The Information Management Journey Sheffield City Council October 2013.

transcript

The Information Management Journey Sheffield City Council

October 2013

Paul Green

Director of Business Information and Transformation ServiceSheffield City Council

Information Matters!

“Most councils could and should improve their information”

Exemplar councils have the right culture, people and standards to provide good information, but most councils do not, and so are missing opportunities to improve services and save money.

The Audit CommissionIs There Something I Should Know – June 2009

Central Government and Local Government Digital Strategies

• INFORMATION at the heart of both strategies

• Outcomes that service users value delivered by people, performing processes, with INFORMATION, underpinned and enabled through technology

• Services, whether internal or external should be designed as" digital by default”

• CIO leadership role critical to make more intelligent and collaborative use of INFORMATION and technology

• Political and Executive Leadership need to recognise transformational change will only be realised with effective information management

Who should own Information?

• Information Assets (IA) are organised sets of validated Information that are valuable and easily accessible to those who need it.

• Information Asset Owners (IAO) are individuals within the organisation appointed and responsible for ensuring that specific information assets are handled and managed appropriately.

• Role of the CIO – To provide a robust Governance framework for the organisations Information Assets – “Information Management”

Why is it important to manage Information corporately?

• Information Strategy• Information Management Policy• Information Security Policy• Records Management Policy• Data Management Policy• Senior Information Risk Owner (SIRO)• Information Governance• Information Assurance• All of the above managed by the organisations CIO

Information management, assurance and transparency – in 5 years time will…

• be managed at every point in its lifecycle• Create or Acquire Information• Validate – is it fit for purpose• Store – it is stored securely and accessible• Protect – is it classified correctly• Update – controlled by the IAO• Publish – to those who need access• Dispose – appropriately via a retention policy

What happens if we ignore these dimensions?

• Organisations run the risk of penalties for failure to safeguard sensitive or personal information assets.

• The above can place the public at risk• Up to date Information is unlikely to be easily

available, accessible and of value for the organisation in making key and critical decisions

• Service redesign will be difficult – can the current baseline data be trusted on which to make changes

• The public lose trust with us

Sheffield City Council – Information Management Journey

Appointment of CIO – January 2007

Created Business Information Solutions (BIS) Team

Convinced Chief Executive to allocate ownership of Information Management to BIS (no previous owner allocated or identified)

Identified need to take action – what were the issues

Secured monthly 1:1 with Chief Executive

Recommended a ‘Proof of Value’ exercise to validate suspicions

Getting Started

The Information Management Proof of Value Project

• Commissioned by Executive Management Team (EMT) in August 2008

• EMT Objectives:

• Identify how much current IM processes are impacting on service delivery

• Where are the current Information Security Risks and potential organisational and customer impact

• What actual benefits would ‘best practice’ IM bring for the service and constituents of Sheffield

The Information Management Proof of Value Project

Project Objectives:

• Report IM impact to EMT

• Develop scalable approach for subsequent IM initiative

Project Approach:

• Executive Management Team to volunteer a service area for scrutiny

• Single process within Adult Social Care identified

• Tested Information Audit Survey

• Validated via interviews and mapping of information flows

Example: Care in the Home Information Flow

Care Manager assesses need

Customer highlights need

Care worker delivers care plan & meets need

NEED CARE PLAN

Care in the Home Information Flow

PERCEPTION OF NEED

CARE REQ

Customer Services gather required info

Resource management team log req

Home Care Manager creates detailed care plan

CARE REQ

CARE PLANDELIVERED CARE

FAPRA charge for care

Planning co-ordinator plans resource

CARE REQ

PERCEPTION OF NEED

CARE REQ

PERCEPTION OF NEED

CARE REQ

PERCEPTION OF NEED

Information Management Proof of Value Project – Findings

• SCC and its customers are exposed to unacceptable levels of risk through loss of information

• SCC senior management is at risk of action by the Information Commissioner’s Office (ICO) as a result of breach of Data Protection legislation

• Information is not accessible to staff

• Key data sets are inaccurate

• Access to information is dependent on physical access to information – a direct obstacle to mobile/flexible working (Workstyle) initiatives.

• Avoidable costs are incurred due to lack of efficiency

• Data sets are not currently structured to support a Modern and Efficient Council

Alongside IMPOV - Identify & close down security risks

• Laptop encryption

• Sanctuary Deployment

– Network protection

– Data Leakage

• Virus Protection

• Blackberry Protection

• Installation of blinds in printing room

• Securing windows in server room

• Rigorous USB process implemented

• Establish Information Governance Board

• Information Security Health Check with Strategic ICT partner

• Developed Corporate Information Security Risk Register

• Reviewed fortnightly at 1:1 with Chief Executive

• Reported to Portfolio Leadership Management monthly across organisation

Immediate mitigations included:

"In an environment of ever increasing customer expectations, spiralling pressures to demonstrate efficiency and a desire to deliver modern, efficient and customer focused

services, we have to recognise information as a key corporate asset and a major responsibility"

Cllr Simon Clement-Jones

Cabinet Member for Finance and Customer Focused Services

"As an information wealthy organisation, alongside people, information is one of our greatest assets. How we manage, exploit, manipulate and protect this key asset will increasingly

determine our success in transforming our organisation and the way we deliver services"

John Mothersole

Chief Executive, Sheffield City Council

The Result?

Next Steps: Initiate the Information Management Programme (IMP)

• EMT Approval - Joint sponsorship of IMP with Chief Executive and CIO

• Programme Board of Portfolio Reps, Strategic IT partner and Information Services

• Dedicated Programme Manager reporting to the CIO

• IM Vision & principles developed in collaboration with all Portfolios and Major Transformation Programmes

• Blueprint to meet IM best practice developed and approved

• Work streams shaped to deliver blueprint capability – all with Directorate input

Vision, Strategy & Policy

•IM Vision•IM Policies•IM Strategies

IM Governance

•Info Governance Board

•IM Steering groups

•PIRO /IAOs

IM Toolkit

•Function Analysis

•Information Asset Register

•Info Risk Assessment

•Risk / Opportunity Register

•Action Plan•Retention Schedules

•Classification Schemes

•E-Mail Management

•R&R for IRO/ IAO

Education & Awareness

•Directors Workshops

•Senior Manager Workshops

•Member's Workshops

•Info Security Training for all employees across the organisation and key partners

•Programme Communications

Enterprise Content

Management

•Gap Analysis•Rationalisation Opportunities

•Advise on Technology Investment

Metrics & Benefits

Realisation

•Range of measures to monitor BR

The Information Management Programme

IMP Work Stream Summary

• Mandated attendance for all Senior Directors at 3 hour workshop

• Mandated attendance for all Senior Managers at 2 hour workshop

• Mandated attendance for Members (delivered alongside allocation of IT)

Key Tool: The IMPOV findings

• Mandated completion of Information Security Training by all officers and members driven by business Directors

• E-learning for IT users (5000 staff trained in 12 months)

• Workbooks for non-IT users (1500+ staff trained in 12 months)

Critical Success Factor: Education & Awareness

• 1:1 with Chief Executive & Lead Member for Information Services

• IMPOV findings at EMT

• Director’s & Manager’s workshops – IMPOV & Soham case making it relevant to all

• Updates in Member’s quarterly briefings, mandated attendance at IM Session

• Presentation at all Senior Management Team Meetings

• Attendance at all Risk Management Meetings (publishing Risk Register, driving through initiatives)

• Pilots to demonstrate value of IM assessment in each Portfolio

• Policies circulated to all Directors and relevant stakeholder for feedback

• Launch training via:

• Monthly news letter, Key Brief and First Monday

• Poster campaign

• Intranet Articles (Training) Weekly progress on training to Directorates Additional comms generated to help cascade

Communication, Communication, Communication

Senior Information Risk

Owner (SIRO)Director of Information Services

Portfolio Information Risk Owners (PIRO)Portfolio Directors

Place RMG

CYP ICT Strategy

Communities RMG

Resources RMG

Deputy CEX SIG

Property Information

Council Tax InformationSchools Information

Information Asset Owners (IAO)

Senior Portfolio Managers (Examples shown)

Process OwnersStaff and Managers

Information Governance Board

Strategic Partner IT Director

Enterprise Architect

DP \ FOI Advisor

Information Security Officer

Solutions Architect (Information)

Process Owners are individuals or roles who own a documented and defined business process that may utilise information assets from one or more IAO’s

Information Risk Owners (IRO)

Service Managers IROs are individuals charged with identifying and managing information risk within their area of responsibility

IAOs are individuals charged responsibility for assessing and managing risk for particular information assets – they ensure the asset is used within the law & should look to encourage exploitation where possible

Board of Elected Members

Audit Committee

Officers from Portfolios &Key Corporate Processes

Corporate Risk Management Group

Critical Success Factor: Position IM in Transformation & Efficiency Agendas

Lessons Learned

• Chief Executive ongoing commitment and support essential

• CIO or similar Senior Director/head of IT must be allocated responsibility for Information Management and ideally be appointed Senior Information Risk Owner (SIRO)

• Passion and Vision (and perseverance) needed to drive initiatives & raise interest

• Dedicated resource (Programme Manager) needed

• Bring it home - have an illustration that service delivery can relate to

• Clear message - ‘IM is not IT & it will help you overcome your issues’

• Involve non technical colleagues at every step

• Regular communications to maintain profile (up and down)

Benefits Already Seen

• Significant reduction in the impact of Information related security incidents

• Increased proactive engagement from users with the Information Management Team in addressing issues

• Increased readiness for change – better quality information on which to make key Business Change decisions

• Increasing recognition of Information Management as an efficiency opportunity

• Information Management Team seen to add more value to the organisation and have a bit more clout!

• Developed and implemented an Information Management service offering to include IM services for schools - 70 schools signed up since 2010

Public Health IntegrationInformation Management challenges

• Requirements gathering• Lack of detailed knowledge of business

processes/systems/information • Stakeholder engagement and sign-off• On-going engagement with business users• Lack of support from PCT IT colleagues• Post transfer to LA’s gaining approval to

access to key Information

Final Key Messages

• Drive through Information Risk assessment work with Information Management (IM) steering groups

• Start to deliver on strategies to implement policies

• Look to demonstrate IM and technology exploitation as efficiency opportunities – we must use Information more effectively

• Establishment of Directorate/Portfolio Risk Groups with appropriate Senior Director as chair

• Always be aware of the ever changing legislation and law around Information – weekly check of Information Commissioner Officer (ICO) Website

Thank You

Contact: Paul Green at paul.green2@sheffield.gov.uk

Tel:0114 273 6818

The Information Management Journey Sheffield City Council October 2013.

Documents