I second that!!! Many thanks Simon

Trish

Trish-louise Bailey (MSc)
Information Governance (IG)
(responsible for: Information Sharing & Confidentiality, Information Security, Information Quality & Assurance, Data Protection, Freedom of Information, Records & Information Management)

-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Simon Howarth
Sent: 19 November 2009 11:57
To: [log in to unmask]
Subject: Re: Data Protection and Information Security Policies

To some extent I agree with what Paul is saying and the NHS have "got around" this issue by adopting "Information Governance" which incorporates all the requirements of information compliance, security, confidentiality and corporate assurance. More recently it's taking on more of a risk assurance role.

www.igt.connectingforhealth.nhs.uk

If you want to construct a hierarchy then it's my belief that Information Governance (and therefore DP and other stuff) should actually fall under Records Management. The reason for this is that unless information (records) is properly managed you do not know what you do not know (Rumsfeld?) and therefore cannot be sure of complying with DP, FOI or confidentiality requirements.

It is my view that Records Managers have been too silent on this issue and should be championing more their critical role in information management and whilst there is no "right" way to structure information management in an organization it is my firm belief that until RM is implemented properly and oversees records and information in an organization, that information management is not being done properly.

Simon Howarth.

-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Paul Ticher
Sent: 19 November 2009 11:10
To: [log in to unmask]
Subject: Re: [data-protection] Data Protection and Information Security Policies

There may be some government agencies where Information Security is the overarching issue (especially after all the recent kerfuffle), but surely Data Protection is about compliance with all eight Principles, not just Principle 7? In many organisations Information Security is possibly less important than offering the right choices to comply with Principle 1 (or have I misunderstood what InfoSec is?).

I feel there must be a matrix, not a hierarchy. For example, Confidentiality is a major component of Data Protection and Information Security, but also stands in its own right, because confidentiality covers information that is not personal data, and may not even be recorded, and it is subject to both common and contractual law. So now we've got three interlocking policies, as a minimum, all giving a different and important slant.

For the record, I'm with the 'short policy, backed up with explanation and procedures (which may be long), and staff guidance (which must be short)' brigade.

Paul Ticher
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB

<snip>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner [log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command: SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

--------------------------------------------------------------------------------------------------------------------
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the originator of the message. Any views expressed in this message are those of the individual sender, except where the sender specifies and with authority, states them to be the views of Telford & Wrekin Council. The content of this email has been automatically checked in conjunction with the relevant policies of Telford & Wrekin Council.