Quick Guide To Information Governance Policies

Transcription

1 Quick Guide To Information Governance Policies Data Protection The Data Protection Act 1998 established principles and rights in relation to the collection, use and storage of personal information by organisations. These are set out in the Eight Data Protection Principles. The Council s Data Protection Policy sets out the Council s objectives and sets out roles and responsibilities for data protection. There are two sets of objectives:- Meeting the requirement of the Act - Fair collection and legal use of information, safeguarding the rights of individuals, maintaining security over personal information, and ensuring information accuracy and quality. Managerial arrangements - Assigning responsibility for data protection, employee contractual obligations, training, supervision, dealing with enquiries and ensuring that processes are regularly reviewed. Information Sharing Any regular sharing of personal information with other agencies will require an information sharing agreement that complies with the Wolverhampton Overarching Information Sharing Protocol. Privacy Impact Assessments A privacy impact assessment is required where projects, new or changed service activities, or new ICT impact on the privacy of individuals. There are further details in the Corporate Programme Office toolkit. The data protection policy specifies data protection management roles and responsibilities for the following:- The Chief Executive, the Information Governance Board, Senior Information, Risk Owner (SIRO), Data Protection Officer, Caldicott Guardians, Information Asset Owners,and Managers. All Staff: Have a responsibility for data protection and should read, understand and adhere to any policies and procedures that relate to personal data that they may handle and to undertake any associated training.. Must understand the main concepts within the Data Protection legislation; the eight principles, sensitive data and informed consent and report any risks to the security of personal data processed to their line manager or the Information Asset Owner.

2 Must assist service users to understand their rights and the Council s responsibilities in regards to data protection and report any subject access requests to the Data Protection Lead. Freedom of Information The Freedom of Information Act 2000 (FOIA) came into full effect on 1 January 2005 and provides a general right of access to all recorded information held in any format by public authorities in England and Wales and Northern Ireland. Dealing with requests The Council will respond to all valid request requests within the statutory 20 working days. This timescale can be extended, for example if an exemption applies and we are considering whether or not disclosure is in the public interest. The requestor will be kept informed of progress in the event of any possible delay or which exemption has been applied and why. The starting point must always be in favour of disclosure and exemptions will only be applied where absolutely necessary. In all cases, the Council will consider what is in the best interests of the public and the public interest will prevail. The Council reserves the right to refuse requests where the cost of providing the information would exceed the statutory cost limit. This limit is currently 450, which equates to 18 hours' work at a statutory rate of 25 per hour. The Council reserves the right to refuse requests that it considers to be vexatious or repeated. The Council aims to publish as much information as it can; however exemptions will be applied to ensure that information which is not suitable for publication is protected. Publication scheme The FOIA includes the requirement for a Publication Scheme, to act as a guide to the information that the Council routinely publishes or intends to publish. It should provide information on how customers may browse information. The Council will maintain and regularly update the Publication Scheme. Specific responsibilities are allocated to Councillors and Corporate Freedom of Information staff. The latter will provide training, advice and support, and performance information via the FOI tracking system. All employees will: be aware of the FOI Act and what it means be able to identify any request that falls under the FOI Act follow the policy and procedures for handling FOI requests deal with all requests promptly and as a minimum within 20 working days of the Council receiving the request provide advice and assistance to persons making requests for information

3 pull on appropriate support (manager, finance, corporate FOI team) when responding to a request Information Security The information that the Council holds, processes, maintains and shares is an important asset that, like other important business assets, needs to be suitably protected. Wolverhampton City Council will maintain the highest standards of information security. Key Principles Information security will receive the regular attention of senior management through the role of the Senior Information Risk Owner and the Information Governance Board. Information risk management will be at the heart of the improvement processes for information security. All information users have an essential role to play in maintaining sound information security and they will be fully supported to enable them to achieve this. Successful implementation of information assurance across the Council is dependent on the full participation by Directorates led by their designated Information Asset Owners (IAOs). Mandatory Information Security Training There will be corporate information security training and periodic refresher training for all users of WCC information systems. Information users will also be expected to sign an acceptable use declaration. All Users Passwords - ICT access security is centred on each authorised user having a unique user id and a strong password that is kept secret and known only to them. Acceptable Use - Access to and the internet is provided for business use and users must comply with all acceptable use policies to protect the Council s information. Data Protection - The Data Protection Act is the key legislation affecting the use of personal data. Illegal disclosure of personal information can lead to the Council or the individual responsible being heavily penalised so all those handling personal information must understand and comply with the Act. Information Handling - Detailed information security and handling procedures are designed to protect the Council from identified business impacts in the event of the loss of confidentiality, integrity or availability of information. These must be complied with.

4 Information Incidents - Users must be able to identify potential information events and incidents and report these when they occur. Information Incidents Information incidents giving rise to threats to the confidentiality, integrity and availability of the Council s information are increasingly a part of everyday business. The Council through its information governance and security policies seeks to minimise the frequency of such incidents. The information security incident management policy is a key element in ensuring that the Council: - Understands and recognises actual or suspected information security events and incidents when they arise. Acts in a way that ensures that the event or incident is managed and resolved promptly, minimising the impact upon the public, the Council and its employees. Investigates incidents properly and learns any lessons necessary to ensure a cycle of continual improvement of information security Principles There will be:- A. A single information incident contact and logging point. B. A documented set of management procedures C. Prompt evaluation, escalation and remedial action D. An investigation and reporting procedure E. Risk management procedures applied Definition of an Incident The definition of an Information Incident is:- an adverse event affecting an information asset that has caused or has the potential to have an adverse effect on the public or community, or the Council, its service users, its employees, or its partners. All Information Users It is the responsibility of all Wolverhampton City Council information users to be able to identify potential security events and report these directly to the Information Incident Contact Point (ICTS Service Desk - Extn 8000 or ICT.servicedesk@wolverhampton.gov.uk) or their line manager.

5 Managers All managers should ensure that their staff are aware of their obligations under this policy and support them in meeting these obligations. Examples of Information Security Events and Incidents Examples of the most common Information Security Events and Incidents are listed below. It should be noted that this list is not exhaustive. Criminal Events: Theft of equipment, data or information, fraud or fraudulent activities; Blagging offences where information is obtained by deception e.g. unknown people asking for information, such as a password or details of a third party, that could gain them access to Council data or receiving unsolicited mail that requires you to enter password data; Attempts (either failed or successful) to gain unauthorised access to data or information stored on computer systems e.g. hacking; Copyright issues; Technical Events: Changes to information or data or system hardware, firmware, or software characteristics without the Council s knowledge, instruction, or consent e.g. malware (viruses, Trojans etc.); use of unapproved or unlicensed software on Council equipment; Unwanted disruption or denial of service to a system e.g. spam attacks; receiving unsolicited mail of an offensive nature; receiving and forwarding chain letters including virus warnings, scam warnings and other s that encourage the recipient to forward onto others; Hardware/software failures; People Events: Accidental loss of equipment, data or information including handheld devices such as Blackberries; Failing to lock a PC screen when left unattended. Human error e.g. ing personal and/or sensitive personal information outside of the Council s network either in error or without appropriate security measures in place; Sharing/transfer of data or information, including personal and/or sensitive information with those who are not entitled to receive that information; without the consent of the data subject; The unauthorised use of a system for the processing or storage of data by any person; Accessing computer systems/applications using someone else s authorisation e.g. user id and password; sharing access tokens or logins. Disclosure of passwords/writing it down, and leaving it on display where it would be easy to find and used by unauthorised users; Physical and Environmental Events:

6 Unforeseen circumstances e.g. fire or flood; Unsecure premises; Unlocked/unsecured workstations. Records Management The Council recognises that by efficiently managing its records, it will be able to comply with its legal and regulatory obligations and to contribute to the effective overall management of the Council. Records provide evidence for protecting the legal rights and interests of the Council, and provide evidence for demonstrating performance and accountability. Record Creation and Record Keeping Procedures All service areas will have in place record keeping systems (paper and electronic) that document their activities and provide for quick and easy retrieval of information. The systems will take into account the legal and regulatory environment specific to the area of work. Record Storage and Tracking Records keeping systems in all service areas will be maintained to ensure that all records are properly stored and can easily be located and retrieved. Protection and Security All service areas will maintain adequate levels of protection for records. Retention and Disposal All service areas will retain and dispose of records as part of a managed and documented process. This is increasingly important given the need for transparency and publication of data. There will be a defined process for the assessment and selection of records for disposal or preservation and for documenting this work. [Link to Retention Schedule] The records management policy assigns specific responsibilities to the Senior Information Risk Officer, Directorate/Service Area/Managers, and Contractors, consultants and agents All employees are responsible for ensuring that: Actions and decisions taken in the course of Council business are properly recorded. This policy and local service area procedures for records management are followed consistently. All information held is kept secure, and personal information is not disclosed deliberately or accidently either orally or in writing to any unauthorised third party. Records are identified for disposal in accordance with agreed policies and retention and disposal schedules.

7 Disposal procedures are implemented consistently. Data Quality Ensuring that data and information is of an appropriate quality for its purpose underpins the usefulness of information. Everyone who collects or processes data has an important role to play in maintaining data quality. Examples of some of the risks associated with data quality problems are: - Negative consequences, financial and other, as a result of submitting inaccurate or misleading data in statutory or regulatory returns Misleading external and internal impressions of organisational performance. Inappropriate decision-making and inefficient service provision. Policy Objectives 1. To instil confidence in all data and information that is used from operational information to strategic decision making information, including that which is shared with other organisations or made public. 2. Enhanced efficiency and effectiveness arising from the reduction of errors and improved accuracy and reliability resulting from a more structured approach to improving data quality. 3. To underpin the better use of information to support services and improve accessibility and transparency for the wider community and partners. Characteristics of Data Quality The characteristics of data quality are expressed in the policy in terms of:- Accuracy, Validity, Reliability, Timeliness, Relevance, Completeness For each of these headings there are specific requirements in the policy that all those involved in data input and data management must fulfil as far as possible, are defined in the Policy and these include:- All Staff - All staff have a responsibility to ensure that data is handled in a responsible way and that all reasonable efforts are made to ensure the accuracy, validity, reliability, timeliness, relevance and completeness of data. Staff must never knowingly report data which is inaccurate or incomplete and must endeavour to communicate any known risks or known variables. Information Asset Owners (IAOs) - IAO s will ensure that all data quality and records management roles are identified, assigned and coordinated by lead managers for the information assets that they control for the implementation of the requirements of this policy.

8