Information Governance Framework

Deputy Chief Executive

V1.0

4 October 2016

www.eden.gov.uk

Approved by: Executive

Date Approved: 4 October 2016

Review Frequency: Biennial (next update due: October 2018)

Responsible Officer: M Neal, Deputy Chief Executive


Contents

1. Introduction
2. Information Governance Policy Statement
3. Legal and Regulatory Framework
4. Scope
5. Roles and Responsibilities
6. Main Themes for Improvement
6.1 Information Governance Management
6.2 Data Quality
6.3 Information Compliance
6.4 Information Security
6.5 Information Sharing
6.6 Records Management
7. Information Governance Work Plan


1. Introduction

This Information Governance Framework and its Work Plan present Eden District Council (“the Council”) with an opportunity to establish a robust structure for managing its information assets but also a significant challenge. This document contains a large number of actions, some quite ambitious, addressing a wide range of issues and involving all staff and Members to some extent. The Work Plan therefore spans two years, from October 2016 to September 2018. It will run largely concurrently with the Digital Transformation Project, to both inform and be informed by its development.

Information is an Asset

Information is a valuable asset, vital for the efficient management of services and resources. It is needed to inform policy development and make evidence-based decisions. Information is important in terms of making improvements to service delivery and helping the Council to respond more flexibly to changing customer needs.

The Council receives, generates, uses and stores vast amounts of data, in many different forms, including: emails, its website, files stored on laptops/PC hard drives, on SharePoint and on servers, databases and application software and also hard copy paper files and maps. The extent and types of information held on Eden residents, businesses and organisations place a great responsibility on the Council to ensure it has robust policies, procedures and systems in place to protect it.

The Council’s approach to managing its information assets has not been particularly well co-ordinated in the past. A number of policies and procedures exist but they have been developed largely in isolation, at different times and by different people. There has been no overarching framework or policy to draw them together.

The Council’s Service Innovation Board identified the need for improved data governance and data sharing in 2015, to support and enable the Digital Transformation Project. This resulted in the creation of the Information Governance Manager post through a restructure, implemented with effect from 1 April 2016.

What is Information Governance?

Information Governance is a term used to describe how organisations, including local authorities, ensure that statutory, regulatory and best practice requirements are met when they collect, store, use and share information in their possession.

An Information Governance Framework is a multidisciplinary term that encompasses a wide range of functions, policies, procedures and systems. This Framework will provide the Council with a coherent structure to ensure that legal and best practice standards are met and continuously assessed.

The table below shows the six aspects of Information Governance included in this Information Governance Framework:

Information Governance Management;

Data Quality;

Information Compliance;

Information Security;


Information Sharing; and

Records Management.

2. Information Governance Policy Statement

The Council recognises information as a valuable asset in the provision and effective management of its services and resources. It is of paramount importance therefore that information is processed within a framework designed to support and enable appropriate Information Governance. All information users (staff, Members, contractors and partners) will take responsibility for managing information in accordance with this Information Governance Framework and with all policies, procedures, guidance and systems developed to support it. Information must be managed using sound processes. The Council will ensure that it:

Conforms to all legal and statutory requirements;

Holds all information securely;

Holds all personal information confidentially;

Obtains information fairly and lawfully;

Records information accurately and reliably;

Uses information effectively and ethically;

Shares information appropriately and lawfully;

Makes available non-confidential information wherever possible to the public via the Council’s website (Open Data); and

Reviews and disposes of information and records no longer required securely.

3. Legal and Regulatory Framework

There are a number of legal obligations placed upon local authorities relating to the use of information, including personally identifiable information. The Council needs to ensure these legal and best practice standards are met and continuously assessed:

Data Protection Act 1998;

Electronic Communications Act 2000;

Environmental Information Regulations 2004;

Freedom of Information Act 2000;

Human Rights Act 1998;

Public Records Act 2011;

Regulation of Investigatory Powers Act 2000; and

Reuse of Public Sector Information Regulations 2005.

The General Data Protection Regulation (2018), which will come into force on 25 May 2018, will place additional responsibilities on the Council and could quite significantly increase demand on the Council’s resources.


4. Scope

This Framework applies to:

All information, regardless of format, held and processed by the Council;

All information systems operated or managed by the Council;

All information shared by the Council with third parties, including partner organisations and contractors;

Any individual processing information held by the Council; and

Any individual requiring access to information held by the Council.

5. Roles and Responsibilities

Matters relating to Information Governance come under the Resources Portfolio. Progress on the Information Governance Framework Work Plan will be reported to the Resources Portfolio Holder.

The Chief Executive as Head of Paid Service, together with Senior Management Team, have overall responsibility for ensuring the delivery of an effective Council-wide approach to Information Governance.

The Council’s Director of Finance is the Senior Information Risk Owner (SIRO). The SIRO is concerned with the management of all information assets and information risks. The SIRO is responsible for fostering a culture for protecting data and for managing information risks and incidents. All breaches of information security should be reported to the SIRO. The SIRO is heading up the Service Innovation Board in overseeing the Digital Transformation Project.

The Deputy Chief Executive is the Council’s Data Protection Officer. He is responsible for co-ordinating the needs of Data Protection across the Council and for ensuring compliance with the requirements of the Data Protection Act.

The Information Governance Manager is responsible for producing the Information Governance Framework and Work Plan, for co-ordinating the implementation and monitoring progress of the Work Plan, for ensuring relevant policies, procedures, protocols and guidance are in place, for advising staff and Members and for arranging training.

Each Senior Manager is an Information Asset Owner, accountable for information assets within their service area. They should be able to understand how the information asset is held, used and shared and address any associated risks. However, all staff and Members are responsible for the data and information they generate, handle and dispose of.

The responsibilities for delivering specific actions under this Framework are indicated in the Work Plan table on pages 15 to 26.


6. Main Themes for Improvement

There are six main themes for the improvement of Information Governance under this Framework and it is expected there will be a degree of cross-over between them.

6.1 Information Governance Management

Information Governance Management is the management of Information Governance at a corporate, managerial and operational level across the organisation. It provides the necessary ownership, accountability and support required to ensure the development, implementation and promotion of the required Information Governance infrastructure.

The current situation (as at mid September 2016)

The Council has identified that its management of Information Governance in the past has not always been given the attention it deserves. However, this is now being addressed, with the creation of an Information Governance Manager post and an acknowledgement that Information Governance must be improved to support the work of the Digital Transformation Project. This planned improvement is supported by the adoption of an Information Governance Framework and Work Plan and annual reporting regime.

The Information Governance Framework encompasses a wide range of different policies, procedures, processes, protocols and guidance and these need to be consistent with each other and kept up to date and relevant. A regime for monitoring, reviewing and updating is to be introduced.

A training programme will identify the various training levels required for different staff and Members and will set out the Council’s expectations for working practices and behaviours related to Information Governance. Also, clear guidance on the Council’s approach to the various aspects of Information Governance will be made readily available to all staff. All staff will be made aware of their responsibilities relating to Information Governance, particularly with regard to Access to Information, Data Protection and Information Security and the duties they place on the Council.

Information Governance competencies, particularly with regard to Data Protection, are already written into all job descriptions.

Areas to be addressed

The following areas are to be addressed under the heading of Information Governance Management and are expanded on in the Work Plan on page 15:

Introduce an Information Governance Framework;

Produce an annual Information Governance report at the end of each financial year;

Review existing Information Governance policies, protocols, processes, procedures and guidance and establish a regime to regularly monitor, review and update them;

Implement an Information Governance training and awareness raising programme; and

Recruit a Data Transparency Assistant on a temporary, part time basis.


6.2 Data Quality

Data Quality is an assessment of the fitness of data to serve its purpose in a given context. Data is generally considered high quality if it is fit for its intended uses in operations, decision making and planning. It is important to ensure the accuracy, coverage, timeliness and completeness of data so that staff, Members, contractors/partners and customers are able to trust the validity and authority of information sources and have confidence that it is up to date and accurate.

The current situation (as at mid September 2016)

The Council has a Data Quality Statement, which is available on the website. This is a short policy statement which is reviewed biennially and is next due to be reviewed in March 2018.

The Council reports around 50 separate data sets to the Government under the Single Data List, which is a list of all the data that local authorities are required to submit to central Government departments in a given year. In addition, the Council has selected a number of Key Performance Indicators for the monitoring of its own corporate health and these are reported internally to Management Team every six months.

For some time, contractors and partner organisations have been required to sign the Council’s Third Party Data Quality Protocol. The protocol template has been included or appended to contract and service level agreement documentation. However, there is no way of enforcing the protocol and at best it is only of use insofar as raising awareness of data quality issues.

Areas to be addressed

The following areas are to be addressed under the heading of Data Quality and are expanded on in the Work Plan on page 16:

Ensure the Data Quality Statement is reviewed and updated on a biennial basis;

Raise awareness of the Council’s Data Quality Statement and the expectations on staff;

Introduce a register of data the Council has a duty to provide to Government under the Single Data List;

Provide guidance on writing Data Quality requirements into contracts and agreements, where data is provided to the Council by third parties; and

Review the use and benefits of Third Party Data Quality Protocols.


6.3 Information Compliance

Information Compliance is the process of conforming to certain information laws and regulations through the application of appropriate policies and procedures. The Council manages and processes large volumes of confidential and sensitive information about people and has a duty to deal with it lawfully and ethically.

The current situation (as at mid September 2016)

The Council has in place the following related policies, which are published on the website:

Access to Information Policy (Freedom of Information (FOI), Environmental Information Regulations and Data Protection (Subject Access Requests)) - April 2016;

Complaints Procedure (webpage) - December 2015;

Data Protection Policy - April 2016;

Privacy Policy (webpage) - last updated June 2016; and

Regulation of Investigatory Powers Policy - December 2012.

The Access to Information Policy and Data Protection Policy were quite recently adopted and so are not in need of updating. However, staff would benefit from more detailed and practical guidance and training based on the policies. The Data Protection Policy is likely to require reviewing before May 2018, in preparation for the General Data Protection Regulation (2018).

It has been identified by staff responsible for managing Access to Information requests that there would be benefit in improving the existing process, which is unnecessarily convoluted. It is recommended that alternative systems are explored with a view to increasing the efficiency and robustness of processes for the management of Freedom of Information requests.

Two of the above procedures/policies only exist as web pages. It would be preferable for all Information Governance policies to be in a consistent format and to be subject to version control (webpages are not).

Areas to be addressed

The following areas are to be addressed under the heading of Information Compliance and are expanded on in the Action Plan on page 18:

Improve the process for handling Access to Information (FOI, EIR, Subject Access Requests);

Ensure any forms (including online forms) relating to Access to Information and Data Protection are consistent and comply with legislative requirements and the Council’s Information Governance policies;

Undertake Data Protection testing to ensure compliance;

Examine the requirements of the General Data Protection Regulation (2018) and the likely impact on the Council;

Provide procedures on Access to Information to relevant staff;

Review the Privacy Policy;


Introduce a CCTV Policy and Code of Practice; and

Review the Complaints Procedure.


6.4 Information Security

Information Security describes measures put in place to protect information assets and information systems from unauthorised access, use, disclosure, disruption, modification or destruction.

The current situation (as at mid September 2016)

The Council holds a valid PSN (Public Services Network) compliance certificate, demonstrating that the Council’s transmission and processing of personal information is carried out using a trusted secure network. The Council also completes and submits to the Cabinet Office an annual Assurance Notice, which evaluates the Council’s performance against standards set by the ‘CESG,’ the UK government's national technical authority for information assurance.

The roll-out of fully PSN compliant encrypted laptops to staff and Members between 2014 and 2016 has improved information security, particularly in terms of accessing the Council’s network remotely (from home or other premises). Non-corporate devices such as personal computers are no longer able to access the Council’s systems.

The Council has the following related policies in place:

Information Security Policy - 2012;

Internet and Email Acceptable Use Policy and Authorised User Agreement - 2012; and

IT Security and Confidentiality Requirements for Home/Mobile Working - 2012.

All staff and Members are required to sign the Authorised User Agreement to confirm that they will abide by the terms of the Information Security Policy and the Internet and Email Acceptable Use Policy. All new staff and Members receive information about Information Security during their induction.

The Digital Transformation Project currently under development will present opportunities to build a high level of security into the new digital platform (ESB Agile). These security measures will be designed in such a way as to protect both the Council’s information and that of customers accessing the Council’s systems. It is important that an ongoing dialogue is maintained between the people responsible for the Digital Transformation Project (IT and the Service Innovation Board) and those responsible for matters of Information Governance (within the Legal section).

The new digital platform could be subject to a Privacy Impact Assessment (PIA) during its development. PIA is a tool to help organisations identify the most effective way to comply with their Data Protection obligations and meet individuals’ expectations of privacy. An effective PIA allows organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. The Information Commissioner’s Office (ICO) provides guidance and a template.

Also, the Council needs to comply with PCI DSS, the Payment Card Industry Data Security Standard. This is a worldwide standard that was set up to help businesses and organisations process card payments securely and reduce card fraud. The way it does this is through tight controls surrounding the storage, transmission and processing of cardholder data that businesses handle. PCI DSS is intended to protect sensitive cardholder data. The Council’s current website and the new digital platform need to be PCI DSS compliant. An internal audit is being carried out into the Council’s compliance with PCI DSS during 2016-17.

Areas to be addressed

The following areas are to be addressed under the heading of Information Security and are expanded on in the Work Plan on page 21:

Update the Reporting of Security Incidents and Information Breaches policy and procedure;

Review and update the Information Security Policy and IT Security and Confidentiality Requirements for Home/Mobile Working policies;

Review and update the Internet and Email Acceptable Use Policy and Authorised User Agreement and Social Media Policy;

Establish an interface with the Digital Transformation Project for the duration of its development;

Consider undertaking a Privacy Impact Assessment on the new digital platform (ESB Agile) being developed under the Digital Transformation Project; and

Ensure card payments achieve compliance with PCI DSS, the Payment Card Industry Data Security Standard.


6.5 Information Sharing

Information Sharing is the exchange of data between different organisations, people and technologies, through the application of appropriate policies, procedures and protocols. Although maintaining confidentiality is vital, service delivery can sometimes be improved through the appropriate sharing of data. This requires the proper governance of information sharing practice across the Council (internally) and with partners (externally).

The current situation (as at mid September 2016)

Work has commenced to fulfil the Council’s requirements to publish data under the Local Government Transparency Code 2015. The Code sets out the minimum data the Council needs to publish, the frequency it should be published and how it should be published. Some of the required data is already available on the website and it will be added to it as other data sets become available. In publishing the data required under the Local Government Transparency Code 2015, certain Data Standards should be observed and the Local Government Association provides comprehensive guidance on meeting those standards.

There are a number of circumstances which involve the sharing of data with partner organisations and contractors. An example of this is the transfer of planning records to the Lake District and Yorkshire Dales National Park Authorities during the national park extensions in 2016, for which Data Sharing Agreements were drawn up. However, there is no list of the various Data Sharing Agreements across the Council.

There is currently no Information Sharing Protocol in place; such a protocol would assist in the production of any new arrangements and agreements. It would also assist in emergency situations such as flooding incidents when agencies need to work closely together to protect the safety and wellbeing of residents.

The sharing of data internally within the Council could improve the efficiency of the Council’s services but there has been resistance from some staff in the past, mainly on the grounds of Data Protection. Clearer guidelines for staff would assist in allowing more internal sharing of data, as would the production of an Information Asset Register (so that staff are aware of what other data exists, where it is held and who is responsible for it). All data held on the new digital platform will be linked to a Unique Property Reference Number (UPRN) and a unique citizen reference, which will collectively eliminate duplication.

Areas to be addressed

The following areas are to be addressed under the heading of Information Sharing and are expanded on in the Work Plan on page 23:

Fulfil the Council’s obligations under the Local Government Transparency Code 2015;

Draw up and maintain a list of Data Sharing Agreements held across the Council;

Introduce an Information Sharing Protocol to provide a framework for agreeing terms; and

Conduct a review into the internal sharing of data.


6.6 Records Management

Records Management is the practice of managing the records of an organisation throughout their life cycle, from the time they are created to their eventual disposal.

The current situation (as at mid September 2016)

The Council has a Business Continuity Plan (2016), which is available on the website. The Business Continuity Plan is an important tool that ensures services to the public (which require access to records) are maintained in the event of a major interruption at either the Town Hall or Mansion House.

An Information Management Strategy was produced in 2009 by the then IT Services Manager and this document is available on the website. The main thrust of the strategy is the migration to SharePoint and the implications for document management.

The introduction of Document Management Systems at the Council has been beneficial in terms of sharing information internally, in reducing capacity demands on email and in providing a degree of version control. However, not all sections of the Council are using these systems (in part due to concerns around confidentiality) and there have also been some issues in terms of functionality. An audit and review of the Council’s document management practices would be beneficial in identifying any specific issues and this would be assisted by the production of an Information Asset Register. In fact the two exercises could be combined.

The Council does not have an Information Asset Register. There is currently no list of records, files or databases held by the Council. Staff will have knowledge of the different information assets retained in their sections but there is no corporate list. A comprehensive and definitive list of all information assets retained by the Council would help to identify areas of duplication and spot areas of potential risk such as loss of personal data. By understanding the nature of the Council’s information and where it is held, it will be possible to mitigate the risks more easily.

Currently the Council does not have an approved and adopted Records Management or Information Retention and Disposal Policy. Some work has been undertaken in this area in the past by IT staff and the Document Management Assistant and a draft policy and user guidelines are available (these could be revisited and further developed). A clear, workable policy and guidelines would greatly assist staff in knowing how to store different types of records, for how long and how to dispose of them securely.

Although some sections across the Council have their own system of Version Control of documents, there is currently no official Council-wide system in place. This can occasionally result in old versions of documents and reports being circulated and consequently in confusion. A common system of version control across the Council would provide consistency and confidence in the Council’s documentation.

Areas to be addressed

The following areas are to be addressed under the heading of Records Management and are expanded on in the Work Plan on page 24:

Review document management practices across the Council;

Produce and maintain a corporate Information Asset Register;


Assign Information Asset Owners (IAO);

Introduce a corporate Records Management Policy (including Document Retention and Disposal);

Introduce a corporate system of Version Control;

Introduce a Confidential marking policy; and

Ensure consistency between documents and information on the website and other formats of the same information.


7. Information Governance Work Plan - October 2016 to September 2018

Aspect of

Information

Governance

Action Target Outcome Resource

Implications

Responsibility Deadline

Information

Governance

Management

IGM1: Introduce an

Information

Governance

Framework

Approve, adopt

and implement a

Framework and

two year Work

Plan

There is a clear

sense of direction,

commitment and

ownership

Officer time

Information

Governance Manager

SIRO

Data Protection

Officer

Approval at

Executive -

4 Oct 2016

IGM2: Produce an

annual Information

Governance report

at the end of each

financial year

Monitor progress,

outline keys issues

and risks and

identify areas for

further

improvement.

Report to

Executive

Progress of the Work

Plan is monitored and

any constraints, risks

and additional

resource implications

are identified.

Annual report

approved at

Executive

Officer time Information

Governance Manager

SIRO

Data Protection

Officer

End Jul 2017

Action: IGM3: Review existing Information Governance policies, protocols, processes, procedures and guidance and establish a regime to regularly monitor, review and update them
Target: Produce a comprehensive list, with details of the date documents were approved, where they can be found, who is responsible for them and when due for renewal
Outcome: All policies, protocols, processes, procedures and guidance are current, relevant and fit for purpose
Resource Implications: Officer time
Responsibility: Information Governance Manager; Member Services Team Leader; IT Services Manager; HR
Deadline: End Mar 2017

Action: IGM4: Implement an Information Governance training and awareness raising programme
Target: Provide specialised external Data Protection and Freedom of Information training to managers, key staff and Members in 2017-2018 and cascade to other staff
Outcome: A culture exists across the Council in which all staff, Members and third parties recognise the importance of Data Protection and Access to Information and positive practices are embedded in the work of the organisation
Resource Implications: External trainer @ £3,000 in 2017-2018; Officer time
Responsibility: Information Governance Manager; Member Services Team Leader; HR
Deadline: End Mar 2018; Post regular reminders on the bulletin board

Action: IGM5: Recruit a Data Transparency Assistant on a temporary, part time basis
Target: Data Transparency Assistant in post
Outcome: There is greater capacity to undertake Information Governance activities
Resource Implications: £8,000 government grant
Responsibility: Information Governance Manager; Deputy Chief Executive; HR
Deadline: End Mar 2017

Aspect of Information Governance: Data Quality
Action: DQ1: Ensure the Data Quality Statement is reviewed and updated on a biennial basis
Target: Approve and adopt the revised statement
Outcome: Statement is current, relevant and fit for purpose
Resource Implications: Officer time
Responsibility: Information Governance Manager
Deadline: Review date - March 2018

Action: DQ2: Raise awareness of the Council’s Data Quality Statement and expectations on staff
Target: Provide guidance to staff through regular bulletins
Outcome: Staff take ownership of and seek to improve the quality of data within their services
Resource Implications: Officer time
Responsibility: Information Governance Manager
Deadline: Reminders to be issued every six months

Action: DQ3: Introduce a register of data the Council has a duty to provide to Government under the Single Data List
Target: Produce and maintain a list and make available to relevant staff
Outcome: Staff take ownership of and seek to improve the quality of data provided to Government under the Single Data List
Resource Implications: Officer time
Responsibility: Information Governance Manager; Staff with responsibility for reporting data to Government
Deadline: End Jun 2017

Action: DQ4: Provide guidance on writing Data Quality requirements into contracts and agreements, where data is provided to the Council by third parties
Target: Guidance is produced and is accessible to relevant staff. (could be included in the Procurement Strategy)
Outcome: Data Quality is assured wherever possible at the point of collection
Resource Implications: Officer time
Responsibility: Information Governance Manager; Assistant Director, Technical Services; Director of Finance
Deadline: End Dec 2017

Action: DQ5: Review the use and benefits of Third Party Data Protocols
Target: Produce (internal) report
Outcome: The most effective means of assuring the quality of data being provided to the Council by contractors and partner organisations is established
Resource Implications: Officer time
Responsibility: Information Governance Manager; Assistant Director, Technical Services; Director of Finance
Deadline: End Dec 2017

Aspect of Information Governance: Information Compliance
Action: IC1: Improve the system for handling Access to Information (FOI, EIR, Subject Access Requests)
Target: Explore alternative systems and adopt the most efficient and appropriate for the Council’s needs
Outcome: The process is efficient and fit for purpose
Resource Implications: Officer time
Responsibility: Information Governance Manager; Member Services Team Leader; IT
Deadline: End Jun 2017

Action: IC2: Ensure any forms (including online forms) relating to Access to Information and Data Protection are consistent and comply with legislative requirements and the Council’s Information Governance policies
Target: Review and update the forms and cross-reference the online forms with other formats of the same information
Outcome: There is a consistent approach to providing information and all information is current, relevant and compliant
Resource Implications: Officer time
Responsibility: Information Governance Manager; Member Services Team Leader; Web Co-ordinator; Assistant Director Customer Services and Transformation; Data Protection Officer
Deadline: End Jun 2017

Action: IC3: Undertake Data Protection testing to ensure compliance
Target: Complete the ICO’s Data Protection Self Assessment Toolkit. Consider an internal Data Protection audit in 2017-2018
Outcome: The Council’s processes, procedures and systems are compliant
Resource Implications: Officer time
Responsibility: Information Governance Manager; Assistant Director, Legal Services; Data Protection Officer
Deadline: End Sep 2017

Action: IC4: Examine the requirements of the General Data Protection Regulation (2018) and the likely impact on the Council
Target: Report the likely impact and resource implications to Executive
Outcome: The Council is compliant with the regulation when it comes into force on 25 May 2018
Resource Implications: Officer time
Responsibility: Information Governance Manager; Member Services Team Leader; Assistant Director, Legal Services; Data Protection Officer
Deadline: End Oct 2017

Action: IC5: Provide procedures on Access to Information to relevant staff
Target: Produce procedures and make readily accessible
Outcome: There is a clear and consistent approach to handling requests
Resource Implications: Officer time
Responsibility: Information Governance Manager; Member Services Team Leader
Deadline: End Jun 2017; Reminders issued every six months

Action: IC6: Review the Privacy Policy
Target: Condense the content of the existing webpage, with a link to a stand-alone PDF policy
Outcome: There is a consistent approach to the Council’s suite of policies and Version Control
Resource Implications: Officer time
Responsibility: Information Governance Manager; Member Services Team Leader; Data Protection Officer
Deadline: End Dec 2017

Action: IC7: Introduce a CCTV Policy and Code of Practice
Target: Produce, approve and adopt a policy and ensure relevant staff are aware of it
Outcome: The Council’s CCTV systems are adequately managed and controlled and the information and images obtained are handled appropriately and lawfully
Resource Implications: Officer time
Responsibility: Information Governance Manager; Engineering Officer; Assistant Director, Legal Services; Data Protection Officer
Deadline: End Jun 2017

Action: IC8: Review the Complaints Procedure
Target: Condense the content of the existing webpage, with a link to a stand-alone PDF document. Consider ways of simplifying the procedure for customers
Outcome: There is clarity for customers and a clear and consistent approach for staff handling complaints. There is a consistent approach to the Council’s suite of policies and Version Control
Resource Implications: Officer time
Responsibility: Secretary to Deputy Chief Executive; Information Governance Manager; Assistant Director, Legal Services; Deputy Chief Executive
Deadline: End Dec 2017

Aspect of Information Governance: Information Security
Action: IS1: Update the Reporting of Security Incidents and Information Breaches policy and procedure
Target: Update the policy and procedure and ensure staff and Members are aware of it
Outcome: A clear and accessible procedure exists that ensures any breaches are reported and addressed at the earliest opportunity
Resource Implications: Officer time
Responsibility: Information Governance Manager; IT Services Manager; SIRO
Deadline: End Dec 2017

Action: IS2: Review and update the Information Security Policy and IT Security and Confidentiality Requirements for Home/Mobile Working policies
Target: Approve and adopt the revised policies
Outcome: The policies are current, relevant and fit for purpose
Resource Implications: Officer time
Responsibility: Information Governance Manager; IT Services Manager; SIRO
Deadline: End Dec 2017

Action: IS3: Review and update the Internet and Email Acceptable Use Policy and Authorised User Agreement and Social Media Policy
Target: Approve and adopt the revised policy
Outcome: The policies are current, relevant and fit for purpose
Resource Implications: Officer time
Responsibility: Information Governance Manager; Communication Officer; IT Services Manager; HR
Deadline: End Dec 2017

Action: IS4: Establish an interface with the Digital Transformation Project for the duration of its development
Target: Agree a regime for ongoing dialogue
Outcome: Policies and procedures are in place which are consistent with and relevant and appropriate to the needs of the new digital platform
Resource Implications: Officer time
Responsibility: Information Governance Manager; IT Services Manager
Deadline: End Dec 2016

Action: IS5: Consider undertaking a Privacy Impact Assessment on the new digital platform (ESB Agile) being developed under the Digital Transformation Project
Target: Assess the need for a Privacy Impact Assessment (using ICO guidance and template)
Outcome: Privacy is ‘designed-in’ so that the platform complies with the Council’s Data Protection obligations and meets individuals’ expectations of privacy
Resource Implications: Officer time
Responsibility: Information Governance Manager; IT Services Manager; Service Innovation Board
Deadline: In line with Digital Transformation Project

Action: IS6: Ensure card payments achieve compliance with PCI-DSS, the Payment Card Industry Data Security Standard
Target: The PARIS system is accredited and approved by the Payment Card Industry Council. Staff taking card payments comply with PCI-DSS rules and requirements
Outcome: Card payments are processed securely and sensitive cardholder data is protected
Resource Implications: Officer time
Responsibility: IT Services Manager; Senior Auditor; SIRO
Deadline: Ongoing

Aspect of Information Governance: Information Sharing
Action: ISH1: Fulfil the Council’s obligations under the Local Government Transparency Code 2015
Target: Publish all required data sets on the Council’s website under Open Data
Outcome: Government code is complied with and data is readily accessible and in the required format
Resource Implications: Officer time
Responsibility: Data Transparency Assistant; Information Governance Manager; Data Protection Officer
Deadline: End Dec 2017

Action: ISH2: Draw up and maintain a list of Data Sharing Agreements held across the Council
Target: Produce list and make available to staff
Outcome: Risks are adequately monitored
Resource Implications: Officer time
Responsibility: Information Governance Manager; IT Services
Deadline: End Sep 2017

Action: ISH3: Introduce an Information Sharing Protocol to provide a framework for agreeing terms
Target: Produce and approve a protocol and make available to staff. The protocol could be further developed into a template agreement
Outcome: Risks are minimised and agreements can be drawn up efficiently and relatively quickly
Resource Implications: Officer time
Responsibility: Information Governance Manager; IT Services Manager; SIRO
Deadline: End Dec 2017

Action: ISH4: Conduct a review into the internal sharing of data
Target: Produce a report summarising current practices, any constraints and the reasons for behaviours
Outcome: There is a culture of transparency and co-operation between departments and sections and efficiencies are increased
Resource Implications: Officer time
Responsibility: Information Governance Manager; IT Services
Deadline: End Sep 2018

Aspect of Information Governance: Records Management
Action: RM1: Review document management practices across the Council
Target: Produce a report summarising current practices, highlighting any areas to be addressed
Outcome: Processes, procedures and behaviours are identified and documented
Resource Implications: Officer time
Responsibility: Information Governance Manager; Document Management Assistant; IT Services; Assistant Director, Customer Services and Transformation
Deadline: End Dec 2017

Action: RM2: Produce and maintain a corporate Information Asset Register
Target: Audit all of the Council’s information assets and create and maintain an Information Asset Register
Outcome: There is ownership and accountability and clarity over what information the Council holds and where key datasets reside
Resource Implications: Officer time
Responsibility: IT Services; Information Governance Manager
Deadline: In line with Digital Transformation Project

Action: RM3: Assign Information Asset Owners (IAO)
Target: Designate IAOs and provide them with guidance on their responsibilities
Outcome: There is ownership and accountability in managing the Council’s information assets
Resource Implications: Officer time
Responsibility: Information Governance Manager; IT Services; Senior Managers
Deadline: In line with Digital Transformation Project

Action: RM4: Introduce a corporate Records Management Policy (including Document Retention and Disposal)
Target: Produce, approve and adopt policy and procedures and make available to all staff. Issue regular reminders
Outcome: There is a clear, traceable policy and process for managing records and documents across the Council
Resource Implications: Officer time
Responsibility: Information Governance Manager; Document Management Assistant; Secretarial Support; Assistant Director, Customer Services and Transformation; IT Services
Deadline: End Sep 2018; Reminders issued every six months

Action: RM5: Introduce a corporate system of Version Control
Target: Produce, approve and implement a policy and procedure notes
Outcome: There is a clear and consistent process for managing Version Control across the Council
Resource Implications: Officer time
Responsibility: Information Governance Manager; Secretarial Support; Member Services Team Leader; IT Services
Deadline: End Sep 2017; Reminders issued every six months

Action: RM6: Introduce a Confidential marking policy
Target: Produce, approve and implement a policy and procedure notes
Outcome: The status of documents is clear
Resource Implications: Officer time
Responsibility: Information Governance Manager; Secretarial Support; Member Services Team Leader
Deadline: End Sep 2017

Action: RM7: Ensure consistency between documents and information on the website and other formats of the same information
Target: Staff to check and cross-reference the content of their webpages regularly (including documents)
Outcome: There is a consistent approach to presenting information and all information provided is current and relevant
Resource Implications: Officer time
Responsibility: Web Co-ordinator; Information Governance Manager; Assistant Director Customer Services and Transformation
Deadline: Ongoing