Post on 24-Jun-2020
www.eden.gov.uk
Approved by: Executive
Date Approved: 4 October 2016
Review Frequency: Biennial (next update due: October 2018)
Responsible Officer: M Neal, Deputy Chief Executive
Information Governance Framework
Deputy Chief Executive
V1.0
4 October 2016
Information Governance Framework V1.0 4 October 2016 Page 2 of 27
Contents
1. Introduction
2. Information Governance Policy Statement
3. Legal and Regulatory Framework
4. Scope
5. Roles and Responsibilities
6. Main Themes for Improvement
6.1 Information Governance Management
6.2 Data Quality
6.3 Information Compliance
6.4 Information Security
6.5 Information Sharing
6.6 Records Management
7. Information Governance Work Plan
1. Introduction
This Information Governance Framework and its Work Plan present Eden District Council
(“the Council”) with an opportunity to establish a robust structure for managing its information
assets but also a significant challenge. This document contains a large number of actions,
some quite ambitious, addressing a wide range of issues and involving all staff and Members
to some extent. The Work Plan therefore spans two years, from October 2016 to September
2018. It will run largely concurrently with the Digital Transformation Project, to both inform
and be informed by its development.
Information is an Asset
Information is a valuable asset, vital for the efficient management of services and resources.
It is needed to inform policy development and make evidence based decisions. Information is
important in terms of making improvements to service delivery and helping the Council to
respond more flexibly to changing customer needs.
The Council receives, generates, uses and stores vast amounts of data, in many different
forms, including: emails, its website, files stored on laptops/PC hard drives, on Sharepoint
and on servers, databases and application software and also hard copy paper files and
maps. The extent and types of information held on Eden residents, businesses and
organisations places a great responsibility on the Council to ensure it has robust policies,
procedures and systems in place to protect it.
The Council’s approach to managing its information assets has not been particularly well
co-ordinated in the past. A number of policies and procedures exist but they have been
developed largely in isolation, at different times and by different people. There has been no
overarching framework or policy to draw them together.
The Council’s Service Innovation Board identified the need for improved data governance
and data sharing in 2015, to support and enable the Digital Transformation Project. This
resulted in the creation of the Information Governance Manager post through a restructure,
implemented with effect from 1 April 2016.
What is Information Governance?
Information Governance is a term used to describe how organisations, including local
authorities, ensure that statutory, regulatory and best practice requirements are met when
they collect, store, use and share information in their possession.
An Information Governance Framework is a multidisciplinary term that encompasses a wide
range of functions, policies, procedures and systems. This Framework will provide the
Council with a coherent structure to ensure that legal and best practice standards are met
and continuously assessed.
The table below shows the six aspects of Information Governance included in this
Information Governance Framework:
Information Governance Management;
Data Quality;
Information Compliance;
Information Security;
Information Sharing; and
Records Management.
2. Information Governance Policy Statement
The Council recognises information as a valuable asset in the provision and effective management of its services and resources. It is of paramount importance therefore that information is processed within a framework designed to support and enable appropriate Information Governance. All information users (staff, Members, contractors and partners) will take responsibility for managing information in accordance with this Information Governance Framework and with all policies, procedures, guidance and systems developed to support it. Information must be managed using sound processes. The Council will ensure that it:
Conforms to all legal and statutory requirements;
Holds all information securely;
Holds all personal information confidentially;
Obtains information fairly and lawfully;
Records information accurately and reliably;
Uses information effectively and ethically;
Shares information appropriately and lawfully;
Makes available non-confidential information wherever possible to the public via the Council’s website (Open Data); and
Reviews and disposes of information and records no longer required securely.
3. Legal and Regulatory Framework
There are a number of legal obligations placed upon local authorities relating to the use of
information, including personally identifiable information. The Council needs to ensure these
legal and best practice standards are met and continuously assessed:
Data Protection Act 1998;
Electronic Communications Act 2000;
Environmental Information Regulations 2004;
Freedom of Information Act 2000;
Human Rights Act 1998;
Public Records Act 2011;
Regulation of Investigatory Powers Act 2000; and
Reuse of Public Sector Information Regulations 2005.
The General Data Protection Regulation (2018), which will come into force on 25 May 2018,
will place additional responsibilities on the Council and could quite significantly increase
demand on the Council’s resources.
4. Scope
This Framework applies to:
All information, regardless of format held and processed by the Council;
All information systems operated or managed by the Council;
All information shared by the Council with third parties, including partner organisations and contractors;
Any individual processing information held by the Council; and
Any individual requiring access to information held by the Council.
5. Roles and Responsibilities
Matters relating to Information Governance come under the Resources Portfolio. Progress on
the Information Governance Framework Work Plan will be reported to the Resources
Portfolio Holder.
The Chief Executive as Head of Paid Service, together with Senior Management Team have
overall responsibility for ensuring the delivery of an effective Council-wide approach to
Information Governance.
The Council’s Director of Finance is the Senior Information Risk Owner (SIRO). The SIRO is
concerned with the management of all information assets and information risks. The SIRO is
responsible for fostering a culture for protecting data and for managing information risks and
incidents. All breaches of information security should be reported to the SIRO. The SIRO is
heading-up the Service Innovation Board in overseeing the Digital Transformation Project.
The Deputy Chief Executive is the Council’s Data Protection Officer. He is responsible for
co-ordinating the needs of Data Protection across the Council and for ensuring compliance with
the requirements of the Data Protection Act.
The Information Governance Manager is responsible for producing the Information
Governance Framework and Work Plan, for co-ordinating the implementation and monitoring
progress of the Work Plan, for ensuring relevant policies, procedures, protocols and guidance
are in place, for advising staff and Members and for arranging training.
Each Senior Manager is an Information Asset Owner, accountable for information assets
within their service area. They should be able to understand how the information asset is
held, used and shared and address any associated risks. However, all staff and Members are
responsible for the data and information they generate, handle and dispose of.
The responsibilities for delivering specific actions under this Framework are indicated in the
Work Plan table on pages 15 to 26.
6. Main Themes for Improvement
There are six main themes for the improvement of Information Governance under this
Framework and it is expected there will be a degree of cross-over between them.
6.1 Information Governance Management
Information Governance Management is the management of Information Governance at a
corporate, managerial and operational level across the organisation. It provides the
necessary ownership, accountability and support required to ensure the development,
implementation and promotion of the required Information Governance infrastructure.
The current situation (as at mid September 2016)
The Council has identified that its management of Information Governance in the past has
not always been given the attention it deserves. However, this is now being addressed, with
the creation of an Information Governance Manager post and an acknowledgement that
Information Governance must be improved to support the work of the Digital Transformation
Project. This planned improvement is supported by the adoption of an Information
Governance Framework and Work Plan and annual reporting regime.
The Information Governance Framework encompasses a wide range of different policies,
procedures, processes, protocols and guidance and these need to be consistent with each
other and kept up to date and relevant. A regime for monitoring, reviewing and updating is to
be introduced.
A training programme will identify the various training levels required for different staff and
Members and will set out the Council’s expectations for working practices and behaviours
related to Information Governance. Also, clear guidance on the Council’s approach to the
various aspects of Information Governance will be made readily available to all staff. All staff
will be made aware of their responsibilities relating to Information Governance, particularly
with regard to Access to Information, Data Protection and Information Security and the duties
they place on the Council.
Information Governance competencies, particularly with regard to Data Protection, are
already written into all job descriptions.
Areas to be addressed
The following areas are to be addressed under the heading of Information Governance
Management and are expanded on in the Work Plan on page 15:
Introduce an Information Governance Framework;
Produce an annual Information Governance report at the end of each financial year;
Review existing Information Governance policies, protocols, processes, procedures and guidance and establish a regime to regularly monitor, review and update them;
Implement an Information Governance training and awareness raising programme; and
Recruit a Data Transparency Assistant on a temporary, part time basis.
6.2 Data Quality
Data Quality is an assessment of the fitness of data to serve its purpose in a given context.
Data is generally considered high quality if it is fit for its intended uses in operations, decision
making and planning. It is important to ensure the accuracy, coverage, timeliness and
completeness of data so that staff, Members, contractors/partners and customers are able to
trust the validity and authority of information sources and have confidence that it is up to date
and accurate.
The current situation (as at mid September 2016)
The Council has a Data Quality Statement, which is available on the website. This is a short
policy statement which is reviewed biennially and is next due to be reviewed in March 2018.
The Council reports around 50 separate data sets to the Government under the Single Data
List, which is a list of all the data that local authorities are required to submit to central
Government departments in a given year. In addition, the Council has selected a number of
Key Performance Indicators for the monitoring of its own corporate health and these are
reported internally to Management Team every six months.
For some time, contractors and partner organisations have been required to sign the
Council’s Third Party Data Quality Protocol. The protocol template has been included or
appended to contract and service level agreement documentation. However, there is no way
of enforcing the protocol and at best it is only of use insofar as raising awareness of data
quality issues.
Areas to be addressed
The following areas are to be addressed under the heading of Data Quality and are
expanded on in the Work Plan on page 16:
Ensure the Data Quality Statement is reviewed and updated on a biennial basis;
Raise awareness of the Council’s Data Quality Statement and the expectations on staff;
Introduce a register of data the Council has a duty to provide to Government under the Single Data List;
Provide guidance on writing Data Quality requirements into contracts and agreements, where data is provided to the Council by third parties; and
Review the use and benefits of Third Party Data Quality Protocols.
6.3 Information Compliance
Information Compliance is the process of conforming to certain information laws and
regulations through the application of appropriate policies and procedures. The Council
manages and processes large volumes of confidential and sensitive information about people
and has a duty to deal with it lawfully and ethically.
The current situation (as at mid September 2016)
The Council has in place the following related policies, which are published on the website:
Access to Information Policy (Freedom of Information (FOI), Environmental Information Regulations and Data Protection (Subject Access Requests)) - April 2016;
Complaints Procedure (webpage) - December 2015;
Data Protection Policy - April 2016;
Privacy Policy (webpage) - last updated June 2016; and
Regulation of Investigatory Powers Policy - December 2012.
The Access to Information Policy and Data Protection Policy were quite recently adopted and
so are not in need of updating. However, staff would benefit from more detailed and practical
guidance and training based on the policies. The Data Protection Policy is likely to require
reviewing before May 2018, in preparation for the General Data Protection Regulation (2018).
It has been identified by staff responsible for managing Access to Information requests that
there would be benefit in improving the existing process, which is unnecessarily convoluted.
It is recommended that alternative systems are explored with a view to increasing the
efficiency and robustness of processes for the management of Freedom of Information
requests.
Two of the above procedures/policies only exist as web pages. It would be preferable for all
Information Governance policies to be in a consistent format and to be subject to version
control (webpages are not).
Areas to be addressed
The following areas are to be addressed under the heading of Information Compliance and
are expanded on in the Action Plan on page 18:
Improve the process for handling Access to Information (FOI, EIR, Subject Access Requests);
Ensure any forms (including online forms) relating to Access to Information and Data Protection are consistent and comply with legislative requirements and the Council’s Information Governance policies;
Undertake Data Protection testing to ensure compliance;
Examine the requirements of the General Data Protection Regulation (2018) and the likely impact on the Council;
Provide procedures on Access to Information to relevant staff;
Review the Privacy Policy;
Introduce a CCTV Policy and Code of Practice; and
Review the Complaints Procedure.
6.4 Information Security
Information Security describes measures put in place to protect information assets and
information systems from unauthorised access, use, disclosure, disruption, modification or
destruction.
The current situation (as at mid September 2016)
The Council holds a valid PSN (Public Services Network) compliance certificate,
demonstrating that the Council’s transmission and processing of personal information is
carried out using a trusted secure network. The Council also completes and submits to the
Cabinet Office an annual Assurance Notice, which evaluates the Council’s performance
against standards set by the ‘CESG,’ the UK government's national technical authority for
information assurance.
The roll-out of fully PSN compliant encrypted laptops to staff and Members between 2014
and 2016 has improved information security, particularly in terms of accessing the Council’s
network remotely (from home or other premises). Non-corporate devices such as personal
computers are no longer able to access the Council’s systems.
The Council has the following related policies in place:
Information Security Policy - 2012;
Internet and Email Acceptable Use Policy and Authorised User Agreement - 2012; and
IT Security and Confidentiality Requirements for Home/Mobile Working - 2012.
All staff and Members are required to sign the Authorised User Agreement to confirm that
they will abide by the terms of the Information Security Policy and the Internet and Email
Acceptable Use Policy. All new staff and Members receive information about Information
Security during their induction.
The Digital Transformation Project currently under development will present opportunities to
build-in a high level of security into the new digital platform (ESB Agile). These security
measures will be designed in such a way as to protect both the Council’s information and that
of customers accessing the Council’s systems. It is important that an ongoing dialogue is
maintained between the people responsible for the Digital Transformation Project (IT and the
Service Innovation Board) and those responsible for matters of Information Governance
(within the Legal section).
The new digital platform could be subject to a Privacy Impact Assessment (PIA) during its
development. PIA is a tool to help organisations identify the most effective way to comply
with their Data Protection obligations and meet individuals’ expectations of privacy. An
effective PIA allows organisations to identify and fix problems at an early stage, reducing the
associated costs and damage to reputation which might otherwise occur. The Information
Commissioner’s Office (ICO) provides guidance and a template.
Also, the Council needs to comply with PCI DSS, the Payment Card Industry Data Security
Standard. This is a worldwide standard that was set up to help businesses and organisations
process card payments securely and reduce card fraud. The way it does this is through tight
controls surrounding the storage, transmission and processing of cardholder data that
businesses handle. PCI DSS is intended to protect sensitive cardholder data. The Council’s
current website and the new digital platform need to be PCI DSS compliant. An internal audit
is being carried out into the Council’s compliance with PCI DSS during 2016-17.
Areas to be addressed
The following areas are to be addressed under the heading of Information Security and are
expanded on in the Work Plan on page 21:
Update the Reporting of Security Incidents and Information Breaches policy and procedure;
Review and update the Information Security Policy and IT Security and Confidentiality Requirements for Home/Mobile Working policies;
Review and update the Internet and Email Acceptable Use Policy and Authorised User Agreement and Social Media Policy;
Establish an interface with the Digital Transformation Project for the duration of its development;
Consider undertaking a Privacy Impact Assessment on the new digital platform (ESB Agile) being developed under the Digital Transformation Project; and
Ensure card payments achieve compliance with PCI DSS, the Payment Card Industry Data Security Standard.
6.5 Information Sharing
Information Sharing is the exchange of data between different organisations, people and
technologies, through the application of appropriate policies, procedures and protocols.
Although maintaining confidentiality is vital, service delivery can sometimes be improved
through the appropriate sharing of data. This requires the proper governance of information
sharing practice across the Council (internally) and with partners (externally).
The current situation (as at mid September 2016)
Work has commenced to fulfil the Council’s requirements to publish data under the Local
Government Transparency Code 2015. The Code sets out the minimum data the Council
needs to publish, the frequency it should be published and how it should be published. Some
of the required data is already available on the website and it will be added to it as other data
sets become available. In publishing the data required under the Local Government
Transparency Code 2015, certain Data Standards should be observed and the Local
Government Association provides comprehensive guidance on meeting those standards.
There are a number of circumstances which involve the sharing of data with partner
organisations and contractors. An example of this is the transfer of planning records to the
Lake District and Yorkshire Dales National Park Authorities during the national park
extensions in 2016, for which Data Sharing Agreements were drawn up. However, there is no
list of the various Data Sharing Agreements across the Council.
There is currently no Information Sharing Protocol in place; such a protocol would assist in
the production of any new arrangements and agreements. It would also assist in
emergency situations such as flooding incidents when agencies need to work closely
together to protect the safety and wellbeing of residents.
The sharing of data internally within the Council could improve the efficiency of the Council’s
services but there has been resistance from some staff in the past, mainly on the grounds of
Data Protection. Clearer guidelines for staff would assist in allowing more internal sharing of
data, as would the production of an Information Asset Register (so that staff are aware of
what other data exists, where it is held and who is responsible for it). All data held on the new
digital platform will be linked to a Unique Property Reference Number (UPRN) and a unique
citizen reference, which will collectively eliminate duplication.
Areas to be addressed
The following areas are to be addressed under the heading of Information Sharing and are
expanded on in the Work Plan on page 23:
Fulfil the Council’s obligations under the Local Government Transparency Code 2015;
Draw up and maintain a list of Data Sharing Agreements held across the Council;
Introduce an Information Sharing Protocol to provide a framework for agreeing terms; and
Conduct a review into the internal sharing of data.
6.6 Records Management
Records Management is the practice of managing the records of an organisation throughout
their life cycle, from the time they are created to their eventual disposal.
The current situation (as at mid September 2016)
The Council has a Business Continuity Plan (2016), which is available on the website. The
Business Continuity Plan is an important tool that ensures services to the public (which
require access to records) are maintained in the event of a major interruption at either the
Town Hall or Mansion House.
An Information Management Strategy was produced in 2009 by the then IT Services
Manager and this document is available on the website. The main thrust of the strategy is the
migration to Sharepoint and the implications for document management.
The introduction of Document Management Systems at the Council has been beneficial in
terms of sharing information internally, in reducing capacity demands on email and in
providing a degree of version control. However, not all sections of the Council are using
these systems (in part due to concerns around confidentiality) and there have also been
some issues in terms of functionality. An audit and review of the Council’s document
management practices would be beneficial in identifying any specific issues and this would
be assisted by the production of an Information Asset Register. In fact the two exercises
could be combined.
The Council does not have an Information Asset Register. There is currently no list of
records, files or databases held by the Council. Staff will have knowledge of the different
information assets retained in their sections but there is no corporate list. A comprehensive
and definitive list of all information assets retained by the Council would help to identify areas
of duplication and spot areas of potential risk such as loss of personal data. By
understanding the nature of the Council’s information and where it is held, it will be possible
to mitigate the risks more easily.
Currently the Council does not have an approved and adopted Records Management or
Information Retention and Disposal Policy. Some work has been undertaken in this area in
the past by IT staff and the Document Management Assistant and a draft policy and user
guidelines are available (these could be revisited and further developed). A clear, workable
policy and guidelines would greatly assist staff in knowing how to store different types of
records, for how long and how to dispose of them securely.
Although some sections across the Council have their own system of Version Control of
documents, there is currently no official Council-wide system in place. This can
occasionally result in old versions of documents and reports being circulated and
consequently in confusion. A common system of version control across the Council would
provide consistency and confidence in the Council’s documentation.
Areas to be addressed
The following areas are to be addressed under the heading of Records Management and are
expanded on in the Work Plan on page 24:
Review document management practices across the Council;
Produce and maintain a corporate Information Asset Register;
Assign Information Asset Owners (IAO);
Introduce a corporate Records Management Policy (including Document Retention and Disposal);
Introduce a corporate system of Version Control;
Introduce a Confidential marking policy; and
Ensure consistency between documents and information on the website and other formats of the same information.
7. Information Governance Work Plan - October 2016 to September 2018
Aspect of
Information
Governance
Action Target Outcome Resource
Implications
Responsibility Deadline
Information
Governance
Management
IGM1: Introduce an
Information
Governance
Framework
Approve, adopt
and implement a
Framework and
two year Work
Plan
There is a clear
sense of direction,
commitment and
ownership
Officer time
Information
Governance Manager
SIRO
Data Protection
Officer
Approval at
Executive -
4 Oct 2016
IGM2: Produce an
annual Information
Governance report
at the end of each
financial year
Monitor progress,
outline keys issues
and risks and
identify areas for
further
improvement.
Report to
Executive
Progress of the Work
Plan is monitored and
any constraints, risks
and additional
resource implications
are identified.
Annual report
approved at
Executive
Officer time Information
Governance Manager
SIRO
Data Protection
Officer
End Jul 2017
IGM3: Review
existing Information
Governance
policies, protocols,
processes,
procedures and
guidance and
establish a regime
Produce a
comprehensive
list, with details of
the date
documents were
approved, where
they can be found,
who is responsible
All policies, protocols,
processes,
procedures and
guidance are current,
relevant and fit for
purpose
Officer time Information
Governance Manager
Member Services
Team Leader
IT Services Manager
HR
End Mar 2017
Information Governance Framework V1.0 4 October 2016 Page 16 of 27
www.eden.gov.uk
Aspect of
Information
Governance
Action Target Outcome Resource
Implications
Responsibility Deadline
to regularly monitor,
review and update
them
for them and when
due for renewal
IGM4: Implement an
Information
Governance training
and awareness
raising programme
Provide
specialised
external Data
Protection and
Freedom of
Information
training to
managers, key
staff and Members
in 2017-2018 and
cascade to other
staff
A culture exists
across the Council in
which all staff,
Members and third
parties recognise the
importance of Data
Protection and
Access to Information
and positive practices
are embedded in the
work of the
organisation
External
trainer @
£3,000 in
2017-2018
Officer time
Information
Governance Manager
Member Services
Team Leader
HR
End Mar 2018
Post regular
reminders on
the bulletin
board
IGM5: Recruit a
Data Transparency
Assistant on a
temporary, part time
basis
Data Transparency
Assistant in post
There is greater
capacity to undertake
Information
Governance activities
£8,000
government
grant
Information
Governance Manager
Deputy Chief
Executive
HR
End Mar 2017
Data Quality DQ1: Ensure the
Data Quality
Statement is
reviewed and
Approve and adopt
the revised
statement
Statement is current,
relevant and fit for
purpose
Officer time Information
Governance Manager
Review date -
March 2018
Information Governance Framework V1.0 4 October 2016 Page 17 of 27
www.eden.gov.uk
Aspect of
Information
Governance
Action Target Outcome Resource
Implications
Responsibility Deadline
updated on a
biennial basis
DQ2: Raise
awareness of the
Council’s Data
Quality Statement
and expectations on
staff
Provide guidance
to staff through
regular bulletins
Staff take ownership
of and seek to
improve the quality of
data within their
services
Officer time
Information
Governance Manager
Reminders to
be issued
every six
months
DQ3: Introduce a
register of data the
Council has a duty
to provide to
Government under
the Single Data List
Produce and
maintain a list and
make available to
relevant staff
Staff take ownership
of and seek to
improve the quality of
data provided to
Government under
the Single Data List
Officer time Information
Governance Manager
Staff with
responsibility for
reporting data to
Government
End Jun 2017
DQ4: Provide
guidance on writing
Data Quality
requirements into
contracts and
agreements, where
data is provided to
the Council by third
parties
Guidance is
produced and is
accessible to
relevant staff.
(could be included
in the Procurement
Strategy)
Data Quality is
assured wherever
possible at the point
of collection
Officer time Information
Governance Manager
Assistant Director,
Technical Services
Director of Finance
End Dec 2017
Information Governance Framework V1.0 4 October 2016 Page 18 of 27
www.eden.gov.uk
Aspect of
Information
Governance
Action Target Outcome Resource
Implications
Responsibility Deadline
DQ5: Review the
use and benefits of
Third Party Data
Protocols
Produce (internal)
report
The most effective
means of assuring
the quality of data
being provided to the
Council by
contractors and
partner organisations
is established
Officer time Information
Governance Manager
Assistant Director,
Technical Services
Director of Finance
End Dec 2017
Aspect of Information Governance: Information Compliance

Action: IC1: Improve the system for handling Access to Information (FOI, EIR, Subject Access Requests)
Target: Explore alternative systems and adopt the most efficient and appropriate for the Council’s needs
Outcome: The process is efficient and fit for purpose
Resource Implications: Officer time
Responsibility: Information Governance Manager; Member Services Team Leader; IT
Deadline: End Jun 2017

Action: IC2: Ensure any forms (including online forms) relating to Access to Information and Data Protection are consistent and comply with legislative requirements and the Council’s Information Governance policies
Target: Review and update the forms and cross-reference the online forms with other formats of the same information
Outcome: There is a consistent approach to providing information and all information is current, relevant and compliant
Resource Implications: Officer time
Responsibility: Information Governance Manager; Member Services Team Leader; Web Co-ordinator; Assistant Director Customer Services and Transformation; Data Protection Officer
Deadline: End Jun 2017

Action: IC3: Undertake Data Protection testing to ensure compliance
Target: Complete the ICO’s Data Protection Self Assessment Toolkit. Consider an internal Data Protection audit in 2017-2018
Outcome: The Council’s processes, procedures and systems are compliant
Resource Implications: Officer time
Responsibility: Information Governance Manager; Assistant Director, Legal Services; Data Protection Officer
Deadline: End Sep 2017

Action: IC4: Examine the requirements of the General Data Protection Regulation (2018) and the likely impact on the Council
Target: Report the likely impact and resource implications to Executive
Outcome: The Council is compliant with the regulation when it comes into force on 25 May 2018
Resource Implications: Officer time
Responsibility: Information Governance Manager; Member Services Team Leader; Assistant Director, Legal Services; Data Protection Officer
Deadline: End Oct 2017

Action: IC5: Provide procedures on Access to Information to relevant staff
Target: Produce procedures and make readily accessible
Outcome: There is a clear and consistent approach to handling requests
Resource Implications: Officer time
Responsibility: Information Governance Manager; Member Services Team Leader
Deadline: End Jun 2017. Reminders issued every six months

Action: IC6: Review the Privacy Policy
Target: Condense the content of the existing webpage, with a link to a stand-alone PDF policy
Outcome: There is a consistent approach to the Council’s suite of policies and Version Control
Resource Implications: Officer time
Responsibility: Information Governance Manager; Member Services Team Leader; Data Protection Officer
Deadline: End Dec 2017

Action: IC7: Introduce a CCTV Policy and Code of Practice
Target: Produce, approve and adopt a policy and ensure relevant staff are aware of it
Outcome: The Council’s CCTV systems are adequately managed and controlled and the information and images obtained are handled appropriately and lawfully
Resource Implications: Officer time
Responsibility: Information Governance Manager; Engineering Officer; Assistant Director, Legal Services; Data Protection Officer
Deadline: End Jun 2017

Action: IC8: Review the Complaints Procedure
Target: Condense the content of the existing webpage, with a link to a stand-alone PDF document. Consider ways of simplifying the procedure for customers
Outcome: There is clarity for customers and a clear and consistent approach for staff handling complaints. There is a consistent approach to the Council’s suite of policies and Version Control
Resource Implications: Officer time
Responsibility: Secretary to Deputy Chief Executive; Information Governance Manager; Assistant Director, Legal Services; Deputy Chief Executive
Deadline: End Dec 2017

Aspect of Information Governance: Information Security

Action: IS1: Update the Reporting of Security Incidents and Information Breaches policy and procedure
Target: Update the policy and procedure and ensure staff and Members are aware of it
Outcome: A clear and accessible procedure exists that ensures any breaches are reported and addressed at the earliest opportunity
Resource Implications: Officer time
Responsibility: Information Governance Manager; IT Services Manager; SIRO
Deadline: End Dec 2017

Action: IS2: Review and update the Information Security Policy and IT Security and Confidentiality Requirements for Home/Mobile Working policies
Target: Approve and adopt the revised policies
Outcome: The policies are current, relevant and fit for purpose
Resource Implications: Officer time
Responsibility: Information Governance Manager; IT Services Manager; SIRO
Deadline: End Dec 2017

Action: IS3: Review and update the Internet and Email Acceptable Use Policy and Authorised User Agreement and Social Media Policy
Target: Approve and adopt the revised policy
Outcome: The policies are current, relevant and fit for purpose
Resource Implications: Officer time
Responsibility: Information Governance Manager; Communication Officer; IT Services Manager; HR
Deadline: End Dec 2017

Action: IS4: Establish an interface with the Digital Transformation Project for the duration of its development
Target: Agree a regime for ongoing dialogue
Outcome: Policies and procedures are in place which are consistent with and relevant and appropriate to the needs of the new digital platform
Resource Implications: Officer time
Responsibility: Information Governance Manager; IT Services Manager
Deadline: End Dec 2016

Action: IS5: Consider undertaking a Privacy Impact Assessment on the new digital platform (ESB Agile) being developed under the Digital Transformation Project
Target: Assess the need for a Privacy Impact Assessment (using ICO guidance and template)
Outcome: Privacy is ‘designed-in’ so that the platform complies with the Council’s Data Protection obligations and meets individuals’ expectations of privacy
Resource Implications: Officer time
Responsibility: Information Governance Manager; IT Services Manager; Service Innovation Board
Deadline: In line with Digital Transformation Project

Action: IS6: Ensure card payments achieve compliance with PCI-DSS, the Payment Card Industry Data Security Standard
Target: The PARIS system is accredited and approved by the Payment Card Industry Council. Staff taking card payments comply with PCI-DSS rules and requirements
Outcome: Card payments are processed securely and sensitive cardholder data is protected
Resource Implications: Officer time
Responsibility: IT Services Manager; Senior Auditor; SIRO
Deadline: Ongoing

Aspect of Information Governance: Information Sharing

Action: ISH1: Fulfil the Council’s obligations under the Local Government Transparency Code 2015
Target: Publish all required data sets on the Council’s website under Open Data
Outcome: Government code is complied with and data is readily accessible and in the required format
Resource Implications: Officer time
Responsibility: Data Transparency Assistant; Information Governance Manager; Data Protection Officer
Deadline: End Dec 2017

Action: ISH2: Draw up and maintain a list of Data Sharing Agreements held across the Council
Target: Produce list and make available to staff
Outcome: Risks are adequately monitored
Resource Implications: Officer time
Responsibility: Information Governance Manager; IT Services
Deadline: End Sep 2017

Action: ISH3: Introduce an Information Sharing Protocol to provide a framework for agreeing terms
Target: Produce and approve a protocol and make available to staff. The protocol could be further developed into a template agreement
Outcome: Risks are minimised and agreements can be drawn up efficiently and relatively quickly
Resource Implications: Officer time
Responsibility: Information Governance Manager; IT Services Manager; SIRO
Deadline: End Dec 2017

Action: ISH4: Conduct a review into the internal sharing of data
Target: Produce a report summarising current practices, any constraints and the reasons for behaviours
Outcome: There is a culture of transparency and co-operation between departments and sections and efficiencies are increased
Resource Implications: Officer time
Responsibility: Information Governance Manager; IT Services
Deadline: End Sep 2018

Aspect of Information Governance: Records Management

Action: RM1: Review document management practices across the Council
Target: Produce a report summarising current practices, highlighting any areas to be addressed
Outcome: Processes, procedures and behaviours are identified and documented
Resource Implications: Officer time
Responsibility: Information Governance Manager; Document Management Assistant; IT Services; Assistant Director, Customer Services and Transformation
Deadline: End Dec 2017

Action: RM2: Produce and maintain a corporate Information Asset Register
Target: Audit all of the Council’s information assets and create and maintain an Information Asset Register
Outcome: There is ownership and accountability and clarity over what information the Council holds and where key datasets reside
Resource Implications: Officer time
Responsibility: IT Services; Information Governance Manager
Deadline: In line with Digital Transformation Project

Action: RM3: Assign Information Asset Owners (IAO)
Target: Designate IAOs and provide them with guidance on their responsibilities
Outcome: There is ownership and accountability in managing the Council’s information assets
Resource Implications: Officer time
Responsibility: Information Governance Manager; IT Services; Senior Managers
Deadline: In line with Digital Transformation Project

Action: RM4: Introduce a corporate Records Management Policy (including Document Retention and Disposal)
Target: Produce, approve and adopt policy and procedures and make available to all staff. Issue regular reminders
Outcome: There is a clear, traceable policy and process for managing records and documents across the Council
Resource Implications: Officer time
Responsibility: Information Governance Manager; Document Management Assistant; Secretarial Support; Assistant Director, Customer Services and Transformation; IT Services
Deadline: End Sep 2018. Reminders issued every six months

Action: RM5: Introduce a corporate system of Version Control
Target: Produce, approve and implement a policy and procedure notes
Outcome: There is a clear and consistent process for managing Version Control across the Council
Resource Implications: Officer time
Responsibility: Information Governance Manager; Secretarial Support; Member Services Team Leader; IT Services
Deadline: End Sep 2017. Reminders issued every six months

Action: RM6: Introduce a Confidential marking policy
Target: Produce, approve and implement a policy and procedure notes
Outcome: The status of documents is clear
Resource Implications: Officer time
Responsibility: Information Governance Manager; Secretarial Support; Member Services Team Leader
Deadline: End Sep 2017

Action: RM7: Ensure consistency between documents and information on the website and other formats of the same information
Target: Staff to check and cross-reference the content of their webpages regularly (including documents)
Outcome: There is a consistent approach to presenting information and all information provided is current and relevant
Resource Implications: Officer time
Responsibility: Web Co-ordinator; Information Governance Manager; Assistant Director Customer Services and Transformation
Deadline: Ongoing