Information Governance Policy
1.1 Information governance is the framework of law and best practice that regulates the manner in which information (including information relating to and identifying individuals) is managed. It is an area of great importance since information is key to the success of the organisation.
1.2 This policy and the suite of policies which support and underpin it set out Helping Our Futures’ approach to ensuring that it has a robust information governance framework to manage its information assets.
1.3 Information Governance is an umbrella term for a number of overlapping areas. This policy and the supporting policies will deal with:
• Access to information
• Confidentiality and data protection
• Information security
• Information quality
• Records and document management
This policy will be supported by an extensive awareness raising and training programme in relation to information management responsibilities.
2.0 Purpose and Scope
2.1 The purpose of this Policy is to set out the controls and responsibilities that will operate to control the management of the wide range of information that is generated, shared maintained and archived within the organisation.
2.2 The objective of the Policy is to achieve:
• Openness – by making information available where appropriate and sharing it where good practice requires us to;
• Legal compliance – by adhering to the relevant legislative requirements to minimise the risk to the organisation through misuse
• Information security – by ensuring that information is protected against loss or unauthorised access
• Information quality assurance – by ensuring that information is accurate and up to date
2.3 This Policy applies to all areas where information is held within Helping Our Future.
2.3.1 The Policy covers all types of information held:
• Information about properties
• Information about customers
• Information about staff and Board members
• Information about other individuals
• Information about the organisation
2.3.2 The Policy applies to:
• All employees of Helping Our Future
• All Board members
• All employees and agents of external partners or contractors who in anyway support or access Helping Our Future information
2.3.3 The Policy covers all aspects of handling information, including:
• Maintaining documentary records – paper files
• Maintaining and using electronic records and databases
• Transmission of information whether verbal, email post telephone or fax
3.1 There are numerous legal obligations placed on Helping Our Future in relation to the use and management of information. This Policy has been prepared with direct regard to the following legislation:
• Data Protection Act 1998
• Human Rights Act 1998
• Computer Misuse Act 1990
• Electronic communications Act 2000
• Crime and Disorder Act 1998
• Regulation of Investigatory Powers Act 2000
• Limitation Act 1980
• Public Interest Disclosure Act 1998
In addition the provisions of the following legislation have been taken into account:
• Freedom of Information Act 2000
• Environmental Information Regulations 1992
4.1 Helping Our Future has established and will maintain the structures, roles and responsibilities for dealing with information governance set out below:
• The Chief Executive has overall responsibility for Information Governance at Helping Our Future. He has overall responsibility for the management of the organisation and for ensuring appropriate mechanisms are in place for management and security of information.
• The Executive Management Group is responsible for Information Governance at an operational level and is accountable to the Board. The Executive Management
Group will ensure that there is an adequate level of resources and expertise to ensure that Information Governance issues are dealt with.
• The Director of Legal and Governance services is the nominated Data protection Officer for the Information Commissioner’s Office. He is responsible for dealing with the regulators, the drafting of Policies, legal advice on the obligations of the organisation, assisting with procedural issues, training and supporting information governance throughout the organisation.
• The Director of ICT is responsible for managing the policies and ensuring that robust and effective security is in place in relation to electronic forms of data processing
• All Directors are responsible for the implementation and oversight of information governance policies within their areas of work.
• All staff have responsibility for the safe and proper management of the information which they process.
4.2 Helping Our Future has established an information governance steering group which is responsible for reviewing and updating policies, initiating improvements in information management and monitoring the information compliance.
5.0 Policy Framework
Helping Our Future will develop and maintain policies which deal with:-
5.1 Data Protection and Confidentiality
A policy which identifies the data which Helping Our Future processes and sets out the circumstances in which such information is obtained, handled and disclosed. Sets out the circumstances in which a duty of confidentiality arises and details the obligations on Helping Our Future and its employees in relation to such confidential information and how they will be discharged. The policy will identify categories of information and set levels of security applicable to each category. The policy will establish measures designed to ensure data accuracy and updating. It is part of data protection that data subjects are entitled to access to dates held about them. The policy will deal with identifying and responding to requests for access to data.
5.2 Information Security and ICT
Because most of Helping Our Future information is held or handled in an electronic format Helping Our Future will adapt a separate ICT code of conduct which will deal with the management of, access to and security measures in relation to electronic management of information.
5.3 Risk Assessment and Management
Helping Our Future will embed information security and risk assessment and management into the key controls of its major business risk management processes in order to safeguard the interests of customers, officers and the organisation itself.
5.4 Information Security Awareness and Training.
Employment documentation (contracts and job descriptions) will include a statement dealing with data protection and confidentiality.
Employment inductions will include sections on Data protection, confidentiality and the ICT code of conduct.
All employees will be give information governance and information security awareness training at a level appropriate to their role.
5.5 Information Sharing
The sharing of information between Helping Our Future and other organisations is permissible for certain defined purposes. Helping Our Future will establish a policy for dealing with requests for access to data. Where such exchanges take place on a regular basis Helping Our Future will establish an information exchange protocol to ensure legitimate information exchange by clear and transparent procedures. Helping Our Future will establish a policy for recording maintaining and reviewing at such protocols.
5.6 Business Continuity/Disaster Recovery Plans
Helping Our Future will ensure that business continuity plans are in place for all business critical attributes which provide for the preservation and /or recovery of information and records.
5.7 Records/Documents Management
Helping Our Future will establish a policy and supporting procedure for ensuring the integrity of records and the disposal of data records after an appropriate period.
5.8 Information Security Events Management
A mechanism for reporting and responding to breaches of information security policy will be established and publicised throughout the organisation.
. Compliance with this Policy is mandatory for everyone included within its scope. Where instances of non-compliance are suspected they will be investigated and disciplinary measures may be invoked.
Compliance audits will be undertaken and findings and recommendations reported to the Information Governance steering Group who will ensure that significant risks are assessed in the most appropriate manner.
7.0 Best Practice and Review
7.1 There will be an automatic review of this policy whenever there is a change of statutory or regulatory provisions, or when other Best Practice information becomes available that will impact on the policy. In any event there will be a substantive review of this policy every 3 years.
In addition, the Policy and the accompanying procedures will be subject to ongoing scrutiny and operational review, in consultation with all relevant stakeholders.