Appendix A
Information Management Strategy
2016-2019
Contents
3. Definition of Information Management
6. Governance Framework and Responsibilities.
Objective one: Strong Governance
Objective two: Effective INFORMATION MANAGEMENT policies and guidance
Objective three: Effective record management
Objective four: Transparency and Accessibility
1. Executive Summary
This strategy sets out the framework for Information Management in Maidstone Borough Council (MBC). Information is an essential asset for MBC. Without our information assets we simply cannot operate; an essential source of knowledge and learning, information helps to inform our decision making. It is not easy to get information management right; however, the cost of getting it wrong can be high resulting in poor decision making, increasingly punitive monetary penalties from the Information Commissioner’s Office and reputational damage that can ensue from data protection breaches and ill-conceived decisions.
The purpose of this strategy and supporting policies and procedures is to ensure that information is managed effectively and efficiently so we can find it when we need it and to be confident that it is safeguarded appropriately. It provides:
- a comprehensive and corporate approach to all aspects of information management;
- ensures legislative and regulatory compliance;
- quality of information and decision making;
- reduction in operating costs;
- safeguarding vital information;
- protection the rights of employees, customers and other stakeholders;
- Agile working efficiency and productivity.
The strategy applies to all recorded information, irrespective of content, format or source. The strategy defines information management as the means by which the Council looks after its information from its creation, through to storage, use and its disposal. It should not be viewed as a static document but as one that will evolve as legislation, best practice standards and the Council’s information needs change.
2. Vision
At the heart of the strategy is our vision for Information Management:
Maidstone Borough Council is committed to being a compliant organisation that consistently improves the way we manage our data and information. Information matters and we aim to build the Council’s capability in managing it, enabling us to increase our knowledge and insight and ultimately ensuring well informed decision-making to meet our strategic priorities and deliver excellent services.
To deliver the information management vision our information will be managed in a way that is:
· Accessible;
· Fit for purpose; and
· Open and Transparent
3. Definition of Information Management
Information Management is a term used to describe how an organisation plans, collects, organises, uses, controls, disseminates, shares, preserves and disposes of its information. The primary objective of information management is to ensure that the right information is available to the right people, in the right format and at the right time. Organisations that manage information effectively ensure that the value of the information is identified and exploited to the fullest extent.
4. Legislation and Regulation
The following legislative provisions and best practice guidelines inform the way we process information as a local authority:
· Freedom of Information Act 2000 – gives a general right of access to the information that we hold as a public authority.
· Data Protection Act 1998 and Data Protection Regulations – establishes 8 principles governing the way we process personal information.
· The Data Protection Regulations – which will likely be enacted, next year provide more stringent requirements than the Data Protection Act 1998 and will be directly applicable in all EU member states. All policies and guidelines will be required to be reviewed to ensure compliance when the regulations are enacted.
· European Convention on Human Rights
· Environmental Information Regulations 2004 – gives a right to access of information concerning the environment and elements.
· European Directive on the Re-use of Public Sector Information 2005 – public sector bodies are required to make their non-personal information available to a wider audience. Under the Directive, MBC is required to produce a information asset register showing the main categories of published and unpublished documents available.
· Transparency and Open Data Agenda
· INSPIRE law and codes of practice (spatial information)
· Local Government Records Retention and Disposal Schedule
· The Lord Chancellor’s Code of Practice on the Management of Records issued under s.26 of the Freedom of Information Act 2000
· ISO 15489-1: 2001 Information and Documentation - Records Management
5. Information Management Policies
The following policies apply in respect of information management to ensure we comply with legal requirements and meet our responsibilities effectively:
· Data Protection Policy
· Data Quality Policy
· Information Sharing Policy
· Information Security Policy (currently being updated)
· Protective Marking Policy
· Records Management Policy
· Clear Desk Policy
· Home and Mobile Working Policy
· Social Media Policy
· Computer Usage Policy
6. Governance Framework and Responsibilities
The Information Management Group (IMG) will provide clear direction, support and consideration to the management of security initiatives and information risk management.
The broad principles are as follows:
• Information Security needs to be a key consideration in everything we do as a Council
• The responsibility for compliance with good practice is with each staff member. The IMG role is to make this responsibility clear.
• The IMG will be convened with subject matter representatives from key service areas of the Council
The structure of the Group can be seen below
|
Senior Roles |
Responsibilities |
|
Senior Information Risk Owner (SIRO)/Director of Finance and Business Improvement |
Take overall ownership for MBC’s information management and act as champion for information risk. Chairman of the information management group |
|
Deputy Senior Information Risk Owner/Head of Policy and Communications |
carry out information management investigations on behalf of the SIRO and ensure any actions are delivered report information management issues to the SIRO as identified |
|
HR Manager |
Advise and report on staffing matters relating to information management |
|
Head of Audit |
Advises the group and siro on information management risks and governance issues. |
|
Head of Legal Partnership/ Monitoring Officer |
Provide Legal advice for information management including data breach investigations |
|
Chief Information Officer |
Identify and review all security incidents and determine if action is required that could affect the ISMS or the Information Security Policy; |
|
Key Roles |
|
|
Deputy Head of the Legal Partnership |
Responsible for ensuring that the Council is prepared for changes to legislation and provides legal advice on requests for information data breaches. |
|
Policy and Information Manager |
Responsible for ensuring day to day data quality and data transparency |
|
Audit Manager |
Ensures information risk is included in corporate risk management approach by services and ensures Audit reviews include information management. |
|
Information Asset Owners |
Ensures that specific information assets are handled and managed appropriately and their value to the organisation is fully exploited. |
7. Objectives
Four overarching objectives are derived from the Council’s vision. These will determine the overall plans for the continued development and improvement of information management.
· Strong Governance;
· Effective information management policies and guidance;
· Effective record management;
· Transparency and Availability
Objective one: Strong Governance
The key foundation block in embedding information management across MBC and ensuring clear ownership and accountability for Information Assets is to establish a robust information management framework. Every department, service, team and member of staff creates recorded information. Therefore are all are responsible for effective information management and this strategy relies on engagement from staff at all levels across the Council to succeed.
Overall organisational responsibility is with the Chief Executive and the Senior Information Risk Owner (SIRO). This responsibility is monitored and administered through the Information Management Group (IMG), who are responsible for ensuring the Council delivers on the objectives set out in this document, by regular monitoring, resource investment where required, championing culture change and ensuring adherence from departments across the organisation. Details on the membership of the IMG and other key roles can be seen at section six.
Information Security is achieved by ensuring that information is processed and stored securely. This is monitored by the IMG. Where incidents occur these are escalated and investigated swiftly, thoroughly and transparently and corrective action taken to ensure any incidences are minimised and prevented from reoccurring.
To embed the strategy successfully in all parts of the organisation requires understanding from staff of the value of information as an asset in the same way that they value staff or technology. In order to help this shift, there needs to be a comprehensive set of activities around learning, development, communication and monitoring.
Information management will be embedded as part of the induction process, both at corporate level and departmental level. Guidance around the key issues of information management should be easily accessible for all.
Objective two: Effective information management policies and guidance
Key policies which support this strategy have been identified at section five; these will be reviewed according to each individual policy or in light of any legislation changes.
Policies and guidance should be disseminated to managers to roll out and discuss with teams. Where significant change has taken place these will be changed and promoted to staff proactively.
In implementing each of the objectives, consideration must be given to our partnership arrangements. Protocols for sharing information with our public, voluntary and community sector partners must be established and partners must be encouraged and supported to implement their own information management practices.
Objective three: Effective record management
Achieving excellence in records management is a challenge. A suite of guidance and information on Records Management has been produced and will continue to be updated. Records should be stored according to a corporate file plan, which will be loosely based on the Information Record Management System best practice guidelines. Consistent file naming conventions will be followed to ensure information is well organised and easy to find and use. It is also crucial that version control is used to ensure that information is published as the final record to ensure that staff know which information has been agreed and approved and which is in draft or an earlier version. This will ensure that information is accurate, authentic, up to date and reliable. It will increase staff confidence in the quality of the information they refer to.
Objective four: Transparency and Accessibility
We want to create a culture where we go beyond meeting Government requirements on what we must publish and proactively publish as much information as we can, in formats that are accessible and engaging.
We will seek to understand what information people want and need and make it available for them without having to request it.
Actions
|
Action No. |
Description |
Complete by: |
Associated costs: |
|
Strong governance |
|||
|
1.1 |
Ensure appropriate training for all those with specific information management roles within MBC |
Ongoing |
External training sessions and Officer Time to facilitate and attend training |
|
1.2 |
Promoting and ensuring the programme of mandatory information management training for all staff is completed on E-learning |
31 March 2017 |
Staff time to complete training every 3 years and any additional training deemed necessary for role. |
|
1.3 |
Raise awareness of information management issues throughout MBC |
Ongoing |
Communication campaign costs – printing posters/ team meetings/ compliance sweeps. |
|
Effective information management policies and guidance |
|||
|
2.1 |
Provide guidance and procedure notes for all staff. |
31 March 2017 |
Policy and Information Officer Time |
|
2.2 |
Establish arrangements for monitoring compliance with information management policies and supporting standards, procedures and guidelines. As part of data quality checks. |
Ongoing |
Policy and Information, Audit and Transformation Officers Time |
|
2.3 |
Roll out and raise awareness and understanding of the information sharing log
|
31 March 2017 Ongoing |
Information Management Officer time/ Unit Managers to disclose who they share information with. |
|
Effective record management |
|||
|
3.1 |
Review hardcopy records across MBC, with the aim of reducing reliance - creation and storage of paper records. |
Timetable of services to be agreed for 2016-2017 |
Unit mangers and officer time |
|
3.2 |
Consider possible improvements to the security of hardcopy files and documents in Maidstone House |
31 March 2017 |
Officer time |
|
3.3 |
Establish secure disposal arrangements for records including implementing the Government Protective Marking Schedule. |
31 March 2017 |
Policy and Information Management Officers Time |
|
3.4 |
Consider whether to implement a check-in, check-out system for files being taken out of the building for key services |
31 March 2017 |
Officer time |
|
3.5 |
ICT to sweep files to remove/reduce duplication of electronic files |
31 March 2017 |
ICT Officers time |
|
3.6 |
Staff to dispose of unnecessary electronic records in line with the retention schedule and procedures regarding the recording of the disposal of records as a matter of routine. Reviewing how effective this has been. |
Ongoing |
Officer time (as a matter of routine) |
|
3.7 |
Clear out days for departments with the highest volume of unnecessary paper records |
|
Staff time/time away from day-job, disposal costs, archiving costs |
|
3.8 |
Improve the security of hardcopy files and documents enforcing a clear desk policy. |
Ongoing |
Officer time (conducting spot-checks) |
|
|
|
|
|
|
Transparency and Accessibility |
|||
|
4.1 |
Review information requests and identify common themes and information that can be published routinely |
Ongoing |
Policy and Information team time |
|
|
|||
|
4.2 |
Improve online information request forms to ensure that they provide information without request |
March 2017 |
Policy and Information Team and Digital Team time |
|
4.3 |
Work with Services to identify information that is routinely created and identify whether there is a public interest in making the information |
Ongoing |
Policy and Information Team time |
|
4.4 |
Review the quality of published information and ensure that it is understandable and accessible |
Ongoing |
Policy and Information Team time |