Implementing information and IM governance

By Marilyn Robinson, 2014-06-13 20:35
    Implementing information governance

    Final

    December 2009

    v1.0.1

PUBLIC

    PUBLIC Implementing information governance QGCIO

    Document details

    Security classification: PUBLIC

    Date of review of security classification: December 2009

    Authority: QGCIO

    Author: Queensland Government Chief Information Office (Enterprise Architecture & Strategy)

    Documentation status Working draft Consultation release Final version ;

    Contact for enquiries and proposed changes

    All enquiries regarding this document should be directed in the first instance to:

    Director, Enterprise Architecture and Strategy

    Queensland Government Chief Information Office

    qgcio@qld.gov.au

    Acknowledgements

    This version of the QGEA was developed and updated by the Enterprise Architecture and Strategy Unit, Queensland Government Chief Information Office.

    Feedback was also received from a number of staff from various agencies, which was greatly appreciated.

    Copyright

    Implementing information governance

    Copyright © The State of Queensland (Department of Public Works) 2009

    Licence

    Implementing information governance is licensed under a Creative Commons Attribution 2.5 Australia licence. To view a copy of this licence, visit http://creativecommons.org/licenses/by/2.5/au. Permissions may be available beyond the scope of this licence. See www.qgcio.qld.gov.au.

    Information security

    This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.

     Final v1.0.1, December 2009 Page 2 of 12 PUBLIC

    Contents

    1 Introduction
        1.1 Purpose
        1.2 Audience
        1.3 Scope
    2 Background
        2.1 What is information governance?
    3 The Information Sponsor
    4 Information governance body
        4.1 Membership
        4.2 Role
        4.3 Responsibilities
        4.4 Authority
        4.5 Reporting requirements
        4.6 Delegation
        4.7 Operation
        4.8 Review
    Appendix A Suggested meeting agenda

    1 Introduction

    1.1 Purpose

    This guideline specifies the practices for implementing information governance in line with the policy requirements and targets of the Queensland Government Enterprise Architecture (QGEA) Information Policy and Information Position.

    1.2 Audience

    This document is primarily intended for:

    • senior executives, including the senior executive management group
    • information governance bodies
    • information management operational areas.

    1.3 Scope

    This guideline is intended to be of value to all departments.

    2 Background

    In its response to the 2008 independent review of its freedom of information laws, the Queensland Government acknowledged that a whole-of-government information management strategic framework was essential to achieve an open, accountable and participatory government.[1] The government considered that governance and clear authorising environments were key elements of this framework.[2]

    The Queensland Government Chief Information Office (QGCIO) was tasked with developing this framework in 2009. As part of this work, QGCIO developed the QGEA Information Policy and Position which require agencies to implement formal information governance. This guideline provides agencies with the recommended practices for implementing this requirement and meeting its associated targets.

    2.1 What is information governance?

    Information governance is the system by which the current and future use of information and its management is directed and controlled through a system of policies, procedures, standards and guidelines.[3] The Queensland Government Information Management Policy Framework defines the sub-domains of information governance for Queensland Government in more detail, see Figure 1. Full domain definitions are available in the QGEA Information Management Policy requirements checklist.

    [1] Queensland Government, The right to information: a response to the review of Queensland’s Freedom of Information Act, 2008, p. 4.
    [2] Ibid, p. 5.
    [3] Queensland Government Chief Information Office, Queensland Government Enterprise Architecture: Information policy framework, 2009, p. 6; Standards Australia, ISO/IEC 38500:2008 Corporate governance of information technology, 2008, p. 6.

    • corporate information responsibilities are met.

    4 Information governance body

    The QGEA Information Policy and Position requires agencies to establish formal information governance roles and responsibilities. Agencies must either:

    • establish a body responsible for information governance (the body); or
    • assign responsibility for information to an existing body (e.g. Information Steering Committee).[4]

    The QGEA Information Position requires agencies to achieve this by December 2009.

    4.1 Membership

    Membership of the body should reflect the size, geography and complexity of the agency. Membership should include:

    • the sponsor
    • appropriately empowered representatives of information management operational areas (e.g. records management, library, custodians, enterprise architects, right to information officers, information privacy officers, intellectual property officers, knowledge management, data management, web officers, etc.)
    • stakeholders (e.g. business area managers, legal, finance, internal auditors, business planners, business analysts, ICT professionals, etc.).

    4.2 Role

    The role of the body is to:

    • evaluate, provide strategic direction for, and direct the use of, information and its management
    • provide leadership in and direct the preparation and implementation of information management policies, principles and architecture
    • review and monitor conformance to obligations and performance
    • develop agency information management capability.

    4.3 Responsibilities

    The information governance body fulfils this role by meeting the responsibilities detailed in this section.

    4.3.1 Evaluate and direct the use of information and its management

    It is a role of the information governance body to evaluate, provide strategic direction for, and direct the use of, information and its management.

    Direct the preparation of, endorse and implement the annual information management strategy and work plan

    An information management strategy:

    • defines the strategic direction for the utilisation and management of information as a valued core strategic asset
    • is consistent with the agency’s overarching business strategy and is supported by the ICT strategy
    • includes performance indicators.

    [4] Queensland Government Chief Information Office, QGEA Information position, 2009.

    The information management work plan articulates the agency’s planned information management initiatives for that financial year.

    From 30 June 2011 agencies are required to prepare an information management work plan on an annual basis. An objective of the information and IM plan is to maintain and improve the agency’s information management maturity. It should be informed by the agency’s information management maturity self-assessment and be consistent with the agency’s information management strategy. The plan should include performance indicators.

    QGCIO will develop a guideline on the requirements and contents of an agency annual information management work plan by 30 September 2010.

    In preparation of the information management strategy and work plan, the agency should monitor and analyse external (e.g. economic and social trends, new technologies) and internal influences (e.g. business needs, organisational objectives) on information and its management. These influences should be examined for the impact they may have on agency information and information management, including whether they provide strategic opportunities.

    Information management strategies and work plans relating to the particular domains of the Information Management Policy Framework (Figure 1) may also be developed where required.

    Direct the preparation of, endorse and implement agency’s strategic recordkeeping plan

    Information Standard 40: Recordkeeping requires agencies to implement a strategic approach to recordkeeping that is endorsed by the agency’s Chief Executive.

    The body should review and endorse the agency’s recordkeeping strategy, prior to forwarding for endorsement by the agency’s Chief Executive.

    4.3.2 Direct the preparation and implementation of information management policies, principles and architecture

    It is a role of the information governance body to assign responsibility for and direct the preparation and implementation of information management policies, principles and architecture.

    Direct the preparation of, endorse and implement information management policies

    The body should utilise the Information Management Policy Framework (Figure 1) to identify and prioritise requirements for agency policies by mapping current policy effort and identifying gaps or duplications.

    Policies must be consistent with whole-of-Government information management policies, standards and the QGEA Information Principles as required by the QGEA Information Policy and Position.

    Prepare, endorse and implement an authorising and accountability environment for the routine and proactive disclosure of information

    The authorising and accountability environment should support all information access and release mechanisms, including:

    • publication schemes
    • disclosure logs
    • administrative access schemes
    • administrative release (i.e. release to the public upon request from a member of the public, not under the Right to Information Act 2009 which should be the last resort).

    The body should oversee the development of the elements of such an authorising and accountability environment, which may include:

    • policies
    • business processes (e.g. internal approval processes for release upon request or publication in a publication scheme)
    • procedures
    • roles and responsibilities (e.g. who approves release)
    • supporting tools and systems.

    Further implementation considerations and guidance are available in the following documents:

    • Information Standard 33: Information Access and Use (revised version under development)
    • QGEA Guideline: Determining the ex ante release status of information (under development)
    • QGEA Government Information Licensing Framework (GILF) Policy, Position and Guideline (under development)
    • Office of the Information Commissioner Guideline: Proactive disclosure and publication schemes
    • Office of the Information Commissioner Guideline: Administrative release of information.

    Contribute information management policies and tools to the QGEA where beneficial

    Due to the federated nature of the Queensland Government Enterprise Architecture 2.0 (QGEA), artefacts can be developed by any party that identifies a need and has the appropriate expertise. Agency information governance bodies are encouraged to contribute information management policies and tools to the Queensland Government Chief Information Office for possible inclusion in the QGEA.

    Oversee the development and approval of the agency’s Retention and Disposal Schedule

    The information governance body should oversee the development of the agency’s core business Retention and Disposal Schedule. This should include approving the Retention and Disposal Schedule for forwarding to the CEO and/or senior executive management group for approval, followed by the State Archivist. Further guidance is available in Information Standard 31: Retention and Disposal of Public Records.

    4.3.3 Monitor conformance to obligations and performance

    It is a role of the information governance body to monitor conformance to legislative, policy, principles and architecture requirements and performance. Refer to QGEA information management policy requirements checklist for further guidance.

    Direct the preparation of and/or review and endorse information management initiatives

    The body should review and endorse specific information management initiatives. This applies particularly to those initiatives that involve the whole agency or where costs are to be shared. Where required, the body should ensure that the transition of initiatives to operational status is properly planned and managed.

    Ensure that information and information management risk and quality management is in place

    The body should ensure that:

    • the agency acts on compliance issues identified by recordkeeping reviews or audits
    • the agency complies with Information Standard 31: Retention and Disposal of Public Records including internal authorisation for the disposal of public records in accordance with an approved Retention and Disposal Schedule
    • an Information Profile is completed as part of the ICT Resources Strategic Plan annually (see Information Standard 2: ICT Resources Strategic Planning Toolbox GovNet users only)
    • GEA self assessments are undertaken annually (see Information Standard 2: ICT Resources Strategic Planning).

    Manage information asset custodianship

    This requires the body to:

    • oversee implementation/progress of custodianship in the agency
    • ensure custodianship responsibilities are effectively undertaken across all agency information
    • ensure that standards relating to custodianship are uniformly applied
    • report to senior executive management group on appropriate custodianship delegations
    • recommendations on continuance of custodianship delegations.

    Further information on information asset custodianship is available in Information Standard 44: Information Asset Custodianship.

    Assign responsibility for and oversee maintenance of information registers

    There are several information registers that the body must assign responsibility for and ensure are maintained, including:

    • agency Information Asset Register (see Information Standard 44: Information Asset Custodianship);
    • agency Register of Information Security Classified Information often implemented as part of the agency's Information Asset Register (see the Queensland Government Information Security Classification Framework);
    • agency Register of the ex ante release status of agency information if other system not in place (see QGEA Determining the ex ante release status of information guideline currently in development).
    • Register of Statistical Information (ROSI) (GovNet users only)[5]
    • Queensland Government Catalogue (GovNet users only)[6]
    • Queensland Government Intellectual Property Register.[7]

    Agencies may choose to maintain these as attributes in a single information asset register.

    Monitor performance against the information management strategy and work plan

    The information governance body should monitor performance against the information management strategy and work plan’s performance indicators. This should occur quarterly to ensure implementation is on track.

    4.3.4 Develop information management capability

    The information governance body is responsible for fostering excellence in information management, including developing the information management capability of its information management professionals and all employees.

    This requires the information governance body to assign responsibility for and direct preparation and implementation of information management training and communications and assess its information management maturity annually.

    [5] Agencies are required to participate in whole-of-Government information registers. See Queensland Government Chief Information Office, Information Standard 34: Metadata.
    [6] Ibid.
    [7] Queensland Government, Queensland Public Sector Intellectual Property Guidelines, 2007, p. 24.

    Training and communications

    A summary of whole-of-government requirements for the provision of information management training and communications within agencies is available in the QGEA information management policy requirements check list (see the IM Workforce Management domain).

    Assess the agency’s information management maturity annually

    From 30 June 2010 agencies must conduct an annual assessment of the agency’s information management maturity against the QGEA Information Management Maturity Models.[8] The information governance body should oversee and analyse the outcomes of these assessments.

    4.4 Authority

    The information governance body must have the appropriate authority to fulfil its role and responsibilities as identified in its terms of reference. This should be coupled with clear reporting lines to the senior executive management group.

    4.5 Reporting requirements

    The following are suggested reporting requirements, organised by role.

    | Role | Reporting requirement | Audience |
    |---|---|---|
    | Evaluate and direct the use of information and its management | Submit proposed IM strategies and work plans for approval/information. | Senior executive management group; QGCIO |
    | | Submit recordkeeping strategy for approval. | Chief Executive |
    | Prepare and implement information and IM policies, principles and architecture | Submission of IM policies, principles and architecture for approval, including the agency’s core business Retention and Disposal Schedule. | Senior executive management group |
    | Monitor conformance and performance | Submit IM initiatives for approval. | Senior executive management group |
    | | Report on recordkeeping reviews or audits including exceptions and recommendations on remedial action. | Senior executive management group |

    [8] Queensland Government Chief Information Office, QGEA Information position.
