
INFORMATION GOVERNANCE POLICY


Document history, consultation and approval

Title: SCRA Information Governance Policy

Version: Version 1

Other relevant approved document: SCRA Case Information Policy; SCRA Records Management Policy; SCRA Information Security Handbook V3.1

Date of issue of policy: 2014 (following Board approval)

Date of issue of this version: August 2014

Review date and by whom: July 2015 (To be reviewed at least annually); Information Governance Working Group

Prepared by: Information & Research Manager

Consultation: Executive Management Team

Approved by: To be approved by Board in September 2013


Table of Contents

1: Introduction

2: Strategic aim

3: Scope

4: Statutory requirements and accountabilities

5: Governance

6: SCRA policies and guidance

Appendix 1: Information Governance Working Group

Contact

For further information please contact:

Gillian Henderson

Information & Research Manager

Email: [email protected]


1. Introduction

1.1 SCRA has statutory responsibilities as an organisation for the information it holds. This includes legislation governing use of personal information, principally the Data Protection Act 1998 (DPA), Human Rights Act 1998, Children (Scotland) Act 1995 and Children’s Hearings (Scotland) Act 2011. It also includes legislation governing wider information held by organisations, such as the Public Records (Scotland) Act 2011 (PRSA) and the Freedom of Information (Scotland) Act 2002 (FOISA).

1.2 SCRA also has accountabilities as a Non Departmental Public Body to Scottish and UK Governments. Cabinet Office guidance in its Security Policy Framework requires that all Government organisations have information governance arrangements in place for all the information assets they own.

1.3 Information on children and families is essential for Reporter decision-making and the delivery of SCRA’s service. SCRA as an employer has responsibilities for the information it holds on its staff. Information is also an asset - SCRA’s statistical data and research influences and informs development of policy at local and national levels. The handling and security of information must be afforded the highest priority to safeguard those for whom we work and the organisation. Confidence and trust in public authorities can be won or lost by the track record of a public body in managing information, especially highly sensitive, personal information.

2. Strategic aim

2.1 To continually improve SCRA’s information governance and security to become a trusted leading public body in the management and governance of information [1]. SCRA seeks to achieve this aim and meet its statutory requirements and accountabilities through sound governance, clear roles and responsibilities, and detailed guidance and subject specific policies covering all aspects of work.

3. Scope

3.1 This Policy covers all the information that SCRA holds in all formats. This includes:

• personal information related to children referred to the Reporter and information on members of staff
• aggregated statistical and research information
• financial information
• corporate information.

[1] SCRA’s Business Plan 2012-13.

4. Statutory requirements and accountabilities

Data Protection Act 1998

4.1 SCRA is a Data Controller in terms of the DPA. SCRA provides an annual notification to the Information Commissioner on the purposes for which it processes personal data. In 2011, the Principal Reporter signed an Undertaking with the ICO that SCRA would meet certain requirements to ensure compliance with the DPA. Information on how SCRA processes personal data is provided on SCRA’s web site www.scra.gov.uk.

Freedom of Information (Scotland) Act 2005

4.2 SCRA is listed in Schedule 1 of the Freedom of Information (Scotland) Act 2005. SCRA’s Publication Scheme was approved by the Scottish Information Commissioner and is on SCRA’s web site www.scra.gov.uk. Guidance on making a FOISA request to SCRA is provided on SCRA’s web site.

Public Records (Scotland) Act 2011

4.3 SCRA is listed in the Schedule to the PRSA. SCRA will adopt the Model Records Management Plan to be completed by July 2015.

Children (Scotland) Act 1995 and Children’s Hearings Act 2011

4.4 The main powers of the above legislation relate to investigation of referrals by the Reporter (s56 of the 1995 Act and s66 of the 2011 Act). Notifications which are prescribed in the Children’s Hearings (Scotland) Rules and also in s56 of the 1995 Act and s68 of the 2011 Act specify who can be notified of decisions of the Reporter.

The Principal Reporter’s powers to share information are largely defined by the 1995 Act. New provisions to extend SCRA’s powers to share information have been introduced by the 2011 Act and associated secondary legislation; however these are still limited to certain specified circumstances.

Accountability to UK Government - HMG Security Policy Framework

4.5 SCRA, via Scottish Government, is accountable to UK Government for the security of its information assets. SCRA provides an annual return to Scottish Government on its compliance with the mandatory standards set by the Security Policy Framework.

Accountability to Scottish Government - Scottish Public Finance Manual

4.6 The Scottish Public Finance Manual (SPFM) requires that Accountable Officers of public bodies include a governance statement in their Annual Reports and accounts. Essential features of this governance statement are details of any significant lapses of data security and consideration of issues that may cause data integrity to be put at risk.

Staff information

4.7 SCRA is committed to ensuring that the personal information it holds on staff is held and managed in accordance with the legislation outlined above as well as complying with the Information Commissioner’s Employment Practices Code. The Single Equality Act 2010, including both the general and specific duties, requires SCRA to gather and publish anonymised data on protected characteristics. This data is gathered during recruitment and selection exercises and staff in post are required to update their own data using self-service e-hr.

Statistical information

4.8 SCRA data and statistics are accredited as Official Statistics. This requires that statistical data is honest, objective and impartial; made available equally to all without cost to the end user with publishing dates openly announced far in advance.

Research information

4.9 SCRA works to the Social Research Association’s Ethical Guidelines on the personal information it uses in research.

5. Governance

5.1 SCRA’s Board’s Audit Committee is the accountable Committee for information governance. An SCRA Board member has been assigned responsibility for information governance. Information Governance is listed as a risk in SCRA’s Operational Risk Register and Strategic Risk Register; these are reviewed on a quarterly basis by the Audit Committee and Executive Management Team (EMT).

5.2 The Information Governance Working Group supports the Audit Committee, Board and EMT in monitoring and improving SCRA’s regulatory and statutory compliance for the personal data it holds and processes. The Group is Chaired by a Board Member. The Group’s Remit and Terms of Reference are attached at Appendix 1. An Information Governance Plan, which covers all activity in SCRA related to personal information, is overseen by the Group.

Information Governance Leads are identified for each Locality and come together as a Group on a quarterly basis to support operational implementation of information governance.

6. Roles and Responsibilities

6.1 The Director of Support Services is the Senior Information Risk Owner (SIRO). There are Information Asset Owners (IAO) for each of SCRA’s major information assets and systems. The Information & Research Manager, Data Protection Officer, Information Security & Technical Assurance Officer and Information Assistant have specific responsibilities for information governance. Details of roles and responsibilities are contained in the Information Security Handbook. Staff carrying these roles and responsibilities are appropriately trained or have a programme of training prepared for them.

6.2 Information security and DPA compliance is included in the Job Descriptions of all operational managers (Locality Reporter Managers and Locality Support Managers).

6.3 Every member of SCRA’s staff is responsible for the information they have access to and use. This is reinforced through mandatory Data Protection training and SCRA’s Staff Code of Conduct.

7. SCRA subject specific policies and guidance

7.1 All SCRA staff must comply with SCRA’s policies on information governance. Failure to do so is a breach of SCRA’s Staff Code of Conduct.

• Information Security Handbook - incorporates all of SCRA’s Information Security policies and procedures to provide a single reference point for all SCRA Staff and those working for SCRA.

• Case Information Policy - provides the framework for SCRA on how information on children’s cases is held, used and destroyed, and aims to ensure compliance with the DPA. There is further guidance under this policy on specific areas including Office Moves, Retention of Case Information After 18th Birthday, Dealing with Information Requests, etc.

• Information Sharing Guidance - explains under what circumstances it is lawful to share information on children outwith the Principal Reporter’s statutory powers.

• Practice Instruction Note 36 ‘Non Disclosure of Place of Safety, Place of Residence, or Whereabouts’ and Operational Guidance Note 8 ‘Non Disclosure Case Handling’ - provide direction on dealing with Non Disclosure Order cases.

• Records Management Policy - sets out how all information, which is not covered by the Case Information Policy (e.g. financial, staff and corporate information), is managed. This includes the retention and disposal schedule.

• Information Security Policies - set out security requirements on electronic information. In addition, all staff as users of the Scottish Government’s SCOTS network must comply with the SCOTS IT Code of Conduct.

Appendix 1 to Information Governance Policy

INFORMATION GOVERNANCE WORKING GROUP

Terms of Reference

Approving Body: SCRA Board

Date Approved: June 2011

Reports to: SCRA Audit Committee

Chair: Louise Macdonald, Board Member

Members:

• Director of Support Services
• Head of Practice & Policy
• Information and Research Manager
• Data Protection Officer
• Information Security & Technical Assurance Officer
• Locality Reporter Manager (x2)
• Locality Support Manager (x2)
• Press & Communications Manager
• Executive Officer

INFORMATION GOVERNANCE WORKING GROUP

Aim and purpose

That SCRA is seen as a leading public body in the management and governance of personal information, and is trusted by those we provide a service to.

Remit

To drive forward the improvement of information governance in SCRA so that:

• SCRA fully meets its statutory obligations for all personal information that it holds and processes.

• All SCRA staff understand their statutory and ethical obligations to personal information, and the individuals concerned.

• All SCRA staff treat others’ personal information with the same respect they would expect for their own.

Terms of Reference

Review the Strategic Framework for Information Governance.

Promote, improve and monitor information governance arrangements in SCRA.

Provide assurance to the SCRA Audit Committee and Board, Scottish Ministers, Scottish Information Commissioner, Information Commissioner and Keeper of the Records of Scotland of SCRA’s compliance with relevant legislation.

Engage with staff to ensure that they respect and understand their obligations to the personal information they work with and the individuals concerned.

Work with partners to improve information governance across the Children’s Hearings System.

To listen to service users’ concerns and suggestions regarding personal information, and act to address these.

Develop and implement an Information Governance Action Plan for continuous improvement, with clear deliverables.

Report on a quarterly basis to EMT, Audit Committee and all staff on SCRA’s compliance with relevant legislation and progress on Action Plan deliverables.

Develop indicators to monitor and assess SCRA’s progress in improving its information governance.
