TRANSCRIPT
Information Assurance and Information Sharing
IMKS Public Sector Forum 7 February 2011
Clare Cowling, Senior Information Governance Adviser
Transport for London
Transport for London (TfL)
• TfL was created in 2000. Its main role is to implement the Mayor's Transport Strategy for London and manage transport services across the Capital. These services include:
– London's buses
– London Underground
– Docklands Light Railway (DLR)
– London Overground
– London River Services
– Barclays Cycle Hire Scheme
• TfL also has a number of other responsibilities:
– Managing the Congestion Charge
– Maintaining 580km of main roads and all of London's traffic lights
– Regulating the city's taxis and private hire trade
Agenda
• What is information assurance?
• What does it mean in practice?
• What does it mean in terms of information sharing?
What is information assurance?
• It is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes.
• In other words identifying information risks and finding practical ways to mitigate them
What are the risks around sharing information?
• Security risk
• Compliance risk
• Reputational risk
• Financial risk
• Litigation risk
• Business risk
What is the potential damage?
• Looking silly, inefficient or secretive (damage to reputation)
• Losing money (poor project or contract management, fines eg from the ICO)
• Inefficiencies (re-inventing the wheel)
• Time wasting (not being able to find anything)
• Safety compromised (using inaccurate or out of date information)
Risk mitigation through information and records management (IRM)
• Only accurate, up to date and relevant information held
• Easy to find information on request
• Confidence in the quality of our information
• Confidence that information is shared appropriately
• Information locations and information owners identified
• Redundant information destroyed
An example of poor IRM...
• A subject access request by an individual for their emails, transmitted while working at TfL, was received.
• An initial trawl revealed 14,000 emails dating back 10 years.
• A further trawl reduced this to 6,000, which then had to be evaluated to see which ones were relevant to the SAR, names redacted etc.
• The excessive cost of complying with this requirement (which is just one of many similar SARs) would have been avoided had a corporate strategy for deleting redundant emails been implemented.
An example of good IRM...
• TfL had an FOI request for some week-old congestion charging ANPR data (not relating to a contravention)
• We were immediately able to respond that we could not provide the data because the disposal policy for non-contravention footage is midnight of the following charging day
• So responding in full took a matter of minutes
Mitigating risk: IRM policies and procedures
• Information and Records Management Policy
• Information Access Policy
Complemented by:
• Information Security Policy
• Privacy and Data Protection Policy
• PCI DSS Standard
• Information sharing agreements
Mitigating risk: information sharing agreements (1)
Overarching Information Sharing Protocol:
• Legal requirements
• Secondary disclosures of personal data
• Information access rights
• Data security
Mitigating risk: information sharing agreements (2)
Purpose specific Information Sharing Procedures:
• Description of the data to be shared
• Permitted uses of the data
• Legal basis
• Means of transfer or access
• Loss or unauthorised disclosures of data
Mitigating risk: managing information security
• Knowing the security classification of a piece of information helps determine when and with whom you can share it
• Less likely to reveal confidential or personal data in error
• Comply with Principle 1 of the DPA (personal data processed fairly and lawfully)
Mitigating risk: managing documents
• Document naming and version control standards
• Appropriate security classifications
• Appropriate storage
• Information owners identified
• Scheduled disposal of redundant documents
Mitigating risk: managing emails
Most business transactions are still made by email
Rules are crucial on:
• How to manage business critical emails
• Encryption or alternative transmission processes for sensitive information
• Getting rid of redundant or irrelevant emails
Mitigating risk: managing social media
• Employees increasingly expect to use social media tools to conduct business
• Business critical data already lost or unavailable
• Inappropriate sharing of business - and personal - data
• Let’s get some rules in place!
Mitigating risk: managing digital records
• Scanning to legal admissibility standards
• Digital migration and preservation strategy
• Appropriate file formats
• If you can't access it any more you can't share it
• Comply with Principle 7 of the DPA (appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage)
Mitigating risk: managing paper
The same rules should apply to paper and electronic records:
– Access
– Security
– Storage
– Filing rules
– Disposal
Mitigating risk: information disposal
• Important to produce a clear disposal policy as evidence of best practice
• Records disposal schedules – all formats
• Automated deletion from corporate databases
• Regular clear-outs of unstructured data
• Allocating responsibility for implementation
• Comply with Principles 4 and 5 of the DPA (personal data accurate and up to date, and not kept longer than necessary)
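The disposal schedule above, and the earlier SAR and ANPR examples, come down to one mechanism: each record series has a rule giving the earliest moment it may be destroyed, a pending request suspends disposal for the records it covers, and an access request can be answered from the schedule alone when the data is already gone. The following is an added illustration of that mechanism, not TfL's code or policy. The series names, the two-year email retention, the reading of "midnight of the following charging day" as the end of the calendar day after capture (treating every day as a charging day), and the sample records are all assumptions made for the example.

```python
"""Added example: enforcing a records disposal schedule with legal holds.

Not TfL code. Series names, retention periods and the reading of the ANPR rule
are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

DisposalRule = Callable[[datetime], datetime]   # creation time -> earliest disposal time


def midnight_after_following_day(created: datetime) -> datetime:
    """Assumed reading of the ANPR rule: dispose at 00:00 once the day after capture
    has ended. Every day is treated as a charging day (simplification)."""
    return datetime.combine(created.date() + timedelta(days=2), datetime.min.time())


def years(n: int) -> DisposalRule:
    """Fixed retention of roughly n years (365-day years are close enough for a schedule)."""
    return lambda created: created + timedelta(days=365 * n)


# Disposal schedule: one rule per record series (assumed values, not TfL's schedule).
SCHEDULE: Dict[str, DisposalRule] = {
    "anpr-non-contravention": midnight_after_following_day,
    "email": years(2),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    series: str          # key into SCHEDULE
    created: datetime
    subject: str = ""    # data subject the record concerns, if any


@dataclass(frozen=True)
class LegalHold:
    subject: str         # disposal is suspended for every record about this subject
    reason: str          # e.g. an open SAR or litigation


def disposal_deadline(record: Record) -> datetime:
    """Earliest moment the schedule permits destroying `record`. An unknown series is an
    error rather than a silent keep-forever, so gaps in the schedule get noticed."""
    try:
        return SCHEDULE[record.series](record.created)
    except KeyError:
        raise ValueError(f"no disposal rule for series {record.series!r}") from None


def disposal_run(records: List[Record], holds: List[LegalHold],
                 now: datetime) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split records into ids to destroy now and (id, reason) pairs retained.
    A hold always wins over an expired deadline."""
    held_subjects = {h.subject for h in holds}
    destroy, retained = [], []
    for r in records:
        deadline = disposal_deadline(r)
        if r.subject and r.subject in held_subjects:
            retained.append((r.record_id, "legal hold"))
        elif now < deadline:
            retained.append((r.record_id, f"retain until {deadline:%Y-%m-%d %H:%M}"))
        else:
            destroy.append(r.record_id)
    return destroy, retained


def still_held(series: str, created: datetime, now: datetime) -> bool:
    """Answer an access request without searching: would a record of this series
    captured at `created` still exist at `now` under the schedule (holds aside)?"""
    return now < SCHEDULE[series](created)


# Constructed sample data, not real records.
NOW = datetime(2011, 2, 7, 9, 0)
RECORDS = [
    Record("anpr-0001", "anpr-non-contravention", datetime(2011, 1, 31, 10, 15)),
    Record("anpr-0002", "anpr-non-contravention", datetime(2011, 2, 6, 23, 50)),
    Record("mail-0001", "email", datetime(2008, 1, 15, 9, 0), subject="a.n.other"),
    Record("mail-0002", "email", datetime(2008, 3, 3, 9, 0), subject="j.bloggs"),
    Record("mail-0003", "email", datetime(2010, 6, 1, 9, 0), subject="j.bloggs"),
]
HOLDS = [LegalHold(subject="a.n.other", reason="subject access request received 2011-02-01")]

if __name__ == "__main__":
    destroy, retained = disposal_run(RECORDS, HOLDS, NOW)
    print("destroy:", destroy)
    for rid, why in retained:
        print(f"retain {rid}: {why}")
    week_old = NOW - timedelta(days=7)
    print("week-old ANPR data still held?",
          still_held("anpr-non-contravention", week_old, NOW))
```

Two design points matter in practice. The hold check runs before the deadline check, so a record whose retention has expired is never destroyed while a SAR or litigation that covers its subject is open. And the schedule refuses unknown series instead of defaulting to indefinite retention, which is how "redundant information destroyed" quietly turns back into the 14,000-email trawl.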
Mitigating risk: educating and communicating guidance on:
• Managing requests for information
• Managing records and information
• Appropriate information sharing and compliance
Because: the biggest information risk is people!
Integrating responsibilities
• At TfL information governance, risk and compliance fall within the remit of General Counsel alongside the corporate governance, legal and internal audit functions
• Specific responsibilities include:
– Records management strategy and policy
– FOI/EIR/DPA compliance
– Privacy, data protection and data breach issues
– Information security policy/classification scheme
– Information sharing protocols
– Information risk register
But everyone is responsible for managing information risk!
16 October 2006