PARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN

Information Asset Register

Version 3.0

Document Control

Title: Policy and Guidance - Information Asset Register
Original Author(s): Head of Information and Records Management
Owner: Chief Operating Officer (SIRO)
Reviewed by: Information and Records Manager
Quality Assured by: Head of Information and Records Management
Meridio Location: 1.07 APPROVED STRATEGIES, POLICY AND GUIDANCE / Business Policy and Guidance
Approval Body: EB
Approval Date: TBA
Change History
Version / Date / Status / Update by / Comment
1.0 / Approved / Suzanne Wright
2.0 / 15/06/12 / Review / Katharine Stevenson / Addition of Meridio rules relating to disposal
Addition of retention reasons
Addition of new information assets
3.0 / 25/06/13 / Update / Katharine Stevenson / Changes to IAR following organisational structural changes
SIRO and IAO terms of reference added (as agreed by SIRO in March 2013)
Casework Retention and Disposal (4.01) updated following EB approval 06/11/12
Addition of new information assets:
  • Management Information (originally in 6.03), upgraded to a Class: 6.10.
  • Contract Management Classes added for Advisory Board, Clinical Advice and Audit Committee to hold contractual information in 2.07
  • Organisational Development Resources added to 6.02
  • Back-up tapes.
  • PHSO Archive
  • Engage, HR Pro and FMI
Moved 8.01 Historical Volumes to 5.02; replaced with Archive Management.
HR Recruitment retention period change from 7 years to 1 year.
Approved by SIRO 25/06/13

1. Introduction

1.1 The PHSO Information Asset Register identifies and organises the information assets within the Office – that is, the information that is required to run or support the organisation. It provides an overview of what information is owned, available and maintained.

1.2 PHSO’s register lists the types of information held and follows the corporate file plan. It describes the type of asset, identifies the asset owner and the retention period for the asset and the reason for its retention. The retention periods apply to both paper and electronic assets.

1.3 The Information and Records Management function is responsible for maintaining the register and assigning retention periods to all information assets, so that disposal activity can be carried out in a consistent and controlled manner. The register is available on Ombudsnet for all staff to view and is issued to asset owners so that they know which assets they own and the retention periods that apply to them.

1.4 The retention periods set out in the register have been set according to business need, as agreed originally by the Executive Board and Information Asset Owners in 2011, and meet legislative and regulatory requirements. Information Asset Owners can request a review of retention periods by contacting the Head of IRM.

1.5 The Information and Records Manager will make amendments and additions whenever legislation or business needs change. Changes are made once the Head of Information and Records Management and the relevant Information Asset Owner have agreed them, and are reported to the Chief Operating Officer in her role as SIRO.

2. Role and Responsibilities of the Senior Information Risk Owner (SIRO)

2.1 Role

The Senior Information Risk Owner (SIRO) is a member of the PHSO Board who has responsibility for ensuring that information risks are managed appropriately, balancing this with the requirement to make public data open and re-usable. The SIRO is accountable to the Accounting Officer and is required to submit an annual report providing an assessment of information risks in PHSO.

2.2 Responsibilities

The SIRO is responsible for leading and fostering a culture that values, protects and uses information for the public good. This includes:

  • ensuring that PHSO has a plan to achieve and monitor the right culture, across the Office, balancing the requirements of the effective management of information risks and the benefits of greater transparency of public data;
  • taking visible steps to support and participate in that plan (including completing own information assurance training e.g. internal training, external workshops);
  • ensuring that the Office has Information Asset Owners (IAOs) who are skilled, focussed on the issues, and supported; in addition to any specialists the Office needs.

The SIRO owns the overall information risk policy and risk assessment process, tests its outcome, and ensures that it is used effectively. This includes:

  • ensuring that the risk policy comprehensively provides for PHSO to implement at least the minimum mandatory compliance measures in force from time to time; that it covers its own activity and that of its delivery partners; and specifies how compliance will be monitored;
  • ensuring that a risk assessment is completed at least quarterly taking account of PHSO guidance;
  • taking account of the risk assessment, understanding the information risks to PHSO; ensuring that they are addressed, and establishing that they inform business decisions;
  • ensuring that risk assessment and actions taken in mitigation benefit from an adequate level of independent scrutiny;
  • considering any requests from the Office to deviate from the policy (the SIRO is the only person who may approve deviations).

The SIRO leads in championing greater transparency of public data. This includes:

  • providing advice to the Accounting Officer and PHSO Board on the implications of transparency initiatives for PHSO
  • responding to requests for greater transparency from external stakeholders and the public
  • ensuring that all business areas assess data within their control based on the assumption of transparency
  • overseeing the transparency section in the corporate business plan and ensuring its delivery

The SIRO is responsible for advising the Accounting Officer on the information risk aspects of the annual Governance Statement. This includes:

  • receiving an annual assessment of performance, including material from the IAOs and specialists;
  • providing advice to the Accounting Officer on the information risk elements of the Governance Statement.

3. Role and Responsibilities of the Information Asset Owners

3.1 Role

Information Asset Owners (IAOs) are senior people involved in running a relevant business area which uses a registered PHSO Information Asset. Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result they are able to understand and address risks to the information, ensure that it is fully used within the law for the public good, and provide written input to the SIRO annually on the security and use of their asset.

3.2 Responsibilities

Lead and foster a culture that values, protects and uses information for the public good

  • understand PHSO’s plans to achieve and monitor the right culture, across the Office
  • take visible steps to support and participate in that plan (including completing own training)
  • participate in and contribute to activities of the IAO community at PHSO, identifying best practice and opportunities for continuous improvement

Know what information is held in the asset, and what is added and removed and how

  • keep understanding of the asset and how it is used up to date
  • approve sharing of their information assets while achieving the business purpose
  • enforce the correct handling of information assets in support of PHSO’s Protective Marking Scheme and Handling arrangements
  • approve the disposal mechanisms for paper and electronic information assets, in accordance with the approved retention schedules listed in the Information Asset Register, and with IRM guidance

Know who has access to the asset and why, and ensure their use of it is monitored

  • understand PHSO’s policy on use of the information
  • be aware of and understand relevant statutory requirements with regard to handling information
  • check that access provided is appropriate to achieve the business purpose
  • receive records of checks on use and assure themselves that the checks are being conducted
  • report breaches promptly in accordance with PHSO procedures

Understand, identify and control risks to the business in relation to their asset(s), and provide assurance to the SIRO

  • contribute to implementation of the Information Risk Management Policy in their business area
  • contribute to PHSO’s information risk assessment
  • provide quarterly written assessments to the SIRO on the use and security of the information assets they are responsible for and the information they hold
  • make the case where necessary for new investment to secure the asset

Ensure the asset is fully used for the public good, including using information to help PHSO deliver its strategic aims

  • consider whether better use of the information could be made
  • consult with the FOI/ DPA team on external requests for access to information
  • work with External Affairs to share the information externally
  • ensure decisions on access are taken accordingly

4. Responsibilities of the IRM Team

The Head of Information and Records Management and the Information and Records Manager will:

  • Ensure that the information asset register is accurate, maintained and up to date
  • Define and implement appropriate safeguards to ensure the confidentiality, integrity and availability of the information asset
  • Manage the access controls to the information assets
  • Authorise access to those who have a business need for the information
  • Ensure access is removed from those who no longer have a business need for the information
  • Manage the disposal processes of the assets
  • Assess and monitor safeguards to ensure their compliance and report situations of non-compliance
  • Produce regular audit reports on access to the assets for asset owners and identify any risks to the assets
  • As part of the wider Records Management assurance and compliance procedures, provide an annual written risk assessment to the Executive Board for all assets owned and provide assurance to the Board on the security and use of these assets

5. Information risks to manage

5.1 The Head of Information and Records Management, working with the Information Asset Owners and the Security Manager, will need to assure against:

  • Inappropriate access to, or disclosure of, protectively marked or personal data by staff, contractors and outsiders, whether accidental or deliberate
  • Internal threat – staff acting in error or deliberately, or external parties, obtaining PHSO’s information illegally and exposing it, or acting maliciously to defraud PHSO or its customers
  • Information loss – particularly during transfer or movement of information, or as a result of business change
  • Loss of digital continuity – i.e. losing the ability to use PHSO information in the way required when required. By use, we mean being able to find, open, work with, understand and trust PHSO’s information

5.2 An assessment of the risk level for each section of the file plan has been made and is listed in this register. It should be noted that individual documents/records within a section may have a higher risk than the section overall and will need to be managed accordingly.

6. Structure of the Information Asset Register

6.1 The Information Asset Register contains the following fields:

Field / Explanation
Description of Information Assets / Brief description of what the information asset is; more detail on what the components of the information asset are; what part of the business the information asset supports
Information Risk / What are the risks to the information asset? What are the risks to the business from the information asset?
Information Asset / The type of records included in the information asset (arranged according to the classes in the Meridio fileplan)
Information Asset Owner / Who is the Information Asset Owner?
Retention Period and Reason / How long the information asset should be kept, and the reason why the information is being retained (i.e. business use, legislation, regulation etc.)
Meridio Action and Review instruction / Guidance for LIRAs on when to close folders (where applicable) to trigger the retention period; guidance to Information Asset Owners on what to do with the information once it has reached the end of its retention period (Review)

6.2 The register is structured around the corporate file plan. The sections referred to in the register are the sections of the file plan. As the purpose of the register is to group types of assets, rather than list individual ones, the register lists asset types at the third level of the file plan and does not go down to folder level unless required for specific retention and disposal reasons.

Section 1: Governance and Strategic Management

Page 1 of 164

Information Asset Register v3.0

1.01 GOVERNANCE / ANNUAL REPORT (Annual Classes)

Information Asset(s) / Information Asset Owner / Retention Period and Reason / Meridio Action and Review instruction
Annual report – content, data, promotion / Executive Director of External Affairs and Strategy / Retention Period: Destroy 6 years after publication of Annual Report. Reason: Business Use / Meridio Action: Close folder(s) on publication of Annual Report. Review Instruction: Delete folder.
Annual report – final report / Executive Director of External Affairs and Strategy / Retention Period: Archive 6 years after publication of Annual Report. Reason: Business Use / Meridio Action: Close folder on publication of Annual Report. Review Instruction: At Review (6 years after publication), move final version of Annual Report to the Archive (ARC 5.01), then delete this folder.

1.01 GOVERNANCE / EB EXPENSES

Information Asset / Information Asset Owner / Retention Period and Reason / Meridio Action and Review instruction
EB Expenses / Director of Finance, Planning & Performance / Retention Period: Destroy 6 years after end of financial year. Reason: Taxes Management Act 1970 / Meridio Action: Close folder at end of financial year. Review Instruction: Delete folder.

1.01 GOVERNANCE / STATEMENTS AND MEMORANDA

Information Asset / Information Asset Owner / Retention Period and Reason / Meridio Action and Review instruction
Accounting Officer Appointment / Head of Executive Office / Retention Period: Archive 6 years after Governance Statement approved. Reason: Business Use / Historical Interest / Meridio Action: Automatic Part closure at end of Business Year. Review Instruction: Archive final version of Accounting Officer Appointment letter. Delete Part after review complete.
Governance Framework / Chief Operating Officer / Retention Period: Archive 6 years after Governance Statement approved. Reason: Business Use / Historical Interest / Meridio Action: Automatic Part closure at end of Business Year. Review Instruction: Archive final version of Governance Statement. Delete Part after review complete.
Memoranda of Understanding / Head of Executive Office / Retention Period: Archive 6 years after Governance Statement approved. Reason: Business Use / Historical Interest / Meridio Action: Automatic Part closure at end of Business Year. Review Instruction: Archive final version of Governance Statement. Delete Part after review complete.
Resource accounts (final) / Director of Finance, Planning & Performance / Retention Period: Archive 6 years after Resource Accounts approved. Reason: Business Use / Historical Interest / Meridio Action: Automatic Part closure at end of Business Year. Review Instruction: Archive final version of Resource Account. Delete Part after review complete.
Statement of Responsibilities / Head of Executive Office / Retention Period: Archive 6 years after Statement of Responsibilities approved. Reason: Business Use / Historical Interest / Meridio Action: Automatic Part closure at end of Business Year. Review Instruction: Archive final version of Governance Statement. Delete Part after review complete.
Governance Statement / Chief Operating Officer / Retention Period: Archive 6 years after Statement of Internal Control approved. Reason: Business Use / Historical Interest / Meridio Action: Automatic Part closure at end of Business Year. Review Instruction: Archive final version of Governance Statement. Delete Part after review complete.

1.02 CORPORATE MEETINGS

Information Asset / Information Asset Owner / Retention Period and Reason / Meridio Action and Review instruction
Advisory Board / Head of Executive Office / Retention Period: Archive 6 years after end of business year. Reason: Business Use / Historical Interest / Meridio Action: Close folder at end of Business Year. Review Instruction: Archive whole folder under ARC 3.02 CORPORATE MEETINGS / ADVISORY BOARD.
Approved for Publication Corporate Meeting Minutes / Head of Executive Office / Retention Period: Destroy 6 years after end of business year. Reason: Business Use / Meridio Action: Close folder at end of Business Year. Review Instruction: Delete folder.
Audit Committee / Head of Executive Office / Retention Period: Archive 6 years after end of business year. Reason: Business Use / Historical Interest / Meridio Action: Close folder at end of Business Year. Review Instruction: Archive whole folder under ARC 3.02 CORPORATE MEETINGS / AUDIT COMMITTEE.
Corporate Meetings Governance / Head of Executive Office / Retention Period: Destroy 6 years after end of business year. Reason: Business Use / Meridio Action: Close folder at end of Business Year. Review Instruction: Delete folder.
Executive Board (annual folders) / Head of Executive Office / Retention Period: Archive 6 years after end of business year. Reason: Business Use / Historical Interest / Meridio Action: Close folder at end of Business Year. Review Instruction: Archive whole folder under ARC 3.02 CORPORATE MEETINGS / EXECUTIVE BOARD.
Leadership Team (annual folders) / Head of Executive Office / Retention Period: Archive 6 years after end of business year. Reason: Business Use / Historical Interest / Meridio Action: Close folder at end of Business Year. Review Instruction: Archive whole folder under ARC 3.02 CORPORATE MEETINGS / EXECUTIVE BOARD.
Pay Committee / Head of Executive Office / Retention Period: Archive 6 years after end of business year. Reason: Business Use / Historical Interest / Meridio Action: Close folder at end of Business Year. Review Instruction: Archive whole folder under ARC 3.02 CORPORATE MEETINGS / PAY COMMITTEE.
Programme Boards / Head of Executive Office / Retention Period: Archive key documents 6 years after end of programme board, destroy all other documentation. Reason: Business Use / Meridio Action: Close folder at end of Programme Board. Review Instruction: Retain key documents (i.e. PID, PIR, key outputs) by saving into a new folder in the Archive (ARC 3.08) and then delete this folder.

1.03 MANAGEMENT MEETINGS