
Information Management Strategy 2016-18

Version: Proposal to Executive Date: 25th October 2016


Information Management Strategy 2016 Draft v0.1

Document Control

Organisation: Copeland Borough Council
Title: Information Management Strategy
Version: Proposed Version
Author: Jo Morley-Hill
Filename: Information Management Strategy 2016 Draft to Exec
Owner: Information Management Officer
Subject: Information Management
Protective Marking: None
Review Date: Two years from date of approval

Revision History

Version Reviewed: V1.0
Date Reviewed: 26/4/16
Reviewed by: Jo Morley-Hill
Description of Revision: Complete re-write of 2013 Strategy

Document Approval

Version / Consulted/Approved by / Date

Corporate Leadership Team
Leadership Management Group
Trade Union Consultation: Not Applicable
Audit & Governance: 4/8/2016
Executive
Full Council: Not Applicable

Document Distribution

This policy is to be distributed to all staff and elected members of Copeland Borough Council and placed on the Council’s Intranet Site. A copy must also be provided to contractors and 3rd parties undertaking work on Copeland Borough Council premises.

Contributors

This strategy was developed with support from, or reference to, the following:

• Home Office (2012) Want to know more? Getting the most out of knowledge and information.
• Information Commissioner’s Office: https://ico.org.uk/for-organisations/local-government/
• University of Sheffield (2009) Information Management Strategy and Governance
• Leicestershire County Council (2011) Information Strategy
• Aberdeen City Council (2014) Corporate Information Management Strategy


Contents

• Document Control
• Contents
• Purpose
• Introduction
• Scope
• Definitions
• Roles and Responsibilities
• Information Management
• Information Management Key Principles
• Collecting and Storing Information
• Compliance
• Confidentiality and Security
• Sharing Information
• Publishing Information
• Training and Development
• The Information Management Framework


Purpose

This Information Management Strategy will provide Copeland Borough Council (the Council) with a framework in which it can manage its Information through an Improvement Programme that will ensure that the Council has data, information and knowledge, which is:

Useable: information will be accurate, up to date, and fit for purpose. The Council will have the information it needs.

Accessible: information will be in the right place, organised appropriately, open wherever possible, protected where required.

Reliable: the Council will have access to the information it needs, where it needs it, whenever it needs it, and appropriate business continuity arrangements will be in place to protect it.

This strategy has been devised in consultation with all internal stakeholders, members and service managers.

Introduction

Copeland Borough Council recognises that information is a vital asset in the provision and effective management of services and resources. Inappropriate management of information is also a huge risk to the Council in terms of legislation and of financial and reputational loss. It is therefore of paramount importance that information is processed within a framework designed to support, enable and meet regulatory, legal, risk, environmental and operational requirements. The Council will work to ensure that the three main areas of Information Management (People, Process and Technology) are given equal status in the development of Information Management Systems.


These Information Management systems will include a set of multi-disciplinary structures, policies, procedures, processes and controls to manage information at an organisational level.

Scope

This Information Management Strategy applies to everyone who uses or has access to the Council’s information, information assets or IT equipment. These people are referred to as ‘users’. This may include, but is not limited to, employees of the Council, members of the Council, temporary workers, partners and contractual third parties. This strategy covers information and records created and held in all physical and electronic formats, including, but not restricted to:

• Paper;
• Electronic / digital documents, including scanned images, databases and spreadsheets;
• E-mail and voice mail;
• Information held in blogs, wikis and discussion threads, and in other social media when used for business purposes, such as Twitter;
• Visual images such as photographs;
• Microform, including microfiches & microfilm;
• Information stored on removable media, such as data sticks, audio and video tapes, CDs, DVDs and cassettes (where still applicable);
• Published web content (Intranet and Internet).

This strategy will also cover formats that are developed and used in the future.

Definitions

Data quality: Ensures that the Council’s information is accurate, reliable, relevant and up-to-date.

Information security: Ensures that Council information is not compromised by unauthorised access, modification or loss.

Information compliance: Ensures compliance with all legislation that is relevant to the management of information, including rights of access under freedom of information and data protection legislation.

Records management: Ensures that Council information is systematically controlled and maintained, and includes arrangements for storing, managing, accessing, using and disposing of records, in compliance with legal and policy requirements.

Information sharing: Ensures that Council information is shared in a secure and controlled manner.


Roles and Responsibilities

It is important that all officers and members are aware of who is responsible for Information Management systems, strategy, policies, and information holdings within the Council. The Council will further develop its Information Management Governance Structure, to provide clarity of roles and reduce duplication of work. The table below identifies the roles and responsibilities of all officers and members within the Council. The Director of Customer and Community Services is the Council’s designated Senior Information Risk Owner (SIRO).

Elected Mayor, Executive and Members

Executive: Responsible for approving the Information Management Strategy and monitoring and responding to performance reports.

Audit & Governance Committee: Challenging the actions of the Corporate Leadership Team and Executive in managing information risks.

Overview and Scrutiny Performance Sub-Group: Receive and monitor quarterly performance reports around Freedom of Information performance.

Members: Attend mandatory training and comply with the Information Management Strategy and associated policies in all areas of their work. Report any breaches to Information Management procedures to the Democratic Services Manager.

Corporate Leadership Team

1. Provide strategic leadership for information governance and information risk management throughout the Council.

2. Support the development of the Information Governance Framework, including an annual maturity assessment to measure progress and improvement.

3. Support, monitor and approve the annual information governance improvement plan, including plan revision and realignment to mitigate risk.

4. Take ownership of the information risk management approach, including monitoring compliance with the Information Governance Framework and highlighting information risks.

5. Receive and consider reports into Freedom of Information Requests, breaches of confidentiality and security and, where appropriate, undertake or recommend remedial action.

Leadership & Management Group

1. Act as the Information Asset owner for their own Service Area.

2. Implement and comply with the Information Management strategy and associated policies.

3. Ensure officers are aware of their responsibilities.

4. Report breaches to Information Management procedures to the relevant director.


Information Management Officer

1. Develop solutions and implementation programmes to ensure that the Council complies with developing information governance requirements.

2. Develop and manage the Council’s information archive.

3. Support directorates with the implementation of information governance standards, policies and controls.

4. Develop and deliver Information Management Training.

5. Support audit and assessment arrangements for information governance.

6. Liaise with IT Manager on all issues around Information Security.

Officers

1. Attend mandatory training and comply with the Information Management Strategy and associated policies in all areas of their work.

2. Report any breaches (or potential breaches) to Information Management procedures to their Manager.

Information Management

Good information management will ensure that every officer and member of the Council can say:

• “I know what information we’ve got and where it’s stored”
• “I collaborate with others to share knowledge and information”
• “I know how to protect information and manage it appropriately”
• “I have the skills I need to manage information”
• “I know what’s expected of me when creating and using information”
• “I have the IT that I need to manage information”
• “I know why all of this matters because I am part of an organisation which values knowledge and information”

When processing information, there are a number of legal obligations placed upon the Council that will inform the way Information Management is applied. In addition, there are a variety of standards, principles and best practices which have been adopted to improve the way the Council handles information. The most important of these are shown below.

• The Data Protection Act 1998
• The Human Rights Act 1998
• Freedom of Information Act 2000
• Local Government Act 1972
• The Public Services Network Code of Connectivity
• Information security management systems - ISO/IEC 27001:2013
• Information and documentation - Records management - Part 1: Concepts and principles - ISO 15489-1:2016
• Information and documentation - Management systems for records - Fundamentals and vocabulary - ISO 30300:2011
• Information and documentation - Management systems for records - Requirements - ISO 30301:2011
• Information and documentation - Principles and functional requirements for records in electronic office environments - ISO 16175:2011
• Payment Card Industry Security Standards Council - Data Security Standard 3.2:2016

To ensure that the Council achieves and maintains compliance with standards and legislation, the following Information Management key principles have been developed. These principles will be shared widely throughout the organisation, placed on our intranet and internet sites and will be used to guide the production of the associated policies, procedures and training, known as the Information Management Framework.


Information Management Key Principles

Key Principle 1: Collecting & Storing Information

• We will only collect, process and store information we need to fulfil our obligations and duties.

• We will ensure that all information is stored securely and disposed of/archived appropriately.

Key Principle 2: Compliance

• We will comply with relevant legislation in respect of how we manage information and we will comply with the relevant codes of compliance and guidance issued by relevant authorities including the Information Commissioner’s Office.

Key Principle 3: Confidentiality and Security

• We recognise that we hold a duty of trust to the residents and businesses that we hold information about and undertake to protect the confidentiality, integrity and availability of this information.

Key Principle 4: Sharing Information

• We may share data with other organisations where it is necessary to do so to fulfil our obligations or there is a legal requirement to do so. Where relevant we will comply with published guidance and codes of practice on information sharing. Where information is regularly shared with external organisations an Information Sharing Agreement will be in place that will document the legal basis for the sharing.

Key Principle 5: Publishing Information

• We will publish data via our website (and in alternative formats when required) where we have an obligation to do so – including the government Code for transparency and open data (2015), including information covered by the Freedom of Information Act 2000, and the Environmental Information Regulations 2004.

Key Principle 6: Accessing Information

• We will allow both individuals and businesses to access records we hold about them to check for accuracy, correct any errors and to keep information up to date except where such information is restricted in accordance with legislation or codes of compliance.


Collecting and Storing Information

The Council will provide officers/members with the right tools and knowledge for managing all information and records throughout their lifecycle, so that everyone knows what information is available to them, why it is being held, where it is stored, who has access to it and for how long it should be retained. This will be attained through a series of comprehensive policies and guidance that will:

• Show when and where they need to be applied so officers/members can easily see what is necessary
• Ensure policies are focussed towards Council business and only apply the relevant standards so that we comply where it is necessary and in a way that is beneficial and cost-effective to the Council.
• Describe clearly the need for confidentiality and protective marking
• Ensure requirements reflect our changing focus and make full use of available IT resources
• Be widely published and distributed through the Council to ensure everyone is aware

Compliance

The Council will ensure that all Information Management policies and training comply with all legislative guidance and are clear about who is responsible and accountable for compliance. For example, all staff are required to comply with the DPA. Compliance with this strategy and associated policies and guidance will be through the following:

• Quarterly reporting of Freedom of Information Requests and reported breaches to Information Management to Corporate Leadership Team
• Quarterly reporting of Key Performance Indicators to Corporate Leadership Team, Overview & Scrutiny Performance Sub-Group and the Executive.
• Annual Information Management Audit performed by the Information Management Officer with results and action plan for improvement reported to Corporate Leadership Team.
• RIPA Audit
• Information Commissioner Audit

The Council will ensure that vital information and associated procedures are included in the business continuity and emergency planning/recovery model. This will ensure that vital information is both suitably protected and readily accessible even in times of crisis.

Confidentiality and Security

The Council is aware of the associated risks around collecting, using and storing information and therefore will develop a proactive, planned, proportionate approach to risk and security.


The response to managing information risk will be appropriate and balanced with business need, enabling staff to do their jobs whilst safeguarding information. The Council will have effective security policies and will monitor to ensure that procedures for handling breaches are strictly adhered to, and that lessons learnt are incorporated into policies and ways of working. The Council will develop and implement a document and security classification system that allows documents to be managed and secured appropriately.

Sharing Information

The Council routinely shares information with partners and 3rd party organisations in the delivery of its services and while working with partners. Information shared with partners must be protected appropriately, depending on the classification of the document. Whilst ensuring that information is properly protected, we will appropriately and effectively share information in order to protect and inform the public, for example, sharing via the Police Hub to prevent harm to individuals or groups. If a member of the public makes a request to access information, either held in paper format or electronically, we will only disclose information to that person or to a person authorised by the data subject to act on their behalf. The Council will verify the identity of the person making the request and may charge the prescribed fee before disclosure is made.

Publishing Information

Where we are required to do so (under the Openness of Local Government Bodies Regulations 2014 and the Freedom of Information Act 2000 etc.), we will publish information on our website. Data published in this way will be corporate information, including information such as performance measures, service targets, expenditure, census data or data shown in a spatial context. It will be anonymous or aggregated to protect personal information except in circumstances where legislation allows us to do so or tells us we must – for example senior management salary information, public registers and planning applications. Information published by us may be covered by copyright or licence restrictions.

Training and Development

Good Information Management skills will be seen as a core skill for all officers and members. The Council will work to develop a culture where Information Management skills are recognised and given the same recognition as skills such as management, communication, project management and finance.


The Council will further develop its Information Management Training Programme and it will be compulsory for all officers and members to undertake Information Management Training as part of the Mandatory Training Programme/Members Development Programme. Training will be provided in Data Protection, Confidentiality, Freedom of Information and Information Management. Monitoring and compliance will be performed by the Information Management Officer and reported to Corporate Leadership Team on a six-monthly basis.

The Information Management Framework

To further support the Council’s Information Management framework, we shall develop and maintain a number of local policies which support and embed information processes. The key policies will be:

• Data Protection Policy;
• Freedom of Information Policy;
• Information Sharing Policy;
• Records Retention and Disposal Policy;
• Information Management Policy;
• Information Security Policy.

Monitoring of Strategy Implementation

The implementation of this strategy will be monitored via the Delivering Differently Business Theme Working Group and the Delivering Differently governance processes.