Audit INFORMATION GOVERNANCE STRATEGY AND POLICY

Transcription

1 Audit INFORMATION GOVERNANCE STRATEGY AND POLICY NOTE: This is an updated version of the first Information Management Strategy approved by the Executive. It contains additional information and opinion. Document history Date Version Author Changes made 28 July 08 Draft 0.1 Rita Hall Initial version 16 October January August August 2011 Draft 0.2 Rita Hall To incorporate changes following the review by Linda Williams Draft 0.3 Rita Hall To incorporate changes following the feedback by MB and HOST 1.0 Geraldine Sharman To update Information Management Strategy and develop Information Governance strategy following appointment of Records Manager 1.1 Geraldine Sharman Update after comments from ICT manager 25/8/ Geraldine Sharman Update from Keith Bush and Rita Hall s comments Approvals Name Signature Role/Title Date Cllr Keith Bush Councillor 23/8/11 Rita Hall Head of Corporate Resources 23/8/11 Document Filename and Location: Filename: Surrey Heath Information Governance Strategy and Policy Format Version Filepath Owner Draft Draft 0.1 Rita Hall Published 1 Draft Draft 1.0 G:\Apps Gen\OnBase EDMS\Information and Knowledge Management\Information Management\Information and Records Management Policies\Information Governance Strategy and Policy Geraldine Sharman Information Governance Strategy and Policy (paper submitted to Exec Oct 2011).doc 1 Created on 17 June 2011

2 1. FOREWORD from the Chief Executive 1.1. Foreword Public authorities rely on the collection of an ever-increasing amount of information to inform their strategies and plans to provide community and regulatory services. Surrey Heath Borough Council is no different in this respect and must have in place an effective framework for collecting, accessing, storing, sharing and deleting the information. Moreover the Council needs to be open in the way it does its business, in particular in how it delivers local services to local people and in how it makes decisions. The councils of today must be in a position to provide easily accessible and understandable information about their services and the decisions they make. Over the past few years all public authorities have been making increasing use of advancing technology: computing equipment in general, the Web, mobile phones and touch screens. Through making better use of these new technologies and more effective ways of working, this Information Governance strategy and policy sets out how the Council will manage the information that it has to best ensure that the Council is effective in providing services that its citizens want, protecting the information whilst complying with its statutory and regulatory responsibilities, and also in demonstrating transparent and accountable decision making Reasons for Revision This Information Governance Strategy and Policy has been developed in response to the Approval of Strategy document which went before the Executive on 10 February There have been a number of changes in Information Management since then. A term which is being widely used by public authorities is Information Governance. It is a framework to bring together all of the requirements, standards and best practice that apply to the handling of information. It is now often seen as the parent of Information Management. It allows organisations and individuals to ensure that information is accurate, dealt with legally, securely, efficiently within certain regulatory and Information Management standards frameworks. Although this document aims to focus on Information Governance it is at the same time talking about Information Management. These words are often seen as interchangeable, although the governance element is more about ensuring compliance with rules and procedures, particularly if they are regulatory. Information Governance is the phrase which is achieving greater use in the 21 st century as Information Management evolves into Information Governance. Information Governance is also about how roles and responsibilities are defined, about what information functions there are. Information is also evolving from different mediums e.g. social media. The Council needs to ensure that any information produced by its staff is created and managed in a secure, professional way. The Council now has a Social Media Policy which applies to both staff and Councillors. There is a growing movement within business and government (including local) to treat information as a key shared asset in the same way as Property or Finance, and it should be managed accordingly. All information which is produced on behalf of the Council is a corporate resource and belongs to the Council. It forms part of the Council s Corporate Information Governance Strategy and Policy (paper submitted to Exec Oct 2011).doc 1

3 Memory. However information is not an end in itself and must support the business needs of the Council. There are several major initiatives which the Government have instigated such as transparency and the drive to greater use of partnerships to deliver services and solve problems. There are also many different government standards which we have to comply with. Greater demand for openness or transparency means that information has to be easily accessible and able to be extracted. Information management and governance has important implications for the success or failure of each of these initiatives. According to Society of Information Technology Managers, managing information is managing the lifeblood of the organisation. The government is demanding transparency from the public sector and wants more information proactively made available. There has been a raft of new legislation in the last few years which has placed new obligations on Councils. There are regulations which require us to provide information within given time scales, to make information more accessible and to guard people's rights. In order to comply we must ensure we manage our information effectively, taking into account these new legal requirements. Below is a list of recent legislation which affects some or all services and are drivers for Information Governance: Data Protection Act 1998 Human Rights Act 1998 Freedom of Information Act 2000 Environmental Information Regulations 2004 Intellectual property Rights (Copyright) Local Government Acts Electronic Communications Act 2000 Regulation of Investigatory Powers Act 2000 Misuse of Computers Act 1990 Consumer Protection Regulations 2000 The Electronic Commerce Directive Re-use of Public Sector Information Regulations 2005 In order to comply with legislation and to ensure the Council manages its valuable information assets effectively, it is important to set out a strategic, corporate approach to information governance that becomes a shared vision across the whole organisation., The strategy set out in this document will (once adopted) deliver a direction and framework in which to operate, and a springboard from which the council can further improve its services in a more cohesive manner through the improved provision of, and accessibility to, information held by the Council. There have been a number of high profile losses of public sector data. This has undermined the public s confidence in the public sector being able to manage people s personal data. Although we have the Data Protection Act guidelines have been issued to Local Government on Data Handling and also by the Information Commissioner s Office which are aimed at helping senior managers discharge their responsibilities in and accountability for secure and effective handling of personal information which we need to comply with. 2. SURREY HEATH INFORMATION VISION Information Governance Strategy and Policy (paper submitted to Exec Oct 2011).doc 2

4 Information Governance is at the heart of the way in which we deliver service to the public. It can be a building block of our corporate memory, which enables us to discharge our responsibilities for public accountability. If we do not have consistent and accurate information we cannot optimise our efficiency or measure the improvements; in order to achieve this, our information will be: (a) (b) (c) (d) (e) (f) (g) (h) Available - Our information will be available to those who need it, when they need it and who have the permissions to view or use it. This will include improving responsiveness to requests for information. We will avoid information overload and target information where it is needed. Accessible - Our information will be clearly identified and easily found when it is needed, in a timely fashion, by anyone with authority who needs to access it. We will maintain a clear information structure using a corporate file plan. We will share and exchange information efficiently where necessary. Electronic - Our information and documents will be stored electronically. Over time, we will evolve our policies such that we will endeavour to only keep paper records where there is a legal requirement to do so. Secure - We will ensure that there are controls in place when we store and transfer information, so that the information itself is protected and any risks associated with inappropriate disclosure are reduced. We will record the confidentiality of information. Non confidential information will be openly published. A revised IT security policy is being produced. Managed throughout its lifecycle - It is essential that information is only kept for as long as necessary, whether it is through a legal requirement or a business need. Information when it is no longer required should be disposed of in a secure manner in line with our retention and disposal policy. Information assets - make full use of our information assets Generate an information culture Information should be managed in a common structured system. This encourages collaborative working and reduces duplication of work. Training - Implement a training programme to encourage staff to manage, share and work with information in a corporate way to ensure all of the above. In summary, the vision is about connecting people 2 with the information 3 they need 4, whilst also keeping it safe 5 and secure 6 over its life-cycle. Achieving it is critical to the success of our organisation. Recommendation: That the Surrey Heath Vision on Information Governance is accepted and widely disseminated. 3. INTRODUCTION Information, in all its forms, whether electronic, paper-based or in people s heads, is our second most important resource after our people. There have been a number of 2 Colleagues, customers, citizens, suppliers, partners, contractors 3 Documents, s, case papers, project files, web pages 4 Rather than a deluge of information they don t need 5 From internal and external threats 6 With controlled access and versioning Information Governance Strategy and Policy (paper submitted to Exec Oct 2011).doc 3

5 strategies for managing information (e.g. Information Security Policy, Freedom of Information policy, Data Protection policy,) but the Information Governance strategy and policy will act as the overarching strategy. Information is a corporate resource, to be shared and used as effectively as possible, it is not owned by the individual who created but by the authority. It should though be decentralised to its point of prime use. Information Management has been defined as the means by which an organisation efficiently plans, collects, organises, uses, controls, audits disseminates and disposes of its information, and through which it ensures that the value of that information is identified and exploited to the fullest extent. In Managing Information: managing the lifeblood of the organisation Society of Information Technology Managers endorses a statement by Sir Gus O Donnell, the current Cabinet Secretary and Head of the Home Civil Service in Information Matters, Government Information Management Strategy Successful societies and economies in the future will depend on how well they enable information to be appropriately shared while maintaining essential protection for those on whose behalf the information is held. They will depend on how well they learn from the information they hold, and how they use it to create new value, and on how well they deal with the new challenges that digital information presents, whether around security, sustainability and privacy 7 Security, sustainability and privacy are concepts we should always consider when producing or working with information. Information Governance covers a vast canvas. We can never expect to achieve perfection, but we have massive scope to improve our practice by a range of improvements to our policies, frameworks, technology and training, and by seeking to promote a culture which recognises and delivers our information management vision. Failure to manage information properly within SHBC exposes the council to a significant financial, legal, public relations and potentially manpower-shortage risk. When reviewing or implementing technologies, Information Governance should be a consideration. To help develop the Council s Information Governance Strategy and Policy, OnBase has been accepted as the Electronic Document Records Management system of preference. Systems should be developed to work with it where necessary. OnBase can often manage the records, whilst a different front end system will be seen by users. Recommendation: Information Governance will be considered when reviewing technologies Recommendation: All future application developments will be considered and integrated where possible with OnBase if document storage links are required 4. PURPOSE As was explained earlier, this document updates the Information Management Strategy. The paper includes a number of recommendations for The Executive to acknowledge as well as endorsing the strategy paper. 7 Information Matters, Government Information Management Strategy Information Governance Strategy and Policy (paper submitted to Exec Oct 2011).doc 4

6 The Information Governance Strategy and Policy is about how Surrey Heath creates, communicates, stores, uses and distributes the information we need to deliver our services and corporate objectives. It covers all information in all formats - paper, electronic (including graphical, audio and video files) and, so far as feasible, that is held in people s heads. The strategy will add value to the information resources used by the authority and will promote efficiency. It will show customers and citizens that the Council has a commitment to providing high quality information and takes its role as the custodian of information seriously. Below is the Information Governance wheel and the elements which need to be addressed to achieve it: Information Governance Strategy and Policy (paper submitted to Exec Oct 2011).doc 5

7 Key IT Security Audit Information Technology Security Audit Info Audit Information Audit EDRM Electronic Document Records Management RM Policy Records Management Policy FOI Freedom of Information EIR Environmental Information Regulations Information Governance Strategy and Policy (paper submitted to Exec Oct 2011).doc 6

8 DPA Data Protection Act Information is different from every other resource when it is produced and used, it increases rather than decreases. But this brings risks information overload, breach of confidentiality, multiple versions of the truth. Recommendation: Accept the Information Governance wheel as the elements of an Information Governance Strategy and Policy which should be addressed by Surrey Heath Borough Council. There is a great deal of confusion between Information Technology and Information Governance. This has led to relatively too much effort being spent on managing information technology, and relatively too little spent on managing information. Information Governance is concerned with the actual meaningful content that we own and how that content is prepared and its quality ensured. Information Technology helps with the dissemination and spreading of that content, but the entire Information Technology infrastructure in the world is of no use if the core content is of poor quality. To take an analogy from the publishing world, Information Governance is analogous with the writing and editing of a book, whereas Information Technology is analogous with the printing and distribution of the book. Both processes are important, but Information Technology must always support the Information Governance, not the other way round. There is no point printing and distributing a book if the content is not useful. This should not be taken as implying that Information Technology is unimportant. A welldesigned Information Technology architecture aids information governance by facilitating the key Information Governance processes. Information Technology is not Information Governance. For example, a well-designed Electronic Document Records Management system makes it a simpler task to find all the information on a particular subject and ensure the correct/latest version is being used. But if there are not well-designed processes in place, with associated roles and responsibilities, to mandate using the systems the technological ability of the Information Technology infrastructure is wasted. Recommendation: OnBase, which is an Electronic Document Records Management system, to continue being adopted across the whole Council. 5. OBJECTIVES OF INFORMATION GOVERNANCE The objectives of the Information Governance Strategy and Policy are based upon the Information Governance wheel: (a) (b) (c) To instil an understanding of the importance, and an appreciation of the potential, of effective information governance. To help develop awareness, understanding and to promote the application of good practice in handling information, and develop skills in this area. To define what Surrey Heath considers are the principles and practice of good information management and to reduce risk Information Governance Strategy and Policy (paper submitted to Exec Oct 2011).doc 7

9 (d) (e) (f) (g) To identify the changes and investments needed to deliver the Surrey Heath Information Vision connecting people with the information they need whilst also keeping it safe and secure over its life-cycle. To support Surrey Heath s ambition to improve processes, to improve customer services, to become more efficient and to reduce costs. To ensure that Surrey Heath takes advantage of technology advances appropriate to conducting the Information Governance processes within the council. To ensure business continuity and protect vital records to ensure the continued functioning of the Council if any disasters affect the Council 6. INFORMATION GOVERNANCE WHEEL 6.1. Information Rights Information Rights is a global term for Freedom of Information, Environmental Information Regulations and Data Protection. They are statutory functions and the information needed to comply with requests under these rules has to be gathered from across the Council. It is therefore essential that all our systems can be accessible and searchable to retrieve the information needed. Part of the Freedom of Information Code of Practice acknowledges that information is not held if it is managed in line with retention and disposal schedules. We need to ensure we comply with these regulations and guidance from the Information Commissioner s Office to reduce the number of complaints to them. There needs to be policies on each of the areas and staff be made aware of their responsibilities as part of on-going training Information Security Ensuring the security of the Council s information, both from internal and external sources is paramount. As well as information being available to the people who need it, it also needs to be protected from those who should not use it. As part of Information Governance the Council has a Network and ICT Security Policy and Procedures which covers all business functions and information contained on the IT Network and the relevant people who support the Network Information Assurance is managing information-related risk. As part of Information risk there needs to be an information risk register. Examples of information risk which should be assessed include whether disaffected staff could do damage to information systems if they are given access to them or the risks associated with information falling into the wrong hands. Government Connect (GCSX) enables secure data sharing up to Restricted level across government. It is a key enabler of joined up working and shared services. To be a member of this community we have to instigate number of procedures including Protective Markings. There is an annual process of accreditation we have to undertake to continue using Government Connect. Rightly, much publicity has been made about the loss of sensitive data from public authorities. Both members of the public and staff should expect that any personal Information Governance Strategy and Policy (paper submitted to Exec Oct 2011).doc 8

10 information given to the Council is stored and transferred when necessary safely and securely. Guidance has been given to Local Authorities on Data Handling and the recommendations must be implemented across the Council. This includes appointing a Senior Information Risk Owner and ensuring staff understand through training and guidance their responsibilities when handling personal protected information Management has become an important part of the recording of decisions within the Council and hence much of the Corporate Memory is stored there. It is important that the lifecycle is correctly and securely managed. It must be treated as a business communication and not an ephemeral tool. An management policy was approved by the Management Board on 19 July From this all councillors, new and existing staff will be trained in management. Guidance will be given to staff and Councillors individually and also on the Intranet. As part of the management policy staff must manage their s as they would documents. This is the Archive element on the Information Governance wheel. s will be deleted after three years. If they are needed as records and to comply with different retention and disposal schedules they must be moved out of Outlook Audit It is essential for Information Governance that Surrey Heath Borough Council maintains an on-going IT Security Audit of network maintenance, patching and upgrades, and notifies the Governance Working Group of any breaches and hardware failures affecting the loss of data. An information audit identifies where information is located, its flow and how accessible it is. It should also look at the information needs of the Council and compare them with the systems that are in place to meets those needs and see if there are any gaps. It would be useful to help in assessing an information strategy s success as it can be used as a performance measurement. It is important when doing an information audit to match it against the organisations objective. An information audit was carried out a few years ago but needs to be revisited as part of the role out of OnBase. As well as investigating the information needs of Surrey Heath, the audit also needs to record the Council s information assets. As part of the Freedom of Information publication scheme and also a need for greater transparency there is a requirement for an information asset register Records Management According to ISO 15489: Information and Documentation - Records Management a record is information which is created, received and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of its business. A record is a primary source of information. Records Management is the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records Information Governance Strategy and Policy (paper submitted to Exec Oct 2011).doc 9

11 A Records Management Policy was approved in November 2004 as the Freedom of Information Act was introduced. The following statements were approved in the Policy and are still applicable. Policy Statements The Council recognises that its records are an important public asset and a key resource for the effective conduct of its activities. The Council is committed to the creation, keeping and management of records that properly document its principal activities. A revised Records Management Policy to include the introduction of Electronic Document Records Management is required as is guidance and training for staff in records management good practices. Retention and Disposal is about managing the lifecycle of a record. As well as creating documents there is a need to decide how long a record is kept. Both the Freedom of Information Act and the Data Protection Act require that data should be kept for no longer than is necessary for the purpose it was created. If we destroy documents in line with the Council s retention and disposal policy then if requested in the future, there is no retort on the Council. Conversely, if the Council still held the documents, but should have been destroyed then they are required to be disclosed. Some legislation states how long a record should be kept; other retention periods are devised from guidance or departmental policy. Retention and disposal policies are applied to the information and not the media in which it was created e.g. Word documents, s. In the Management policy approved by Management Board it was agreed that accounts will be deleted after three years. This does not mean that the retention period for the content of the s is three years. It is important that staff and Councillors move the s out of Outlook into either shared drives or OnBase if the retention period for them is longer than three years. Surrey Heath s current retention and disposal policy was approved in December A review of this document is now required. Retention and disposal schedules should be applied to all documents and is an essential feature of OnBase to ensure it is managed correctly. Electronic Document Records Management (EDRM) allows a corporate approach to filing and storing information. It helps provide the corporate memory of the Council. OnBase is the system being implemented for varying functions across the Council. All documents and s the Council creates can be stored in OnBase making it easy to publish, access, find and retrieve in the future. It can be used to assist with Information Rights queries, research by Council staff and records management. It will be able to help access information from both current and previous members of staff. The work plan to implement OnBase is controlled by the Information Management Working Group within Corporate Resources Training Information Governance Strategy and Policy (paper submitted to Exec Oct 2011).doc 10

12 Training is at the core of Information Governance. It is important that at all stages, Councillors and staff are fully aware of their responsibilities when it comes to managing information. Policies and procedures can be put into place but it is the responsibility of all to understand that the information they create and use is the property of the Council and is not just for here and now but as part of the corporate memory. Information and particularly Personal Protected Information is an important resource. Many data losses are not done deliberately but they can have serious consequences. Councillors and Staff must be made aware on how to handle information correctly. The Information Commissioner s Office is being given greater powers to investigate any data breaches. Training will be delivered in a variety of different formats including face to face, induction and the intranet. Recommendation: The individual elements of the Information Governance wheel to form the basis for Information Governance across Surrey Heath Borough Council Recommendation: Guidance/training on Information Governance to be rolled out to staff and Councillors 7. RESPONSIBILITIES FOR INFORMATION GOVERNANCE 7.1. The Council Overall responsibility for the efficient administration of the Information Governance lies with the Authority Senior Information Risk Owner As the governance of information and the protection of personal information are important a senior member of staff should be appointed as the Senior Information Risk Owner. This role is laid down in the Guidelines on Local Government Data Handling. The Senior Information Risk Owner (SIRO) is responsible for ensuring that information governance is embedded into the organisation to ensure that the potential risks to corporate information and records are mitigated. It has been agreed that the Section 151 Officer will be the SIRO Governance Working Group In both the Guidelines on Local Government Data Handling and the Information Governance toolkit it recommends an Information Governance Group. As there is an existing Governance Working Group, they will be responsible for ensuring coherence, clarity and consistency in the way information is governed in the Council. This will include monitoring information governance across the Council Records Manager and ICT Manager The Records Manager and ICT Manager will be responsible for: Co-ordinating all the Records Manager initiatives and contributing to the Corporate Resources Business Plan Information Governance Strategy and Policy (paper submitted to Exec Oct 2011).doc 11

13 Providing operational work and support including training, query resolution, incident support and legal compliance requirement e.g. Data Protection Act 1998 and Freedom of Information Act Information Security Officer Responsible for security of the Council network and infrastructure 7.6. Information Champions These are members of staff within directorates who will liaise with the Records Manager and ICT on all matters concerning administration of the Strategy. It is suggested that there will be one representative from each service area. In particular they will assist where necessary in ensuring compliance in respect to information management systems and ensuring awareness of the need for information governance within their directorate. This applies particularly to Personal Protected Information. They will also act as a liaison on using OnBase within their service area. Additional training will be provided on Information Governance and OnBase Managers Managers are responsible for ensuring that staff under their direction and control are aware of the policies, procedure and guidance laid down on Information Governance and for checking that those staff understand and appropriately apply policies, procedures and guidance in respect of Information Governance in carrying out their day to day work All staff It is the responsibility of all staff to process information in accordance with the Data Protection Act 1998 and to adhere to the policies, procedures and guidance that are laid down by the Council for information governance and security. Recommendation: To accept that the Section 151 Officer will be the holder of the Senior Information Risk Owner role and that the Governance Working Group will monitor Information Governance across the Council. 8. MONITORING COMPLIANCE WITH, AND THE EFFECTIVENESS OF, THE INFORMATION GOVERNANCE STRATEGY AND POLICY Compliance with this Strategy will be monitored through its associated policies and the Corporate Resources work plan Information Governance Strategy and Policy (paper submitted to Exec Oct 2011).doc 12

14 GLOSSARY TERM BS7666:2006 CONTENT CORPORATE GOVERNANCE DATA DOCUMENT MANAGEMENT FREEDOM OF INFORMATION ACT: SECTION 46 CODE OF PRACTICE INFORMATION INFORMATION ASSURANCE INFORMATION DESCRIPTION A collection of data describing the addressing of locations. The British Standard for address representation, in particular with reference to gazetteers. Surrey Heath s Local Land and Property Gazetteer complies with this standard, and submits changes to the National Land and Property Gazetteer. Content can be seen as a composite of various pieces of information. The content of a book can include a table of contents, chapters, paragraphs, index, and bibliography. A web page is an example of digital content. It can contain text, pictures, graphical elements, interactive fields, links to other resources, navigational links to the rest of the site, audio files and video clips. The processes and procedures which ensure an appropriate level of responsibility and accountability in the direction of the organisation 8. Numbers, characters, images or other methods of recording, in a form which can be assessed by a human or (especially) input into a computer, stored and processed there, or transmitted on some digital channel. Computers nearly always represent data in binary. Data on its own has no meaning, only when interpreted by some kind of data processing system does it take on meaning and become information. Software that controls and organises documents throughout an enterprise. Incorporates document and content capture, workflow, document repositories, output. Section 46 of the Freedom of Information Act 2000 requires the Information Commissioner to issue a Code of Practice on the management of records. Information tells us something about a physical object, a person or a process or activity. Information is something which can be communicated to other people in a meaningful way. Information is data which is put into context and can be comprehended, understood and shared with other people and machines or both. The practice of managing information-related risks. IA seeks to protect and defend information and information systems by ensuring confidentiality, integrity, authentication, availability, and nonrepudiation. These goals are relevant whether the information is in storage, processing, or transit, and whether threatened by malice or accident. IA is the process of ensuring that authorised users have access to authorised information at the authorised time Information governance is the organisation of the administration of Information Governance Strategy and Policy (paper submitted to Exec Oct 2011).doc 13

15 GOVERNANCE INFORMATION MANAGEMENT ISO 15489:2001 METADATA RECORD RECORDS MANAGEMENT the legal, security, regulatory and standards framework for information management. Information management is a set of processes and procedures used to collect and manage information from one or more sources and the distribution of that information to one or more audiences. It involves organising, acquiring, storing, retrieving, maintaining and delivering the information It provides guidance on managing records of originating organisations, public or private, for internal and external users. All the elements outlined in ISO are recommended to ensure that adequate records are created, captured and managed. Metadata is "data about data", of any sort in any media. Metadata are used to facilitate the understanding, characteristics, and management usage of data. The metadata required for effective data management vary with the type of data and context of use. Some metadata can be derived automatically from clever information technology (for example, automatically adding a last revised date to a document). Other metadata must be added by hand (for example, a list of documents). Information created, received and maintained as evidence and information by an organisation or person in pursuance of legal obligations or in the transaction of business. (Records Management Standard BS ISO 15489). A digital record will usually be held in a database. Records Management enables an organisation to assign a specific lifecycle to individual pieces of corporate information from creation, receipt, maintenance and use to the ultimate disposal of records. Records are essential for the organisation; they hold evidentiary value of a business decision or are kept for compliance reasons. A record has strict rules associated with it and is mainly kept in a separate repository from normal working documents Information Governance Strategy and Policy (paper submitted to Exec Oct 2011).doc 14