Information Governance Strategy and Framework 2021-23
This strategy sets out our aims and priorities for the way we manage information.
Our duty
1.1 Information and data is the lifeblood of any organisation and the efficient use of data enables Uttlesford District Council to continue to deliver the wide range of services to our residents and customers. The processing of large quantities of personal data does however place certain responsibilities on the council and we are legally required to ensure that all processing is carried out in compliance with the terms of both GDPR (UK) and other associated Data Protection Legislation.
1.2 Uttlesford District Council in our role as a "Data Controller" is therefore committed to ensuring that all data we hold within our files and systems is processed in an efficient and secure manner which allows for informed decisions to be taken across the entire range of services for the benefit of those we serve. As part of this commitment it is essential that the council implements a robust Information Governance (IG) Strategy and Framework which serves to act as our roadmap for ensuring that we continue to improve our data management processes across all service areas.
1.3 The measures outlined within this document are designed to align with best practice for the processing of personal data as recommended by the UK Supervisory Authority, the Information Commissioner's Office (ICO). These measures will provide the appropriate level of assurance necessary for the council's continued compliance with data protection legislation.
1.4 This Strategy and Framework document will clearly define the responsibilities of the key stakeholders who are involved in the management of Information Governance (IG) for the council. It will also identify clear lines of communication and systems for approving policies, procedures and standard operating procedures which the council may wish to introduce as we continue to develop a mature and fit-for-purpose IG strategy in the coming years.
2.1 This document applies to all employees, elected members, partners, suppliers, agents, representatives, volunteers and temporary staff working for or on behalf of Uttlesford District Council.
2.2 The term "Data" includes all information created, collected or processed by the council regardless of format, storage, how it is obtained or shared.
3.1 Uttlesford District Council is committed to providing a safe and secure environment in which to provide members, officers and staff the ability to create manage and retain records that will assist us to perform our core business activities and deal with legitimate council matters.
3.2 All information and data must be processed and protected diligently, lawfully and ethically through the adoption of effective data security practices, accurate information and informed openness.
3.3 When managing information the council will:
- ensure we comply with our legal obligations
- process all data in accordance with the reasons for which it was initially obtained
- ensure that all data is accurate, up to date and meets with customer expectations
- treat all data as a valuable resource that must be protected
- ensure that data remains accessible only to those who have a legitimate reason to view or receive it
- comply with all guidelines on the use of privacy markings where appropriate with particular consideration given to any confidential and sensitive information we may hold
4.1 Uttlesford District Council considers information to be a valuable corporate asset. Data security, accuracy and informed openness are at the heart of the council's approach to efficient information management.
4.2 The council will take a risk-based approach to Information Governance, focusing on safeguarding customers, providing business transparency and ensuring legislative compliance.
4.3 The policy sets out the roles and responsibilities for:
a. To promote the implementation and monitoring of information management arrangements through a defined governance structure, with clear responsibilities and accountabilities which encompasses everyone within the organisation from the Chief Executive as the "Accounting Officer" to the individual responsibilities of our staff.
b. To provide corporate management oversight of data incidents, information risks, annual information and audit reports and other Information Governance arrangements through a regular quarterly reporting regime to the Corporate Management Team (CMT).
c. The council's Senior Information Risk Owner (SIRO) and the Assistant Director Legal Services will jointly approve and oversee all Information Governance improvement plans and will continue to monitor progress against these plans. Both officers will provide senior management support towards ensuring that continuous improvements in Information management and governance are adopted throughout all council services.
d. To provide comprehensive training and awareness in data protection and Information Governance matters to ensure that appropriate knowledge and skills are consistently maintained by staff.
a. To carry out the council's duty to be legally compliant when managing data and personal information, to provide an improved service, and to reduce reputational risk and the potential for monetary fines and sanctions that could be imposed.
a. To ensure all data is secure (regardless of format). Security will be regularly reviewed to ensure that the council has adequate safeguards in place to protect existing data and information and is prepared for new information and communication technologies used to improve and enhance the way the council delivers its various services.
b. The council will promote transparency whilst at the same time ensuring that we take all appropriate measures to safeguard our customers' and commercial partners' interests.
c. The council will adopt a "Data Protection by Design" culture which requires all staff to consider data protection and privacy issues at the very earliest stage of any new project or initiative.
d. To complete a Data Protection Impact Assessment (DPIA) whenever any new software or initiative requires the large-scale processing of personal data, in order to properly assess any information risks arising as a consequence of the activity.
e. To ensure that all data incidents are recorded, reported and appropriately investigated and that any measures or recommendations are acted upon promptly.
f. To ensure that after any data breach event, information obtained from the investigation into its cause and circumstances is circulated throughout the council through a "lessons learned" process for wider staff awareness.
a. To promote transparency and information quality assurance so that information is more easily accessible to help deliver operational effectiveness.
b. To provide a timely response to all requests for information access.
a. To ensure that all data sharing that takes place is risk assessed, legally compliant and arrangements for data sharing are sufficiently documented and monitored to safeguard customers' data.
b. To ensure all data requests are handled effectively and in a timely fashion to fulfil the council's legal obligations.
c. To promote a spirit of openness and accessibility in our activities whilst safeguarding individuals.
d. To take a proactive approach to the publication of specific data as part of the council's publication scheme, as required by our legal obligations, in order to reduce the need for individual information requests.
e. To ensure that customers are informed of their rights under Data Protection legislation and how they can access data through Freedom of Information / Environmental Information Regulations or in the case of obtaining their own personal data through requesting a Data Subject Access request under the provisions of GDPR (UK) and the Data Protection Act 2018.
5.1 The council will apply a risk-based approach to Information Governance which will principally focus on customer safety, business transparency and legislative compliance. An Accountable Officer (AO) will be appointed (the Chief Executive) who has overall responsibility, supported by a Senior Information Risk Owner (SIRO) and a Data Protection Officer (DPO). The Senior Information Risk Owner (SIRO) will report directly to the Accountable Officer, will oversee risk to all data assets and will provide strategic management direction on Information Governance matters throughout the council.
5.2 The Assistant Director Legal and Monitoring Officer will provide expert technical legal assistance to both the SIRO and the Accountable Officer in matters of complex legal significance which could pose high risk to the council.
5.3 The Data Protection Officer (DPO) will provide advice to the SIRO, Senior Management and individual officers on their data protection obligations; monitor compliance with data protection laws (including managing internal activities, advising on the training of staff and conducting internal audits); and act as the point of contact with the Supervisory Authority and data subjects.
5.4 The SIRO and the DPO will provide quarterly update reports to the council's Corporate Management Team (CMT) which will include a diverse range of Information Governance issues and under the direction of the Chief Executive the CMT will consider:
- compliance with Information Governance Policies and Strategies
- managing potential Information Governance risks and establishing the council's risk appetite
- support to the SIRO and DPO in performing their functions
- the review of data incidents
- monitoring of relevant IG performance measures and service areas compliance
- agreeing Information Governance work plans on a risk-based approach
- communication to the Accountable Officer of significant Information Governance/Management issues and the council's progress
- setting an information management training and awareness programme that will meet the diverse needs of the council
Information Asset Owners
5.5 To provide an additional level of support to the Senior Information Risk Owner, the council will appoint both "Strategic" and "Tactical" Information Asset Owners with the responsibility to create a positive culture around Information Governance and the management of data assets throughout their respective service areas.
Role of the Strategic Information Asset Owners (assistant directors)
5.6 The Strategic Information Asset Owners, the Assistant Directors (ADs), have senior management responsibility for ensuring that the processing of all data by their staff throughout their directorate is managed in compliance with the appropriate Data Protection legislation. They will provide strategic advice and direction for individual service areas' data processing activities within their directorate and will consult with both the Senior Information Risk Owner (SIRO) and the Data Protection Officer on any data protection or Information Governance matters considered to be of a complex nature.
5.7 The Strategic Information Asset Owners (ADs) will also be responsible for formally approving all Information management assurance documents for their directorate (i.e. the Record of Processing Activity (ROPA), Data Processing flowcharts and Data Protection Impact Assessments (DPIAs)) and for ensuring that these documents are reviewed on an annual basis.
Duties of the Tactical Information Asset owners (service managers)
5.8 The Tactical Information Asset owners (Service managers) will have the day to day oversight of how personal data and other information is routinely managed by staff within their own service area. They will provide confirmation and assurance to their Strategic Information Asset Owner that the standards required for secure processing activity are being maintained following the annual review of their service Record of Processing Activity (ROPA). They will also report on potential improvements, initiatives and best practice being proposed by their service to ensure that continuous progress for data processing can be given due consideration by the CMT before being introduced.
5.9 They will also act as the conduit for all information governance matters for their service area and will report on any identified risks within their area to their Strategic lead. Service managers will also take steps to raise awareness of Information Governance through cascade briefing / team meetings and will ensure that their staff regularly undertake any approved training in line with the council's policies and procedures.
Information Access Co-ordinators, (liaison officers)
5.10 Information Access Co-ordinators may be appointed within each service area to provide a supporting role to assist with managing and responding to the large quantity of information access requests received by the council. The actual level of support provided in each case will be determined by the Tactical Information Asset Owner and will be very much dependent upon the structure and staffing levels that exist within their service. The Information Access Co-ordinators (where appointed) will normally be the focal point for all information requests received by the council's Freedom of Information Team that may require further attention or a direct response from their service area.
5.11 All council staff have an important role to ensure that any matters that come to their attention which may have a detrimental impact on the efficient management of information for their service area are swiftly brought to the attention of their Tactical Information Asset Owner or immediate line manager in the first instance.
5.12 Staff will be required to attend any training events for Information Governance and data protection matters as required by the council and will apply all information management policies, procedures and guidelines which are applicable to their role.
6.1 All staff and representatives of Uttlesford District Council have a duty to be compliant with legislation concerning Information management and data protection.
This legislation includes but is not exclusive to the following:
- Data Protection Act 2018
- General Data Protection Regulation (UK) 2021
- Freedom of Information Act 2000
- Environmental Information Regulations 2004
- Computer Misuse Act 1990
- Protection of Freedoms Act 2012
- Local Government Act 1996
- Re-use of Public Sector Information Regulations 2015
6.2 All staff have an equal responsibility to be compliant with the law and to reduce the levels of risk to the council's reputation and any subsequent fines or sanctions which could be imposed by the Supervisory Authority (ICO). The council has developed policies and procedures to ensure staff are compliant with our legal obligations.
6.3 Ensuring and maintaining compliance with legislation is a key driver in the design and development of Information Governance procedures and any improvement plans established.
6.4 The Corporate Management Team (CMT) will oversee matters concerning the council's compliance with their legal requirements and also with regards to Information Governance assessment and levels of performance. An annual report will be supplied to the council's Governance, Audit and Performance Committee (GAP) for noting and consideration.
Securing assets and resources
7.1 Information security is the responsibility of everyone who processes data on behalf of the council. Uttlesford District Council (UDC) fully recognizes the importance of securely managing our digital and physical assets and resources in order to protect all existing data and information we hold. The council's policies and procedures for effective Information management, which are linked to this document, establish responsibilities, guidelines and best practice to minimize the risks of unauthorized use, modification, destruction or disclosure of information, or disruption of council services.
7.2 Where information contains personal data, unlawfully obtaining such information or disclosing it knowingly or recklessly could constitute a criminal offence.
7.3 Information Communication Technology (ICT) security will be regularly reviewed by the ICT experts to ensure that the council has adequate safeguards in place for the use of new information and communication technologies to improve the way it delivers its services. These steps will serve to promote transparency and to safeguard our customers, residents and commercial partners.
7.4 Prompt and effective incident management is absolutely essential when things do not go according to plan or are unexpected. All incidents must be reported as soon as possible after staff first become aware of the circumstances of any incident so that suitable mitigating measures can be introduced to reduce the risk to the organization and those we serve.
7.5 It is the responsibility of every employee to report an incident to their line manager as soon as practically possible. In the case of loss of, or risk to, personal data assets the line manager should alert the Data Protection Officer to the circumstances as known at that time. The DPO will cause the matter to be investigated and will conduct an assessment of the level of risk to any individuals affected by the incident and, if it is considered high risk, will report the matter to the Supervisory Authority (ICO). Serious breaches are required to be reported to the ICO within a maximum of 72 hours from the breach first being identified, so it is vitally important that information concerning the incident is reported promptly.
7.6 Should the incident relate to matters which could place the council's ICT systems at risk or unauthorized activity, penetration or cyber threat is suspected then the ICT Service desk should also be notified of the circumstance as soon as possible. The ICT manager and his team will, on receipt of the report, convene an Incident Response Group who will consider what measures will be necessary to protect the council's systems and whether wider notification to the National Co-ordination body is necessary.
7.7 Incidents can be caused by malicious behaviour, human error, equipment failure or unforeseen circumstances (such as fire or flood). They include but are not solely restricted to:
- loss or theft of data/ information or the equipment on which it is stored
- corruption of or destruction of information or equipment on which it is stored
- provision of data to someone who is not entitled to see it
- attempts to gain unauthorised access to data (hacking, blagging, breaking in, accessing files without permission)
- inappropriate access controls allowing unauthorised use
- changes to information or data or system hardware, firmware, or software characteristics without the council's knowledge, instruction, or consent
7.8 Incidents can include personal data breaches, which are defined as "the loss, theft, corruption, inappropriate access or sharing of data". Each incident will be thoroughly investigated and considered on its individual circumstances and addressed accordingly. A serious data breach may lead to a disciplinary investigation and subsequent disciplinary action being taken, especially where gross negligence or malice is found to be evident.
7.9 If a criminal offence is considered to have been committed the matter will be reported and further action may be taken to assist in the prosecution of the offender(s).
7.10 More detailed guidance to staff on the procedures to follow in the event of a personal data breach is available on the council's intranet under the GDPR Personal Data Breach Procedure.
7.11 Further guidance to staff on the reporting of ICT incidents can also be found on the council's intranet within the ICT Incident Response Guidance.
Controls and standards
8.1 Uttlesford District Council fully recognizes the importance for all data and records held to be effectively managed and this responsibility is shared throughout the council extending to all staff.
8.2 Establishing effective controls allows trustworthy, accurate and accessible records to be made available when required and to those who are sufficiently authorized, so that the council delivers the highest standards to our customers, residents and partners and maintains the reputation of the organization.
8.3 In our commitment towards continuous improvement the council will consider all suitable control measures for creating, processing, storing, preserving or disposing of organisational records and data in accordance with the principles of GDPR (UK) and best practice advised by Local Government Association and the ICO.
8.4 Records of Processing Activity (ROPAs) will be maintained by each service area. These will define what data is held, processed and stored by the service and the legal basis upon which the council relies for the processing activity. These documents will be reviewed by the nominated service representative on a yearly basis and formally signed off as being accurate by the Strategic Information Asset Owner.
8.5 The council will also maintain a Retention Policy with specific details as to the recommended retention periods for data held by all service areas. The Strategic Information Asset Owners for each service will ensure that staff comply with the retention periods for their areas and any departure from the period recommended is considered on a case by case basis and the reasons for the departure fully justified and documented.
8.6 Information and data quality is essential and all information retained by the council must be fit for purpose.
All council staff are required to ensure that data is:
- verified and checked at point of collection
- recorded in full
- recorded as accurately as possible in the circumstances
- recorded in a timely manner (if it is not possible to record data in real time it must be recorded as soon as practically possible after the event)
- collected and recorded in keeping with national data standards where appropriate
9.1 Data sharing is defined as disclosing data between or with organisations.
Examples can include:
- one-off or ad hoc instances of sharing data
- meeting regular and scheduled requests for data from the same source, department or organization
- exceptional one-off disclosures of data in unexpected or emergency situations (e.g. safeguarding issues)
- different parts of the same organization making data available to each other
- reciprocal exchanges of data
- one or more organisations providing data to a third party or parties
- several organisations pooling information and making it available to a third party or parties
Data sharing protocols
9.2 All data that is shared needs to be obtained legally, verified before use and recorded. When data is updated any linked systems will also need to be updated. Before data is shared with another organization it is important that a protocol agreement or contract is established which defines the terms of the agreement, including the purpose for which the data is being shared, the legal basis or legal gateway for the sharing, how frequently data will be shared and who will have access to the data.
9.3 Where Service managers are considering entering into a service agreement with any suppliers or service which falls below the procurement threshold of £50,000 then they must strictly follow the council's purchasing guidelines. If the service provision requires the council to share personal data with the supplier or service provider then it is the manager's responsibility to ensure that the following legal obligations are complied with:
- the service provider only acts on instructions issued by the council
- there are sufficient security measures, equivalent to those imposed by the council, for the processing of personal data issued to them for the purpose of the service provision
- any data issued must be returned to the council on conclusion of the contract
- the service provider agrees to permit inspection of their security measures if requested by the council
9.4 Before agreeing any service which requires the council to share personal data with service providers, managers are strongly encouraged to seek the assistance and support of the council's Data Protection Officer (DPO) in the first instance, who can advise.
9.5 Tactical Information Asset Owners are also strongly advised to consider entering into Inter Departmental data sharing protocol agreements when considering regular requests for data between service areas (especially where special category data is likely to be shared).
9.6 Before entering into any data sharing protocol or agreement the Information Asset Owner should consult with the council's DPO who can advise and assist where necessary.
9.7 Records of all data sharing protocols or agreement established within each service area must be supplied to the Data Protection Officer by the Tactical Information Asset Owner. The DPO is responsible for maintaining an official record of all data sharing protocols agreed within the council for the attention of the Senior Information Risk Owner (SIRO).
Data sharing - monitoring
9.8 Where staff have any concerns that data may be accessed inappropriately by colleagues they should report it immediately to their line manager and Information Asset Owner. Additional guidance on data sharing and protocols can be obtained through the Data Protection Officer.
9.9 All individuals have a legal right to request access to information that the council may hold, either about a subject which would be requested through the FOI /EIR process or about themselves which would be through the Subject Access Request process. They may also request to re-use data held by the council.
9.10 Whenever responding to requests for information of this nature the legal requirements and the approved format should be included within the response. Templates for use in preparing responses to FOI and EIR are usually supplied to the officer dealing with the request by the FOI team.
9.11 The DPO is responsible for providing a formal response to all Data Subject Access Requests (DSARs) received.
9.12 Uttlesford District Council operates a Publication Scheme to keep customers informed of the data and information we hold, what we do with it, what information they have access to and how they can access it.
9.13 By routinely publishing official information on its website, the council aims to take a proactive approach to transparency of services and reduce the need for customers to make individual requests under the Freedom of Information Act, Environmental Information Regulations or other statutory provisions.
9.14 When staff are publishing information they need to take into account the council's legal obligation not to publish any material which in whole or in part appears to be designed to affect public support for a political party.
9.15 Line managers and directors should work with the Information Asset Owner where possible to take a proactive approach to the publication of information within their service area.
10.1 Non-compliance with this Information Governance Policy could have a significant effect on the efficient operation of the council and may result in financial loss, reputational damage and an inability to provide necessary services to our customers.
10.2 If any employee is found to have breached this policy, then they may be subject to the council's disciplinary procedure.
10.3 If any employee does not understand the implications of this policy or how it may apply to them then they should seek advice from their line manager.
11.1 The Senior Information Risk Owner will instruct the following review activities:
- an annual review of training and awareness within the council to ensure that employees are suitably knowledgeable and can fully comply with the council's information governance procedures
- a bi-annual review of the Information risks and recommendations for mitigating measures
- a review of this Strategy and Framework Policy document at least every two years to ensure it remains current and fit for purpose
- implement changes to this policy if instructed by Corporate Management Team
Adopted 12 October 2022