University Information Audit 2014

Slides:



Advertisements
Similar presentations
Project Cycle Management
Advertisements

The Aged Care Standards and Accreditation Agency Ltd Continuous Improvement in Residential Aged Care.
Identification and Disposition of Official University Records University of Texas at Arlington Records Management.
Department of Environmental Quality Environmental Management System Overview.
1 Auditing in the Public Interest Records Management in the Victorian Public Sector Audit objective Audit had two objectives : The first objective was.
GReening business through the Enterprise Europe Network EN Giovanni FRANCO European Commission Enterprise and Industry EN
Developing a Records & Information Retention & Disposition Program:
QMS Documentation Click the mouse to advance slides and animations in this slide show…
Compliance Policy & Procedures An Overview for Staff Prepared by MSM Compliance Services Pty Ltd.
Preparing Scotland’s first Records Management Plan Ava Wieclawska Records Manager.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Accelerated EMS Session 4 – 28 January 2008.
Unit 2: Managing the development of self and others Life Science and Chemical Science Professionals Higher Apprenticeships Unit 2 Managing the development.
Information Assurance and Information Sharing IMKS Public Sector Forum 7 February 2011 Clare Cowling, Senior Information Governance Adviser Transport for.
1 European Conference on Training Strategies Kieran Cox -NSAI Education & Promotion-
PRM 702 Project Risk Management Lecture #28
9 Closing the Project Teaching Strategies
Basics of OHSAS Occupational Health & Safety Management System
1 Records Inventory & Data Classification Workshop Data Classification Project Note: This is an example of one agency’s approach to meeting the state records.
© 2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
David N. Wozei Systems Administrator, IT Auditor.
Equality Impact Assessments: Measuring Impact and Driving Change Lucy Ambrozejczyk Service Improvement Officer Hafod Housing Association.
Legacy Records Programme Update on the Legacy Records Programme Auckland Government Recordkeeping Forum 17/11/2009 Cheryl Pointon, Acting Manager Appraisal.
Risk Management & Corporate Governance 1. What is Risk?  Risk arises from uncertainty; but all uncertainties do not carry risk.  Possibility of an unfavorable.
Microsoft.com/publicsector Records Management Microsoft Records Management for Government Agencies.
REC support is. provided under cooperative agreement 90RC0025/01 from the Office of the National Coordinator for HIT, US Dept. of Health and Human Services.
SCHOOLS FINANCE OFFICERS MEETINGS Records Management, “Paper-Lite” Environments and Procedures when a school closes Elizabeth Barber.
WESTERN PA CHAPTER OF THE AMERICAN PAYROLL ASSOCIATION – NOVEMBER 4, 2015 Risk Management for Payroll.
Information Security January What is Information Security?  Information Security is about the physical security of our equipment and networks as.
1 Information Governance (For Dental Practices) Norman Pottinger Information Governance Manager NHS Suffolk.
Business Continuity Planning 101
Chapter 6 Internal Control in a Financial Statement Audit McGraw-Hill/IrwinCopyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
Understanding Privacy An Overview of our Responsibilities.
Midland DHBs Board Development
Describe the responsibilities of financial-information management in an organization
CPA Gilberto Rivera, VP Compliance and Operational Risk
Information Technology (IT) Audits
University Information Audit 2014
ISO 14001: 2004 Environmental Management Review Presentation
Data Minimization Framework
12.3 Control Procurements The process of managing procurement relationships, monitoring contract performance and making changes or corrections as needed.
Learn Your Information Security Management System
Privacy Impact Assessments (PIAs)
Prepared by Rand E Winters, Jr. ASR Senior Auditor October 2014
Current ‘Hot Topics’ in Information Security Governance Auditing
Electronic Records Management Program
General Data Protection Regulation
General Data Protection Regulations Preparing for the upcoming changes in data protection law David Jones & Angharad Williams.
INTRODUCTION TO ISO 9001:2015 FOR IMPLEMENTATION Varinder Kumar CISA, ISO27001 LA, ISO 9001 LA, ITIL, CEH, MEPGP IT, Certificate course in PII & Privacy.
GDPR and paper records Why it’s not all cyber and fines Gary Shipsey
Security measures Introducing Risk Assessment in GDPR
G.D.P.R General Data Protection Regulations
ScHARR Bite Size Research Ethics and GDPR: legal requirements for research - what you need to know.
Compliance Policy & Procedures
Data Protection What’s new about The General Data Protection Regulation (GDPR) May 2018? Call Kerry on Or .
Our New Integrated Business Management System [“IMS”]
H Horse Care H2.7b Improve Practices
How to build your Integrated
GDPR – General Data Protection Regulation
REGIONAL LOCAL GOVERNMENT BUDGET CONFERENCES
Outlook and Shared Drives
The General Data Protection Regulations 2016
IUC Records Retention Tool: Zasio’s Versatile Retention
ScHARR Bite Size Research Ethics and GDPR: legal requirements for research - what you need to know.
Data Security and Protection Toolkit Assurance 2018/19
OBSERVER DATA MANAGEMENT PRINCIPLES AND BEST PRACTICE (Agenda Item 4)
Why do we need to keep records
CEng progression through the IOM3
HR AUDIT (An Early Evaluation System) (An Early Evaluation System) S.Jayaprakash., M.Sc (IT), PGD.HRM, DLL & AL.
Presentation transcript:

University Information Audit 2014 Improving information and records management as part of the University’s continuous improvement approach (Strategy 2020).

Information Asset Strategy 2020 Risk

Introduction Information is a business asset… As a University we are in the information business – we ‘process’ massive amounts of data and information every day. It is the life-blood of the institution…essential to our continuing functioning. Information is effectively one of the biggest assets of the University and there are a variety of risks associated with its management. Every business process is supported by information, however the information and its management are often seen as secondary to the process. ‘Process’ includes actions such as: receiving, creating, storing or retaining, using, re-using, updating, consulting, imparting, sharing and disposing of information. Data and information includes customer interactions, personal data, internal and external correspondence (emails, web enquiries, letters, social media, etc.), electronic files and system information, paper and hard copy documents and records, our ‘product’ (teaching/learning materials, feedback), confidential and other corporate data.

Risks Keeping information longer than permitted Loss of information Fines of up to £500K or potentially a % of the University’s turnover in future Risks Keeping information longer than permitted Loss of information Difficulties finding or retrieving information Breach of legislation Unlawful disclosure of personal or confidential information The risks which have to be considered when managing information are diverse – from disclosure of personal data in breach of the Data Protection Act (DPA) or retention of information beyond the time limits allowed in breach of the DPA and other legislation, to a loss of information which disrupts business operations or difficulties finding information which costs time, effort and money to retrieve. This can have a damaging impact on the business, causing reputational damage, financial loss, business inefficiency, etc. and it is therefore critical that the University puts measures in place to mitigate against these risks. Destroying information too soon Impact on individuals affected

Why an Audit? The Information Audit is a risk mitigation exercise and quality improvement process. By understanding what information the University holds and how this is being processed, we can assess where there are areas of risk and put procedures in place for improving the management (and security) of our information.

Why now? Strategy 2020 7 years since the last Information Audit Records Management Policy and Strategy urgently require revision. Departmental records management procedures and documentation need establishing/updating New requirement for self reporting of DPA breaches to the ICO and the introduction of stricter sanctions and heavier penalties for breaches – possibly a % of turnover Recent departmental restructuring/office moves ISO27001:2013 – more stringent requirements in the new standard and frequent audits Preparation for being brought into scope for National Records of Scotland (Public Records (Scotland) Act)

Strategy 2020 Build Innovation, Enterprise and Citizenship Adopt a continuous improvement/enhancement approach in all that we do Maximise the value of our [information] assets Information and records are received and created by University staff members and representatives to facilitate and support business processes – they are inputs and outputs of the University’s activities. Ensuring that our information assets are managed correctly corresponds directly with the objectives of Strategy 2020, namely improving the efficiency of business processes. For more information on how the Information Audit will contribute to Strategy 2020 please see: http://staff.napier.ac.uk/services/secretary/governance/Pages/InfoAudit.aspx

Business process : information Business process : information relationship (Generic HR recruitment process example)

Information Audit Aims and Objectives Ensure legislative compliance Understand the current situation with regards to information processing/storage in order to: Assess risk and mitigate where the likelihood of a breach of legislation/regulation is higher Develop an Information Asset Register (IAR) and develop/update Records Retention Schedules (RRS)- both of which are compliance assurance tools. **Records Retention Schedules are particularly important in that they set out the University’s policy for retaining and destroying records, ensuring we are not subject to action for early destruction and undue retention. These give staff confidence that they are retaining information for the correct length of time**. Inform the development of a new Records Management Strategy and Records Management Policy, and other policies and procedures to assist with the continual improvement of the management of University information and records. Generally raise awareness of the importance of good information and records management practices, and the requirements and individuals’ responsibilities in this regard

Documented outcomes Information asset register…linked to… Comprehensive Records (and Information) Retention Schedules (POLICY document to defend the University’s actions regarding retention of information, if challenged) Business process procedures…linked to… Information and records management procedures (including filing arrangements and naming conventions)

Opportunities To improve the processes used to manage corporate information across the University in line with Strategy 2020, resulting in efficient business processes supported by efficiently managed information and records To ensure your departmental business procedure documents are up to date (if they aren’t already) Provide staff members with the tools, knowledge and confidence to manage all the information that they process, including unstructured data (shared drives, SharePoint, email), and transitory records or supporting information which may not necessarily be dealt with in a Records Retention Schedule.

Benefits University: Staff members: Customers: Business efficiencies Risk mitigation Staff members: CONFIDENCE! Departmental RM procedures to follow for correct and consistent practices The right information available to the right people at the right time Assurance that information is reliable, secure, authentic, and can be easily found and retrieved for use and re-use Customers: Confidence that their data is safe and secure with us

How do you eat an (information) elephant…? …one business process at a time

The Audit Process Appraise Evaluate Gap Analysis Improve Governance Services work with depts. to identify areas of risk/ for improvement Collaborate to improve information & records management procedures. Governance Services collate and assess information Initial processes for Audit identified Information Audit gathers information Appraise Evaluate Gap Analysis Improve

Approach There are 3 stages to the Audit 1) Managers Questionnaire and identification of top 3 business processes supported by high risk information 2) Audit Spreadsheet for completion by Records Management Co-ordinators in co-operation with appropriate members of staff 3) All Staff Questionnaire …the plan is to make the audit a manageable task…

What information is high risk?

Outcome examples Work (process) procedure Information Asset Register Records (& info) Retention Schedule File Plan (manual & electronic) and access permissions Naming conventions Annual disposal schedule

Finally… If you have any process improvement work being done as part of the ‘Improving Operational Processes and Procedures’ project it would be a good opportunity to conduct Information Audit work at the same time. Please raise awareness of the Information Audit within your teams and identify members to undertake this work and liaise with Governance Services. Please complete the ‘Manager’s Questionnaire’

Further Information Please contact Governance Services, either Diana Watt Governance Officer (Records Manager) D.Watt@napier.ac.uk (extension 6257) or Helen Mizen Governance Officer (Data Protection & Legal) H.Mizen@napier.ac.uk (extension 6359) or check the intranet for further information and updates: http://staff.napier.ac.uk/services/secretary/governance/Page s/InfoAudit.aspx

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.