements of the General Data Protection Regulation (2018) and the likely impact on the Council
Report the likely impact and resource implications to Executive
The Council is compliant with the regulation when it comes into force on 25 May 2018
Officer time Information Governance Manager
Member Services Team Leader
Assistant Director, Legal Services
Data Protection Officer
End Oct 2017
IC5: Provide procedures on Access to Information to relevant staff
Produce procedures and make readily accessible
There is a clear and consistent approach to handling requests
Officer time Information Governance Manager
Member Services Team Leader
End Jun 2017
Reminders issued every six months
IC6: Review the Privacy Policy
Condense the content of the existing webpage, with a link to a stand-alone PDF policy
There is a consistent approach to the Council’s suite of policies and Version Control
Officer time Information Governance Manager
Member Services Team Leader
Data Protection Officer
End Dec 2017
IC7: Introduce a CCTV Policy and Code of Practice
Produce, approve and adopt a policy and ensure relevant staff are aware of it
The Council’s CCTV systems are adequately managed and controlled and the information and images obtained are handled appropriately and lawfully
Officer time Information Governance Manager
Engineering Officer
Assistant Director, Legal Services
Data Protection Officer
End Jun 2017
IC8: Review the Complaints Procedure
Condense the content of the existing webpage, with a link to a stand-alone PDF document
Consider ways of simplifying the procedure for customers
There is clarity for customers and a clear and consistent approach for staff handling complaints.
There is a consistent approach to the Council’s suite of policies and Version Control
Officer time Secretary to Deputy Chief Executive
Information Governance Manager
Assistant Director, Legal Services
Deputy Chief Executive
End Dec 2017
Information Security
IS1: Update the Reporting of Security Incidents and Information Breaches policy and procedure
Update the policy and procedure and ensure staff and Members are aware of it
A clear and accessible procedure exists that ensures any breaches are reported and addressed at the earliest opportunity
Officer time Information Governance Manager
IT Services Manager
SIRO
End Dec 2017
IS2: Review and update the Information Security Policy and IT Security and Confidentiality Requirements for Home/Mobile Working policies
Approve and adopt the revised policies
The policies are current, relevant and fit for purpose
Officer time Information Governance Manager
IT Services Manager
SIRO
End Dec 2017
IS3: Review and update the Internet and Email Acceptable Use Policy and Authorised User Agreement and Social Media Policy
Approve and adopt the revised policy
The policies are current, relevant and fit for purpose
Officer time Information Governance Manager
Communication Officer
IT Services Manager
HR
End Dec 2017
IS4: Establish an interface with the Digital Transformation Project for the duration of its development
Agree a regime for ongoing dialogue
Policies and procedures are in place which are consistent with and relevant and appropriate to the needs of the new digital platform
Officer time Information Governance Manager
IT Services Manager
End Dec 2016
IS5: Consider undertaking a Privacy Impact Assessment on the new digital platform (ESB Agile) being developed under the Digital Transformation Project
Assess the need for a Privacy Impact Assessment (using ICO guidance and template)
Privacy is ‘designed-in’ so that the platform complies with the Council’s Data Protection obligations and meets individuals’ expectations of privacy
Officer time Information Governance Manager
IT Services Manager
Service Innovation Board
In line with Digital Transformation Project
IS6: Ensure card payments achieve compliance with PCI-DSS, the Payment Card Industry Data Security Standard
The PARIS system is accredited and approved by the Payment Card Industry Council.
Staff taking card payments comply with PCI-DSS rules and requirements
Card payments are processed securely and sensitive cardholder data is protected
Officer time IT Services Manager
Senior Auditor
SIRO
Ongoing
Information Sharing
ISH1: Fulfil the Council’s obligations under the Local Government Transparency Code 2015
Publish all required data sets on the Council’s website under Open Data
Government code is complied with and data is readily accessible and in the required format
Officer time Data Transparency Assistant
Information Governance Manager
Data Protection Officer
End Dec 2017
ISH2: Draw up and maintain a list of Data Sharing Agreements held across the Council
Produce list and make available to staff
Risks are adequately monitored
Officer time Information Governance Manager
IT Services
End Sep 2017
ISH3: Introduce an Information Sharing Protocol to provide a framework for agreeing terms
Produce and approve a protocol and make available to staff. The protocol could be further developed into a template agreement
Risks are minimised and agreements can be drawn up efficiently and relatively quickly
Officer time Information Governance Manager
IT Services Manager
SIRO
End Dec 2017
ISH4: Conduct a review into the internal sharing of data
Produce a report summarising current practices, any constraints and the reasons for behaviours
There is a culture of transparency and co-operation between departments and sections and efficiencies are increased
Officer time Information Governance Manager
IT Services
End Sep 2018
Records Management
RM1: Review document management practices across the Council
Produce a report summarising current practices, highlighting any areas to be addressed
Processes, procedures and behaviours are identified and documented
Officer time Information Governance Manager
Document Management Assistant
IT Services
Assistant Director, Customer Services and Transformation
End Dec 2017
RM2: Produce and maintain a corporate Information Asset Register
Audit all of the Council’s information assets and create and maintain an Information Asset Register
There is ownership and accountability and clarity over what information the Council holds and where key datasets reside
Officer time IT Services
Information Governance Manager
In line with Digital Transformation Project
RM3: Assign Information Asset Owners (IAO)
Designate IAOs and provide them with guidance on their responsibilities
There is ownership and accountability in managing the Council’s information assets
Officer time Information Governance Manager
IT Services
Senior Managers
In line with Digital Transformation Project
RM4: Introduce a corporate Records Management Policy (including Document Retention and Disposal)
Produce, approve and adopt policy and procedures and make available to all staff.
Issue regular reminders
There is a clear, traceable policy and process for managing records and documents across the Council
Officer time Information Governance Manager
Document Management Assistant
Secretarial Support
Assistant Director, Customer Services and Transformation
IT Services
End Sep 2018
Reminders issued every six months
RM5: Introduce a corporate system of Version Control
Produce, approve and implement a policy and procedure notes
There is a clear and consistent process for managing Version Control across the Council
Officer time Information Governance Manager
Secretarial Support
Member Services Team Leader
IT Services
End Sep 2017
Reminders issued every six months
RM6: Introduce a Confidential marking policy
Produce, approve and implement a policy and procedure notes
The status of documents is clear
Officer time Information Governance Manager
Secretarial Support
Member Services Team Leader
End Sep 2017
RM7: Ensure consistency between documents and information on the website and other formats of the same information
Staff to check and cross-reference the content of their webpages regularly (including documents)
There is a consistent approach to presenting information and all information provided is current and relevant
Officer time Web Co-ordinator
Information Governance Manager
Assistant Director Customer Services and Transformation
Ongoing