Information Governance

Sylvia Reynolds

Senior Resources Officer / Information Governance Manager

What is Information Governance? • Information Governance is an overarching

term that we use to cover managing information that is held in any form – i.e. creation, handling, sharing storing and disposal

BenefitsKnowledge/Change Management

Reduce physical and electronic storage space

Enable mobile / home working

Reduce risks

Better service to the public

Data Protection

Freedom of Information

Environmental Information

Information Security

Information Sharing

Records Management

Regulation of Investigatory

Powers Act 2000

Information Strategy/Policies

National Information

Standards

Ownership and Responsibility• The Council, elected members, employees

and partnering organisations all have a duty to ensure that both business and personal information is dealt with legally, securely, efficiently and effectively, in order to deliver the best possible services

• Information Commissioner has power to issue monetary penalties of up to £500,000

IT- Destruction - Brighton and Sussex University Hospitals NHS Trust fined £325,000. Personal data of tens of thousands of patients and staff on hard drives sold on internet

Email to wrong recipients 3 times - Surrey County Council fined £120,000 – group email, 361 addresses.

Fax to wrong recipients twice - Hertfordshire County Council was fined £100,000 - Child sex abuse.

Unencrypted laptop - Sheffield-based A4e provides information on employment and starting a business 24,000 people affected - fined £60,000.

Paper Records Theft from Home - Barnet £70,000 - names, addresses, dates of birth and details of the sexual activities of 15 vulnerable children or young people. Social worker took the paper records home to work on them out of hours.

ICO Penalties Issued

Prosecutions

Individuals – criminal or malicious intent can be fined up-to £5000

• A Slough letting agent obtained details about their tenants from an employee at Slough Borough Council - Used by the company to chase up their tenant’s outstanding debts

• Selling Personal Information- A&E reception NHS patient information - to personal injury claims company.

• Receptionist at a GP Surgery- on 15 separate accessing ex husbands new wife medical records

Call for custodial sentences

Call for compulsory Data Protection audits

Incidents2 Significant incidents 50 More incidents in 2012

Data Protection Audit – Limited Assurance

Actions required•ICO Action Plan

•Corporate ownership•Awareness/Training•Standardisation•Enforcement•Information Amnesty

Risks in Middlesbrough

Roles & Responsibilities• Senior Information Risk Owner - Set strategic

direction ,Ensures there is accountability throughout the Council

• Information Governance Manager – Develop corporate standards and policies, operational advice/guidance to staff

• Information Working Group - Agreeing an ongoing programme of work to improve Information Governance within their department and within the Council

• Audit - ensure compliance against corporate Standards/Policies

Information Governance Team

Monitor ICO /Audit Action Plans

Information Requests - Supporting Service Areas

Compliance audits

Policy reviews

Incident management

Advise on investigations.

Information Commissioner’s Complaints

Mandatory Training Programme

Develop an Information Strategy

Develop a Corporate Information Sharing Protocol

Facilitate a more proactive approach to developing standards, liaison with the Caldicott Guardians, ICT and transformation projects.

Monitor and authorise RIPA Applications

Cases/Requests 2012

Data Protection/Subject Access Requests

42

Freedom of Information/Environmental Information

1064

Information Security Incidents 52

RIPA applications 24

Further Information

END

EXAMPLES OF MBC INCIDENTS  CAUSE TYPE DATA

Car Break in to car window when it was parked and double locked but unattended.

ID badge, an entry Fob, a diary containing 11 patients initials 8 of which also had their addresses & a notebook containing initials and assessment details of patent's/service users  

Memory Stick

Partner information - Transferred to a third party unencrypted lap top 

Forensic Social care Files containing sensitive personal data of 24 service users total of 216 docs.

Email Email & attachment to wrong internal group e-mail address - approx 150 recipients 

Child Protection / Domestic Violence Referral

Filing Cabinet

Files found in stored furniture redundant after office move 

Confidential Youth offending case files

Hard drive Staff Personal hard drive sold on Ebay  

Containing CFL client information

Partner Laptop theft -

Domiciliary Care provider - Allied - broken into and 2 laptops stolen.  

Names and addresses of Social care clients in receipt of domiciliary care. Allied's IT support have assured them all data is safe need pin numbers and are encrypted.

EXAMPLES OF MBC INCIDENTS

  CAUSE TYPE DATA

Manual Transporting Information

Gust of wind blew document out of technician's hand - unable to retrieve

Sensitive personal data re a client and a name and work details of an employee

Brief case An open briefcase found at the Deaf Centre.

Details of 6 children with disabilities.

Letter Sent to wrong address Sensitive personal data - core assessment form

Courier Box of approximately 20 children’s case files left in a corridor by a courier when office it was addressed to was locked.

Children's case files for archive