Read about how organisations in the health sector have benefited from implementing records management policies.
Hayley Gidman, Information Governance Lead at Midlands and Lancashire CSU, discusses how a new Information Asset Register has had practical business benefits.
"We started looking at changing our records management approach out of absolute frustration with the system we had, which was spreadsheet based. The risk assessment process was so clunky: we asked people to fill in a spreadsheet that staff didn't really understand, and then the Information Governance team would review. If there was a problem we'd spend weeks going backwards and forwards. It was a huge task for us and for the organisation.
"At the same time we had a serious data incident, which prompted an Enforcement Notice from the ICO (we were still a PCT at the time). It gave us the impetus and the senior buy in to do things differently.
"Our first step was setting out to better understand what information we had that needed risk assessing. We created a questionnaire that meant staff could identify the information they held by answering a series of questions. We tried to keep it simple - ten questions per asset at most - and grouped assets by type.
"We asked nominated Information Asset Officers and Heads of Service to fill it in. We know everyone has a full time job without this extra work on top, but we were keen to show this was part of their job. We asked people 'if this information went missing, how would it impact on your service?'. And as soon as people saw the system, they realised it would make their lives easier.
"We started by identifying information assets and data flows, but what started as an information asset register quickly snowballed into an evolving feature, as it became clear it was sensible to have all of this information in one place. We included data sharing agreements, and then contracts. We added information security audits. We included a register of systems and software, so we could see which data was held on which systems.
"What we have now is something that is broader than an IAR. Instead of focussing on information risk, it's now a good records management tool that shows the business all the information we have. It has a real business use, and that's meant we've been able to get more investment in it as it has grown.
"We're really proud of our UAssure system, and it's put us in a good position to prepare for GDPR : knowing what records we hold and what the legal basis for that is such a good starting place for the new law."
Andrew Harvey, Head of Information Governance at the CQC Outstanding rated Western Sussex Hospitals NHS Foundation Trust, discusses implementing a new Information Asset Register.
"The Trust's prompt to update its Information Asset Register (IAR) was twofold. First, the employment of a new Head of Information Governance in spring 2015, who had worked in NHS Information Governance for a decade, but in a different arena, so arrived with a new perspective as to what was required. Secondly, the Trust, as a believer in transparency with regulators, invited the ICO in to undertake an Information Risk Review later in 2015.
"These influences identified that the existing IAR documentation was not up to the task of assessing and managing information risks. Updating it has been a process of continual improvement, taking advice from staff, the ICO, Information Governance Toolkit (IGT) auditors and peers. The Information Governance Team has also been open to updating documentation within a financial year to ensure its accuracy, rather than waiting until an easier point in the year (i.e. after IGT submission).
"Risk management and criticality of assets were key drivers to the new IAR. By incorporating an 'impact X likelihood' risk score with regard to the assets identified, and the risk of things going awry from an Information Governance / Security perspective, the Trust has identified potential problems and amended processes around those systems.
"Similarly, by ensuring the IAR has triaging questions, the Trust can now easily identify which of its systems are organisation critical, and would cause the greatest concern if unavailable. Both of these allow for prioritisation of resources when managing multiple IT systems, and are key indicators to the new process being deemed a success.
"Ultimately an IAR needs input from Information Asset Owners (IAO) to ensure its realisation. The Trust manages this through its Information Governance Team, with members of the team regularly meeting with IAOs to ensure the data held in the IAR is up-to-date. IAOs too are increasingly more aware of their role, following recently rolled out bespoke face-to-face training, replacing the (now-defunct) former NHS e-learning package.
"It has been a detailed process of change, and one where we have identified more modifications that are required shortly, but the Trust are keen to maintain that continual improvement.
"One of most central pieces of work to strong information governance is a well-functioning Information Asset Management process, specifically comprising an Information Asset Register and Data Flow Mapping. We're pleased we've put it in the time to carry out this work, and the benefits are already clear."