Confidentiality

13-210

Attainment: Level 3 (Previous 1)

Organisations should ensure that the introduction of new processes, services, systems and other information assets does not have an adverse impact on information quality or result in a breach of information security, confidentiality or data protection requirements. For best effect, the information security, confidentiality, data protection and information quality requirements should be identified and agreed before the design, development and/or implementation of a new process or system begins.

Level 1.

There is a documented procedure and structured approach for ensuring that new or proposed changes to organisational processes or information assets are identified and flagged with an appropriate information governance group or equivalent and that information security, confidentiality and data protection, and information quality requirements are defined at an early stage of the project cycle.

a.

Responsibility for documenting a procedure to ensure that new or proposed changes to organisational processes or information assets are identified has been assigned to an individual or group.

Job Description

b.

There is a documented procedure for the identification and assessment of new processes and information assets that might impact on information security, confidentiality and data protection, and information quality that sets out a range of responsibilities for those involved in making decisions about whether to permit implementation of a new process or information asset. The type of roles that would typically be involved would be the senior people that lead on confidentiality (e.g. Caldicott Guardian), information risk (e.g. SIRO, IAO), information security officers, IG leads, etc.

Job Description

c.

The procedure also sets out a structured approach for appropriate IG security accreditation documentation, procedures and controls to ensure new information assets are developed and introduced in a secure manner.

Documented project management approach

Level 2.

All staff members who may be responsible for introducing changes to processes or information assets have been effectively informed of the requirement to seek approval from the appropriate group. All new implementations follow the documented procedure. Where the proposed new process or information asset is likely to involve a new use of personal data, or to significantly change the way in which personal data is handled, an appropriate privacy impact assessment is always carried out.

a.

All staff members that are likely to introduce new information processes or information assets are effectively informed about the requirement to obtain approval from the IG forum (or equivalent) at the proposal stage of the new process or information asset. Staff might be informed through team meetings, awareness sessions, or staff briefings.

Training records

b.

All implementations of new processes and information assets follow the documented procedure, including adhering to the structured project management process for the implementation of new information assets. Information governance requirements are well defined and selected, and risks and issues are identified early and addressed routinely. An appropriate privacy impact assessment is carried out whenever a new process or information asset is likely to involve a new use or significantly change the way in which personal data is handled. Robust change control processes are applied.

Project documentation, formal risk analysis of information governance considerations identified prior to implementation, and where necessary privacy impact assessment documentation.

Process review

Change control documents.

Change control

Level 3.

Compliance with the guidance is monitored by reviewing any new processes or information assets that have been introduced. Project assurance processes are in place and their results are fed through to project boards or similar groups. Remedial or improvement action is documented and taken where appropriate.

a.

Specific project IG assurance processes are in place to review new processes and information assets. Results are fed through to the relevant personnel or groups (e.g. information risk leads, the IG group, project boards). Where a need for improvement is identified, this is documented within plans and appropriate action is taken.

Latest Information Governance Review meeting

b.

Providing staff with written materials or briefings does not provide sufficient assurance that the procedure has been understood and that the advice and approval of the IG group is obtained before new processes or information assets that might impact on information security, confidentiality and data protection, and information quality are introduced. Therefore, compliance spot checks and routine monitoring are conducted.

Latest Information Governance Review meeting

c. (Not relevant to OHC at this stage)