Greater Manchester Combined Authority
Implementing an Approach to Information Asset Management Project Across GMCA and TfGM
Briefly describe the initiative/ project/service; please include your aims and objectives
Having an effective approach to information asset management is vital in any organisation taking ownership of their information and data. By implementing an effective approach, organisations can manage, maintain and maximise their data assets. In turn this builds accountability for data and information which directly improves the organisations’ ability to demonstrate their compliance to privacy legislation. Most importantly, having control of data and information improves the organisations’ ability to proactively prevent information security incidents and to respond to information security incidents when they occur.
The four main aims of the project were:
1) Deploy a Directorate/functional Areas-led model for information asset management at GMCA and TfGM
2) Empower directorates/functional areas and teams with the knowledge, tools and ongoing support to manage their information and data assets effectively.
3) Enable the delivery of a wider information framework approach from the GMCA-TfGM Information Governance shared service.
4) Embed long term sustained culture and behaviour change to how information and data assets are managed.
At the heart of this project was organisational change. There were issues with practical tools and solutions, but the biggest obstacle was fostering a culture that recognised the importance of the Information Asset Owner (IAO) and Information Asset Administrator (IAA) roles. Prior to the project IAO’s and IAA’s were not established across the organisation. Therefore, ownership of information and data assets was not in the right place, and the understanding of these roles was not known.
Further to this, prior to the project it was not understood why these roles are crucial to the organisation. Overcoming this barrier was the biggest achievement of the project and the structures now in place have created the foundations stones for the both the next phase of the enhancement of the organisation’s maturity around information and data.
What are the key achievements?
The Information Asset Management project has been one of the key successes of the wider Greater Manchester Information Governance Change Programme. It has implemented key roles, responsibilities, tools and processes across the organisations. Most importantly it has demonstrated the need and value in an organisation taking a through a robust approach to Information Asset Management. We are now underway with phase two of the project which has three key workstream areas which align to the main goal. That is to embed, enable and enhance the change delivered in phase one.
The key achievements are what the project delivered:
1) Register of Processing Activities and Information Asset Register – One of the key components we delivered was an overhaul of our RoPA (Register of Processing Activities) and IAR (Information Asset Register). Prior to the project these were held on excel spreadsheets with a minimal amount of organisational ownership and interaction. The project team rebuilt the registers utilising SharePoint and has implemented several processes for maintaining and updating the information held within.
2) Training and HR – The team delivered a series of training sessions across both organisations which have been recorded and are provided on the Learning Management for new IAO’s (Information Asset Owner) and IAA’s (Information Asset Administrator) to complete. A fundamental pillar of establishing effective data management across the organisations and a big achievement for the project was establishing the roles of IAO’s and IAA’s as officially recognised attributes of certain job roles. This has ensured that when people leave, the responsibilities of being an IAA or IAO are not lost and are inherited by the new member of staff. Equally, as part of our recruitment workflow, there is now a question as to whether the role includes IAA or IAO responsibilities. This again ensures that these responsibilities are known from the outset of people applying for roles and further cements the approach across the organisations.
3) Communication and Engagement – We recognised that on-going communication to IAO’s and IAA’s would be a vital component of establishing the roles across the organisations. We wanted to ensure that we as and IG service had an open channel of communication to IAO’s and IAA’s and that they also had a platform that they could use to contact each other and us. We created a Teams channel for all IAO’s and IAA’s, creating a community of practice across the organisations. On a practical level a member of the team volunteers each week to monitor the channel and we commit to posting at least one relevant post a week. The channel has been useful for the ongoing sharing of comms messages throughout the second phase of the project.
4) Embedding in Projects – As a service area at any one time, we are supporting approximately 250 projects across the organisations we support. Most of these projects involve data sharing and as part of embedding information governance framework, we have added steps to our project support process to ensure that all data sets are recorded in the IAR or RoPA with the appropriate controls and measures in place. This takes our support from ‘just’ contributing to the completion of the DPIA (Data Protection Impact Assessment) and to ensuring that a comprehensive data and records management approach is taken.
5) Utilising Governance – We have Information Governance Boards in both GMCA and TfGM. Utilising these Boards has been a powerful way of ensuring that the project aims are adopted by the organisation. We also undertook an audit within one of the organisations on data and information management. This was key to reflect the positive work that the project had done and set the organisation actions to build on this work. We adopted the recommendations across both organisations which has helped to cement ownership of information assets across the organisation.
How Innovative is your initiative?
A number of innovative solutions were implemented as part of this project. One of the main ones was establishing a detailed Information Asset Register and Register of Processing Activities that has been built in SharePoint, is vital to proactively protecting data subjects. If there is no clarity of the data assets an organisation holds and who is responsible for them, when an information security incident occurs, time and energy is wasted on establishing basic level knowledge regarding that asset, when that time should be spent responding to the incident itself. Having properly populated information and data processes with the appropriate accountability, registers and communication, reduces the risk of security incident. This is because each asset can be properly assessed for its own risks and appropriate mitigations put in place. As an organisation we are better equipped to respond to data privacy requests and incidents because of the delivery of this project.
We also established the role of IAO’s and IAA’s as the responsibility for data subject privacy and ensured this was properly dispersed throughout the organisation, both at a strategic and operational level. This mitigates the existing issue across multiple organisations where data subject privacy is seen as solely the responsible of information and data governance teams. This is a short sighted and immature view of data and information management. Data and information management is the responsibility of the entire organisation, and this project has successfully implemented that change. Information Asset Management is a component of what in our organisation we call an Information Governance Framework. This is an encompassing approach to Information and Data Governance which connects associated processes.
The Information Asset Management project has put the tools in place so that when for example a data protection impact assessment is undertaken, data privacy concerns do not just stop there. The owners of the assets are responsible for ensuring that the asset is documented on the appropriate register and that the correct management controls have been put in place. From a data subject perspective this means that as an organisation we are taking a holistic approach to data and information management. Our processes are joined up which makes for a more efficient and more effective service delivery. As an organisation we are measuring the interactions with the Information Asset Register and Register of Processing Activities. Through what the project delivered, today we have approx. 417 assets that have been added to these registers when previously there was something in the region of 20 in a spreadsheet. We have 120 Information Asset Owners and 175 Information Asset Administrators across the organisation.
Further, these roles have become a standard part of our recruitment and HR processes. This ensures that when people leave or move roles, those who replace inherit this responsibility. This has enhanced the organisations resilience around data and information management, which ultimately ensures that data subjects rights are being properly managed when change occurs. The first phase of this project focused on establishing the tools, training, roles and associated change management for Information Asset Management. The next phase of the project is building on these foundations to enable the organisation to maximise the value of its information and data assets. This is a transformational change to data and information management. There are associated programmes of work across the organisation which are utilising the outputs delivered by this project. This demonstrates true collaborative working and is a tangible benefit so that these programmes do not need to replicate the work that has already been done. They can focus on exploiting the outputs of this project’s delivery.
What are the key learning points?
Culture was our key learning point. It took a sustained approach of engagement at senior and operational boards, over a period of a couple of years to raise the buy in to really commit to a change project around Information Asset Management. There was already recognition around the importance and potential value of data, but the buy in to put the foundational pillars in place took time to establish.
We made the case for change through the following mechanisms:
-Engagement at key groups and boards.
-Audits of our organisational maturity around information and data.
-Using real life examples of why this is vital, such as the organisations response to the Covid-19 pandemic.
-Creating a robust, clear and ambitious delivery plan for the project.
-Having the resource within our service to be able to properly form a project team to deliver change.
We also have key lessons we have learned through the delivery of this project:
-Define the dependencies on other areas of work and be clear on the scope of the project. Change is anticipated however being clear up front on the scope will allow for better adaption when change occurs.
-Ensure that communication and engagement are carefully considered in the planning phase of the project. Identifying key messages and sequencing them throughout the project delivery will help to raise awareness and understanding of the project goals.
-Information Asset Owners and Administrators need plenty of time and engagement ahead of training, particularly if it will involve multiple sessions. Planning is key.
-This is a maturity journey for the organisation. The work will continue after the project; however, the project needs to deliver the processes, products, and mechanisms for sustaining change across the organisation.
This is the first phase of the Information Asset Management project. The achievements have laid the foundation stones for good information, data, and records management across the organisations. Phase two of the project will build on this foundation in three ways:
1) Enable the delivery of a wider information framework approach from the GMCA-TfGM IG shared service.
2) Empower directorates/functional areas and teams with the knowledge, tools, and ongoing support to manage their information and data assets effectively.
3) Embed long term sustained culture and behaviour change to how information and data assets are managed.
Additional Comments
By implementing an effective approach, organisations can manage, maintain and maximise their data assets. In turn this builds accountability for data and information which directly improves the organisations’ ability to demonstrate their compliance to privacy legislation. Most importantly, having control of data and information improves the organisations ability to proactively prevent information security incidents and to respond to information security incidents when they occur.
