Published byElijah Richards Modified over 9 years ago
Slide 1: Information Assurance and Information Sharing
IMKS Public Sector Forum, 7 February 2011
Clare Cowling, Senior Information Governance Adviser, Transport for London
Slide 2: Transport for London (TfL)
TfL was created in 2000. Its main role is to implement the Mayor's Transport Strategy for London and manage transport services across the Capital. These services include:
– London's buses
– London Underground
– Docklands Light Railway (DLR)
– London Overground
– London River Services
– Barclays Cycle Hire Scheme
TfL also has a number of other responsibilities:
– Managing the Congestion Charge
– Maintaining 580km of main roads and all of London's traffic lights
– Regulating the city's taxis and private hire trade
Slide 3: Agenda
– What is information assurance?
– What does it mean in practice?
– What does it mean in terms of information sharing?
Slide 4: What is information assurance?
It is the practice of managing risks related to the use, processing, storage and transmission of information or data, and to the systems and processes used for those purposes. In other words: identifying information risks and finding practical ways to mitigate them.
Slide 5: What are the risks around sharing information?
– Security risk
– Compliance risk
– Reputational risk
– Financial risk
– Litigation risk
– Business risk
Slide 6: What is the potential damage?
– Looking silly, inefficient or secretive (damage to reputation)
– Losing money (poor project or contract management, fines, e.g. from the ICO)
– Inefficiencies (re-inventing the wheel)
– Time wasting (not being able to find anything)
– Safety compromised (using inaccurate or out-of-date information)
Slide 7: Risk mitigation through information and records management (IRM)
– Only accurate, up-to-date and relevant information held
– Easy to find information on request
– Confidence in the quality of our information
– Confidence that information is shared appropriately
– Information locations and information owners identified
– Redundant information destroyed
Slide 8: An example of poor IRM...
A subject access request (SAR) was received from an individual for the emails they had transmitted while working at TfL. An initial trawl revealed 14,000 emails dating back 10 years. A further trawl reduced this to 6,000, which then had to be evaluated to see which were relevant to the SAR, with names redacted, etc. The excessive cost of complying with this request (just one of many similar SARs) would have been avoided had a corporate strategy for deleting redundant emails been implemented.
Slide 9: An example of good IRM...
– TfL received an FOI request for some week-old congestion charging ANPR data (not relating to a contravention).
– We were immediately able to respond that we could not provide the data, because the disposal policy for non-contravention footage is midnight of the following charging day.
– So responding in full took a matter of minutes.
Slide 10: Mitigating risk: IRM policies and procedures
– Information and Records Management Policy
– Information Access Policy
Complemented by:
– Information Security Policy
– Privacy and Data Protection Policy
– PCI DSS Standard
– Information sharing agreements
Slide 11: Mitigating risk: information sharing agreements (1)
Overarching Information Sharing Protocol:
– Legal requirements
– Secondary disclosures of personal data
– Information access rights
– Data security
Slide 12: Mitigating risk: information sharing agreements (2)
Purpose-specific Information Sharing Procedures:
– Description of the data to be shared
– Permitted uses of the data
– Legal basis
– Means of transfer or access
– Loss or unauthorised disclosure of data
Slide 13: Mitigating risk: managing information security
– Knowing the security classification of a piece of information helps determine when and with whom you can share it
– Less likely to reveal confidential or personal data in error
– Comply with Principle 1 of the DPA
Slide 14: Mitigating risk: managing documents
– Document naming and version control standards
– Appropriate security classifications
– Appropriate storage
– Information owners identified
– Scheduled disposal of redundant documents
Slide 15: Mitigating risk: managing emails
Most business transactions are still made by email. Rules are crucial on:
– How to manage business-critical emails
– Encryption or alternative transmission processes for sensitive information
– Getting rid of redundant or irrelevant emails
Slide 16: Mitigating risk: managing social media
– Employees increasingly expect to use social media tools to conduct business
– Business-critical data already lost or unavailable
– Inappropriate sharing of business (and personal) data
– Let's get some rules in place!
Slide 17: Mitigating risk: managing digital records
– Scanning to legal admissibility standards
– Digital migration and preservation strategy
– Appropriate file formats
– If you can't access it any more, you can't share it
– Comply with Principle 7 of the DPA
Slide 18: Mitigating risk: managing paper
The same rules should apply to paper and electronic records:
– Access
– Security
– Storage
– Filing rules
– Disposal
Slide 19: Mitigating risk: information disposal
– Important to produce a clear disposal policy as evidence of best practice
– Records disposal schedules for all formats
– Automated deletion from corporate databases
– Regular clear-outs of unstructured data
– Allocating responsibility for implementation
– Comply with Principles 4 and 5 of the DPA
Slide 20: Mitigating risk: educating and communicating
Guidance on:
– Managing requests for information
– Managing records and information
– Appropriate information sharing and compliance
Because the biggest information risk is people!
Slide 21: Integrating responsibilities
At TfL, information governance, risk and compliance fall within the remit of General Counsel, alongside the corporate governance, legal and internal audit functions. Specific responsibilities include:
– Records management strategy and policy
– FOI/EIR/DPA compliance
– Privacy, data protection and data breach issues
– Information security policy/classification scheme
– Information sharing protocols
– Information risk register
But everyone is responsible for managing information risk!
Slide 22
16 October 2006