Information Governance and Assurance Framework Version 1.0


Page 1 of 19

Document Control: Policy and Guidance

Title: Information Governance and Assurance Framework
Original Author(s): Head of Information and Records Management (KS)
Owner: Chief Operating Officer (SIRO)
Reviewed by: Security and Information Assurance Committee
Quality Assured by: Executive Director Operations and Investigations
Meridio Location: To go in 1.07 APPROVED STRATEGIES, POLICY AND GUIDANCE / Business Policy and Guidance
Approval Body: Leadership Team
Approval Date: 11/02/14

Change History

Version | Date | Status | Updated by | Comment
 | /10/13 | Draft | Katharine Stevenson | In draft shared with Frank Garofalo and Security and Information Assurance Committee 15/01/14
 | /01/14 | Draft | Tom Stoddart | General comments and ICT detail
 | /01/14 | Draft | Luke Whiting | General comments and legislative detail
 | /02/14 | Draft | Katharine Stevenson | Changes from TS and SIAC made. Submitted to Mick Martin for QA and approval to submit to LT
 | /02/14 | Final Version | Katharine Stevenson | Leadership Team approved Framework

1. Introduction

1.1 Purpose and Context of the Framework

The purpose of the Information Governance and Assurance Framework is to formally establish PHSO's position regarding Information Governance and Assurance.

Information Governance describes the holistic approach to managing information by implementing processes, roles, controls and metrics that treat information as a valuable asset. At PHSO it involves the work of the IRM, FOI/DP, ICT and Insight and Research teams.

Information Assurance describes the confidence in the processes of information risk management specifically. It is the practice of managing the appropriate levels of availability, integrity and confidentiality whether information is in storage, processing or transit, and whether it is threatened by malice or accidental error, fraud, privacy violation, service interruption, theft or disaster.

The intent is to consolidate our Information Governance and Assurance arrangements and risk mitigation measures into one central source. The Framework therefore details the people, places and processes which are in place to ensure that the appropriate staff have access to the appropriate information, at the appropriate time. The Framework is a baseline for Information Governance training and awareness and sets out the policies and procedures all staff need to understand and apply in the course of their day-to-day work.

1.2 Framework Scope

The Information Governance and Assurance Framework is relevant to all PHSO staff (including temporary and contract staff) who create, store, share and dispose of information. Though many of the controls are concerned with the management of electronic information and associated systems, the Framework also covers paper records.

1.3 Framework Implementation

The Information and Records Management (IRM) Team will be responsible for the oversight and maintenance of the Information Governance and Assurance Framework, with assistance from other specialists in the office.

The Framework will be placed on Ombudsnet and referenced in the Induction pack. PHSO also recognises that we must demonstrate our security controls to third parties and therefore the Framework will also be published on our website.

1.4 Information Governance and Assurance Contacts

There are a number of specialists who have specific responsibility for supporting PHSO's approach to Information Governance and Assurance. In the first instance staff can contact the IRM team for support and assistance.

2. Information Risk Management

2.1 Risk Management Structure

If we use information well it helps to make our casework and other office processes more efficient and improves the services we offer to our customers and stakeholders. The risks in handling information lie not only in failing to protect it properly, but also in not using it for the public good. Managing information risk is about taking a proportionate approach so that both of these aims are achieved.

Our approach to information risk management is consistent with PHSO's Corporate Risk Policy. Since the Cabinet Office Review of Data Handling Procedures in Government, there is also a separate but complementary structure for explicitly managing information risk. In summary:

- Our Audit Committee must now maintain explicit oversight of information risk, and the Accounting Officer has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level, as well as reporting our status as part of the Governance Statement.
- The Senior Information Risk Owner (SIRO) governs the management of information risk at board level. She is also responsible for policy and for providing written advice to the Accounting Officer on the content of the annual Governance Statement relating to information risk.
- The Information Asset Owners are senior individuals involved in running key areas of PHSO. Their role is to understand and address risks to the information; to ensure that the information in their part of PHSO is used legally and for the public good; and to provide written assurance to the Senior Information Risk Owner on information security and the use of their information assets.
- PHSO has Local Information and Records Advisers to further support our Information Asset Owners and staff in our overall approach to assurance.

2.2 Our Risk Tolerance

PHSO is not willing to accept information risks that may result in significant reputational damage, financial loss or exposure, loss of information integrity, major breakdowns in information systems or significant incidents of regulatory non-compliance.

However, PHSO recognises that we cannot eliminate information risk altogether and there may be circumstances where the cost of mitigation outweighs the likely impact of the risk. Our information assurance approach provides the means to identify, prioritise and manage risk, and to balance the cost of treating a risk against the anticipated benefits that will be derived.

PHSO's Information Risk Tolerance statements are currently being developed and will be included in Annex A once approved by Leadership Team.

3. Information Assets

3.1 What are Information Assets?

PHSO recognises a number of information asset categories that are central to the efficient running of PHSO: data, software, hardware, services, casework and people.

3.2 Our Information Asset Register

Information assets are documented in PHSO's Information Asset Register and each has an Information Asset Owner assigned. Its purpose is to record the organisational areas and processes which handle information throughout PHSO. As such it is the foundation for the selection and deployment of our on-going security controls.

It is important to ensure that the register is kept up to date. Changes can be identified via a number of routes, for example an annual risk assessment, a Privacy Impact Assessment exercise or an Information Governance Audit. The IRM team is responsible for ensuring the register is kept up to date.

3.3 What is the Protective Marking Scheme?

PHSO's Protective Marking Scheme is our administrative scheme which helps to ensure that access to information is correctly managed and safeguarded to an agreed and proportionate level, covering creation, storage, transmission and disposal. The scheme is designed to support our work and meet the requirements of relevant legislation and international standards. Where a Protective Marking is used, the creator/owner is indicating the information's sensitivity and the level of security and protection they expect.

Staff should be aware of the scheme's markings and associated handling arrangements (in descending order of sensitivity):

- RESTRICTED
- PROTECT
- UNMARKED

4. Responsibilities for Information Assurance

4.1 Accounting Officer

The Accounting Officer is the Ombudsman, who has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. Information risks should be handled in a similar manner to other major risks such as financial, legal and reputational risk. Key elements of the Accounting Officer role are:

- Lead and foster a culture that values, protects and uses information for the public good. For example, support the SIRO, participate in training, and review and encourage the information assurance approach.
- Discuss information risk in the delivery chain regularly with Leadership Team, the Board and Audit Committee.
- Cover information risk explicitly in the Governance Statement.

4.2 Senior Information Risk Owner (SIRO)

Our SIRO is the Chief Operating Officer, who is familiar with information risks and leads PHSO's approach. The SIRO governs the management of information risk at Board level. For our purposes the term Board encompasses our Leadership Team, Non-Executives and the Ombudsman. Key elements of the SIRO role are:

- Lead and foster a culture that values, protects and uses information for the public good. For example, support the Information Asset Owners, participate in training, and lead the information assurance approach.
- Define the overall information assurance approach, including the Information Governance policies and the Information Assurance Framework.
- Own the overall information risk assessment process, test its outcome and ensure it is used.
- Advise the Accounting Officer on the information risk aspects of her Governance Statement.

4.3 Information Asset Owners

Information Asset Owners are senior managers involved in running key PHSO business areas. They are responsible for managing the risks associated with their information assets. Accountability for information helps to ensure that appropriate protection is maintained.

Information Asset Owners are expected to set the regime for information assurance as policy and process owners. Staff are however still responsible for compliance both with relevant legislation and with security policies and procedures.

Key elements of the Information Asset Owner role are:

- Lead and foster a culture that values, protects and uses information for the public good. For example, participate in and support the information assurance approach.
- Know their information assets: for example, which business processes use them; which systems are used; who has access to them and why; who the information is shared with and how; and how and when the information is disposed of.
- Understand and address risks to their information and provide written assurance to the SIRO quarterly. For example, contribute to the information risk management procedures and assess the impact of change on an on-going basis (using Privacy Impact Assessments).
- Ensure the information is fully used for the public good, including responding to requests for access from others. For example, negotiate, manage and approve agreements on the sharing of personal and PHSO-sensitive information between organisations, and consider whether better use of the information could be made.

The Information Asset Owner can assign day-to-day responsibility for each information asset to a manager, but overall accountability should remain with the nominated owner of the asset. In some business areas, Information Asset Owners will also work with other staff to increase awareness of information assurance procedures and measures. They will be expected to build protection measures into quality control and operational delivery.

4.4 Managers

All line managers are responsible for ensuring that they and their staff are instructed in their information assurance responsibilities, which include the correct handling of information. The responsibility of all managers includes fostering a climate in which staff give security its due attention.

Practical examples:

- Ensure new staff attend the corporate induction, which includes information governance training, and that all existing staff complete Data Protection training annually.
- Ensure all staff know about and understand the Information Assurance Framework and specifically recognise the importance of the Information Governance policies and supporting procedures and guidance.
- Actively participate in identifying potential information risks in their area and contribute to the implementation of appropriate mitigation.
- Implement the authorisation of access to data.

4.5 Staff

All staff must recognise and understand the need to proactively manage the information they create. They should consider the value and sensitivity of all of the data in their care and take personal responsibility for it.

Practical examples:

- Read the Information Governance and Assurance Framework and understand the Information Governance policies and supporting procedures and guidance.
- Attend Information Governance training, including Data Protection training annually.

4.6 Information Governance and Assurance staff

PHSO does not have one single Information Governance and Assurance team; instead the responsibilities are distributed across the office. Together they support the SIRO.

The Head of IRM is responsible for:

- the co-ordination and operational management of the Information Governance and Assurance approach;
- reviewing Information Governance and Assurance compliance, and ensuring quality control and alignment with the Information Assurance Maturity Model and other professional standards;
- the creation, monitoring and enforcement of PHSO's Records Management, Retention and Disposal, and Information Security policies;
- ensuring PHSO is complying with the eight Data Protection Principles, and providing advice, guidance and training to staff, procurements and projects involving information requirements;
- handling information security breach incidents;
- records management: monitoring compliance with its standards and raising awareness of records management practice. Responsibility for the day-to-day management of records is devolved to individual business areas, and Local Information and Records Advisers support this.

The Information and Records Manager(s) support the Head of IRM in the co-ordination and management of the information assurance and records management approaches.

The Head of FOI/DP is responsible for:

- ensuring PHSO complies with requests for information under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004, and with Subject Access requests and requests for information relating to cases under the Data Protection Act 1998, the Health Service Commissioners Act 1993 and the Parliamentary Commissioner Act 1967;
- helping to maintain an effective relationship with the Information Commissioner's Office and responding to correspondence from that office on complaints about PHSO's handling of information requests;
- in conjunction with the FOI/DP Officers, acting as a source of advice and expertise to PHSO staff about information legislation generally, including the release of information during an investigation and compliance with the Data Protection Act.

FOI/DP Officers support the Head of FOI/DP.

The Head of ICT, as IT Security Officer (ITSO), is responsible for:

- supporting production of the RMADS in accordance with IS1 and IS2;
- accrediting PHSO's ICT systems, accepting residual risk on behalf of the SIRO where it is clearly within PHSO's normal risk appetite;
- representing security requirements in the procurement, design and implementation of PHSO's ICT architectures, including software, platform and infrastructure as a service (SaaS, PaaS, IaaS);
- conducting technical risk assessments against PHSO's Information Security Management System, using CESG IA methodologies where appropriate;
- assisting PHSO in the routine application and interpretation of ICT security policies and practices;
- agreeing the Security Policy and guidance, the ICT Acceptable Use Policy, the Security Operating Procedures (SyOPs) and the Forensic Readiness Policy, and ensuring these are updated as IT security threats emerge and evolve;
- maintaining PSN Code of Connection compliance;
- maintaining PHSO's relationship with CESG and CPNI.

The Learning and Insight Manager is responsible for our Information Promise and the Information Sharing Policy, promoting and updating them with assistance and advice from the IRM and FOI/DP teams.

5. Third Party Arrangements

5.1 Contractual Obligations

PHSO uses the information assurance/security elements of the Office of Government Commerce (OGC) model terms and conditions for ICT Services and Contracts, which are the approved Government standards for ICT services contracts and which embody current policy and best practice. PHSO also specifies security requirements in non-ICT services contracts which handle personal and organisationally sensitive information.

5.2 PHSO suppliers

PHSO has a small number of suppliers who handle personal and sensitive business information on our behalf (e.g. TNT). PHSO is committed to working with suppliers to drive data handling improvements throughout the delivery chain. Review meetings are held with suppliers periodically to discuss any issues that arise during the course of the contract.

6. Working with information

6.1 Legal and Regulatory Framework

In managing information risk PHSO will comply with all relevant legislation.

- The Data Protection Act 1998 (DPA) imposes statutory obligations on anybody processing personal data. The DPA makes clear that PHSO is legally responsible for ensuring that the personal information it creates, collects, uses, stores or otherwise processes is handled and protected in accordance with the requirements of the DPA.
- The Parliamentary Commissioner Act 1967 regulates the use and handling of information collected by PHSO for the purposes of carrying out investigations under the Act. The Act includes restrictions on when information obtained for the purposes of an investigation can be disclosed.
- The Health Service Commissioners Act 1993 likewise regulates the use and handling of information collected by PHSO for the purposes of carrying out investigations under the Act, and includes restrictions on when information obtained for the purposes of an investigation can be disclosed.
- The Freedom of Information Act 2000, together with the Environmental Information Regulations 2004, establishes a statutory regime for public access to information held by public authorities. The appropriate balance must be struck between this right of access and the need to protect personal and business sensitive information, applying exemptions where legitimate and where the public interest is best served by withholding the information.

Other relevant legislation includes the Computer Misuse Act 1990 and the Human Rights Act 1998. The Health and Social Care Act 2012 also enables us to share information with relevant stakeholders (see Information Sharing Policy).

PHSO is working towards achieving appropriate levels in the Information Assurance Maturity Model. Work to modernise and improve information governance and assurance policies and processes will continue, and it is expected that we will manage our specific security risks over and above the baseline measures. PHSO is committed to keeping abreast of change and will respond to threat and circumstance appropriately.

6.2 Our Information Policies

The Information Governance policies

The purpose of the Information Governance policies is to provide the tools that support the effective use of information and technology while maintaining an environment of controlled risk and value-for-money investment. In this way, the policies aim to enable PHSO to:

- Deliver its strategic priorities
- Meet its responsibilities to its external stakeholders and complainants
- Comply with legislation

The Information Governance policies are as follows:

- Archive Policy
- Clear Desk Policy
- Cookie Policy
- Digital Preservation Policy
- Forensic Readiness Policy
- ICT Acceptable Use Policy
- Information Security Breach Policy
- Information Sharing Policy
- Privacy Policy
- Records Management Policy
- Retention and Disposal Schedules
- Security Policy

The high level policies are supported by a number of more detailed guidance documents:

- Case File Structure Guidance
- ICT Control Procedures
- Records Management best practice guidance (including Meridio)
- Remote Working and BlackBerry Security Operating Procedures (SyOPs)
- Security Guidance

The Information Promise

PHSO is required to hold and process certain personal data in order to fulfil its operational and legal obligations. The Information Promise is our ethos on how PHSO manages the information provided to us by our customers. PHSO's Information Promise sets out our responsibilities in respect of personal information and explains how the public can request information we may hold about them. It demonstrates that we recognise the importance of the lawful treatment of personal information and ensures confidence in the organisation. The Information Promise is the externally facing vehicle by which we communicate our internal information governance policies (e.g. Records Management, Retention and Disposal) on how we manage customer information.

6.3 Creating and Receiving Information

Information that staff create during the course of their working life is considered recorded information if held:

- Electronically: for example, an email, Word document, spreadsheet or audio recording, in Meridio, SharePoint, Engage, Visualfiles or any other system
- Physically: for example, a printed letter, handwritten notes, a photograph or an x-ray

Information staff receive during the course of their working life is also considered recorded information. This includes information originally created by a colleague, another organisation, a customer or a third party.

All recorded information is subject to the Freedom of Information Act 2000 and the Environmental Information Regulations 2004. All recorded personal data is subject to the Data Protection Act 1998. Recorded information must be disclosed on request unless there is a valid exemption for withholding it. Staff should therefore be aware of the type and volume of information they are handling. Further information can be found in the Records Management Policy.

Type and Volume of Information

The type and volume of information created and received will have a direct impact on how staff are expected to handle it: for example, the security arrangements that will be necessary; who will be entitled to access and use the information; and how (if at all) it should be shared outside PHSO. In particular, the information staff create and receive may contain the following types of key information:

- Personal information: this relates to individuals, often our customers or sometimes our stakeholders and staff. For example, biographical information or views and opinions recorded about someone.
- Business sensitive information: information can be considered business sensitive if PHSO or a third party organisation would be affected by any loss of, or unauthorised access to, the information. For example, information marked PROTECT or RESTRICTED under PHSO's Protective Marking Scheme, or marked under the Government's Protective Marking Scheme.

The volume of information, along with the nature of the information, can define the risk posed by any breach of security. For example, the loss of one person's bank details (although important) does not have the same impact as losing the bank details of 10 million people; the loss of one person's medical record can however cause substantial damage and distress to the individual concerned.

Collecting Personal Information

PHSO would be unable to fulfil many of its functions without collecting personal information from bodies in jurisdiction and/or individuals. A legitimate need to collect personal information, for example in order to undertake an investigation into a complaint, provides the justification to collect and use personal information, meeting Principle 1 of the DPA. Staff must take care to request only information which is likely to be relevant to their investigation.

6.4 Storing Information

Protecting Information: the layered approach

Once information is captured it must be protected. Security involves a number of distinct measures which form part of a layered approach. The approach starts with the protection of the asset at its source, for example protecting the ICT assets (e.g. PSN CoCo), and then proceeds progressively outwards to include security measures at PHSO offices. PHSO has a number of policies and procedures which staff must follow to assist with this layered approach. Examples include:

- ICT Acceptable Use Policy
- Security Operating Procedures for remote and mobile working
- Control Procedures for ICT Administrators, covering removable media, backups, secure disposal, security vetting, account creation and deletion, and incident response
- Clear Desk Policy
- Security Guidance

Storage

Physical information assets such as case files or HR, Finance or Procurement files which no longer require regular access but need to be retained until their retention period has expired should be prepared for offsite storage, submitted to the IRM team for registration and deposited at the offsite storage facility (TNT). Electronic information will remain in situ until its retention period is reached, when it will either be deleted or migrated to the PHSO Archive for permanent preservation.

PHSO Archive

PHSO has a physical and electronic archive where information assets selected for permanent preservation are kept. Records are selected in accordance with our Archive Policy.

6.5 Sharing Information

Sharing information with colleagues and stakeholders

Information can be shared where appropriate and in line with relevant legislation and internal policies (e.g. the Information Sharing Policy). PHSO staff have a responsibility to ensure that information is secure when it is being shared, whether internally or externally. All movement of information between people, organisations or ICT systems involves an element of risk. At the same time, people have expectations of us whenever we access, receive or handle information, especially if the information is personal or business sensitive.

To encourage greater knowledge sharing within PHSO, Meridio and Visualfiles follow an ethos of open access, except for staffing and business sensitive information or highly sensitive casework. Staff are reminded however to always be mindful of the information they have access to.

Sharing data by hardcopy documents

Internal sharing of hardcopy documents must follow the Protective Marking Scheme and Associated Handling Arrangements. The Clear Desk Policy must also be followed.

External sharing of hardcopy documents must also follow the Protective Marking Scheme and Associated Handling Arrangements. Where personal data is being shared with stakeholders, Information Sharing Agreements in line with ICO best practice must be created, approved and followed.

Sharing data by email

The Protective Marking Scheme and Associated Handling Arrangements must be followed when sharing information by email. Personal or business sensitive documentation being shared with customers, stakeholders or other third parties over non-secure networks (e.g. Gmail, Yahoo) must be password protected. Guidance on secure email and on how to password protect documents can be found on Ombudsnet.

Sharing data by removable media

Removable media is not allowed; please contact ICT for guidance and advice.

Third Party Access to PHSO network

Access to PHSO ICT systems can be gained in three ways:

1. From a desktop terminal within PHSO, which provides access to a PHSO domain user account. This is subject to the ICT Acceptable Use Policy.
2. Using a PHSO laptop and authentication token, which provides access to a PHSO domain user account. This is subject to the ICT Acceptable Use Policy and SyOPs.
3. Using a PHSO-issued BlackBerry, which provides access to PHSO email and calendar. This requires the user to have a PHSO domain user account, administered by PHSO. This is subject to the ICT Acceptable Use Policy and SyOPs.

Access is granted to PHSO systems following a decision by the IT Security Officer, and is usually subject to completion of BPSS checks, or SC clearance where administrative access is granted.

6.6 Disposing of Information

Information Disposal

Information is retained by PHSO to support its operational business functions and to fulfil its legal obligations. At the end of its operational purpose it needs to be disposed of: this means either preserved permanently in our PHSO Archive, or destroyed.

PHSO's Disposal Schedule can be found in the Information Asset Register and details the period of retention and the disposal action necessary to manage the information lifecycle. The retention periods and disposal actions detailed in this schedule are supported by legislation and best practice and should be applied to all information retained by PHSO. Where possible the retention periods and disposal actions will be undertaken and managed by PHSO's Electronic Document and Records Management System (EDRMS, Meridio). Where this is not possible, the Information Asset Owner is responsible for the application of the retention period and disposal action detailed in the schedule. Please contact the IRM team for further advice and guidance.

Preservation

Information that is to be retained for an extended period will be subject to the Digital Preservation Policy, to reduce the risk of loss through obsolescence and degradation and to ensure its on-going accessibility. Hardcopy records will also be preserved in accordance with best practice standards. Records selected for Permanent Preservation will be stored in our PHSO Archive.

Information Destruction

Personal and business information must be securely disposed of. PHSO has arrangements in place for the secure disposal of information, with secure disposal bins, confidential waste bins and shredders at both sites.

7. Training and Culture

Fostering a professional culture and developing a positive attitude toward managing our information assets is critical to the successful delivery of this Framework. Information Assurance must be seen as an integral part of, and a key enabler to, effective PHSO business.

Training

All new and existing staff are required to undertake Information Governance training on appointment, and Data Protection training annually. This has been made mandatory by Leadership Team. Information Asset Owners will receive an IAO Briefing on their role and responsibilities on appointment and attend training offered by The National Archives. The Senior Information Risk Owner will attend regular SIRO network briefings and other training offered by The National Archives. We will also provide our Board and Audit Committee with relevant training and briefing information should they choose to undertake the training.

Guidance

PHSO has provided a range of technical and policy guidance to staff via Ombudsnet and internal publications. This guidance covers the use, creation, protection, access and disposal of PHSO's information.

Disciplinary Procedures

Breaches of information security could result in disciplinary action. The kind of action will depend on the nature of the breach and will be dealt with in accordance with the Capability and Disciplinary policies. The ICT Acceptable Use Policy states that inappropriate use of PHSO's ICT assets may result in action being taken under the misconduct procedure and, in cases of gross misconduct, this may include dismissal.

8. Incident Reporting, Recovery and Contingency

Reporting Information Losses

Staff should report any loss of paper or electronic (e.g. email) records to the Head of IRM in line with the Information Security Breach Policy. Loss of ICT equipment (including BlackBerrys and laptops) should also be reported to the Head of ICT. ICT will log the loss of the ICT asset and arrange a replacement. At the same time staff should ensure that their local Information Asset Owner is also notified of the incident.

Incident Management and Escalation

17 The Head of IRM will assess all information losses by completing an incident breach form which will help to determine the sensitivity of the information and impact of the potential loss. The actual and/or potential harm to individuals is the overriding consideration in deciding whether a breach of data security should be reported to the individuals concerned and/or the Information Commissioner s Office (ICO). Only the SIRO is authorised to permit the Head of IRM to report incidents to the ICO. The Head of ICT will assess all technology related incidents reporting to CESG or CPNI as required. Recovery PHSO makes regular daily backups of our corporate systems. Backups will be taken at a point in time (nightly) and therefore will not include any information or files created before the next backup is taken. Desktops are not backed up and staff must not store items there, in line with our Records Management policy. Business Continuity Management Information Security is a key element of business continuity management. In the event of a significant interruption to service, PHSO s Business Continuity procedures will be actioned. 9. Audit, Monitoring and Review 9.1 Monitoring Information Access and Use ICT Assets PHSO is required to ensure that its ICT Acceptable Use Policy and its other rules and procedures are followed. PHSO also has a legitimate interest in protecting its reputation and communication systems, limiting its exposure to legal liability and ensuring that users conduct themselves and perform their work to the level expected of them. PHSO automatically monitors all users use of ICT assets on a continuous basis and reserves the right to further monitor users use of its ICT assets, without advance notice, in accordance with the terms of the Policy. 
Information obtained as a result of monitoring will not normally be used for purposes other than those for which monitoring was carried out, unless it reveals information that PHSO cannot reasonably be expect to ignore (for example, a breach of the ICT Acceptable Use Policy or evidence of criminal activities). All use of ICT evidence in investigations is subject to PHSO s Forensic Readiness Policy. Information Assets The Information Governance Compliance Programme outlines the approach to monitoring and reporting of access, use and disposal of information held in our ICT systems, including Meridio, Visualfiles and SharePoint. Privacy Impact Assessments and Information Governance Audit Page 17 of 19

18 A Privacy Impact Assessment (PIA) is initiated as a result of a proposed change and is a process whereby potential privacy issues and risks in a project or process are identified and examined, from the perspectives of all stakeholders, and a search is undertaken for ways to avoid or minimise privacy concerns. Information Asset Owners should be instrumental in the completion and approval of a PIA. An Information Governance Audit seeks to understand all aspects of an existing information asset, for example the type and nature of information involved; which business processes use the information; which systems are used; who has access and why. The Audit is therefore similar to a PIA, but is undertaken on projects/process changes that have already been implement. Information Asset Owners should be instrumental in the completion and approval of an Information Governance Audit. 9.2 Risk Assessments Quarterly Assessments PHSO s Audit Committee and Accounting Officer will review information risk quarterly on the basis of a report from the Head of IRM and Head of FOI/DP on Information Governance Compliance in PHSO. Information Asset Owners are expected to contribute to the quarterly risk assessment by completing the IAO quarterly assurance statement. In doing so, they identify and, where appropriate, formally accept significant risks introduced when personal or business sensitive information is moved or shared. Annual Assessments There will be an annual assessment of information risk, which will support the Senior Information Risk Owner in providing written assurance/advice on the Governance Statement to the Accounting Officer. The assessment will cover the effectiveness of the Information Governance and Assurance programme and will be informed by the written IAO annual assurance statements and compliance checks carried out as part of the Information Governance Compliance Programme. Internal audit inspections should also be taken into consideration. 
9.3 External Accountability, Transparency and Progress Reporting PHSO promotes transparency about its information risks and incidents. PHSO has published its Information Promise on our website which sets out for the public our standards for handling personal information and how they can address any concerns that they may have. All staff are aware of and uphold the Promise. Each year PHSO will set out in its Annual Report summary material on information risk, covering the overall judgement in the Governance Statement, numbers of information risk incidents sufficiently significant for the Information Commissioner to be informed, the number of people potential affected and action taken to contain the breach and prevent recurrence. Page 18 of 19

19 9.4 Keeping the Framework under Review The Framework should be subject to an annual review. The Review will be carried out by Head of IRM in consultation with the Head of ICT, Head of FOI/DP, Insight and Research Manager, Health Policy Team and the Security and Information Assurance Committee. Page 19 of 19


More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

Council Policy. Records & Information Management

Council Policy. Records & Information Management Council Policy Records & Information Management COUNCIL POLICY RECORDS AND INFORMATION MANAGEMENT Policy Number: GOV-13 Responsible Department(s): Information Systems Relevant Delegations: None Other Relevant

More information

University of Brighton School and Departmental Information Security Policy

University of Brighton School and Departmental Information Security Policy University of Brighton School and Departmental Information Security Policy This Policy establishes and states the minimum standards expected. These policies define The University of Brighton business objectives

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Version: V1 Ratified by: Operational Management Executive Committee Date ratified: 26 September 2013 Name and Title of originator/author(s): Chris Brady, FOI, Data Protection and

More information

School of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy

School of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy School of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy Page 1 of 10 Contents 1 Preamble...3 2 Purpose...3 3 Scope...3 4 Roles and responsibilities...3

More information

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...

More information

Operations. Group Standard. Business Operations process forms the core of all our business activities

Operations. Group Standard. Business Operations process forms the core of all our business activities Standard Operations Business Operations process forms the core of all our business activities SMS-GS-O1 Operations December 2014 v1.1 Serco Public Document Details Document Details erence SMS GS-O1: Operations

More information

Information Governance Policy

Information Governance Policy Policy Policy Number / Version: v2.0 Ratified by: Audit Committee Date ratified: 25 th February 2015 Review date: 24 th February 2016 Name of originator/author: Name of responsible committee/individual:

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3

More information

Information and Data Security

Information and Data Security Information and Data Security Guidance for Knowsley Schools Version 4.0 Version Control Record: Revision Date Author Summary of Changes V1.0 19 th November 2008 L Hornsby V2.0 18 February 2010. Maria Bannister

More information

Highland Council Information Security Policy

Highland Council Information Security Policy Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...

More information

Information & ICT Security Policy Framework

Information & ICT Security Policy Framework Information & ICT Security Framework Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT & Regulation Group and IMG January

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

Records Retention and Disposal Schedule. Information Management

Records Retention and Disposal Schedule. Information Management Records Retention and Disposal Schedule Information Management Version control Version Author Policy Approved By Approval Date Publication Date Review Due V 1.0 Information Governance Unit Philip Jones,

More information