Lancashire County Council Information Governance Framework

Transcription

1 Appendix 'A' Lancashire County Council Information Governance Framework

2 Introduction Information Governance provides a framework for bringing together all of the requirements, standards and best practice that apply to the handling of information. It encompasses efficient ways of handling records and information, risk management and compliance. The need for information governance stems first and foremost from the council's responsibility towards its citizens and customers. This is a challenge for all public sector organisations and is high on the council's agenda. Access to reliable information is an indispensable component of meeting our core objectives and there is an increased need to focus on the overall value of information protected and delivered. We often underestimate the value, importance and legal responsibility associated with the information we use every day. There can be a fine balance to maintain between keeping information safe and accurate, and sharing it when needed. The council holds and processes huge volumes of personal and sensitive information which is necessary for the efficient and effective delivery of services. Consequently, and recognising the size and diversity of the council, an information governance framework that is flexible and responsive to changes in risks and to services delivered is essential. The council is committed to preserving the confidentiality, integrity and availability of all its physical and electronic information systems and records in order to provide assurance that the organisation manages its information risks: So that the needs of service users and citizens and the requirements of corporate governance are met; To establish confidence that partnership arrangements involving sharing and exchange of information are legal and secure; To establish that designed and implemented security features are effective; To provide confidence that services and products offered by third parties manage information risks on behalf of the council in a way which is adequate and fit for purpose. The need for a comprehensive information governance framework also arises from: Legal (legislation and common law), regulatory and contractual requirements; Corporate governance; Business and service delivery; Protecting the public purse; Business continuity requirements; Each of these imposes significant demands on the council.

3 Scope of the Framework The scope of information governance, taken at its widest, includes the management of information in all locations and all media. It includes structured information in databases and unstructured information in paper and electronic files. It includes s and transient documents, work in progress and telephone notes. It includes blogs, wikis and discussion threads. It includes vital records essential to the continuation of council business and long-term records that must be preserved through many generations. The framework relates to all of the council's functions that fall within the direct responsibilities of the core directorates, i.e. Office of the Chief Executive; County Treasurer's Department; Directorate for Children and Young People; Adult and Community Services Directorate; Environment Directorate; and; Lancashire County Commercial Group. The framework encompasses all data owned by the council and used in the delivery of its services and statutory responsibilities. This includes any information that is held by the council on behalf of another agency. Each school within Lancashire is responsible for the management and governance of its own information and are also individually registered as data controllers under the Data Protection Act. Schools are therefore treated as separate third party organisations within the context of this framework. One Connect Limited is a joint venture partnership established between Lancashire County Council and BT. One Connect Limited is an essential partner in the implementation of the council's information governance framework.

4 Document purpose and structure This document forms the core of the council's Information Governance Framework and is designed to provide a concise overview of the council's approach to information governance. It includes the Information Governance Strategy, defining the corporate aims and objectives for information governance, and the overarching Information Governance Policy that sets out the policies, standards and best-practice that apply to the handling of information and the provision of information assurance needed to deliver the strategy. The document is structured as follows: Part 1 The Lancashire County Council Information Governance Strategy. 1. Purpose and aim of the strategy. 2. Strategic objectives. 3. Annual priorities and implementation 4. Business considerations and success measures. 5. Strategy governance. Part 2 The Lancashire County Council Information Governance Policy. 1. Scope and principles. 2. Policy governance. 3. Approach Framework definition Maturity assessment Information risk management Training and awareness Information sharing. 4. Compliance. 5. Key roles and responsibilities. Appendix A The Information Assurance Policy Framework. Appendix B Legislative and best practice references.

5 Part 1 The Lancashire County Council Information Governance Strategy. 1. Purpose and aim of the strategy. This strategy recognises the high standards expected of all public bodies as well as the scale of the ongoing task of maintaining appropriate standards of security and to fully embed the security culture throughout the organisation in a rapidly changing and challenging environment. The use of records and information is integral to much of the council's work. Typically this will be a mix of public domain information which should be accessible under the Freedom of Information Act, personal data protected by the Data Protection Act, and other confidential or business sensitive information. The aim of this strategy is to ensure that the council meets its information management and security responsibilities ensuring that internal and external customers, partners and suppliers have the confidence that information, both personal and non-personal, is handled and stored with due regard to its value and risk, where individuals understand the importance of using it correctly, sharing it lawfully and protecting it from improper use. These requirements for security, integrity and accessibility must be met as part of service delivery and the primary means of achieving this is to follow good information handling practices. Although there is an increasing emphasis on the electronic delivery of services and storage of information we continue to retain a significant proportion of our information in more traditional manual formats and this cannot be neglected in our aims and ambitions. 2. Strategic objectives These are the overarching information governance goals of the council from which the council's improvement programme priorities and objectives are derived. To support the realisation of corporate strategy and the continual improvement of council services. To ensure that the infrastructure and processes for service delivery can provide the right information to the right people at the right time for the right purpose. To identify and support effective practice in the management of information across all business areas, including preventing duplication of effort and enabling efficient use of resources. To work with all partner organisations securely and in support of the council's strategic objectives. To work to achieve required standards to comply with legislative, regulatory and contractual obligations and relevant policies. To implement and operate proportionate controls that apply best practice standards to protect information assets and give confidence to all interested parties. To Identify and manage information assets corporately and introduce an information risk management regime that balances risks with opportunities.

6 To provide adequate training and awareness for all staff and key partners and embed a culture of care and responsibility in the handling of all information throughout the council. To implement efficient and effective information sharing arrangements to support service delivery. To implement efficient and effective data quality arrangements. To ensure that the information governance framework acts as an enabler to business and service transformation programmes and that information assurance practices are embedded within the design and roll-out of such programmes. 3. Annual priorities and change programme Continual improvement of the information governance framework is also a key strategic objective. The improvement programme is designed to implement change within the strategic objectives defined in this strategy. The annual improvement programme will define each agreed project for the year and will be implemented in accordance with the stated governance arrangements and the approach detailed within the Information Governance Policy (Part 2 of this document). 4. Business considerations and success measures. Activities undertaken in relation to information governance and assurance must have a relationship with council business and as such all associated activities are to be regarded as support activities to the business. In delivering advice on the governance of information, four key factors are engaged: People Process Information Technology In delivering solutions and services for the council's business, information governance and assurance will have regard to these factors alongside core business requirements such as records and knowledge management. Business Benefits will include: Improved council performance: Consistent and effective management of information across the council. Increased understanding of, and compliance with, relevant legislation. Reduced number of information security breaches. Reduced civil actions and complaints against the council as a result of poor information management, saving staff time and effort. Improved data quality. Clear responsibilities in relation to information governance and assurance. Effective management of information risks. Greater confidence that information risks are effectively managed within transformation programmes.

7 Better Information Sharing: Improved information sharing compliance. Improved protection of children and vulnerable adults. Better deployment of operational resources. Increased willingness of partner agencies to share their information. Less bureaucratic processes for sharing information. Increased public confidence: Improved customer satisfaction. Increased confidence in the management of personal information. Achieving maturity towards the strategic objectives will enable the council to generate greater trust in its information systems and processes, both internally and between trusted partners. This will be particularly important in the context of shared services and collaboration. The success of this strategy will be determined by improvement in maturity as measured using the criteria contained within the NHS IG Toolkit and the IAMM 1 and the business benefits this brings. 5. Strategy governance This strategy is owned by the Senior Information Risk Owner (SIRO) but the Corporate Information Governance Group (CIGG) is responsible for monitoring and reporting progress on the improvement programme throughout the year. The information Governance Strategy will be implemented in line with the agreed approach within the Information Governance Policy. Annually, CIGG will agree the improvement programme for the coming year, based on agreed priorities and available resources. CIGG will assign a lead officer responsible for the day to day management and implementation of each project contained within the programme. The SIRO will annually ratify the improvement programme agreed by CIGG.. 1 The Information Assurance Maturity Model is described in Part 2 section 3.2

8 Part 2 The Lancashire County Council Information Governance Policy 1. Scope and principles This policy is designed to outline the framework and principles of information governance adopted by the council to ensure that its information is properly protected and used effectively. A range of appropriate policies, procedures and management arrangements have been agreed to support the overall policy and ensure that the council can meet the strategic aims 2 of its information governance arrangements. Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a key component of how the council serves its customers. The goal of a holistic approach to information governance is to make information assets available to those who need them, while streamlining management, reducing storage costs and ensuring compliance. This, in turn, allows the council to reduce the legal risks associated with unmanaged or inconsistently managed information and to be more agile in response to changing environments. The Policy must also support the council's compliance with all legislation that is relevant to the use and management of information and to the requirements and best practice defined by the Public Services network, Government Connect and Connecting for Health (N3 Network), all of which require appropriate protection to be in place. Accordingly reference is made to the expectations and requirements contained in relevant legislation, standards and guidance. 3 Implementation of this policy will also enable the SIRO to provide evidenced statements of information assurance as part of the council's Annual Governance Statement. The term information assurance (IA) is used to describe confidence in the processes of information risk management. Effective IA should ensure all information assets have the appropriate levels of: Confidentiality - protecting information from unauthorised access and disclosure. Integrity safeguarding the accuracy and completeness of information and processing methods. Availability ensuring that information and associated services are only available to authorised users when required. Non-repudiation- the inability to deny the integrity and authenticity of information. Authentication ability to verify the identity of a user logging into an information asset. This confidence is particularly important in the present environment, which is subject to unprecedented levels of reduced resources, increased scrutiny and malicious activity. Confidence is also improved through good IA where there exists the risk of nondeliberate loss, such as lost or stolen assets or papers etc. 2 Strategic aims are defined in the council's Information Governance Strategy in Part 1 section 2. 3 Legislative and best practice references Appendix 2

9 IA is often described as a sub-set of information management. In the context of this policy it is taken to include all information management activities including creation, collection, evaluation, organisation, dissemination and disposal. This policy, together with all other related policies, standards and guidance provides a mandate for the performance of all information assurance functions. This policy applies to everyone who has access to the council s information, information assets or IT equipment. These people are referred to as users in the policy. This may include, but is not limited to, employees of the council, councillors, temporary workers, partners and contractual third parties. 2. Policy governance. The SIRO will retain ownership of all information governance activities and allocation of resources. The SIRO is also responsible for briefing Management Team on strategy progress and the management of information risks in line with the council's risk management approach. The SIRO is supported by CIGG whose role is to provide oversight of the council s information governance arrangements and ensure the implementation of the information assurance strategy. The day to day management of specific tasks or projects will be delegated to nominated officers or the Information Governance (IG) Lead. Further details around the key roles and responsibilities can be found in section Approach Framework overview. Information risks will be identified through the information risk management approach. This will inform CIGG of the threats and impacts of issues that may affect the council's information governance framework. CIGG will assess identified risks and issues for impact and likelihood within the risk management approach and agree appropriate remedial actions. These will be ratified as appropriate by the SIRO and will form the basis of the annual improvement programme. All remedial actions and other tasks identified will be treated as individual projects within the annual improvement programme. Responsibility for delivery will assigned to a designated officer(s). Identified risks and issues that require consideration by CIGG will be collated by the IG Lead and reported to CIGG and the SIRO. Reporting will be quarterly but incidents or changes that are likely to have a significant impact upon the council will be reported immediately by the IG Lead. Progress in addressing the projects contained within the annual improvement programme will be reported quarterly to CIGG and the SIRO. CIGG will be responsible for the sign-off of each completed project. Emerging risks or incidents requiring action will be assessed by CIGG at their scheduled meetings for either addendum to the annual improvement programme or consideration for inclusion in subsequent programmes. All changes to the annual improvement programme should be ratified by the SIRO.

10 As part of the review and creation of the annual improvement programme, consideration will be given to the impact of specific projects and the communications necessary to inform and support responsible officers of planned changes and enhancements. The collation of agreed tasks into an annual improvement programme will introduce coordination of the related and interdependent projects that support the common strategic aims, including: A clear vision statement to take the information governance programme forward; A clear description of the benefits to be achieved (and how they will be measured) that is commensurate with the council's objectives; The identification and management of risks and issues; A clear estimation of specific costs, timescales and projects needed to achieve the programme's objectives; Greater stakeholder (i.e. SIRO and CIGG) analysis to clarify the impacts, requirements and achievable benefits across the council. The approach should also provide a high degree of flexibility in how individual elements can be implemented. For example, If the budget is not available projects can be rescheduled within the programme as funding becomes available and, new projects can be adopted into the programme without becoming 'rogue' projects lacking strategic focus. A review of the whole information governance framework, to consider any required changes to the key strategic aims or other content, will be a scheduled project within the annual improvement programme every two years. The review will include the Information Governance Strategy, all policies, standards and procedures, and the Terms of Reference for CIGG. The Information Governance Policy will be implemented through the information assurance policy framework. The specific policies 4 included in this framework will define the standards expected in each area. These will be defined and agreed through CIGG and the SIRO. It is crucial that the standards meet the requirements necessary for the council to fulfil its statutory and other obligations for information sharing, security and quality. Guidelines will provide the 'how to' guidance necessary for responsible managers and staff to implement and comply with the policy framework and therefore ensure the whole information governance framework is effective Maturity assessment. Although the defined strategic objectives within the Information Governance Strategy provide direction for improvement, success will be determined by improvement in maturity as measured using the criteria contained within the Department of Health Information Governance Toolkit and elements of the Information Assurance Maturity Model (IAMM) 5 and the business benefits this brings. The Department of Health requires organisations to carry out information governance assessments to provide an assurance that they are adhering to good information governance practices. This applies to organisations that: 4 Appendix 1 5 Produced by CESG the UK Government's National Technical Authority for Information Assurance

11 have access to NHS patients and/or to their information; provide support services directly to an NHS organisation; or have either direct or indirect access to NHS Connecting for Health services, including N3 - the NHS National Network. In order for the council to meet its obligations for the delivery of social care and public health services it is obliged to meet the criteria specified in the Department of Health Information Governance Toolkit. The purpose of the assessment is to enable organisations to measure their compliance against the law and central guidance and to see whether information is handled correctly and protected from unauthorised access, loss, damage and destruction. The ultimate aim is to demonstrate that the organisation can be trusted to maintain the confidentiality and security of personal information. This in turn increases public confidence that the NHS and its partners can be trusted with personal data. Where partial or non-compliance is revealed, organisations must take appropriate measures, (e.g. assign responsibility, put in place policies, procedures, processes and guidance for staff), with the aim of making cultural changes and raising information governance standards through year on year improvements. The IAMM has been designed to help establish a comprehensive programme of work to achieve progress through clearly identifiable milestones. The levels of maturity defined will assist with measuring progress towards the council's strategic objectives for information governance supporting and supplementing the less definite criteria within the Department of Health Information Governance Toolkit. There are five levels of maturity within the IAMM: Level1 initial Level 2 established Level 3 business enabling Level 4 quantitatively managed Level 5 - optimised Each level of the IAMM aims to build on the achievements of the preceding levels and as such the levels are cumulative. This will provide a standard measure of the level of success and achievement of projects defined within the annual improvement programme, an assessment of the level of maturity of areas still requiring actions and the basis of an assessment of resource required to mitigate risks to an acceptable level Information risk management. A fundamental element of information assurance relates to the delivery of effective information risk management. Without an effective approach that enables the sensible aggregation of information risks being taken across the council, decision makers will be prevented from making informed decisions, particularly relating to the treatment of systemic information risks which have the potential to cause severe disruption of the council s business.

12 The policy also recognises that it is essential that any change that may impact upon policy, standards and guidance issued is captured and risk assessed to ensure appropriate action can be taken, ensuring that the framework remains up to date, relevant and practical. Information handling systems cannot provide total protection and therefore performance needs to be monitored and lessons learned so that the council has robust and sustainable means to meet its responsibilities, support corporate strategy and address any incidents or breaches in an effective and timely manner. This is recognised in the continual improvement approach contained within the Information Governance Strategy. The council's risk management approach is based upon the effectiveness of its governance arrangements and managers' good understanding of their services, service developments and their understanding of what risks it is acceptable to take during the normal course of work. This approach removes unnecessary bureaucracy, in particular by preparing documentation solely to demonstrate (rather than support or enhance) effective management. Accordingly the information governance framework does not contain a separate overarching information risk policy but builds upon the corporate approach to ensure information risks are identified, assessed and managed. The Information Assurance Policy Framework does however include a local information risk management policy that defines the expectations expected in service areas for the identification and management of information risks. It is recognised that the delivery of training, education and awareness will need to consider the identification and treatment of information risks to support the delivery of effective information risk management. As defined in Section 3.1, identified risks and issues will be collated by the IG Lead and reported to CIGG for assessment and inclusion where appropriate in the annual improvement programme. Clear accountability is vital, particularly at senior levels, to ensure that risks to information are considered from the outset. The SIRO and CIGG have a key role in identifying corporate information risks and informing Management Team as well as cascading corporate information risks to directorates and service teams. The following table sets out each of the main categories of risk within the council and the management controls applied for information risks.

13 Management control Evidence of management Emerging issues affecting the council and its services Management Team, with cascade down via the SIRO and CIGG to directorate and service teams as appropriate and as the issues develop. New projects and service developments Corporate strategy and Information Governance Framework Management Team agendas and papers CIGG agendas and papers Directorate management team agendas and papers Directorate management teams, with cascade down to service teams as the issues develop, and up to the SIRO, CIGG and Management Team for information. Corporate strategy and Information Governance Framework Directorate strategy/ business plans Directorate management team agendas and papers Project risk registers CIGG agendas and papers Management Team agendas and papers Current issues or developments within the council's existing services Service management teams, with cascade up to directorate management teams and intervention by the SIRO, CIGG and Management Team as appropriate. Directorate management team agendas and papers Project board agendas and papers as appropriate CIGG agendas and papers Management Team agendas and papers Monitoring of performance measures Performance Working Group Executive, with cascade across to directorate management teams and up to the SIRO, CIGG and Management Team as appropriate. Performance Working Group Executive agendas and papers Directorate management team agendas and papers CIGG agendas and papers On-going provision of the council's services: underlying risks Service teams, with cascade up to directorate management teams as appropriate. Directorate management team agendas and papers Corporate documentation of specific information risk areas and annual improvement plan Internal Audit Service risk and control evaluations with supporting audit work

14 3.4. Training and awareness. Every user is engaged in information assurance and is expected to adopt good information management and handling practices, valuing information as a business asset. Without effective training, education and awareness users will not implement policies and procedures in a way that values and protects information as a core business asset. Cultural change is identified throughout the information governance framework and is key to ensuring compliance with information assurance policies and procedures and improving IA maturity across the council. All training and awareness activities must support the underlying objective of embedding information assurance across the council. Training is an ongoing activity which requires constant attention if information is to be handled and shared appropriately. Training on basic information assurance will be delivered to all users using e-learning and other delivery mechanisms. Training relates to all users with access to council information, as well as specific training for the SIRO and users with specific IA responsibilities, such as users working in joint teams that may need some specific training where confusion may arise from having to comply with different organisations' policies and procedures. Service specific and individual training requirements may be identified within service plans or in individual learning and development plans. Strategic training requirements will be identified by CIGG as part of the information risk management approach and a project for delivery will be included in the annual improvement programme as appropriate. All communications must be carried out in consultation with the corporate Communications Service and supported by the service to ensure the most effective means are applied at all times. It is essential that information assurance and security related communications reach intended audiences and are easy to read, understand and assist with compliance as this will aid the culture change within the council Information sharing. It is a requirement of this policy that information sharing within the council and across organisational boundaries is done securely and proportionately to the value of the information in question. Information will be readily shared within the council and with external stakeholders in an assured and cost-effective way, whilst reducing the business impact should a compromise occur. Where the systematic sharing of data is required with another organisation an agreement must be implemented that follows the council's information sharing code of practice. The code of practice is designed to provide a framework for the secure and confidential sharing of information between the partner organisations that contribute to the wellbeing of residents and ensuring disclosure is in line with statutory requirements. Where it is necessary to share information on an ad hoc or case by case basis this must be carried out in accordance with the guidance contained within the Information Commissioner's Data Sharing Code of Practice.

15 4. Compliance The SIRO and CIGG are responsible for ensuring overall compliance with the Policy. The council's code of conduct for employees sets out the behavioural standards that must be upheld by all employees of the council and forms part of the council's terms and conditions of employment. The Code sets out minimum standards of conduct and in the context of the Information Governance Framework the following standards apply: Adhere to all corporate, Directorate/LCCG and service-specific policies and procedures. Follow any local rules laid down for your work location. Use of facilities - at work, you may have access to facilities, such as office equipment, computers, telephones, transport, etc. These facilities are not intended for private use. Where some personal use is permitted, you must observe any corporate protocols, including the Internet, and Telephone System Acceptable Use Policy. Notify your line manager* of any known or suspected breaches of the law or Council's policies, procedures and regulations, and co-operate with any investigation of such breaches. (* If you feel unable to approach your immediate line manager on a specific matter, you should notify a more senior manager responsible for the area of the service in which you work or use the confidential whistleblowing line ) Undertake training courses and learning/e-learning modules as required by your job role or employment with the Council. Non compliance with the Code may result in action being taken under the council's Disciplinary Procedure and could result in dismissal from employment with the council. A breach of policy involving a partner or third party organisation will be treated as a security incident and investigated in accordance with the Security Incident Management Policy. Appropriate action will be agreed with the SIRO taking into consideration any specific contractual recourse or sanctions available. The Audit Committee holds the council to account for the adequacy of all of its risk management arrangements. It seeks assurance over these arrangements from the council's head of internal audit and requires a periodic statement of the most significant risks facing the county council. In addition, the Internal Audit Service works with individual directors and executive directors to consider the council's assurance needs. Priority is given to providing assurance over the controls which reduce the greatest inherent risks to the greatest degree. 5. Key roles and responsibilities. Senior Information Risk Officer (SIRO) The County Secretary and Solicitor is appointed as the council's SIRO. The SIRO takes ownership of the information governance framework, acts as an advocate for information governance and risk at Management Team and provide evidenced statements of information assurance as part of the council's Annual Governance Statement.

16 Key responsibilities of the SIRO are: To take ownership for the development and maintenance of the information governance framework that incorporates the Information Governance Strategy, Information Governance Policy. To consider decisions made by CIGG and ratify those decisions as appropriate. To take ownership of the information risk management approach, including review of the annual improvement programme to support and inform the Annual Governance Statement. To ensure each Directorate and service fulfil their responsibilities and apply the relevant information governance policies and controls. To ensure that council's approach to information governance and risk is effective in terms of resource, commitment and execution and that this is communicated to all staff. To provide a focal point for the resolution and/or discussion of information governance and risk issues. To ensure Management Team is regularly adequately briefed on information governance and risk issues. Corporate Information Governance Group (CIGG) The group is composed of representatives of the council's core directorates and the council's strategic partner (One Connect Limited). Representatives from other specialist areas (e.g. Legal Services and Internal Audit) may be also be required to attend as necessary. The Group is to support and assist the SIRO with the development and maintenance of the information governance framework and to agree all changes to policies, standards and guidance. The Group is to support managers in the implementation of policy and standards, management of information risks and in promoting information security awareness throughout their service areas. The Caldicott Guardian The Caldicott Guardian is responsible for ensuring that processes satisfy the highest practical standards for handling patient/service user information. He/she is responsible for ensuring the safe recording, storing and retention of all personal data and ensuring all information flows are mapped to exclude any leaks of information. The Caldicott Guardian acts as the conscience of the organisation to provide a focal point for patient/service user confidentiality & information sharing issues

17 Information Governance Lead The Information Governance Lead is responsible for: Fully supporting and assisting the SIRO, CIGG and the Caldicott Guardian by overseeing the day to day Information Governance issues, providing guidance to the organisation, assisting with the development and maintenance of all policies, protocols, strategies and procedures within the Information Governance framework. Assisting in raising awareness on an on-going basis to staff of all levels throughout the council. Co-ordinating the Department of Health Information Governance Toolkit annual submission and periodic returns. Conducting or supporting any investigations (with the relevant manager(s)) relating to breaches of confidentiality, either suspected or confirmed. County Data Protection Officer The key role of the Data Protection Officer is to promote the council's compliance with the Data Protection Act Specific responsibilities within the context of this policy are contained within the Data Protection, Freedom of Information and Environmental Information Regulations Policies that are part of the Information Assurance Policy Framework. One Connect Limited ICT Services Provide technical advice; Manage the necessary technical environment and tools to support effective information assurance in accordance with recognised good practice. All Managers All managers are responsible for ensuring that relevant policies and supporting standards and guidance are built into local processes and that there is on-going compliance on a day to day basis. Any breaches or suspected breaches of confidentiality or information security must be reported in accordance with the Incident Management Policy. All managers are responsible for the identification of existing or emerging information risks relating to their service area and either addressing or reporting the issues to CIGG for consideration. All staff This includes permanent, temporary, contractors and any individual who has been given access to the council's network, systems or other information. Individuals are responsible for ensuring that they familiarise themselves with relevant policies and guidance and that they understand the responsibilities set out in them. If individuals are unsure about any aspect of a policy or guidance they must seek clarification from their line manager or the IG Lead. Staff must ensure that they are compliant with legislative and regulatory requirements. Information Governance training is mandatory for all staff and will be delivered in accordance with this policy.

18 Document Control Organisation Lancashire County Council Title Information Governance Framework Author Ian Shipcott Filename Owner County Secretary & Solicitor (SIRO) Subject Information Governance Protective Marking Not Protectively Marked Review date Revision History Version Status Revision Date Summary of Changes Author 0.1 Draft 17/1/13 First Draft I Shipcott 0.2 Draft 18/1/13 Amended Caldicott Guardian R&R Y Byrne 0.3 Draft 23/1/13 Added DPA Officer R&R and compliance for partners & third parties I Shipcott 0.4 Draft 31/1/13 Removed FOI Policy from IAPF Framework I Shipcott 0.5 Draft 7/2/13 Amended IAPF Framework content I Shipcott 0.6 Draft 14/2/13 Update following comments from Deputy CS&S and Head of Efficiency and Business Support; CYP. I Shipcott

19 Review and Approvals Title Name Signature IG Project Lead CIGG SIRO Date Issue of Distribution This document has been distributed to: Name Title Date of Issue Version