Data Protection, Freedom of Information and Information/Records Management.

Transcript of Data Protection, Freedom of Information and Information/Records Management.

Page 1: Information governance

Data Protection, Freedom of Information and Information/Records Management

Page 2: Information governance

What is information governance? According to Gartner:

"the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals"

Page 3: What does this mean in practice?

Complying with:

- Data Protection Act
- Freedom of Information Act
- Environmental Information Regulations
- Cookies Directive
- RIPA
- Whatever the EU and the government come up with next

Page 4: Tools for compliance

Internal:

- Information security
- Records management

External:

- Legislation
- Guidance from ICO
- Case law from the Information Tribunal and other courts
- Standards

Page 5: Data Protection Act

- Covers personal information of living individuals
- Eight principles – fairness, specified purpose, relevance, accuracy, retention, rights of data subjects, security, transfer outside EEA
- Sensitive personal data defined, e.g. health
- Conditions for processing: Schedule 2 for general, Schedule 3 for sensitive
- Subject access requests
- Requests for changes to personal information

Page 6: Complying with the DPA

Things we do:

- Policy coming – some guidance already available
- Breach procedure coming – tell us as soon as possible
- Transfers outside the School procedure
- Embedded in project planning process
- When talking to people about their IT projects, remember to raise DP issues if the system will require processing of personal information
- Handle subject access requests – sometimes have to contact IT services for this

Page 7: Freedom of Information Act

- Respond to requests in 20 working days
- Requests have to be in writing
- More than 18 hours of work breaches the cost limit
- Some exemptions available – public interest test, prejudice test, time test
- Publication scheme
- Datasets – will be required to provide in machine-readable format

Page 8: Environmental Information Regulations

- Covers environmental information only
- Like FoI, must respond in 20 working days
- Unlike FoI:
  - Requests can be made verbally
  - Has exceptions rather than exemptions
  - All exceptions are subject to the public interest test

Page 9: Records and information management

- Records management is blurring into information management
- Records are evidence of decisions made and action taken – more formal than information
- However, more or less treated the same these days
- Main issues are:
  - Finding information, particularly that produced by other staff
  - Sharing information securely outside shared drives
  - Disposing of information – particularly electronic

Page 10: Information disposal

- Retention schedules set out how long records/info need to be kept legally
- Fairly easy with paper – box up, send to storage, destroy when the disposal date is reached, or use confidential waste sacks
- Not so easy with electronic records
- Can use a time trigger, but from when? Date created? Date last used? What if a record has not been used for four years but relates to H&S accidents, which need to be kept for 40 years?
- Applying time triggers at which level? Document? Folder?
- Deletion from systems like SITS – can you even do it, or just wait until the system is replaced? The latter is not good enough for the ICO
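
An added example (not from the slides) of the trigger problem on this page, in Python: a retention check that computes disposal dates from the record class in a hypothetical schedule and flags where a blanket "not used for four years" sweep would delete a record, such as an H&S accident file, long before its legal disposal date. The schedule, record classes and file paths are assumptions; only the 40-year H&S figure comes from the slide.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical retention schedule: record class -> (years to keep, which date
# starts the clock). Only the 40-year H&S figure comes from the slide.
SCHEDULE = {
    "general_correspondence": (6, "last_used"),
    "hs_accident": (40, "created"),
}

@dataclass
class Record:
    path: str
    record_class: str
    created: date
    last_used: date

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb in a non-leap target year
        return d.replace(year=d.year + years, day=28)

def disposal_date(rec: Record) -> date:
    """Disposal date according to the schedule, not according to idleness."""
    years, trigger = SCHEDULE[rec.record_class]
    start = rec.created if trigger == "created" else rec.last_used
    return add_years(start, years)

def review(records, today: date, naive_idle_years: int = 4):
    """Return (due_for_disposal, naive_rule_conflicts).

    The second list holds records that a blanket "unused for N years" sweep
    would delete before their scheduled disposal date."""
    due, conflicts = [], []
    for rec in records:
        if disposal_date(rec) <= today:
            due.append(rec.path)
        elif add_years(rec.last_used, naive_idle_years) <= today:
            conflicts.append(rec.path)
    return due, conflicts

# Constructed sample records.
RECORDS = [
    Record("shared/hs/accident-2008.docx", "hs_accident", date(2008, 3, 1), date(2009, 1, 15)),
    Record("shared/admin/minutes-2005.doc", "general_correspondence", date(2005, 2, 1), date(2006, 6, 1)),
    Record("shared/admin/budget-2012.xlsx", "general_correspondence", date(2012, 4, 1), date(2013, 9, 9)),
]

print(review(RECORDS, date(2013, 12, 1)))
```

Run against a real shared drive, the conflicts list is the set of files a folder-level idle-time sweep must not touch, which is the argument for driving disposal from the record class rather than from last-modified timestamps.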

Page 11: Any questions?