Warwick District Council maintains large amounts of sensitive information and with that comes an obligation to protect this information. It is crucial that the public has confidence that any data they provide is treated with appropriate confidentiality and kept safe from any risk of misuse or unauthorized disclosure.
Information Governance Framework
Information is a vital asset for the provision of services to the public and for the efficient management Council services and resources. As well as protecting confidentiality and ensuring rights to access public and personal information, it plays a key part in governance, service planning and performance management.
Information governance is concerned with how information is held, obtained, recorded, used and shared by the organisation to achieve compliance with information governance laws and current best practice. Information is used here as a collective term to cover terms such as data, documents, records, web content, images and biometric data.
It is essential that the Council has a robust information governance management framework, to ensure that information is effectively managed with accountability structures, governance processes, documented policies and procedures, staff training and adequate resources.
This is a key policy in a set that is underpinned by a number of other related policies, codes of practice and guidelines that form the WDC’s Information Governance Framework. The Framework covers the wider requirements for compliance with information law and best practice.
Data Protection legislation requires Warwick District Council to handle personal information relating to living identifiable individuals in a fair, safe, responsible and secure manner. There are other rules relating to information privacy, such as, the Privacy and Electronic Communications Regulation and the common law of confidentiality. In additional a range of information is defined as exempt from disclosure under the Freedom of Information Act and should also therefore be treated as private and confidential.
This policy sets out the Council’s requirements regarding the appropriate and responsible use of personal and private information.
Information Access and Rights
This document sets out the Council’s policy in relation to both access to information and the exercise of information rights, including compliance with information law, primarily Freedom of Information and Data Protection legislation and the associated best practice.
This policy aligns with other policies in the Information Governance Framework, these are:-
- the Information Security and Conduct Policy; and,
- the Records Management and Retention Policy
There is also more detail guidance in sub-policies and procedures also falling within the scope of the Information Governance Framework.
This policy is to ensure that the Council gets the balance right between:
- Being transparent and proactive by making information accessible whenever it can be and by disclosing and sharing information when necessary
- Being helpful in ensuring people can exercise their information rights
- Protecting information that needs to be retained, secure and confidential
Records Management Policy
Information is one of the Council’s corporate assets; in the course of carrying out its’ various functions, the Council accumulates information from both individuals and external organisations. The Council also generates a wide range of information, which is recorded in documents and collected into records.
The documents and records are in several different formats, examples of which include, (but are not limited to) communications such as letters, emails and attendance notes; financial information including invoices, statements and reports; legal documents such as contracts and deeds; and information relating to various types of applications, including forms, plans, drawings, photographs and tape recordings.
This policy sets out the Council’s approach to records management that requires
active management throughout their life cycle. The key issues covered are:-
- Information Asset Register
- Information Security
- Records Metadata
- Network Drives
- Protective Marking
- Evidential Integrity
- Record Retention Schedule
- Disposal of Records
Information Security Incident Management Policy
This policy is a constituent part of Warwick District Council’s Information Governance Framework which sets out a framework of governance and accountability for information governance across the Council.
Safe use of the Council's information and IT systems is essential to keep it working effectively. All users of Council information have a responsibility to
- Minimise the risk of vital or confidential information being lost or falling into the hands of people who do not have the right to see it
- Protect the security and integrity of IT systems on which vital or confidential information is held and processed
- Report suspected information security incidents promptly so that appropriate action can be taken to minimise harm.
This document provides a framework for information security incident/event handling and response within Warwick District Council. Underpinning the Council’s approach is the need to take prompt action in the event of any actual or suspected breaches of information security or confidentiality to avoid the risk of harm to individuals, damage to operational business and severe financial, legal and reputational costs to the organisation. This document outlines the steps to be taken when information security events are discovered and establishes the organisational requirements, including roles and responsibilities for incident processing and protection. Using this document, incident handling and response can be performed in a consistent manner.