Information Governance Strategy

Transcription

1 Introduction Information Governance Strategy This strategy sets out the approach to be taken within Children s Hearings Scotland (CHS) to develop a robust Information Governance (IG) framework for the management of information relating to the national Children s Panel, Area Support Teams and CHS. Information comes in many forms, including policy documents, minutes, financial data, personal data, and is held in a variety of paper and electronic formats. Across the Children s Hearings System (the System) we use this information as we work to achieve our vision, mission and values, in accordance with the National Standards and Corporate Plan. Information is a vital asset and plays a key part in corporate governance, business planning and performance management. To maximise the potential benefit from our information we need to manage it effectively, share it appropriately and ensure that it is adequately protected. Each year this strategy will be reviewed and an implementation plan developed to identify areas for improvement, in line with the key objectives identified below. It will highlight who is responsible and accountable for these areas and how we will implement, monitor and review the strategy. It will also describe how the strategy aligns to our corporate and business objectives. Key objectives CHS aims to achieve a standard of excellence in IG by ensuring information is managed securely, efficiently and effectively and in accordance with our statutory and regulatory obligations. The implementation of the following objectives will provide a foundation from which CHS can operate IG best practice. IG Objective 1: We will ensure that all members of the CHS community understand their responsibilities in relation to keeping information safe and know what is expected of them when creating and handling information. implementing comprehensive IG policies, procedures and guidance

2 creating an accessible IG policy framework with clear guidance on what is relevant for each role in the CHS community published on CHS website and the Children s Hearings Information and Resource Portal (CHIRP) delivering inductions, awareness sessions and training communicating key IG messages using CHS Keeping information safe newsletters and CHIRP recording the agreement and acknowledgement of responsibilities to keep information safe establishing processes to monitor compliance with the IG policy framework This objective indirectly aligns to outcomes 1-3 of CHS Corporate Plan and directly aligns to the following outcomes: 4. Members of the CHS Community feel valued, and are supported and well-trained to carry out their role. IG Objective 2: We will ensure that all panel members, AST members, Clerks, staff and Board members have the necessary skills to manage information. using online training and development tools, such as the Civil Service Learning resources producing bespoke IG elearning courses for all panel and AST members, Clerks, staff and Board members requiring all staff and volunteers to complete the elearning modules every two years monitoring and recording elearning completion and pass rates to identify where further training and guidance may be required evaluating the effectiveness of training materials on an ongoing basis communicating key contact details for CHS staff to volunteers who require advice or guidance on IG identifying essential skills and experience required by staff and volunteers when managing information, in our Records Management Competency Framework This objective indirectly aligns to outcomes 1-3 of CHS Corporate Plan and directly aligns to the following outcomes: 4. Members of the CHS Community feel valued, and are supported and well-trained to carry out their role. IG Objective 3: In line with CHS values, we will foster a culture of openness, transparency and accountability and one which values information and knowledge. We will achieve this through the development of an organisational culture: which values information and works to remove barriers to managing information effectively

3 where staff and volunteers have confidence and trust in the quality of our information and in making it available to the public, unless there are reasons for not doing so, such as privacy or security which values protecting information appropriately where managing information is everyone s responsibility and is part of how we operate every day where managing information is an enabler to our business and not a barrier which increases awareness of the importance of information We will do this by: regularly reviewing our Publication Scheme to identify additional classes of data that can be published to build greater public trust in the way we operate whilst at the same time safeguarding personal data from misuse and protecting individuals rights to privacy adopting a risk based approach to withholding data in order to strike the right balance in achieving transparency and maintaining confidentiality whether the privacy of individuals or commercial interests, or where protection is in the public interest producing accessible practical guidance using clear and consistent language using case studies of best practice and examples of poor practice in our communications building messages about IG into general communications and activities This objective indirectly aligns to outcomes 1-4 of CHS Corporate Plan and directly aligns to the following outcome: IG Objective 4: We will maintain a robust information security incident management structure to ensure risks, vulnerabilities and incidents are appropriately identified, reported and managed. communicating responsibilities to staff and volunteers to notify us of any events, vulnerabilities or incidents in CHS systems or information implementing clear incident reporting mechanisms implementing comprehensive risk assessments, investigation and analysis of information security events, vulnerabilities and incidents regularly reviewing the managing incident procedures to reflect best practice standards This objective indirectly aligns to outcomes 1-4 of CHS Corporate Plan and directly aligns to the following outcome:

4 IG Objective 5: We will work with key partners to share information appropriately and responsibly and investigate new ways of improving information sharing practices. sharing and publishing key information to support transparency and accountability establishing information sharing protocols with associated data access agreements embedding privacy impact assessments and compliance checks into the core programme management structure contributing to peer reviews with key partners of IG structures, practices and compliance ensuring that knowledge and experience is shared This objective indirectly aligns to outcomes 1-3 of CHS Corporate Plan and directly aligns to the following outcomes: 4. Members of the CHS Community feel valued, and are supported and well-trained to carry out their role. IG Objective 6: We will know what information we hold and where it is stored. managing information in line with our Retention and Disposal Schedule to ensure that we retain only information where there is a business need to do so, and in line with legal requirements, such as the Data Protection Act 1998 (DPA) migrating content held in shared drives into a new functional Business Classification Scheme, enabling quicker access to information and a better understanding of what information we hold and where it is stored developing CHIRP as a corporate repository for the storage of information created, accessed and shared across the CHS community regularly reviewing and updating the Information Asset Register (IAR) identifying all records created and held by the organisation (including vital records) This objective indirectly aligns to outcomes 1-4 of CHS Corporate Plan and directly aligns to the following outcome: IG Objective 7: We will create, manage and share reliable and trustworthy records which support our core business processes. establishing clear business processes which identify the flow of information throughout the organisation

5 identifying roles and responsibilities in managing information setting data quality standards for the management of information capturing metadata on creation, access, amendment or receipt of information applying access and security mechanisms capturing audit trail information relating to the creation, access, retrieval and disposal of records throughout their lifecycle This objective indirectly aligns to outcomes 1-4 of CHS Corporate Plan and directly aligns to the following outcome: IG Management and Reporting Structure and Responsibilities It is essential that we understand who is responsible for IG systems, strategies and policies in order to support IG activities across the organisation and ensure that key responsibilities align to the corporate governance framework. Details of roles and responsibilities in relation to IG are as follows: Director of Finance and Corporate Services/Senior Information Risk Owner (SIRO) The SIRO is responsible for CHS IG Policy Framework and acts as advocate for IG on the Audit and Risk Management Committee (ARMC). The Information Governance Officer (IGO) provides sixmonthly reports to the SIRO on information risk and highlights any immediate security risks and concerns. The SIRO ensures that an effective IG infrastructure is in place including information asset ownership, reporting, and defined roles and responsibilities. Senior Management Team (SMT) It is the role of the SMT to define CHS IG strategy and associated policies and procedures. It is responsible for ensuring that sufficient resources are provided to support the delivery of this strategy. SMT, in consultation with the IGO, will agree an annual work programme to monitor performance and define new objectives. Audit and Risk Management Committee (ARMC) The ARMC advises the Board on IG arrangements and reviews core IG policies and procedures. The ARMC will review and endorse this IG Strategy and recommend approval to the Board. The ARMC is also responsible for monitoring performance and assessing the control of risk in relation to IG, receiving and acting on reports from the IGO and SIRO. The ARMC will formally review this strategy every two years, however the content will be reviewed by the IGO annually to ensure that the objectives remain relevant and the organisation continues to meet all of its statutory and regulatory responsibilities.

6 Information Governance Officer (IGO) The IGO is responsible for: overseeing and responding to day to day IG issues; developing and maintaining IG policies, procedures and guidance; raising awareness of IG roles and responsibilities; monitoring and reporting on compliance with statutory and regulatory obligations; providing advice and guidance to the CHS community on IG related matters; developing suitable IG training for staff and volunteers; and monitoring and responding to information security events, vulnerabilities and incidents. The IGO also acts as the organisation s Data Protection Officer and is responsible for coordinating and managing the response to all information requests received by CHS. Information Asset Owners (IAOs) Information Asset Owners are responsible for identifying, understanding and addressing risks to the information assets they are responsible for. Risks are highlighted to the IGO who in turn reports to the SIRO. IAOs are accountable to the SIRO for providing assurance on the security and use of their information assets. Joint CHS and SCRA Information Governance Group This joint group is responsible for monitoring and reviewing day to day IG issues which affect the IG frameworks of SCRA and CHS. The group will work together to develop joint IG guidance and will consider new ways to raise awareness. For CHS, the group will report to the ARMC on issues and risk. IT Officer (ITO) The ITO provides technical advice to the SIRO on matters relating to IT Security and ensures compliance with relevant standards. CHS community (all panel members, AST members, Clerks, staff and Board members) All panel members, AST members, Clerks, staff (whether permanent, temporary or contracted) and Board members shall be familiar with and comply with the IG Policy Framework. Any records created by members of the CHS community must be created and managed in line with IG policies and procedures. The CHS community are required to undertake relevant IG training which covers keeping information safe and data protection. Data Processors (including local authorities, IT service providers, panel member recruitment campaign service providers, website providers) Appropriate data processing contracts shall be established with third parties where potential or actual access to and processing of information assets is identified. All data processors will be required to complete an annual self-assessment of their information governance performance and compliance with the contractual arrangements.

7 Training Training and awareness is essential to the success of this strategy and to ensuring that the organisation meets each of the objectives outlined above. We must all complete training in data protection and the care and handling of information. Awareness of our policies and procedures relating to data protection, information security and records management is also essential to ensure confidence in the handling and sharing of information. We aim to develop and deliver a range of bespoke training and awareness methods, suitable for each role within the System. Please see details of the methods to be employed below. Pre-service training Pre-service training is delivered over seven days by lecturers employed by CHS Training Unit at West Lothian College (the CHS Training Unit) - and assisted by volunteers from the CHS Community. Volunteers act as group leaders, facilitating discussion and assisting in role play. The Data Protection Act 1998 (DPA) is covered on the training course and covers an introduction to data protection and specific guidance on keeping information safe, including panel papers and other panel and AST member contact details. On completion of the training, panel members must demonstrate their understanding of the System and their roles and responsibilities, through a Professional Development Award (PDA) assessment process, accredited by the Scottish Credit and Qualifications Framework (SCQF) Level 7. The PDA includes an assessment of panel member responsibilities in relation to the DPA and keeping information safe. Pre-service training is delivered to prospective panel members following their provisional appointment by the National Convener (usually from January onwards each year). Once appointed, panel members will be expected to attend refresher training with the CHS Training Unit on an annual basis. They will also be required to complete elearning refresher training on data protection and keeping information safe every two years. elearning Bespoke elearning courses containing an introduction to data protection and key information security messages for each role within the System are currently being produced by CHS in partnership with the CHS Training Unit. The IGO is responsible for writing the bespoke content for the training and the CHS Training Unit are developing it within their Virtual Learning Environment. All panel and AST members, Clerks, staff and Board members will be expected to complete Part A: An Introduction to Data Protection and a 10 question revision quiz. On completion of Part A, users will be directed to Part B: Key messages for [panel members / AST members / Clerks / staff / Board members] which will cover the key information security messages for each role and will be followed by a further 10 question revision quiz.

8 Volunteers without access to IT facilities will be sent a hard copy version of the elearning course to complete and return to CHS. If resources allow, local training events may be arranged to provide technical support to panel and AST members when completing the online course. Dates of completion as well as scores from the two revision quizzes will be retained on training records to demonstrate that individuals have completed the necessary training in relation to data protection and information security. The elearning course will be made available to panel members who transferred to the national Children s Panel before the end of April AST members, Clerks, staff and Board members will be provided with access to the training on a phased basis, with everyone having access by the end of March All panel and AST members, Clerks, staff and Board members will be expected to complete the training by August 2017 and then complete a shorter, refresher course every two years. Managing Information - what you need to know video CHS has produced a training video for panel members, entitled Managing information what you need to know. It highlights key tips and guidance on the management of information relating to the System, including keeping panel papers safe and using other panel and AST member contact details. The video was circulated to all panel members who transferred to the national Children s Panel in November 2013 and now forms part of the pre-service training for new panel members. It is also available on CHIRP. Panel member s understanding of the key messages highlighted in the video is assessed as part of the PDA, completed at the end of the training. All panel members are expected to have watched the video. The content is regularly reviewed by the IGO and updated accordingly. Information Governance Policy Framework To achieve best practice in the management of information, CHS has established an IG Policy Framework which encompasses all IG related policies, procedures and guidance. The framework outlines the policies that are relevant to each role within the System and so all staff and volunteers are expected to be aware of and understand their responsibilities in regard to the relevant policies. CHS asks all new panel and AST members to sign and return an acknowledgement confirming that they have read and understood each of the relevant policies and procedures. The IG Policy Framework was approved by the CHS Board and Senior Management Team (SMT) in August 2014 and subsequently made available on CHIRP and the CHS website. The framework will be regularly monitored by the IGO to ensure that it remains relevant and up-to-date and will be formally reviewed by SMT and the ARMC every two years.

9 Keeping Information Safe newsletters In the first year of operation, CHS circulated a number of Managing Information Updates to the CHS community to highlight key messages in relation to IG. As there was no process for checking whether or not the newsletters had been read by recipients, CHS investigated the use of a third party to issue the newsletters and provide regular reports on access. Advice was sought from the ICO with regards to the Privacy and Electronic Communications Regulations (PECR) and a procurement exercise resulted in Dotmailer being appointed. The first Keeping Information Safe newsletter, designed in Microsoft Publisher, was produced and circulated to the CHS community in August The next newsletter, to be issued in February 2015, will be produced using the Dotmailer application which will enable us to monitor how many people have read the newsletter and which links have been opened from it. Civil Service Learning Civil Service Learning (CSL) is a Civil Service wide elearning portal allowing access to elearning training on a range of topics, including information governance. Following review of the courses available through CSL, SMT requested that all members of staff completed the Information Asset Owner + Government Security Classifications course and that the Director of Finance and Corporate Services completed the Senior Information Risk Owner + Government Security Classifications course by the end of August All members of staff have now completed the training and have provided the IGO with copies of their certificates. All new staff members will be expected to complete the CSL training until the bespoke elearning training for staff members is available. Relationship to other Strategies A Digital Strategy, presenting the aim of a fully digitised System, is currently being developed by CHS in partnership with SCRA. When available, activities identified within this IG Strategy will be reviewed alongside the Digital Strategy to remove duplication and assess ongoing relevance against other priorities. Monitoring and Review The SMT and IGO will monitor the implementation of this strategy in terms of its supporting policies, procedures and guidance. This document will be formally reviewed by the ARMC annually.

10 Document Control Title Information Governance Strategy Author Ava Wieclawska, March 2015 Approved by CHS Board Date of approval 24 March 2015 Version number 1.0 Review frequency Annually Next review date April 2016 Status Control Version Date Status Author Amendments 0.1 September 2014 Draft Ava Wieclawska N/A January 2015 Draft Ava Wieclawska Amendments made in line with new Corporate Plan outcomes February 2015 Draft Ava Wieclawska Minor amendments following review by staff February 2015 Draft Ava Wieclawska Minor amendments following review by Communications & Engagement Officer March 2015 Draft Ava Wieclawska Minor changes to corporate outcomes and new section on relationship to other strategies following review by ARMC March 2015 Draft Ava Wieclawska Final version approved by the CHS Board subject to a removal of the reference to day 5 of the training course March 2015 Final Ava Wieclawska Final version approved by the CHS Board.

11 Annex A: Training requirements for each role Pre-service training elearning An Introduction to DP elearning Key messages for PMs elearning Key messages for AST members elearning Key messages for Clerks elearning Key messages for Staff elearning Key messages for Board members Civil Service training responsible for Info + Govt Security Classifications Managing Information what you need to know video IG Policy framework Keeping Information Safe newsletter PMs appointed post 24/06/13 PMs appointed pre 24/06/13 AST members Clerks Staff Board members