Information Management Policy Suite Table of Contents

Transcription

1 Information Management Policy Suite Table of Contents 1. Foreword Application Policy Suite Structure Guiding Principles Exceptions Accountability and Responsibility Approval Policy Review Policy on Information Management Policy Statement Purpose Policy Requirements Policy Support Policy on Records Management Policy Statement Purpose Policy Requirements Policy on Data Management Policy Statement Purpose Guiding Principles Policy Requirements Policy on Electronic Document Management Policy Statement Purpose Exceptions Policy Requirements Policy on Electronic Mail Management Policy Statement Purpose Policy Requirements Annex A Relevant Government of Canada Legislation, Regulations and Policies... 1 Information Management Policy Suite 1

2 1. Foreword 1.1. Application The direction provided in the Information Management Policy Suite applies to: all information created, collected and received in the OIC in the normal course of business, regardless of type and recording media; and, all employees and all contractors, consultants, students and volunteers working on behalf of the OIC Policy Suite Structure The Information Management Policy Suite is comprised of a two-level policy structure. The Policy on Information Management comprises the first level and provides general direction on the management of information in the OIC. It supports the second level within the policy structure, which provides direction within specific information management disciplines and specialty areas. The second level within the policy structure is comprised of the following: Policy on Records Management Provides policy direction on the management of unstructured records in all recording media. Policy on Data Management - Provides policy direction on the creation, use, quality control and management of structured data. Policy on Electronic Document Management Provides policy direction on the ownership, organization, storage and protection of electronic documents in local and shared folders and in an electronic document and records management system. Policy on Electronic Mail Management Provides policy direction on the organization, storage, protection and disposal of messages stored in electronic mail accounts. Both levels of the Information Management Policy Suite are supported by procedures, guidelines, tools, training and communications Guiding Principles The Information Management Policy Suite is based on the following principles. a. Information created, collected and received in the course of conducting OIC business is a valuable and strategic business resource and is the property of the OIC under the custodianship of the Government of Canada. b. All OIC employees are responsible for the management of information under their custody and control. Information Management Policy Suite 1

3 1.4. Exceptions The Information Management Policy Suite does not apply to publications and reference material maintained by the OIC library Accountability and Responsibility a. All employees, while delivering OIC programs and services, will document activities, decisions, policies, significant action taken and processes in order to account for the activities of the OIC. b. Employees are responsible for the safekeeping of all records under their custody and control. This includes safeguarding records from unauthorized access, use, disclosure, alteration, removal and destruction Approval The Information Management Policy Suite is approved by the Information Commissioner s Management Group (ICMG) based on a recommendation from the Chief Information Officer. [approval pending] 1.7. Policy Review These policies will be reviewed by the Chief Information Officer two years after implementation. Information Management Policy Suite 2

4 2. Policy on Information Management 2.1. Policy Statement The Policy on Information Management provides overall direction on the management of information within the OIC. As a critically valuable resource, it is recognized that information must be managed in the same manner and given the same consideration as financial and human resources. The Policy on Information Management is the over-riding policy within the OIC information management policy structure Purpose The Policy on Information Management provides direction on managing information as a valuable and strategic resource through the support and controls of an accountability structure to: a. ensure the integrity of information and to support the mandate and business functions of the OIC; b. ensure information is protected while facilitating access; c. support decision-making and enhance the services provided by the OIC to Parliament, the Government of Canada and the public; d. reduce costs and leverage innovations in program and service delivery; e. assist in information collaboration in the OIC and between other government institutions and stakeholders; and, f. meet statutory and policy obligations of the Government of Canada Policy Requirements Official Records Official records of the OIC are those that: are created and received in electronic form, or; contain a signature, regardless of the existence of an electronic version. Creation and Collection The collection, use, and disclosure of personal information by the OIC will be in accordance with the provisions of the Privacy Act and Regulations. Information Management Policy Suite 3

5 Description and Organization Information will be described through metadata and organized within a formal classification structure to optimize its retrieval, use and overall management. Access, Sharing and Re-Use a. Access to information will be provided to other government institutions and the public in accordance with the provisions of the Access to Information Act and Regulations. b. Information will be made accessible, shared and re-used to the greatest extent possible within the OIC, subject to technological, legal, policy and security restrictions. c. Other Government institutions, stakeholders and Canadian citizens will be provided secure, timely and convenient access to OIC records, subject to OIC and Government of Canada legal, policy and security restrictions. Maintenance, Protection and Preservation a. The integrity, authenticity and usability of information will be maintained over the course of its life. b. Information of enduring value to the OIC and to Canadians will be identified and safeguarded to ensure long-term access. c. Information deemed essential will be identified and safeguarded to provide for its recovery and use for business resumption. d. The period of time that information needs to be retained to meet legal, business and accountability requirements of the OIC will be identified and the information will be managed accordingly. e. Information will be preserved over time and through technological changes. f. Information will be safeguarded from unauthorized access, use, disclosure, alteration, removal or destruction. Classified and protected information will be managed in accordance with the Government Security Policy, the Access to Information Act, the Privacy Act and the Privacy and Data Protection Policy. Disposition a. Information will be stored in a manner that maximizes efficiencies and economies (e.g., off-site storage) while ensuring that OIC programs and services are maintained. b. Information that is no longer valuable to the OIC will be disposed of in a manner that meets statutory and policy obligations of the Government of Canada. Information Management Policy Suite 4

6 c. Information will be transferred to Library and Archives Canada (LAC) based on formal agreements between all parties. Integration Information management will be integrated into OIC programs and services, and into the ongoing planning, budgeting and management processes of the OIC. It will also be integrated into the design of new or updated technology tools and systems Policy Support This policy will be supported by other information management policies, procedures, guidelines, by manual and automated tools, and by ongoing training and communications to all OIC employees. Information Management Policy Suite 5

7 3. Policy on Records Management 3.1. Policy Statement The Policy on Records Management provides direction on managing all records, regardless of medium or form, through a life-cycle Purpose The purpose of the Policy on Records Management is to ensure that all records paper, electronic, audio, video and microform which are considered a strategic resource, are managed in a manner to: a. support the mandate and business functions of the OIC; and b. remain accessible, understandable and usable for as long as they are required to meet the legal, business and accountability requirements of the OIC Policy Requirements Capture a. All records that document the delivery of programs and services will be captured and stored within manual or automated systems or repositories endorsed by the OIC. b. Capturing records will comply with documentation standards for professional practices where these practices have been formally adopted. Organize and Describe a. All records will be arranged and organized within a current and comprehensive classification structure. b. The content and structure of records will be described through index information (e.g., metadata) that is associated to the record within manual and automated systems. c. Security classified and designated records will be identified in accordance with the Government Security Policy. d. Records deemed essential will be identified for emergency preparedness and disaster recovery in accordance with the Emergency Preparedness Act. Store and Maintain a. No OIC employee will remove any documents, correspondence, reports or other material from paper files after the files have been closed. Information Management Policy Suite 6

8 b. Inactive records will be transferred to less costly off-site and off-line facilities and media, while maintaining effective and timely access, for as long as required to meet legal, business and accountability requirements, and in accordance with established records retention schedules. c. Custodial rights to records will always be assigned to current OIC employees. Records Office staff will be informed of all transfers of custodial rights for chargedout files. The transfer of custodial rights of records will be undertaken with due consideration for the protection of sensitive information. Retain and Dispose a. All records will be assigned a retention period which will be maintained within a schedule approved by the Chief Information Officer and maintained by the Head, Records Services. b. The retention period assigned to all records will be extended or suspended (frozen) when subject to: i. a request made under the Access to Information Act or the Privacy Act (ATIP); ii. a formal investigation; iii. legal proceedings; iv. other conditions that alter the normal operational, fiscal, administrative or legal value of the records. Retention periods will be extended or suspended on an exception basis when authorized or directed by the Chief Information Officer or, in the case of ATIP requests, by the ATIP coordinator. Retention periods will only be extended or suspended for the time required. c. No record under the control of the OIC will be destroyed or disposed of without the consent or delegated authority of Library and Archives Canada. d. Transitory records, that is those required for a limited period of time, will be disposed of in accordance with the Authority for the Destruction of Transitory Records issued by Library and Archives Canada. Transitory records will be disposed of at the earliest time possible, subject to legal, business and accountability requirements. e. Records (with the exception of transitory records) will be disposed of only following authorization from the senior manager responsible for the records. f. Records will not be disposed of when subject to a request pursuant to the Access to Information Act or the Privacy Act, or when subject to pending or actual litigation, or an official investigation. Information Management Policy Suite 7

9 4. Policy on Data Management 4.1. Policy Statement The Policy on Data Management provides direction on the capture, collection, security, transfer, quality control, recoverability and management of data within the OIC Purpose The purpose of the Policy on Data Management is to ensure that data is managed: a. to ensure accessibility, security and usability for as long as required to meet legal, business and accountability requirements; and b. in a consistent and structured manner across the OIC Guiding Principles The Policy on Data Management is based on the following principles. a. The management of data is driven primarily by OIC s business requirements with consideration given to the practical, feasible and economic capabilities of technology. b. The management of data is made possible through an effective partnership between business area staff, information management specialists and information technology specialists Policy Requirements Capture and Collection a. Data will be captured once, as close to the point of collection as possible, then shared and re-used in digital format by authorized users based on a need to know. b. Responsibility for data collection will be assigned to managers in OIC programs. c. Information technology will be applied, based on a business case, to make data collection more efficient, make data and information more easily accessible, complete transactions more quickly and accurately, and support management and staff. Replication a. By default, there will be one centralized instance of any data, and a replicated instance of data for recovery purposes. Copies of data extracted and manipulated for reporting and analysis are considered a separate data set. Information Management Policy Suite 8

10 b. Data replication will be used when dictated by the timeliness and the efficiency of business processes. For example, high-volume transaction data that is shared across locations and needs to be current for all locations. c. Replicated data will be read-only, except where business operations allow inconsistencies between data repositories. Quality Data quality will be ensured by the manager in the business area having responsibility over the data, with support from the information technology specialists. Availability and Recoverability a. Backup and recovery tools, methods and processes will be applied to all data to ensure the timely availability and recovery of corrupted, lost or impaired data, or in the event of system failure. b. To remain accessible and usable over time, data and electronic documents will be migrated to new software versions. When migrating electronic documents, the original content, context and structure will be retained, along with associated information on the properties of the document. Data Architecture The data architecture will be adaptable to accommodate: i. the sharing, re-use and access of data across the OIC; ii. simplified management of distributed data; iii. rapid increases in the volume of data capture and collection; iv. changes to business processes or policy; v. improved access to data and information; vi. technology change; and vii. the use of commercial, open source and custom applications. Configuration Change Management Configuration change management will be undertaken to provide the required change control and release management procedures necessary to ensure consistency, continuity and integrity of data through software, application and system upgrades. Security a. The secure storage, access, transmittal and disposal of classified and designated data will be undertaken in accordance with requirements of the OIC Information Security Policy and with the spirit and intent of the Government Security Policy. Information Management Policy Suite 9

11 b. Data encryption will be employed for the transmission of classified and designated data over unsecured transmission means. Data encryption will be removed once transmission is complete. Disposal Data will be disposed of in accordance with the OIC Record Management Policy and Government of Canada statutes and policies. Information Management Policy Suite 10

12 5. Policy on Electronic Document Management 5.1. Policy Statement The Policy on Electronic Document Management provides direction on the ownership, filing, organization, storage and protection of electronic documents in local and shared folders and in an electronic document and records management system. Electronic documents are recognized by the OIC as being vital to the ongoing business activities of the organization Purpose The purpose of the Policy on Electronic Document Management is to: a. create rigor and structure in the manner that electronic documents are managed in the OIC; b. ensure the integrity, completeness and reliability of electronic documents; and, c. protect electronic documents having enduring value to the OIC Exceptions The Policy on Electronic Document Management does not apply to: messages (see the Policy on Electronic Mail Management) publications and reference material maintained by the OIC library Policy Requirements General The contents of an electronic document, in whole or in part, published to an OIC Internet and Intranet site will be deemed a copy. The official versions of all electronic documents are those stored in the Electronic Document and Records Management System (EDRMS). Ownership a. Custodial rights to electronic documents of an employee that is ceasing employment at the OIC will be transferred to the employee s successor or the immediate supervisor. b. Custodial rights to collections of electronic documents of a business group will be transferred to another OIC group as a result of changes in responsibilities such as re-organizations. The receiving group will assume full custody and control over the Information Management Policy Suite 11

13 electronic documents. The Chief Information Officer will authorize the transfer of electronic document collections. File and Describe a. Electronic documents created or received in the course of conducting OIC business will be filed within an EDRMS or other suitable document repository. b. When significant changes are made to an electronic document, consideration will be given to creating a new version of the document. c. The properties (i.e., metadata) of an electronic document will not be altered after the document is declared final. Organize Electronic documents will be arranged and organized based on the OIC classification structure. Access a. An OIC employee (or another authorized individual) having custody or control over an electronic document will ensure that: appropriate access rights are provided to individual employees or to groups; and at least one other OIC employee, usually their supervisor, is provided full access rights. b. Information Management staff will monitor the degree that electronic documents are shareable and accessible and not unduly restricted. c. Electronic documents that are password protected or encrypted will not be stored in an EDRMS. Store and Retain Electronic documents of enduring value to the OIC: are to be retained for as long as necessary to meet legal, business and accountability requirements; will remain accessible, based on security constraints, and will be stored in an EDRMS. Dispose Electronic documents, including preservation and back-up copies, and associated index information (i.e., metadata), will be disposed of in accordance with disposition authorities issued by Library and Archives Canada and in accordance with the OIC Policy on Information Management and the Policy on Records Management. Information Management Policy Suite 12

14 6. Policy on Electronic Mail Management 6.1. Policy Statement The Policy on Electronic Mail Management provides direction on the ownership, organization, storage and protection of electronic mail messages stored within OIC electronic mail accounts Purpose The purpose of the Policy on Electronic Mail Management is to ensure that electronic mail messages of enduring value to the OIC remain accessible to meet legal, business and accountability requirements, and to ensure the regular disposal of electronic mail messages having transitory value. Electronic mail ( ) is one of the most extensively used forms of communication between OIC employees and between the OIC and other government institutions and partners. messages, like other records created and received in the OIC, are official records Policy Requirements General a. The OIC reserves the right, without the consent of the user, to monitor, examine, copy, store, forward and disclose the contents of messages, especially in relation to investigations, legal proceedings, professional misconduct and requests under the Access to Information Act and the Privacy Act. b. Employees will ensure that accounts, or specific portions, are accessible to designated individuals during prolonged periods of absence. c. Common rules of etiquette will be followed when using the OIC system. d. accounts of employees that are no longer employed at the OIC will be removed from the system twelve (12) months after the employee s last day of employment. accounts will be removed in a manner that ensures of enduring value remain accessible and are stored in an EDRMS. Ownership a. All accounts are the property of the OIC and are provided to employees to facilitate the conduct of OIC business. b. accounts may be used for personal use on personal time. c. Employees do not have any personal or proprietary rights over messages and attachments contained within OIC accounts. Information Management Policy Suite 13

15 d. Custodial rights to messages within an account of a former employee will be transferred to a current employee. Store and Retain a. messages of enduring value to the OIC will: be retained for as long as necessary to meet legal, business and accountability requirements; remain accessible, based on security constraints, and will be stored within an EDRMS; will not to be stored on a personal drive (i.e., C drive on a computer assigned to an employee). b. Appropriate measures will be taken to reduce storage demands on the OIC s system. Protect and Secure a. Access to the OIC system is limited to employees, contractors, consultants, students and volunteers working on behalf of the OIC and who have been assigned an account. b. The OIC system will not be used to transmit any information above Protected B unless encoding or encryption methods are employed. c. Sensitive third-party information received via and residing on the OIC system will be protected from unauthorized or accidental disclosure, use or alteration. d. Scanned personal signatures will not be included within messages under any circumstances to prevent their use in a fraudulent or inappropriate manner. Dispose messages that are transitory will be: retained on the OIC system for not more than twelve (12) months from the date created or received; disposed of in accordance with the Authority for the Destruction of Transitory Records issued by Library and Archives Canada. Information Management Policy Suite 14

16 Annex A Relevant Government of Canada Legislation, Regulations and Policies Relevant Government of Canada Legislation and Regulations Access to Information Act and Regulations Canada Evidence Act Copyright Act Criminal Records Act Emergency Preparedness Act Federal Accountability Act Library and Archives of Canada Act Official Languages Act and Regulations Personal Information Protection and Electronic Documents Act (Part 2) Privacy Act and Regulations Security of Information Act Statistics Act Related Treasury Board of Canada Policies Access to Information Policy * Common Services Policy Communications Policy * Policy on the Duty to Accommodate Persons with Disabilities in the Federal Public Service Policy on Electronic Authorization and Authentication * Policy on Evaluation * Government Security Policy * Policy on Information Management * Policy on Internal Audit * Policy on Language of Work * Policy on Learning, Training and Development * Policy on Management of Information Technology * Management, Resources and Results Structure Policy * Policy on Official Languages for Human Resources Management * Privacy Protection Policy * Policy on the Use of Official Languages for Communications with and Services to the Public* * The Treasury Board Secretariat recognizes that central agency policies cannot impair the Officers of Parliament and their ability to carry out their mandate. The policies indicated with an asterisk have been identified as interfering with the accountability relationship between the OIC and Parliament and the ability of the OIC to carry out its mandate independently of government. Therefore, while they are listed as references, caution should be taken in applying their provisions to the OIC. Information Management Policy Suite 1