Information Asset Owner’s Role - Staff Guidance

This is the formal policy document outlining the role of the Information Asset Owner

Published: 1 May 2024

Version: 6.0

1. Introduction

Background

1.1 The Information Asset Owner (IAO) is a mandated role[1]. The appointed individual is responsible for ensuring that information assets are handled and managed appropriately. This means making sure that information assets are properly protected and that their value to the organisation is fully exploited.

1.2 An IAO reports to the Senior Information Risk Owner (SIRO), who in turn reports to the Chief Executive. The IAO is expected to provide information to the SIRO and the Corporate Affairs Unit for assurance purposes when requested.

1.3 Although the role was created out of the Data Handling Review (DHR), which initially focused on personal data handling, it is equally important for any sensitive information processed by the organisation, whether it includes personal information or not. The IAO also needs to manage information assets to comply with statutory obligations such as the Freedom of Information Act 2000, the Public Records Act 1958, the General Data Protection Regulation 2016 and the Data Protection Act 2018.

1.4 Performing the role effectively brings significant benefits. It provides a common, consistent and unambiguous understanding of what information you hold: how important it is, how sensitive it is, how accurate it is, how reliant you are on it and who is responsible for it. It helps ensure that you can use the information you need to operate transparently and accountably, for example to meet open data standards, to unlock previously unavailable data and to improve public service.

1.5 The lawful and correct treatment of person-identifiable information by the NHSCFA is paramount to the success of the organisation and to maintaining the confidence of its stakeholders and staff. This policy will help NHSCFA ensure that all person-identifiable information is handled and processed lawfully and correctly.

1.6 This guidance document follows and adopts the best practice recommendations contained within Cabinet Office guidance[2].

2. Purpose of this guidance

2.1 This guidance sets out the nature and primary responsibilities of an IAO in managing the risks to personal information and business critical information held within their department.

2.2 The Acts and Regulation highlighted in the previous section provide an overview of why the IAO role was created and what you are expected to achieve. However, IAOs have requested additional information about what that might mean in practice. This document provides an initial starting point for IAOs, providing practical guidance on:

  • identifying information assets
  • managing information risks
  • your responsibilities
  • how to achieve them
  • who can assist you
  • how to know if you are doing your role effectively.

3. Your role as an Information Asset Owner

3.1 IAOs must be senior/responsible individuals involved in running the relevant business. For NHSCFA purposes, the responsibility and accountability of IAOs has been assigned to designated members of the Senior Management Team (SMT) and Leadership Team (LT). Their role is to understand what information is held, what is added and removed, how information is moved and who has access and why. As a result, they are able to understand and address risks to the information and ensure that information is fully utilised within the law for the public good. They provide a written judgement of the security and use of their asset annually to support the audit process.

3.2 The IAOs must be made aware of their responsibilities on appointment and will submit, as part of a collective annual report, an assessment of the security and use of their asset to the SIRO[3]. The Head of Intelligence & Fraud Prevention is the NHSCFA's SIRO and is a member of the Senior Management Team. The annual report will consist of a signed declaration[4] from each SMT and LT member to confirm they have complied with all NHSCFA policies relating to document retention and GDPR. Assurance will be provided to the SMT, the Executive Team and the Board via commissioned Governance & Assurance exercises. The scope and size of sample data will be reviewed each year according to the risk.

4. Key principles

4.1 Your role is about managing information not systems.

4.2 The initial driver for establishing the role of the IAO was to ensure that personal data was identified and securely handled. However, you also need to ensure you are managing the handling of other categories of sensitive or important information that the organisation relies on too. This involves making sure that it can be used in the way that you need, for as long as it is needed.

4.3 You are responsible for ensuring that information is protected appropriately and where the information is shared that the proper confidentiality, integrity and availability safeguards apply. But you are equally responsible for ensuring that its value to the organisation is fully realised and that it is used appropriately and within the law, for public good. You will also need to ensure that information is managed in accordance with the data principles - see Appendix 1.

4.4 Your role is about providing assurance and making sure that action is taken. But that does not mean you have to do everything yourself. In fact, much of the role is about understanding and, where necessary, coordinating the activities of others within the organisation who have specialist areas of responsibility. The organisation's Information Governance, IT Security and Records Management functions will be key in supporting you in the role. However, if you delegate responsibility for ensuring actions are taken, you must make sure that this is properly coordinated and that there are clear reporting chains, so that everyone understands their role and who they need to engage with. You can delegate responsibility to particular areas that can support you in your role, but you and the SIRO retain accountability for proper information management and handling.

4.5 You may need to work with other IAOs within the organisation to ensure your data is properly protected and its value to the organisation fully realised.

5. What is an Information Asset and what Assets are you responsible for?

5.1 An information asset is a body of information defined and managed as a single unit, so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

5.2 The SIRO will decide what information assets you are responsible for. This should not just be a list of systems to manage but should focus on the information that needs to be managed within those systems. This could cover both sensitive personal data and non-personal information that is critical to the organisation’s business. It could be held in paper as well as electronic formats.

5.3 When you are appointed you need to discuss and be familiar with the agreed performance metrics in your business unit plan. These metrics will be delivered against the organisational business plan.

6. Information risks to manage

6.1 As an IAO you will need to assure against:

  • inappropriate access to, or disclosure of, protectively marked or personal data by staff, contractors and outsiders, whether accidental or deliberate
  • internal threat - staff acting in error or deliberately, or external parties getting your information illegally and exposing it/acting maliciously to defraud you or the data subject
  • information loss - particularly during transfer or movement of information, or as a result of organisational/business change
  • loss of ready access to information
  • losing the ability to use your information in the way required, when required (by use we mean being able to find, open, work with, understand and trust your information). The lifecycle of a piece of information, and how long you need to use and keep it, is often different from the lifecycle of the IT system through which we access and use it.[5]
  • poor quality of information and poor quality assurance, for example datasets
  • poor change management - business needs change, systems change, your information risk appetite may change, so you need to keep your policies and processes in step accordingly; and
  • failing to maximise the public benefit from information, thereby leading to a waste of public money and poor service delivery.

6.2 You will be required to formally review the risks to the confidentiality, integrity and availability of your information assets, including for any proposed new information systems, using the organisation's Data Protection Impact Assessment (DPIA) process. This review must take place at least once a year, or more frequently (quarterly or six-monthly) where a need is identified, and you must implement proportionate responses to the risks found.

6.3 You must ensure that all staff with access to personal information successfully complete information risk awareness training on appointment and thereafter as appropriate according to the business unit’s needs and circumstances.

  • It is important that the post holder has the skills, resources and authority to discharge the responsibilities and to take action on any deficiencies in the relevant processes.
  • Appropriate mechanisms exist so that, where duties are distributed across posts and organisational units, they are fully coordinated and visible to all relevant staff.
  • Appropriate reporting chains exist to ensure that the SIRO has full visibility of the state of information asset management across the organisation.
  • Assurance is available through the internal Governance & Assurance unit, whose planning process helps ensure that all delegated duties are understood and appropriately carried out.
  • All relevant duties and responsibilities are demonstrably discharged.

7. Your responsibilities

7.1 Your role is to ensure that the information in your charge is properly protected and its value to the organisation fully realised. This section of the guidance provides examples to get you thinking about your responsibilities and how that might look in practice. Some of your responsibilities require action that you must take, others are actions that you should take to assure that action is being taken by others.

You have five responsibilities:

  1. Lead and foster a culture that values, protects and uses information for the public good.

You must:

  • Undertake and pass information management training on appointment and at least annually thereafter.

You should:

  • Contribute to the department’s plans to achieve and monitor the right culture, across the department and throughout its delivery chain.
  • Take visible steps to support and participate in that plan.
  • Ensure compliance with the provisions of GDPR and the DPA 2018 in respect of the IAO's personal information assets and in accordance with the organisation's compliance mechanisms and policies.

  2. Know what information the asset holds, and what enters and leaves it and why.

You must:

  • Submit requests to, and discuss with, other IAOs within the organisation where it is considered that public protection or public services could be enhanced through greater access to their information asset.
  • Maintain a log of access requests made.
  • Monitor, as required and together with managers and the IT department, the allocation of users' rights to transfer personal information to removable media.

You should:

  • Keep your understanding of the asset and how it is used up to date.
  • Ensure that registers of personal data held are compiled and maintained.
  • Approve and minimise transfers while achieving the business purpose.
  • Be involved in negotiating, managing and approving agreements on the sharing of personal information between organisations.
  • Approve arrangements so that information put onto removable media is minimised and protected. To do this IAOs should:
  1. Agree with the Information Technology Security Officer (ITSO) an appropriate regime for the physical protection of personal information, whether on network systems or on paper.
  2. Keep written records of your decisions on at least the following:
    • Unavoidable use of removable media.
    • Application of mandatory risk mitigation measures if use of removable media is unavoidable.
    • Use of alternatives to removable media for information transfer or storage.
    • Suitability of security configurations on remote systems with approved access to the asset.
    • Exemptions from the requirement to encrypt material stored on removable media together with approval of compensating risk management measures.
  • Approve the disposal mechanisms for paper or electronic records from your asset[6].

To do this you should:

  1. Agree with the ITSO an appropriate regime of department-wide arrangements for the secure disposal of electronic or paper material which has contained or carried personal data.

  3. Know who has access and why, and ensure their use of the asset is monitored.

You must:

  • Agree in writing that relevant access control regimes permit the business to be transacted with an acceptable level of risk or, if agreement cannot be given, require that an acceptable alternative approach be adopted.

You should:

  • Understand the organisation’s policy on use of the information.
  • Check that access provided is the minimum necessary to achieve the business purpose.
  • Receive records of usage checks and assure yourself that they are being conducted. To do this you should:
  1. Establish with managers an appropriate regime for the monitoring of the use made of access to personal information, electronic or otherwise.
  2. Establish with managers appropriate mechanisms for the IAOs to receive summary reports on the conduct and results of such monitoring.

  4. Understand and address risks to the asset and provide assurance to the SIRO.

You must:

  • Submit as part of an annual report an assessment[7] to the SIRO about the security and use of the asset.

You should:

  • Contribute to the organisation’s risk assessment. To do this you should identify and, where appropriate, formally accept significant risks introduced when personal information is moved from one organisational unit, system element, medium or location to another.
  • Make the case where necessary for new investment to protect the asset.
  • Ensure all risk decisions taken are demonstrably in accordance with organisational risk management policies.

  5. Ensure the asset is fully used for the public good, including responding to access requests (where appropriate).

You must:

  • Receive and log access requests from others. To do this you must ensure that a log of access requests is maintained (where this function is not devolved centrally).

You should:

  • Be involved in negotiating, managing and approving agreements on the sharing of personal information between organisations.
  • Consider annually whether better use of the information could be made.
  • Where it is decided that public access to information is in the public interest, reflect this in the organisation’s Freedom of Information Publication Scheme.
  • Ensure where decisions on access are taken that the rationale for this is recorded accordingly.

8. Self-Assessment questions

8.1 Where you have followed the above, you should then be able to answer the following questions:

  • Do I understand what information assets I am responsible for (including personal and non-personal data) and has that understanding been properly documented within the Information Asset Register (IAR) and shared with the SIRO and others who need that information?
  • Have I assessed and recorded information risks to those assets?
  • Do I have a plan for managing risks and maximising opportunities for using my information assets for the public good?
  • Do my team and third parties understand their roles and responsibilities in managing those risks and opportunities?

Information:

[1] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60966/final-report.pdf

[2] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/706951/Guidance_on_the_IAO_Role_-_May_2018.pdf

[3] A SIRO has overall responsibility for an organisation's information risk policy and is accountable and responsible for information risk across the organisation. They ensure that everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately.

[4] See separate accompanying ‘IAO Checklist and Compliance Statement’ form.

[5] See NHSCFA’s Data Handling, Storage, Retention and Records Management Policy

[6] See footnote 5 above

[7] See footnote 4 above
