Breakout: Information Governance best practice
How best to classify data?
Do we see IG as a primary focus for this community?
Are there other communities of IG practitioners we need to engage with?
Communities we should engage with
PPIE/members of the public
NHS Information Governance folk (who?) - ICS/ICBs
Information Commissioner’s Office. They have had an anonymisation guide for some years and are consulting on an update incorporating GDPR require
Financial Conduct Authority. They have a regulatory sandbox to support experimentation in this space (have done hackathons on synthetic data)
How do we decide when to make the decision ourselves as the risk owner, and when to go out to the community to ask how to handle it? A lot of the value of the work we do is in getting assurance and confidence from the work that others have done; there is a huge difference between figuring it out yourself and looking at others' approaches. Processes or practices become formalised informally when many people do them the same way.
Work on the relationship between IG and infrastructure.
There is definitely the capacity for TREs to contribute to IG
It’s easy to make a rod for your own back with IG - as soon as you say you’re going to do something you’re really bound to doing it (…or failing your audit)
It should be about really being capable and doing a good job, and making security audits etc more than a paper exercise
Openness of IG supports openness in general and building trust with the public
How to document? Is it for us or for the accreditor? If we document in code is that going to cause problems at audit stage?
All documentation around e.g. ISO27001 has a context, so just sharing the docs/processes might not be that helpful
Even some clarity on “here are a few options that we’ve found work well” can be really helpful
Grants keep focusing on specific developments and on adding features to them; instead we need to see funding for standardising and sharing those that already exist.
Might make sense to structure any docs/guidance around this in terms of successful approaches to certain problems/elements of standards - there may be one or several
We are currently doing things differently across the group, so this is not a suggestion that we ditch everything overnight, but over time we may converge.
The relationship (or lack of one) with IT over the years, across organisations and teams, is a shared issue to overcome.
The IG-IT relationship is an important thing to focus on.
The processes that we are going through and the documentation, which is mostly repositories, would be easy to transform into business processes for organisations.
How much of this has been produced as part of our ways of working, and how much has been produced explicitly to be read by people outside those developing it?
Dundee make their standard operating procedures available online
The Manchester Connected Health Cities TRE made their Information Security Management System documents available online.