Information Lifecycle Management Policy
This page describes Data Migrators’ policy on the lifecycle management of stored information.
- Overview
- Purpose
- Scope
- Policy
- Policy Compliance
- Exceptions
- Non-compliance
- Related Documents
- Definitions and Terms
Overview
Data and Information Management is the process by which an organisation manages all the aspects of records whether internally or externally generated and in any format or media type, from their creation, all the way through their lifecycle to their eventual disposal.
This document sets out a framework within which the staff responsible for managing Data Migrators’ records can develop specific policies and procedures to ensure that records are managed and controlled effectively, and at best value, commensurate with legal, operational and information needs.
Purpose
The aims of our Records Management System are to ensure that:
- records are available when needed – from which the organisation is able to form a reconstruction of activities or events that have taken place
- records can be accessed – records and the information within them can be located and displayed in a way consistent with its initial use, and that the current version is identified where multiple versions exist
- records can be interpreted – the context of the record can be interpreted: who created or added to the record and when, during which business process, and how the record is related to other records
- records can be trusted – the record reliably represents the information that was actually used in, or created by, and its integrity and authenticity can be demonstrated
- records can be maintained through time – the qualities of availability, accessibility, interpretation and trustworthiness can be maintained for as long as the record is needed, perhaps permanently, despite changes of format
- records are secure – from unauthorised or inadvertent alteration or erasure; access and disclosure are properly controlled and audit trails track all use and changes; and records are held in a robust format which remains readable for as long as they are required
- records are retained and disposed of appropriately – using consistent and documented retention and disposal procedures, which include provision for appraisal and the permanent preservation of records with archival value; and
- staff are trained – so that all staff are made aware of their responsibilities for record-keeping and record management.
Scope
This policy relates to all technical and non-technical records held in any format by any member of Data Migrators Staff. These include:
- Corporate Records – Committee papers, Data Migrators Policies, corporate strategies and records relating to assets
- Human Resources Records – personal files, training records, disciplinary files
- Financial & Accounting records
- Complaint & Litigation Files
- Customer information, including technical details of their environments
- Customer data, including data and data transformation assets uploaded for manual or automated analysis
- Emails
- Databases and registers, manual or electronic
- Back-up and archive data
- Audit data
- Electronic system information and documentation
- Contracts and agreements
- Business continuity plans
Policy
Roles and Responsibilities
Data Migrators recognises that it has a specific corporate responsibility for data management. All contracts of employment must contain data stewardship standards as laid out in this policy and in guidelines produced by regulatory bodies. Data Migrators must have robust systems and processes that ensure that data are fit for purpose, are stored securely, are readily available when needed, and are destroyed in compliance with the retention and destruction schedule at the end of the cycle of each datum.
The Data Migrators Directors have overall responsibility for data management in the organisation. As accountable officers they are responsible for the management of the organisation and for ensuring appropriate mechanisms are in place to support service delivery and continuity. Data management is key to this as it will ensure appropriate, accurate information is available as required. However the responsibility is delegated to the Senior Information Risk Owner (SIRO).
Senior Information Risk Owner (SIRO)
The SIRO is an Executive Board member who is responsible for identifying and managing the information risks to the organisation and for ensuring the availability of an Information Asset Register. The SIRO will have oversight of the organisation’s information security incident reporting and response arrangements. The SIRO will be supported in their role by one or more Information Asset Owners who have assigned responsibility for the information assets of the organisation.
Information Asset Owners (IAO)
IAOs must be aware of the information that is held and administered within the division or department for which they are responsible and will be held accountable for its security, currency, and appropriate disposal. IAOs are directly responsible to the SIRO in the discharge of their responsibilities irrespective of their normal line management. IAOs must ensure that they do not retain information any longer than they are required to do so and must be familiar with the time limits set out in the Retention & Destruction Schedule. Where possible, automation will be employed to monitor and enforce the time limits set out in the Retention & Destruction Schedule.
Information Asset Administrators (IAA)
IAAs will be individuals who have day to day control of information assets. The main function is to complete Information Asset Registration forms for all items current and archived as per the list under 2.1 and make sure that all subsequent changes to the asset i.e. disposal, are recorded. An IAA can also be an IAO. Every data store must have an administrator. There can only be one administrator for each asset irrespective of the numbers of users of the asset.
All Staff
All Data Migrators staff, whether technical or administrative, who create, receive, and use data have data management responsibilities. In particular all staff must ensure that they keep appropriate records of their work and manage those records in keeping with this policy and with any guidance subsequently produced.
Organisation Data Register
Data Migrators will establish the Information Asset Register (IAR).
The IAR will be searchable to enable each IAO to produce a report showing all the information assets recorded by their IAAs. This report would always be the up to date register attributed to that particular IAO.
Retention and Disposal
It is a fundamental requirement that all Data Migrators data are retained for a minimum period of time for legal, operational, research and safety reasons. The length of time for retaining records will depend on the type of record and its importance to Data Migrators’ business functions.
Security of Sensitive Information
Any incident or near miss relating to a breach in the security regarding use, storage, transportation or handling of records must be reported using Data Migrators’ incident reporting framework and the Incidents Policy.
All breaches of confidentiality or information security will be deemed as a Serious Untoward Incident and be reported to the Information Governance Group.
The SIRO must be informed immediately of any loss or misplacement of any document that is used to record customer information, including hard copies, laptops, removable data storage devices, or any organisational business. Any loss will be managed as a Serious Untoward Incident and investigated and reported. Staff must seek permission from the Information Governance Manager before sending unsecured data out of the organisation. All information assets must be securely and appropriately protected. Staff must ensure that:
- they do not retain personally identifiable information (PII) on laptop, cloud, or unprotected portable media – refer to Encryption Policy
- sensitive information is not sent out of the organisation, whether in the title, the body, or as an attachment, unless it is password protected, and preferably encrypted.
Staff need to have an understanding of:
- What they should record
- Why they are recording it and how it will be used
- How to update information and add in information from other sources
- The correction of errors, so staff know how to correct errors and how to report errors if they find them
This training will take place either as part of local induction, close observation of others or at a formal training session. The latter particularly applies when it relates to the use of an electronic system. General Information Governance awareness will be provided to all staff at induction and at mandatory training days and in the future via online e-learning.
Policy Compliance
Compliance Measurement
The SIRO will include Information Asset risk information gained from the IAOs, other relevant staff and from the incident reporting framework, in the Statement of Internal Controls. All incidences of inappropriate sharing of personally identifiable information will be reported to the Corporate Governance Group chaired by the SIRO.
Exceptions
Any exception to the policy must be approved by the SIRO in advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Related Documents
Definitions and Terms
Data and Information Management is a discipline which utilises an administrative system to direct and control the creation, version control, distribution, filing, retention, storage and disposal of data, in a way that is administratively and legally sound, whilst at the same time serving the operational needs of the organisation and preserving an appropriate historical record. The key components of data and information management are:
- record creation,
- record keeping,
- record maintenance (including tracking of record management),
- access and disclosure,
- closure and transfer,
- appraisal,
- archiving, and
- disposal.
Information Lifecycle describes the life of a datum from its creation/receipt through the period of its ‘active’ use, then into a period of ‘inactive’ retention (such as closed files which may still be referred to occasionally) and finally either confidential disposal or archival preservation.
Recorded Information - In this policy, data are defined as “recorded information, in any form, created or received and maintained by the organisation in the transaction of its business or conduct of affairs and kept as evidence of such activity”.
Information is a corporate asset. The organisation’s data are important sources of administrative, evidential, and historical information. They are vital to the organisation to support its current and future operations (including meeting various legislative requirements), for the purpose of accountability, and for an awareness and understanding of its history and procedures.