
Government of Newfoundland and Labrador Office of the Chief Information Officer

Information Management Branch

GUIDELINE – INFORMATION MANAGEMENT (IM) POLICY INSTRUMENTS

Guideline (Definition): OCIO Guidelines derive from Information Management and Protection Policy, TBM 2009-335 approved by Treasury Board on November 19, 2009. Guidelines are recommended actions, general approaches and operational behaviors. They recommend actions and are not compulsory, as they take into consideration the varying nature of the information management programs. Guidelines are generally a description that clarifies what should be done and how to achieve the objectives set out in policies and directives (source: ISO/IEC 17799:2005).

Issuing Branch Information Management Branch

Approval Date

Review Date 2015-03-31

OCIO TRIM Number DOC12091/2012

Authorizing Directive (Where applicable) Information Management and Protection Policy, TBM 2009-335

GRC Approval Date DOC12091/2012

Related Directives

Related Standards

Related Guidelines See References

APPROVAL AND SIGN OFF

Executive Director, Information Management Branch

(name) (signature) (date)

Note: Questions related to this guideline should be forwarded to [email protected]

Guideline – Information Management (IM) Policy Instruments

OCIO TRIM Number: DOC12091/2012 Page 2 of 13

TABLE OF CONTENTS

1.0 Overview

2.0 Scope

3.0 Background

3.1 Information Management and Protection Policy Framework

3.2 OCIO Mandate

3.3 Departmental Responsibilities

3.4 Policy Instruments - Definitions

4.0 Recommended Approach

4.1 Review Existing Policy Instruments

4.2 Define Policy Instruments

4.3 Identify or Create Templates

4.4 Define the Review and Approval (Governance) Process

4.5 Create a Policy Instrument Inventory

4.6 Identify and Prioritize Requirements

4.7 Develop or Update Instruments

4.8 Review and Update

5.0 Glossary

5.1 Definitions

5.2 Acronyms

6.0 References

7.0 Revision History

Appendix A: Sample Information Management (IM) Policy Instruments Listing

Appendix B: OCIO Policy Instrument Templates

Appendix C: Sample IM Policy Instrument Inventory

GUIDELINE FOR INFORMATION MANAGEMENT (IM) POLICY INSTRUMENTS

1.0 Overview

Information Management (IM) Policy instruments include the policies, directives, standards, guidelines and procedures implemented by government departments to support compliance with the Management of Information Act and Information Management and Protection (IM&IP) Policy Framework. Developing IM policy instruments will serve to strengthen a department’s information management program and enable it to demonstrate compliance with legal, regulatory and operational requirements. This guideline provides information on developing departmental IM policy instruments.

2.0 Scope

This Guideline applies to or may be used by all public bodies (hereafter referred to as departments), as defined in the Management of Information Act. The audience for this guideline includes all individuals responsible for the operation of an IM program within their department.

3.0 Background

3.1 Information Management and Protection Policy Framework

The Information Management and Protection Policy approved by Treasury Board provides authority for the OCIO to establish mandatory Information Management and Protection directives and standards for the Government of Newfoundland and Labrador and public bodies supported by the OCIO. The Legislature and the Courts may adopt this policy and any related directives or standards, or develop their own, in keeping with the Management of Information Act.

The Policy establishes the overall framework for IM&IP within government in accordance with the Management of Information Act (specifically Section 6), the Access to Information and Protection of Privacy Act (ATIPPA) and the Rooms Act, and forms the basis for departments to develop their own directives, standards, guidelines and procedures.

3.2 OCIO Mandate

As part of the OCIO's mandate, the OCIO:

develops, publishes and maintains policy instruments as needed;

defines and publishes IM & IP policies, directives, standards and guidelines;

is responsible for the IM & IP policy, directive, standard and guideline documentation, and identifies requirements for updating and modification as required;

ensures appropriate communications regarding IM & IP policies, directives, standards and guidelines; and


manages, maintains and monitors the policies, directives, standards and guidelines for effectiveness and compliance.

3.3 Departmental Responsibilities

Under the Management of Information Act, departments must develop a records management system. Because the IM & IP Policy has been approved by Treasury Board, departments must also comply with it. This includes any mandatory policies, standards or directives that the OCIO develops to support it. In addition to promoting the adoption of OCIO policy instruments through education and awareness, departments should develop their own policy instruments to support internal legal, regulatory and operational requirements. Such instruments must not contradict the policies, directives, and standards established by the OCIO under the IM & IP Policy. Appendix A includes a listing of typical departmental IM policy instruments.

3.4 Policy Instruments - Definitions

Policy: A policy is a high level, strategic statement, authorized by the Executive Management that dictates what type of position the organization has taken on specific issues. Treasury Board approval of Government-wide policy is required, except for policies established by the Legislature and the Courts. Treasury Board approved policies are recognized by all Government departments and compliance with them is mandatory.

Directive: Directives provide specific direction to Government and derive their authority from the “Information Management and Protection Policy”. The Government Records Committee (GRC) will review and approve Information Management directives issued by the OCIO. Compliance with OCIO directives is mandatory for departments. The Legislative and Judicial branches of Government may be exempt.

Standard: Standards are generally mandatory requirements that support individual policies and directives and dictate uniform ways of operating. Standards provide tactical blueprints for implementation of policies and directives. The Government Records Committee will review and approve Information Management standards which are developed by the OCIO for all of Government. Compliance with OCIO standards approved by the GRC is mandatory for departments. The Legislative and Judicial branches of Government may be exempt.

Guideline: Guidelines outline recommended actions, general approaches and operational behaviors. Guidelines are not mandatory. Guidelines support policy and directives by providing a “how to” approach. The GRC will review and approve Information Management guidelines developed by the OCIO for use by departments. Compliance with OCIO guidelines is not mandatory.

Procedure: A procedure is a detailed step-by-step, task-level definition of actions required to achieve a certain result. The procedure answers the "how" question and is generally used in an operating environment. Generally the OCIO will not issue Government-wide procedures because, by their nature, they will be specific to processes and functions, and will therefore be developed by individual departments.


4.0 Recommended Approach

4.1 Review Existing Policy Instruments

The OCIO website contains policies, standards, guidelines and best practices for both employees and IM practitioners. Having a solid understanding of the existing materials is the first step in developing a set of departmental policy instruments. This review also minimizes the likelihood that the department will duplicate effort in research and development of instruments that have already been vetted and approved.

4.2 Define Policy Instruments

Departments are encouraged to establish consistent terminology for policy instruments and to accommodate any department-specific policy terminology that staff will recognize and know how to apply. The hierarchy of policy instruments is generally accepted as:

Policy

Directive

Standard

Guideline

Procedure

4.3 Identify or Create Templates

Having templates for all policy instruments facilitates consistency. Because content has already been analyzed, using a template makes it easier to prepare a policy instrument. Finally, the content within a template serves as a checklist to ensure that the typical information is collected. You should verify whether the department has templates that must be used. The templates used by the OCIO have been included in Appendix A. The use of these templates is not mandatory; they are provided as samples. These templates should be modified to meet departmental requirements.

4.4 Define the Review and Approval (Governance) Process

Governance needs to be defined for each type of policy instrument.

Stakeholders that may be engaged in these processes include:

the Executive responsible for IM within the department, who should provide approval for selected types of instruments;

legal counsel responsible for advice and guidance on IM-related issues including legislative and regulatory requirements for records retention and disposal;

Departmental Access to Information and Protection of Privacy (ATIPP) Coordinator;

divisional or program area management team;


director or Executive responsible for policy development within the department; and

director responsible for internal communications within the department.

Also, roles and responsibilities need to be referenced as described in the OCIO Guideline: Information Management Governance, Accountability and Organization.

4.5 Create a Policy Instrument Inventory

There may already be IM policy instruments within the department. Create an inventory of any existing IM policy instruments. A sample is included in Appendix C. Information to include in the inventory:

Title

Applicability (e.g. department-wide, government-wide or program specific)

Linkage to legal, regulatory or operational requirement

Departmental Contact

Approval Date

Review Date

4.6 Identify and Prioritize Requirements

The following procedures should be followed in identifying and prioritizing requirements:

1. Based on the policy inventory, identify policy instruments that must be updated using the new templates.

2. Create a listing of policy instruments that are needed using the categories identified in the inventory. Existing documentation may provide a good basis for this listing, including the Information Management Capacity Assessment Tool (IMCAT) final report, the IM legal and regulatory framework and the IM program plan.

3. Reference the goals and objectives as identified in the departmental IM program plan to prioritize this listing.

4. Assign resources to lead development, review and approval processes.

4.7 Develop or Update Instruments

Departments are encouraged to reference OCIO policy instruments where possible and to develop internal instruments in compliance with the direction stated within those promoted by the OCIO. In developing procedures for staff, departments should:

review what is available that relates to this type of work and ensure that the proposed instrument does not conflict with OCIO policy, directives or standards (e.g., working away from the office, portable storage devices, etc.);

consult with IM advisory services to verify whether the OCIO has any existing information related to the area of development that can help guide the department;


use the most current departmental template to prepare draft policy instruments. This may mean transferring content that exists in a program area template or informal format to the approved template;

follow an approved review and approval process; and

publish the policy instrument and communicate it to stakeholders. The OCIO Guideline Education and Awareness for Government Employees can be referenced to support the implementation, adoption and reinforcement of new policy instruments.

4.8 Review and Update

Assign responsibility for ensuring that IM policy instruments are reviewed and updated as required on a regular schedule. Keeping the policy inventory updated will make this process easier. Reviewing instruments ensures that content is valid and accurate and that any linkages on departmental websites or intranets are working properly.

5.0 Glossary

5.1 Definitions

Directive

Guideline

Information Management

Policy

Procedure

Standard

5.2 Acronyms

ATIPP Access to Information and Protection of Privacy

GRC Government Records Committee

IM Information Management

IM&IP Information Management and Information Protection

IMCAT Information Management Capacity Assessment Tool

IP Information Protection

OCIO Office of the Chief Information Officer


6.0 References

Management of Information Act

Access to Information and Protection of Privacy Act

Rooms Act

Information Management and Protection Policy, TBM 2009-335

OCIO Guideline: Information Management (IM) Education and Awareness for Government Employees

OCIO Guideline: Information Management (IM) Governance, Accountability and Organization


7.0 Revision History

Date Reviewed Reviewed By

2011-04-15 Iris Power, Director of Information Management Services

2011-05-15 Shelley Smith, Executive Director, Information Management

2011-05-17 Information Management Standards Board (IMSB)

2011-05-20 Government Records Committee (GRC)

2015-03-31 Bun Power, IM Consultant, IM Services


Appendix A: Sample Information Management (IM) Policy Instruments Listing

The following is a listing of types of Information Management policy instruments that departments may wish to consider adding to their IM program.

Collecting Information

o Policy – Use of e-mail for ABC application processing

o Guideline - Collecting personal or confidential information from clients in the ABC service area

Creating Information

o Guideline - How to complete the ABC template

o Guideline – Creating complete and accurate records

o Standard – File naming conventions

o Standards – Use of acronyms on departmental documents, folders and files

o How to prepare a case/claim file in program area XX

Receiving Information

o Standard – Use of Mail Room Services

Organizing Information

o Guideline - How to classify records using the departmental classification plan

o Policy - Use of the shared drive for records storage

o Standard – Creation of Folder on the shared drive

o Guideline - How to find records on the shared drive

Storing Information

o How to send files to the central storage room

o How to prepare boxes for transfer offsite

o How to transfer a box of records to offsite storage

Using Information

o Guideline – When/How to create a new document version

o How to recall a box from offsite storage

Sharing Information

o Policy – Use of Shared Drive

o Policy – Use of TRIM


Disposing of Information

o Guideline - Identifying retention and disposal requirements

o Guideline – Use of departmental shredder

o Guideline – Use of secure shredding boxes

o Policy – Recycling information


Appendix B: OCIO Policy Instrument Templates

The embedded templates have been developed for OCIO use. These templates are not mandatory and are provided as samples. These templates can be modified to meet departmental requirements.

OCIO Policy Template

S:\Information Management\IMCAT Bundle Guidelines\Guidelines\Miscellaneous\Policy Instrument Templates\TEMPLATE Directive - IM Policy Framework V1 R6.doc

OCIO Directive Template

S:\Information Management\IMCAT Bundle Guidelines\Guidelines\Miscellaneous\Policy Instrument Templates\TEMPLATE Directive - IM Policy Framework V1 R6.doc

OCIO Standard Template

S:\Information Management\IMCAT Bundle Guidelines\Guidelines\Miscellaneous\Policy Instrument Templates\TEMPLATE Standard - IM Policy Framework V1 R7.doc

OCIO Guideline Template

S:\Information Management\IMCAT Bundle Guidelines\Guidelines\Miscellaneous\Policy Instrument Templates\TEMPLATE Guideline - IM Policy Framework V1 R7.doc


Appendix C: Sample IM Policy Instrument Inventory

\\psnl.ca\ocio-dfs$\OcioShare\Information Management\IMCAT Bundle Guidelines\Guidelines\Miscellaneous\Policy Instrument Templates\IM Policy Instrument Inventory.xls