Information Management Policy


Document Control

Title: Information Management Policy
Organisation: London Legacy Development Corporation
Description: The Information Management Policy describes how data and information will be managed across the Legacy Corporation.
Author(s): Danny Budzak; Rachael Clauson
Date: 7 August 2014
Approvals: Jonathan Dutton; EMT
Distribution: Public
Protective Marking: Not protectively marked

Version Control

Version | Date | Description | Author
v | | EMT Approved | Rachael Clauson
v | | Minor changes based on recommendations in the audit report | Rachael Clauson

Contents

1 Executive Summary
2 Introduction: Overview; Legal, Regulatory and Policy Framework; Principles of Information Management; Scope; Statement of Intent
3 Roles and Responsibilities: Overview; Executive Management Team (EMT); Senior Information Risk Owner; Director of IT; The IT and Information Services Team; Information Asset Owners and Data Stewards; All Personnel; Civica; Legal Services; Procurement
4 Information Security: Overview; Information Risks; Personnel Security; Password Management; Inactive Accounts; Monitoring of Access; Physical Security; Control and Security of Assets; Encryption; Access Controls to Data; Privacy Impact Assessments (PIA); Protecting the ICT Infrastructure; Use of Email
5 Managing Information Security Risks: Reporting
6 Records Management: Overview; Standards for the Creation of Records; Metadata; File Paths and File Names; Version Control; Date Formats; Folder Structure; Electronic Files; Paper Files; Moving Data and Information outside the Offices; 6.12 Retention and Disposal Schedule
7 Data Management: Overview; Scope of Data Quality
8 Information Sharing: Overview; Stakeholders and Strategic Partners
Email Management: Overview; Use of Email
Information Management Reporting: Overview; Information Asset Register; Finance and Corporate Services Risk Register; Annual Information Governance Report
Training Information Security Induction IT Induction Information Management
Review and Monitoring of the Policy: Review of Policy; Monitoring
Appendix 1 Definitions

LLDC Information Management Policy v1.1 Page 2 of 22

1 Executive Summary

The Information Management Policy outlines how the London Legacy Development Corporation ("the Legacy Corporation") will organise and manage its data and information. It sets out the statutory, regulatory and policy framework with which the Legacy Corporation needs to comply, in order to deliver two key objectives:

1. To ensure that data and information reflects the Legacy Corporation's commitments to openness and transparency; and
2. To ensure that, where necessary, the security, protective marking, privacy and confidentiality of data and information is assured.

The policy defines the roles and responsibilities of all members of staff. The key points are as follows:

- All staff must understand they are responsible for information security;
- All data and information must have a data steward;
- The data steward is responsible for ensuring the accuracy, completeness and relevance of all the data they manage on behalf of the Legacy Corporation.

The Legacy Corporation generates business records such as decisions made, agreements, commitment to meet obligations, histories of projects and deliverables. These records will be managed using a retention and disposal schedule which determines which records are kept, for what length of time, and what happens to them in the long term.

The section on data management outlines how data will be managed at both a macro and micro level. At a macro level, data sets will be defined with named data stewards who will understand their roles and responsibilities. These details will be recorded and maintained in the Information Asset Register. At a micro level, all staff who create data and information will do so according to a set of standards, including version control, dates, folder names and file paths.

The policy outlines the protocols and process for information sharing, internally within the Legacy Corporation, as well as with external bodies. All staff who share information will be made aware of the issues relating to this, and systems will be designed where relevant, in order to facilitate information sharing.

Email management is presented as a key topic in this policy due to the challenging business issues it raises. Any email which is a business record needs to be retained, in accordance with the retention and disposal schedule. Emails which are not business records can be deleted. The key issue is not whether a piece of data or information is an email, it is whether it is a business record.

The final part of the policy looks at the type of management information which should be produced on a regular basis so the Legacy Corporation understands what data and information it has and how it is being used to support business requirements. Management information will include the number of files, types of files, content types, and volumes of data. It will include how compliance with Freedom of Information, Data Protection and other statutory requirements has been met. It will include an overview of all known data security incidents and how these were managed and resolved.

Key Points for All Staff

Information Security

- Information security is the responsibility of all staff, including access to buildings, information systems, data and information.
- The security, privacy, protective marking, confidentiality of information must be assured.
- Data and information must be managed to support openness and transparency.
- The Legacy Corporation must comply with Freedom of Information, Environmental Information Regulations, and Data Protection legislation, ensuring that information must be disclosed when requested and that personal and sensitive personal data is protected.

Records Management

- A record is proof that something has been agreed, has happened, has been promised, regardless of whether it is a document, a PDF, an email, a handwritten note. Examples include minutes of meetings, contracts, PIDs, invoices, appraisals, and reports.
- All business records must be managed with the retention and disposal schedule to ensure compliance with legislation, regulations and internal policies.
- All business records must be stored in the relevant parts of the folder structure so they are readily available to those who need them.
- All business records must have a minimum of data standards attached to them including versions, dates, and authors.

Data Management

- All data and information which is produced must have a clearly defined data steward.
- Stewards are responsible for ensuring that the data is accurate, up to date and relevant and is maintained for the necessary retention periods.
- All data sets and the data stewards will be recorded in the Information Asset Register.

Information Sharing

- Processes and protocols will be understood and followed to ensure that information can be shared within the Legacy Corporation and its stakeholders.

Management Information

- Management information will be generated to show the number of files, volume of data, information security incidents, size of mailboxes and personal drives and costs of data storage.

2 Introduction

2.1 Overview

The Legacy Corporation aims to promote the highest standards of information management.

This policy describes the Legacy Corporation's approach to managing its data and information and describes the procedures and process which must be followed by all personnel.

The Legacy Corporation creates and maintains a large quantity of information, in a variety of formats, including both paper and electronic. This data and information is essential for:

- Supporting a policy of openness and transparency
- Decision making
- Programme and project development and delivery
- Administrating the organisation
- Creating the historic record of the Legacy Corporation

The management of this data and information is necessary to ensure that the Legacy Corporation:

- is compliant with information law;
- can operate effectively and efficiently; and
- can carry out business continuity if necessary.

As a legacy organisation, the Legacy Corporation will eventually pass information to any successor organisations, or to public bodies such as The National Archives.

Almost all records, data and information held by the Legacy Corporation will originate as an electronic file and should therefore be primarily managed within electronic information systems.

2.2 Legal, Regulatory and Policy Framework

Information will be managed in compliance with the following legal, regulatory and policy frameworks:

Legal and Regulatory Framework

- Computer Misuse Act 1990
- Copyright, Design and Patents Act 1998
- Data Protection Act 1998
- Environmental Information Regulations 2004
- Equality Act 2010
- Freedom of Information Act 2000
- Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011
- Protection of Freedoms Act 2012
- Public Records Act 2005
- Regulation of Investigatory Powers Act (RIPA) 2000

Legacy Corporation Policy Framework

- Acceptable Use of IT Policy
- Information Compliance Policy

In addition, a range of legislation covers the retention and disposal of business records. This legislation is set out in the Legacy Corporation's Retention and Disposal Schedule and covers functions and business areas such as finance and human resources.

There are also a number of standards, such as ISO for Information Security, and ISO for Records Management, with which the Legacy Corporation is working to align itself.

The Legacy Corporation is also able to use the Regulation of Investigatory Powers Act (RIPA). RIPA permits the monitoring and recording of employees' electronic communications (including telephone communications) for reasons such as:

- Establishing the existence of facts;
- Investigating or detecting unauthorised use of the system;
- Preventing or detecting crime;
- Ascertaining or demonstrating standards which are achieved or ought to be achieved by persons using the system (quality control and training);
- Ascertaining compliance with regulatory or self-regulatory practices or procedures ensuring the effective operation of the system.

Civica, the Legacy Corporation's managed IT service provider, may use RIPA on behalf of the Legacy Corporation to operate non-intrusive exception monitoring of personnel's use of the Legacy Corporation's computer resources including email and internet use. This will not be done unless a genuine possibility of inappropriate use has been raised through exception reporting, disciplinary proceedings or a complaint.

If action is required as the result of inappropriate use of computer resources, then the issue will be referred to Human Resources and the relevant Line Manager for remedial action.

2.3 Principles of Information Management

The key principles of information management at the Legacy Corporation are as follows. Information will be:

- managed as a corporate resource to support decision making, the delivery of programmes and projects and the administration of the organisation
- shared across the Legacy Corporation and with strategic stakeholders and partners, using formal protocols where necessary
- managed to ensure compliance with statutory and regulatory requirements
- accurate and relevant to the business purposes it supports
- used to support transparency and openness
- protected to prevent theft, loss and corruption
- accessible to those who need it and in formats which are usable
- managed using the retention and disposal schedule.

2.4 Scope

The scope of this policy extends to all of the Legacy Corporation's data and information held both electronically and on paper. For the purposes of this policy, the term "information" will be used to describe both data and information, see Appendix A for definitions.

The policy includes all of the personnel who work for, or with the Legacy Corporation, including full-time and part-time employees, contractors, consultants, secondees, agency and temporary employees.

It includes all of the hardware, networks and information systems used to create, store and access electronic data and information. This includes desktop PCs, mobile devices, USB sticks, databases, websites, software and licences.

The policy also includes information held by third parties on behalf of the Legacy Corporation or which is shared with third parties.

It includes management of access to information, including the access to buildings and facilities where information is held.

It includes the transmission of information including electronically, verbally and by paper.

2.5 Statement of Intent

The Legacy Corporation seeks to embed effective and appropriate information and records management into business processes and functions. This will be achieved through approved procedures and appropriate monitoring and controls.

Awareness of the policy will be raised across the Legacy Corporation on an ongoing basis through a variety of methods, such as the induction process, e-learning and the intranet.

3 Roles and Responsibilities

3.1 Overview

It is the responsibility of all staff to have an understanding and awareness of information management issues, including information security, freedom of information, environmental information regulations, data protection, copyright and records management.

3.2 Executive Management Team (EMT)

The EMT is responsible for:

- approving and endorsing this policy;
- providing support and leadership for the implementation of this policy;
- receiving and reviewing management information relating to this policy;
- providing guidance on how the policy continues to be aligned with corporate objectives;
- nominating a Senior Information Risk Owner (SIRO); and
- committing resources to ensure the objectives of the policy can be delivered.

3.3 Senior Information Risk Owner

The Executive Director of Finance and Corporate Services is the Senior Information Risk Owner (SIRO). The responsibilities of the role are to:

- provide the Chief Executive and EMT with an annual report on information governance with particular reference to information security, information risk and compliance;
- own the Legacy Corporation's information security and information risk management process;
- review risks escalated by stakeholders or third party suppliers;
- review risks and issues escalated by any part of the business;
- take the lead on incident management and reporting, including lessons learned; and
- act on behalf of the Legacy Corporation in dealings with local and central government and other bodies on information risk and assurance.

3.4 Director of IT

The Director of IT is responsible for:

- strategic leadership of information security;
- ensuring effective governance to control IT and information management activities including relevant standards, security and risk; and
- ensuring continued uninterrupted operation of the organisation's IT services and that service is secure from threats.

3.5 The IT and Information Services Team

The IT and Information Services Team are responsible for:

- developing and maintaining the retention and disposal schedule to all records;
- developing and implementing information management standards;
- Freedom of Information and Environmental Information Regulations (EIR) requests and subject access requests under the Data Protection Act;
- ensuring compliance with data protection;
- maintaining the publication scheme; and
- maintaining the information asset register.

3.6 Information Asset Owners and Data Stewards

Information Asset Owners and data stewards are recorded in the Information Asset Register. They will be responsible for ensuring that those assets are up to date, accurate, complete and held securely.

3.7 All Personnel

All data and information, information systems, hardware, mobile devices, software, licences belonging to the Legacy Corporation are corporate assets. All personnel must understand and be aware of:

- their obligations to ensure the security of data, information, information systems, buildings, hardware and mobile devices;
- the processes, procedures and standards outlined in this policy;
- which information assets they are owners of, and the need to update and maintain the register of those assets;

- the compliance framework including freedom of information, data protection, privacy and copyright and the need to support openness, accountability and transparency;
- the statutory obligations to maintain records which are accurate, complete and up to date, including emails;
- managing emails so that emails which are business records are moved to the relevant folders; and
- the need to ensure the quality of data so that it is usable and fit for purpose.

3.8 Civica

Civica are the Legacy Corporation's managed service provider. Civica have ISO Certification for Information Security. Their role is to:

- ensure that the Legacy Corporation's IT systems are functioning at optimum level;
- make regular back-ups of the Legacy Corporation's electronic files, including emails;
- ensure the Legacy Corporation's files and computer systems are adequately protected against viruses, spyware, malware and external attack;
- update and maintain the Legacy Corporation's computer hardware, telephone equipment and network;
- manage and maintain the Legacy Corporation's servers and infrastructure;
- manage and maintain data recovery systems to ensure the Legacy Corporation's business systems can continue to be accessed if offices at Stratford are inaccessible or unusable;
- manage and update existing Legacy Corporation software and install new software; and
- provide a support service for queries and problems relating to IT hardware and software.

3.9 Legal Services

Transport for London (TfL) provide the Legal services for the Legacy Corporation. A detailed Data Transfer Plan and Information Sharing Protocol has been established between the two organisations to ensure that the records of the Legacy Corporation are managed effectively and in compliance with legislation.

Procurement

All Procurement projects must ensure the inclusion of appropriate contract clauses on information security, information assurance and records management, and liaise with the Legal and Procurement team.

Before entering a contractual agreement, all third party agencies will be invited to partake in a risk assessment to ascertain the adequacy of their development and support environments for maintaining the security and integrity of the Legacy Corporation's data, applications and networks.

4 Information Security

4.1 Overview

4.1.1 Information security will be applied to manage and control risk to data, systems, people, buildings and IT hardware, infrastructure and assets. Information security processes and procedures will be monitored and updated on a regular basis.

Where possible, devices will be configured with password protection and encryption, so that if they are lost or stolen, any data cannot be accessed.

All personnel will receive awareness training on information security. Information Asset Owners will receive additional training to ensure they can maintain the information asset register and are fully aware of their responsibilities.

4.2 Information Risks

Information risk management will be conducted in association with business areas to ensure risks are understood, captured, monitored and controlled by all members of staff.

Information risks will be recorded on the Finance and Corporate Services departmental risk register. Where necessary, risks will be escalated to the Corporate Risk Register.

The Legacy Corporation will regularly carry out technical risk assessment for core ICT systems and projects.

4.3 Personnel Security

All personnel must sign a form to show they are aware of, and understand, the Acceptable Use of IT Policy.

Line managers must notify HR and IT when new personnel require access to systems, and when they leave the Legacy Corporation. Authorisation for starters and leavers must be given using the approved Legacy Corporation form.

IT and IS will keep an up to date register of all new starters and leavers. This will be used to ensure that all new starters receive an induction to IT and information governance and the impact of leavers on the systems is controlled.

An account expiry date will be set up for all temporary accounts, which will be their leaving date. Requests for extensions must be validated by their Line Manager.

Background verification checks will be carried out by HR for all new employees of the Legacy Corporation.

Line Managers should ensure that appropriate exit procedures are carried out with all personnel when they leave. The leaver notification form must be completed. All assets must be returned to the Legacy Corporation and signed off.

Security roles and responsibilities will be included in job descriptions where appropriate. These will include any specific responsibilities for the protection of particular assets, or for carrying out particular processes such as data protection or freedom of information.

All staff will be instructed not to store personal data, sensitive data or protectively marked information on laptops or home PCs which have not been encrypted to the Federal Information Processing Standard (FIPS) standard.

Where any personnel leave their desk unattended they should either log off from the system, or they should lock their PC screen. Each PC is set to automatically lock after 15 minutes if not in use, and can only be unlocked by entering a user name and password.

4.4 Password Management

The password management system will enforce the use of individual passwords to support and maintain accountability and changing the passwords will be automatically forced.

Staff are given instructions that passwords must be of a minimum of six characters and include a combination of upper and lower case letters, numbers and punctuation or symbol characters. Passwords cannot be changed more than once a day.

All personnel with access to systems will have their own unique user name and password and are instructed not to share this with anyone.

Passwords should not be written down.

Users should not log in using other users' passwords.

4.5 Inactive Accounts

The individual's account will be deactivated upon leaving the Legacy Corporation. Access to the contents of any inactive accounts can be authorised by the appropriate department head; however, access will usually only be limited to business records. Users will be requested to remove all personal data before leaving the organisation.

The contents of any inactive accounts will be deleted after a period of six months.

Login IDs which have not been used for twenty days will be disabled. IDs not used for ninety days will be deleted. All deleted IDs will be maintained for a period of six months and then will be removed.

4.6 Monitoring of Access

Information Asset Owners (IAOs) must put in place arrangements to log activity of users in relation to protectively marked and personal information. IAOs must check that these arrangements are being followed, with particular focus on those working remotely. User activity should be collated and reported on a regular basis.

4.7 Physical Security

All staff within the Corporation properties will be issued with a picture security pass that allows access to the relevant buildings.
These passes should be worn when in the office.

Any guests visiting the building will need to be registered with the Legacy Corporation's reception the day before their visit by emailing lldcreception@londonlegacy.co.uk. Visitors who are not registered will have to be collected from the ground floor by the meeting organiser.

4.7.3 All personnel should inform the Legacy Corporation's reception of any expected deliveries by couriers.

All visitors should, on arrival at the main reception to the building, sign the Visitors book. On arrival at the 10th floor LLDC reception they should be issued with a LLDC Visitors pass that they wear and display during their visit to the office. This should be returned when they leave the LLDC floor either to their host or to the receptionist.

Personnel should alert colleagues if they discover an unauthorised person on the premises.

If personnel lose their security pass, they should report this to Human Resources.

4.8 Control and Security of Assets

IT and Information Services, with the IT managed service provider, will record and categorise all ICT assets including PCs, mobile devices such as Blackberrys and USB sticks, printers, laptops, software licences.

This inventory will be held in an asset register and will include details of how to implement disaster recovery.

4.9 Encryption

Encryption will be managed through Pretty Good Privacy (PGP).

Access Controls to Data

The levels of access to any set of data or information system will be determined by the relevant information asset owner.

The Information Asset Owner will define and document the user access rights to personal data and other sensitive or protectively marked data and information. By recording these, the Information Asset Owner is authorising an acceptable level of risk associated with those access rights.

Privacy Impact Assessments (PIA)

Privacy Impact Assessments (PIA), as described by the Information Commissioner's Office (ICO), will be conducted for any projects involving collection or storage of personal data of members of the public.

A PIA will also be conducted for any project or system development that will be subject to a formal accreditation process.

Protecting the ICT Infrastructure

All of the Legacy Corporation's data is stored centrally and securely on Civica's servers with access limited to authorised Civica personnel only. All backup media is held off-site by a specialist third party. Content on servers is backed up both weekly and monthly.

The Legacy Corporation's IT network systems are protected from the public domain by a series of firewalls in order to restrict access from the internet to permitted traffic.

Annual penetration testing and vulnerability assessments are undertaken by an independent external specialist.

All PCs, laptops and servers are protected by anti-virus software.

Email is scanned before it enters the Legacy Corporation's network, and again when it is placed in the user's inbox. Users are instructed to report any suspicious emails to the helpdesk.

All devices that are connected to the network are automatically scanned for viruses.

Use of Email

Staff will be instructed that they must not send any data or sensitive data to personal accounts. Staff will also be made aware of the risks of sending email outside the Legacy Corporation. Any emails with sensitive data which are sent to third parties should be encrypted.

5 Managing Information Security Risks

5.1 Reporting

Any information security incidents must be reported immediately to IT and Information Services or to a line manager, or both.

Information security incidents and the responses include:

Type of incident | Immediate action | Notes
Loss or theft of Blackberry | Phone EE (Orange) |
Loss or theft of Corporation laptop | IT or line manager or both | Laptops should NOT be used to store any Legacy Corporation information
Loss or theft of non-corporation laptop or PC | IT or line manager or both | If a personal laptop has been used for work purposes, the theft or loss should be reported to IT. Staff must be aware that personal and sensitive data must not be stored on personal PCs or laptops.
Loss or theft of sensitive paper documents | Information Services or line manager or both | Sensitive paper documents should not be removed from Legacy Corporation offices
Loss or theft of notebooks | Information Services or line manager or both | Paper notebooks should NOT be used to record personal or sensitive personal data about people and then taken out of the building
Unknown persons in building | Inform colleagues | If you feel uncomfortable with anyone in the building talk to immediate colleagues to find out if anyone knows who they are

6 Records Management

6.1 Overview

There are statutory and regulatory requirements which provide a framework for the management of records. This includes determining what data and information are records, the length of time for which they should be retained, when they should be reviewed, whether they need to be transferred to The National Archives or other records repository, and the disposal process.

6.2 Standards for the Creation of Records

The following section applies to the creation of business records; it does not apply to ephemeral data and information, reference materials, or materials received from third parties.

6.3 Metadata

Metadata is information about a record which may not be implicit in the record itself. It provides a context in which to understand the record. The following metadata should be added to records:

- Title: this should be concise, meaningful and not too long.
- Organisation: this is always the London Legacy Development Corporation.
- Description: a clear and concise paragraph or two about the content.
- Author: who created the resource; it could be more than one person.
- Version: this should be changed as necessary.
- Approvals: informs users whether the content is approved.
- Status: describes whether the record is active, inactive or due for review.
- Protective marking: describes any limitations on sharing.

6.4 File Paths and File Names

File names need to be clear, concise and meaningful. File paths (the total number of characters from all the folders, sub-folders, and file name) which exceed 240 characters will not be usable within a Windows Explorer environment as they cannot be opened. Where possible, file names should not have spaces in them, as they will be displayed as percentage signs when published on the web. File names should be concise; this makes them more usable. Recursive naming of folders should be avoided as it becomes confusing. It is acceptable, particularly for internal records, to use common abbreviations and acronyms.

6.5 Version Control

Version control should be managed in the following way:

v0.1 First draft version (this is usually the document creation)
v0.2 Second draft version
v0.3 Third draft version
...and so on

There is no need to add the term "draft" to this sequence, or to the document title. These version changes should be applied in a proportionate way. For example, they do not necessarily need to be updated when only one person is working on the document and opening and closing it while making changes.

The first published version or public version of the document will be:

v1.0

Subsequent minor changes should be recorded as:

v1.1
v1.2
...and so on

Each significant change or major revision of a file should be recorded as:

v2.0
v3.0
v4.0
...and so on

6.6 Date Formats

Date formats need to be applied consistently. The primary date standard is:

dd mm yyyy

However, there may be instances when there is a need to use the reverse date order of yyyy mm dd.

6.7 Folder Structure

The structure and names of folders will be based on the business classification scheme.

Folder names and structure will reflect the functions, organisation, programmes, projects, policies and decision making of both the Corporation as a whole, and of each of the business areas.

Folder names need to be clear, concise and meaningful. Sub folders should be logical and not recursively named.

6.8 Electronic Files

Electronic records must be stored in the appropriate folders on the O drive, which is managed by the Information Services team.

Business records must not be stored in personal drives (H drive), memory sticks, portable devices or home PCs. There may be a temporary need to use this space for work in progress, but they must be moved to the appropriate folder when they become records.

6.8.3 The use of portable media such as USB sticks is restricted for limited use; for example, when working away from the office. Any new records created on removable media must be transferred to the shared drive upon return to the office.

Emails which are business records must be transferred to the appropriate folders on the O drive. They will then be managed through the retention and disposal schedule. The overall policy is outlined in Section 7 below.

Paper Files

Paper records should be filed in a corporate folder, mirroring the corresponding electronic file structure. Duplicate papers need to be removed and where a file becomes too large, a second part should be created.

The accumulation of paper on desks and in the offices will be monitored to ensure that this does not become an information risk or health and safety hazard or both.

Where paper resources are classified as records, they will be reviewed for the possible transfer to off-site storage.

Paper files which contain personal or sensitive data and information should be stored securely and not left unattended and should not be accessible to personnel who are not authorised to view them, for example, not left on desk tops.

Moving Data and Information outside the Offices

Any personnel who take paper records out of the office should keep a record of that movement.

All portable assets will be recorded in the Information Asset Register, with details of who they are assigned to. That person will be responsible for the data and information which is held on those devices.

Retention and Disposal Schedule

The retention and disposal schedule outlines the main classes of records and the periods they need to be retained for. The authority for those retention periods is also stated.

At the end of their retention period, records will be reviewed.

All personnel are expected to be aware of the retention and disposal schedules and to create, manage and store their business records in a way which facilitates the application of the schedule.

The retention and disposal schedule will be fully reviewed on an annual basis, with partial reviews based on legislative and other changes throughout the year.

The further retention, archiving or disposal of records will be decided through the application of the retention and disposal schedule.

Where paper or electronic files are to be disposed of, this will be done in a secure way.

Cross-cutting shredders are available for the disposal of paper.

Any IT equipment which is decommissioned will have the data wiped.

7 Data Management

7.1 Overview

Data quality is essential to ensure that the work of the Legacy Corporation is carried out to a high standard, with minimal risks. Data quality needs to be assured so that data can be trusted, accurate, up to date and reliable.

7.2 Scope of Data Quality

Data quality relates to the completeness, integrity and accuracy of data and information resources.

The Legacy Corporation will use the Information Asset Register and the standards described in this policy to manage and monitor data quality.

The Legacy Corporation will commit to ensuring the quality of data which will form part of its reporting requirements to the Mayor, Greater London Assembly, Parliament and government departments.

Data stewards will be established for all data sets and data repositories. The role of the data stewards will be to ensure that all data is relevant, accurate, up to date and fit for purpose; that the data is accessible to those who need it, and there is a process to update and review the data on a regular basis.

Data stewards will be responsible for applying the retention and disposal schedules to ensure that data is managed within the records management framework.

8 Information Sharing

8.1 Overview

The Legacy Corporation has a business need to share data and information with a range of stakeholders, strategic partners, contractors, the GLA group and government departments. The sharing of data and information must be governed by a set of agreed protocols and standards.

8.2 Stakeholders and Strategic Partners

The Legacy Corporation will comply with the Information Sharing Protocol which has been created for the GLA Group.

Where there is a specific requirement to share data with third parties and other organisations, the Corporation will create formal information sharing protocols.

9 Email Management

9.1 Overview

Email is a key business tool. It is used to manage work flow, exchange information about projects, to make decisions and share ideas and opinions. The content of email could be a business record, and therefore needs to be managed as such. Emails could be disclosed as part of a Freedom of Information request and could be used in the context of a tribunal or investigation.

9.2 Use of Email

Email is used for a range of activities and the content can include:

- Decision-making
- Agreements to proceed
- Accepting responsibility
- Work instructions
- Work communications
- Personal communications
- Corporate administration
- Corporate social communications

All staff should ensure that they do not create content in email which could be construed as libellous or offensive. Appropriate language must be used at all times and content should be proportionate, professional and measured.

Where emails are business records, they must be saved to the relevant folders in the file structure.

Personal emails should be marked as such and should be deleted or moved to a folder called personal.

Emails should only be sent to the whole of the Legacy Corporation following approval by the Communications Team.

Links to documents should be sent, rather than attachments, wherever possible.

The relevant protective markings should be used where necessary.

10 Information Management Reporting

10.1 Overview

The Legacy Corporation is committed to understanding the scope, volume, accuracy and reliability of its information resources. It will record and monitor a range of indicators relating to its data and information, including Freedom of Information requests, subject access requests, and information security incidents. It will record information asset owners and maintain a publication scheme to show the main classes of data it holds.

It will maintain a retention and disposal schedule and keep accurate records of its records management processes, including transfer and disposal.

Information Asset Register

The Information Asset Register will be used to record all of the data sets and information systems held by the Legacy Corporation. It will include details of the owner of the data set or information system, the content, the level of protective marking and details of personal data which is being held.

10.3 Finance and Corporate Services Risk Register

The Finance and Corporate Services Risk Register will be used to record and monitor information risks.

Annual Information Governance Report

The Information Services Team will produce an annual information governance report for circulation to the Legacy Corporation and for publication. This will include:

- details of the policy framework for information management
- number of FOI, EIR and subject access requests
- volume of paper in storage
- information security incidents and their resolution.

11 Training

11.1 Information Security Induction

All staff will receive information security induction. This will be refreshed on an annual basis.

Other training will be organised and delivered on a regular basis.

IT Induction

All new starters will receive IT induction which will cover the key points of the Acceptable Use of IT Policy. This will enable new starters to clarify any points about the policy which they do not understand.

Information Management

The Information Services Team will run regular sessions on all aspects of information management including email management, retention and disposal, organising information into folders, data and information responsibilities.

The intranet will be used to promote and publish online training materials and resources.

12 Review and Monitoring of the Policy

12.1 Review of Policy

A full review of this policy will be carried out on an annual basis. However, throughout the course of each year, amendments will be made if necessary to reflect changes in legislation and regulations and changing business requirements.

Monitoring

The policy will be tested on a regular basis to make sure that the rules and guidelines are being followed. This will include the testing of specific procedures such as the use of encryption, user rights, password control and the use of portable media.

Any breaches of the policy will be recorded in the information security risk register.

Appendix 1 Definitions

- Data: the individual words or numbers which are used to measure quantities or to express characteristics of physical objects, people, places or time.
- Information: data that has been organised so that it has meaning, context and structure. Information is the use of data to communicate a message or produce an outcome or change.
- Knowledge: the use of information which has been aggregated from different sources and where the use is based on experience.
- Information Resources: the physical holders of data and information. This includes electronic and paper files, databases, web pages.
- Personnel: in the context of this policy, personnel means any person who works for, or with the Legacy Corporation. This includes full-time and part-time employees, Board members, contractors, consultants, suppliers, agency staff, temporary staff and volunteers.
- Records: evidence of a decision or an activity. There are legal obligations to keep records for specific lengths of time, depending on their content. The Legacy Corporation generates business records such as decisions made, agreements, commitment to meet obligations, histories of projects and deliverables.


Information Management Policy Title Information Management Policy Document ID Director Mark Reynolds Status FINAL Owner Neil McCrirrick Version 1.0 Author Deborah Raven Version Date 26 January 2011 Information Management Policy Crown

More information

Information Governance Framework. June 2015

Information Governance Framework. June 2015 Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review

More information

YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY

YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY YMDDIRIEDOLAETH GIG CEREDIGION A CHANOLBARTH CYMRU CEREDIGION AND MID WALES NHS TRUST PC SECURITY POLICY Author Head of IT Equality impact Low Original Date September 2003 Equality No This Revision September

More information

Version 1.0. Ratified By

Version 1.0. Ratified By ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified 5 th March 2013 Author(s) Responsible Committee / Officers Issue Date 5 th March 2013 Review Date Intended Audience

More information

Scotland s Commissioner for Children and Young People Records Management Policy

Scotland s Commissioner for Children and Young People Records Management Policy Scotland s Commissioner for Children and Young People Records Management Policy 1 RECORDS MANAGEMENT POLICY OVERVIEW 2 Policy Statement 2 Scope 2 Relevant Legislation and Regulations 2 Policy Objectives

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

Records Retention and Disposal Schedule. Information Management

Records Retention and Disposal Schedule. Information Management Records Retention and Disposal Schedule Information Management Version control Version Author Policy Approved By Approval Date Publication Date Review Due V 1.0 Information Governance Unit Philip Jones,

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version: 4 Bodies consulted: Caldicott Guardian, IM&T Directors Approved by: MT Date Approved: 27/10/2015 Lead Manager: Governance Manager Responsible Director: SIRO Date

More information

Information Governance and Assurance Framework Version 1.0

Information Governance and Assurance Framework Version 1.0 Information Governance and Assurance Framework Version 1.0 Page 1 of 19 Document Control Title: Original Author(s): Owner: Reviewed by: Quality Assured by: Meridio Location: Approval Body: Policy and Guidance

More information

Records Management Policy & Guidance

Records Management Policy & Guidance Records Management Policy & Guidance COMMERCIALISM Document Control Document Details Author Nigel Spencer Company Name The Crown Estate Department Name Information Services Document Name Records Management

More information

University of Sunderland Business Assurance Over-arching Information Governance Policy

University of Sunderland Business Assurance Over-arching Information Governance Policy University of Sunderland Business Assurance Over-arching Information Governance Policy Document Classification: Public Policy Reference Central Register IG001 Policy Reference Faculty / Service IG 001

More information

This policy outlines different requirements for the use of PSDs based on the classification of information.

This policy outlines different requirements for the use of PSDs based on the classification of information. POLICY OFFICE OF THE INFORMATION COMMISSIONER Use of portable storage devices 1. Purpose A Portable Storage Device (PSD) is a mobile device capable of storing and transferring digital information. Examples

More information

Records Management - Council Policy Version 2-28 April 2014. Council Policy. Records Management. Table of Contents. Table of Contents... 1 Policy...

Records Management - Council Policy Version 2-28 April 2014. Council Policy. Records Management. Table of Contents. Table of Contents... 1 Policy... Council Policy Records Management Table of Contents Table of Contents... 1 Policy... 2 Policy Objectives... 2 Policy Statement... 2 Records Management Program... 2 Accountability Requirements... 3 General

More information

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2 Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications

More information

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework Putting Barnsley People First Barnsley Clinical Commissioning Group Information Governance Policy and Management Framework Version: 1.1 Approved By: Governing Body Date Approved: 16 January 2014 Name of

More information

SOUTH NORTHAMPTONSHIRE COUNCIL 10/11 REMOTE WORKING FINAL REPORT MARCH 2011

SOUTH NORTHAMPTONSHIRE COUNCIL 10/11 REMOTE WORKING FINAL REPORT MARCH 2011 SOUTH NORTHAMPTONSHIRE COUNCIL 10/11 REMOTE WORKING FINAL REPORT MARCH 2011 This report and the work connected therewith are subject to the Terms and Conditions of the contract dated 18/06/07 between South

More information

(Joint) Information Management Strategy 2014-2017. April 2014

(Joint) Information Management Strategy 2014-2017. April 2014 49 (Joint) Information Management Strategy 2014-2017 April 2014 49 50 CONTROL SHEET FOR: (Joint) Information Management Strategy Strategy Details Comments / Confirmation (Joint) Information Management

More information

Acceptable Use of Information Systems Standard. Guidance for all staff

Acceptable Use of Information Systems Standard. Guidance for all staff Acceptable Use of Information Systems Standard Guidance for all staff 2 Equipment security and passwords You are responsible for the security of the equipment allocated to, or used by you, and must not

More information

Small businesses: What you need to know about cyber security

Small businesses: What you need to know about cyber security Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact

More information

Information Security and Governance Policy

Information Security and Governance Policy Information Security and Governance Policy Version: 1.0 Ratified by: Information Governance Group Date ratified: 19 th October 2012 Name of organisation / author: Derek Wilkinson Name of responsible Information

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

Information security and paper-based data storage and disposal. INFORMATION SECURITY POLICY Version 2.2

Information security and paper-based data storage and disposal. INFORMATION SECURITY POLICY Version 2.2 Information security and paper-based data storage and disposal NOT PROTECTIVELY MARKED INFORMATION SECURITY POLICY Version 2.2 Title Subject Version Date Author Protective Marking Classification INFORMATION

More information

Information Security Policy. Information Security Policy. Working Together. May 2012. Borders College 19/10/12. Uncontrolled Copy

Information Security Policy. Information Security Policy. Working Together. May 2012. Borders College 19/10/12. Uncontrolled Copy Working Together Information Security Policy Information Security Policy May 2012 Borders College 19/10/12 1 Working Together Information Security Policy 1. Introduction Borders College recognises that

More information

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

Name: Position held: Company Name: Is your organisation ISO27001 accredited: Third Party Information Security Questionnaire This questionnaire is to be completed by the system administrator and by the third party hosting company if a separate company is used. Name: Position held:

More information