Information Assurance and Information Sharing IMKS Public Sector Forum 7 February 2011 Clare Cowling, Senior Information Governance Adviser Transport for London


Page 1

Information Assurance and Information Sharing

IMKS Public Sector Forum 7 February 2011

Clare Cowling, Senior Information Governance Adviser

Transport for London

Page 2

Transport for London (TfL)

• TfL was created in 2000 - its main role is to implement the Mayor's Transport Strategy for London and manage transport services across the Capital. These services include:
– London's buses
– London Underground
– Docklands Light Railway (DLR)
– London Overground
– London River Services
– Barclays Cycle Hire Scheme

• TfL also has a number of other responsibilities:
– Managing the Congestion Charge
– Maintaining 580km of main roads and all of London's traffic lights
– Regulating the city's taxis and private hire trade


Page 3

Agenda

• What is information assurance?

• What does it mean in practice?

• What does it mean in terms of information sharing?


Page 4

What is information assurance?

• It is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes.

• In other words, identifying information risks and finding practical ways to mitigate them


Page 5

What are the risks around sharing information?

• Security risk
• Compliance risk
• Reputational risk
• Financial risk
• Litigation risk
• Business risk


Page 6

What is the potential damage?

• Looking silly, inefficient or secretive (damage to reputation)

• Losing money (poor project or contract management, fines, e.g. from the ICO)

• Inefficiencies (re-inventing the wheel)

• Time wasting (not being able to find anything)

• Safety compromised (using inaccurate or out of date information)

Page 7

Risk mitigation through information and records management (IRM)

• Only accurate, up to date and relevant information held

• Easy to find information on request

• Confidence in the quality of our information

• Confidence that information is shared appropriately

• Information locations and information owners identified

• Redundant information destroyed


Page 8

An example of poor IRM...

• A subject access request by an individual for their emails, transmitted while working at TfL, was received.

• An initial trawl revealed 14,000 emails dating back 10 years.

• A further trawl reduced this to 6,000, which then had to be evaluated to see which ones were relevant to the SAR, names redacted etc.

• The excessive cost of complying with this requirement (which is just one of many similar SARs) would have been avoided had a corporate strategy for deleting redundant emails been implemented.


Page 9

An example of good IRM...

• TfL had an FOI request for some week-old congestion charging ANPR data (not relating to a contravention)

• We were immediately able to respond that we could not provide the data because the disposal policy for non-contravention footage is midnight of the following charging day

• So responding in full took a matter of minutes


Page 10

Mitigating risk: IRM policies and procedures

• Information and Records Management Policy

• Information Access Policy

Complemented by:

• Information Security Policy

• Privacy and Data Protection Policy

• PCI DSS Standard

• Information sharing agreements


Page 11

Mitigating risk: information sharing agreements (1)

Overarching Information Sharing Protocol:

• Legal requirements

• Secondary disclosures of personal data

• Information access rights

• Data security


Page 12

Mitigating risk: information sharing agreements (2)

Purpose specific Information Sharing Procedures:

• Description of the data to be shared

• Permitted uses of the data

• Legal basis

• Means of transfer or access

• Loss or unauthorised disclosures of data

Page 13

Mitigating risk: managing information security

• Knowing the security classification of a piece of information helps determine when and with whom you can share it

• Less likely to reveal confidential or personal data in error

• Comply with Principle 1 of the DPA


Page 14

Mitigating risk: managing documents

• Document naming and version control standards

• Appropriate security classifications

• Appropriate storage

• Information owners identified

• Scheduled disposal of redundant documents


Page 15

Mitigating risk: managing emails

Most business transactions are still made by email

Rules are crucial on:

• How to manage business critical emails

• Encryption or alternative transmission processes for sensitive information

• Getting rid of redundant or irrelevant emails


Page 16

Mitigating risk: managing social media

• Employees increasingly expect to use social media tools to conduct business

• Business critical data already lost or unavailable

• Inappropriate sharing of business - and personal - data

• Let’s get some rules in place!


Page 17

Mitigating risk: managing digital records

• Scanning to legal admissibility standards

• Digital migration and preservation strategy

• Appropriate file formats

• If you can’t access it any more you can’t share it

• Comply with Principle 7 of the DPA


Page 18

Mitigating risk: managing paper

The same rules should apply to paper and electronic records:

– Access
– Security
– Storage
– Filing rules
– Disposal


Page 19

Mitigating risk: information disposal

• Important to produce a clear disposal policy as evidence of best practice

• Records disposal schedules – all formats

• Automated deletion from corporate databases

• Regular clear-outs of unstructured data

• Allocating responsibility for implementation

• Comply with principles 4 and 5 of the DPA


Page 20

Mitigating risk: educating and communicating guidance on:

• Managing requests for information

• Managing records and information

• Appropriate information sharing and compliance

Because: the biggest information risk is people!


Page 21

Integrating responsibilities

• At TfL information governance, risk and compliance fall within the remit of General Counsel alongside the corporate governance, legal and internal audit functions

• Specific responsibilities include:
– Records management strategy and policy
– FOI/EIR/DPA compliance
– Privacy, data protection and data breach issues
– Information security policy/classification scheme
– Information sharing protocols
– Information risk register

But everyone is responsible for managing information risk!


Page 22

16 October 2006