On Thu, 19 Nov 2009, Bradshaw, Phillip wrote:

> Jethro said :
> 
> "I'm surprised at your policies only being 2 pages long..." 

Just to be clear, I didn't say that, Doreen did :)  I approve of short 
policies.

> I agree. Having gone through a review this year our DP policy statement
> is now under 2 pages. With a bit of context setting and stuff about
> implementation the whole document is less than 4 pages.
> 
> I took some persuading to expand it from my first draft which was simply
> "Cardiff Council will comply with the 8 Principles of Data Protection as
> set out in the Data Protection Act 1998 and will at all times comply
> with its duties under that Act. The Council will at all times in
> handling personal data comply with the rights of privacy and respect for
> personal and family life set out in Article 8 of the Human Rights Act
> 1998."

I think this nicely illustrates that there is a balance to be drawn ... 
there's a short Policy, then there's a _short_ Policy!

Jethro.


 > 
> >From a practical perspective there is a very good practical reason to
> keep it short. All the rest - guidance, rules, best practice, I can
> change today in the light of experience and lessons learned - and on my
> own authority. To change a policy needs Executive approval which can
> take several months.
> 
> 
> Phillip Bradshaw
> 
> Information Manager 
> Clerk to the Council
> 
> Room CY4A, County Hall
> 
> EMail: [log in to unmask]
> 
> Phone:         029 2087 3346
> Mobile :        07890 265987 
> 
> Fax:              029 2087 3349
> 
> Mae Cyhoeddi Cynnar yn Codi Canfod Cadarnhaol 
> Proactive Publishing Promotes Positive Perceptions
> 
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Jethro R Binks
> Sent: 18 November 2009 20:12
> To: [log in to unmask]
> Subject: Re: [data-protection] Data Protection and Information Security
> Policies
> 
> On Wed, 18 Nov 2009, Broom, Doreen wrote:
> 
> > I'm surprised at your policies only being 2 pages long.  Our Data 
> > Protection Policy which has gone through the Plain English Campaign is
> > 25 pages long, I also have Procedure document which is about the same 
> > length.  Staff guidance documents are usually only 2/3 pages long and 
> > they are very basic. When dealing with sensitive personal data, data 
> > sharing, proposed fines/imprisonment for data leaks etc. and all the 
> > other areas in the Council we could not take that chance.  There is a 
> > separate Security Policy which does link with the DP Code of Practice 
> > and vice-versa.
> 
> Generally, on policies:
> 
> In my experience, what you describe is probably the wrong way around.  
> Most parent policies should, as previously commented, be clear, easy to
> read, and not terribly specific at anything.  They should provide very
> general points, and not prescribe particular procedures, tools,
> technologies, and whatnot.  Policies are usually to be approved at a
> senior management level, and as such should not change frequently: too
> much detail means too much likelihood to change, and that can be a
> drawn-out procedure.  The role of senior management is to approve
> general principles of policy, not to get bogged down in operational and
> procedural detail and practice.
> 
> Policies should devolve responsibility for creating and approving
> related procedures, guidance, best practice and other more detailed
> documentation to other bodies or committees.  These documents are still
> controlled, but are more dynamic, and can be easily modified to suit
> circumstances but without the time-consuming senior management approval
> route.  They are the ones that are usually referenced day-to-day by end
> users, but breach of them is considered breach of the parent policy to
> which all staff agree to abide.
> 
> I don't know your policy of course, but it sounds like there should be
> more of the detail moved to the staff guidance document, and less in the
> actual policy itself.  If the Policy describes specific ways of working
> or procedures, it probably should be rewritten to move that detail to
> other documents.  Documents bearing titles such as "XYZ Policy" are
> often mixtures of policy and procedures or guidance/best practice rather
> than actual "statements of policy".
> 
> Jethro.
> 
> 
> > 
> > -----Original Message-----
> > From: This list is for those interested in Data Protection issues 
> > [mailto:[log in to unmask]] On Behalf Of Tony Brookes
> > Sent: 18 November 2009 17:25
> > To: [log in to unmask]
> > Subject: Re: Data Protection and Information Security Policies
> > 
> > Having just gone/going though in another University, I hope this will 
> > help. We have suggested an information security policy as the "top"
> > information policy backed up by our version of the PIP. I'd then 
> > expect a load of other policies to support them both (e.g. records 
> > managment, techncial policies etc etc). Note - we've come to the 
> > conclusion that no policy should be more than two pages long, but the 
> > associated guidence may well be much longer than that. It is a similar
> 
> > approach to that used in H & S.
> >  Mind you, I'm well aware that what works or is being tried in one 
> > University might not suit another. Tony 
> > ________________________________
> > 
> > From: This list is for those interested in Data Protection issues 
> > [[log in to unmask]] On Behalf Of Tim Trent 
> > [[log in to unmask]]
> > Sent: 18 November 2009 16:10
> > To: [log in to unmask]
> > Subject: Re: [data-protection] Data Protection and Information 
> > Security Policies
> > 
> > 
> > I would say that neither of these policies is what I would term a
> "master policy" 
> > 
> > Data Protection has many of the facets of Information Security
> embedded within it it. Examples are a Data Destruction Policy - very
> much required - and the additional security that must surround sensitive
> data. yet InfoSec is not a subset of Data Protection, nor is Data
> Protection, because of the privacy element, a subset of InfoSec.
> > 
> > Instead these are two parallel and often intersecting areas where each
> policy and set of sub-policies must relate to the other stream, and
> where some policies - Data Destruction - need only exist in one or the
> other, but be referred to as part of each.
> > 
> > Your mileage may vary, of course, but my belief is that the overall 
> > policy is the Human Resources Policy that covers disciplinary action 
> > against workers who break either (any) of the other policies
> > 
> > On 18 Nov 2009, at 15:42, Barlow, Jackie wrote:
> > 
> > 
> > 	Dear colleagues,
> > 	
> > 	I am fairly new to the role of Records Manager here at Anglia
> Ruskin and I
> > 	have recently revised our Data Protection Policy.  Our
> Information Security
> > 	Policy is also currently being  revised and I am unsure which of
> these
> > 	policies should be the overarching one.
> > 	
> > 	I would be grateful for your opinions on this and any
> information on your
> > 	current practices.
> > 	
> > 	Kind regards
> > 	Jackie
> > 	
> > 	
> > 	
> > 	Jacqueline Barlow ACIB MBA
> > 	University Records Manager
> > 	
> > 	Anglia Ruskin University
> > 	Office of the Secretary and Clerk
> > 	3rd Floor
> > 	Tindal Building
> > 	Chelmsford
> > 	CM1 1SQ
> > 	
> > 	Direct dial  0845 196 4215
> > 	
> > 	
> > 	
> > 	-- 
> > 	EMERGING EXCELLENCE: In the Research Assessment Exercise (RAE)
> 2008, more than 30% of our submissions were rated as 'Internationally
> Excellent' or 'World-leading'. Among the academic disciplines now rated
> 'World-leading' are Allied Health Professions & Studies; Art & Design;
> English Language & Literature; Geography & Environmental Studies;
> History; Music; Psychology; and Social Work & Social Policy &
> Administration. Visit www.anglia.ac.uk/rae for more information.
> > 	
> > 	
> > 	
> > 	This e-mail and any attachments are intended for the above named
> > 	recipient(s)only and may be privileged. If they have come to you
> in
> > 	error you must take no action based on them, nor must you copy
> or show
> > 	them to anyone please reply to this e-mail to highlight the
> error and
> > 	then immediately delete the e-mail from your system.
> > 	
> > 	Any opinions expressed are solely those of the author and do not
> > 	necessarily represent the views or opinions of Anglia Ruskin
> University.
> > 	
> > 	Although measures have been taken to ensure that this e-mail and
> > 	attachments are free from any virus we advise that, in keeping
> with good
> > 	computing practice, the recipient should ensure they are
> actually virus
> > 	free.
> > 	
> > 	Please note that this message has been sent over public networks
> which may
> > 	not be a 100% secure communications
> > 	
> > 	Email has been scanned for viruses by Altman Technologies' email
> management service -
> > 	www.altman.co.uk/emailsystems
> > 	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > 	    All archives of messages are stored permanently and are
> > 	     available to the world wide web community at large at
> > 	     http://www.jiscmail.ac.uk/lists/data-protection.html
> > 	    If you wish to leave this list please send the command
> > 	      leave data-protection to [log in to unmask]
> > 	All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm
> > 	Any queries about sending or receiving messages please send to
> the list owner
> > 	             [log in to unmask]
> > 	 Full help Desk - please email [log in to unmask]
> describing your needs
> > 	       To receive these emails in HTML format send the command:
> > 	        SET data-protection HTML to [log in to unmask]
> > 	  (all commands go to [log in to unmask] not the list
> please)
> >
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > 	
> > 
> > 
> > ________________________________
> > 
> > Tim Trent - Consultant
> > Tel: +44 (0)7710 126618
> > web: ComplianceAndPrivacy.com - where busy executives go to find the 
> > news first personal blog: timtrent.blogspot.com/ 
> > <http://timtrent.blogspot.com/>  - news, views, and opinions personal 
> > website: Tim's Personal Website <http://www.trent.karoo.net>  - more 
> > than anyone needs to know
> > 
> > 
> > Marketing by Permission 
> > <http://feeds.feedburner.com/~r/MarketingByPermission/~6/1>
> > 
> > Important: This message is private and confidential. If you have
> received this message in error, please notify us and remove it from your
> system. This email and any attachment(s) are believed to be virus-free,
> but it is the responsibility of the recipient to make all the necessary
> virus checks. This email and any attachments to it are copyright of
> Meadowood Associates, owners of Compliance And Privacy, unless otherwise
> stated. Their copying, transmission, reproduction in whole or in part
> may only be undertaken with the express permission, in writing, of
> Meadowood Associates, at Meadowood House, 30 Redditch, Bracknell,
> Berkshire, RG12 0TT.
> > 
> > 
> > ________________________________
> > 
> > All archives of messages are stored permanently and are available to 
> > the world wide web community at large at 
> > http://www.jiscmail.ac.uk/lists/data-protection.html
> > 
> > Selected commands (the command has been filled in below in the body of
> the email if you are receiving emails in HTML format):
> > 
> > *	Leaving this list: send leave data-protection to
> [log in to unmask] <mailto:[log in to unmask]&BODY=LEAVE
> data-protection>  
> > *	Suspending emails from all JISCMail lists: send SET * NOMAIL to
> [log in to unmask] <mailto:[log in to unmask]&BODY=SET *
> NOMAIL>  
> > *	To receive emails from this list in text format: send SET
> data-protection NOHTML to [log in to unmask]
> <mailto:[log in to unmask]&BODY=SET data-protection NOHTML>  
> > *	To receive emails from this list in HTML format: send SET
> data-protection HTML to [log in to unmask]
> <mailto:[log in to unmask]&BODY=SET data-protection HTML>  
> > 
> > All user commands can be found at 
> > http://www.jiscmail.ac.uk/help/commandref.htm 
> > <http://www.jiscmail.ac.uk/help/commandref.htm>  and are sent in the 
> > body of an otherwise blank email to [log in to unmask]
> > 
> > Any queries about sending or receiving messages please send to the 
> > list owner [log in to unmask] 
> > <mailto:[log in to unmask]>
> > 
> > (Please send all commands to [log in to unmask] not the list or 
> > the moderators, and all requests for technical help to 
> > [log in to unmask], the general office helpline)
> > 
> > ________________________________
> > 
> > 
> > ________________________________
> > 
> > The University of Derby has a published policy regarding email and 
> > reserves the right to monitor email traffic. If you believe this email
> 
> > was sent to you in error, please notify the sender and delete this 
> > email. Please direct any concerns to [log in to unmask] The policy is
> 
> > available here: http://www.derby.ac.uk/LIS/Email-Policy
> > 
> > ________________________________
> > 
> > All archives of messages are stored permanently and are available to 
> > the world wide web community at large at 
> > http://www.jiscmail.ac.uk/lists/data-protection.html
> > 
> > Selected commands (the command has been filled in below in the body of
> the email if you are receiving emails in HTML format):
> > 
> > *	Leaving this list: send leave data-protection to
> [log in to unmask] <mailto:[log in to unmask]&BODY=LEAVE
> data-protection> 
> > *	Suspending emails from all JISCMail lists: send SET * NOMAIL to
> [log in to unmask] <mailto:[log in to unmask]&BODY=SET *
> NOMAIL> 
> > *	To receive emails from this list in text format: send SET
> data-protection NOHTML to [log in to unmask]
> <mailto:[log in to unmask]&BODY=SET data-protection NOHTML> 
> > *	To receive emails from this list in HTML format: send SET
> data-protection HTML to [log in to unmask]
> <mailto:[log in to unmask]&BODY=SET data-protection HTML> 
> > 
> > All user commands can be found at 
> > http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body
> 
> > of an otherwise blank email to [log in to unmask]
> > 
> > Any queries about sending or receiving messages please send to the 
> > list owner [log in to unmask]
> > 
> > (Please send all commands to [log in to unmask] not the list or 
> > the moderators, and all requests for technical help to 
> > [log in to unmask], the general office helpline)
> > 
> > ________________________________
> > 
> > 
> > **********************************************************************
> > This email and any files transmitted with it are privileged,
> confidential and subject to copyright. Any unauthorised use or
> disclosure of any part of this email is prohibited. If you are not the
> intended recipient please inform the sender immediately; you should then
> delete the email and remove any copies from your system.
> > The views or opinions expressed in this communication may not
> necessarily be those of Scottish Borders Council.
> > Please be advised that Scottish Borders Council's incoming and
> outgoing GSX email is subject to regular monitoring and any email may
> require to be disclosed by the Council under the provisions of the
> Freedom of Information (Scotland) Act 2002.
> > 
> > **********************************************************************
> > 
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >      All archives of messages are stored permanently and are
> >       available to the world wide web community at large at
> >       http://www.jiscmail.ac.uk/lists/data-protection.html
> >      If you wish to leave this list please send the command
> >        leave data-protection to [log in to unmask] All user 
> > commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
> >  Any queries about sending or receiving messages please send to the
> list owner
> >               [log in to unmask]
> >   Full help Desk - please email [log in to unmask] describing
> your needs
> >         To receive these emails in HTML format send the command:
> >          SET data-protection HTML to [log in to unmask]
> >    (all commands go to [log in to unmask] not the list please)
> >     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > 
> 
> .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
> .
> Jethro R Binks
> Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
> 
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>      All archives of messages are stored permanently and are
>       available to the world wide web community at large at
>       http://www.jiscmail.ac.uk/lists/data-protection.html
>      If you wish to leave this list please send the command
>        leave data-protection to [log in to unmask] All user
> commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
>  Any queries about sending or receiving messages please send to the list
> owner
>               [log in to unmask]
>   Full help Desk - please email [log in to unmask] describing your
> needs
>         To receive these emails in HTML format send the command:
>          SET data-protection HTML to [log in to unmask]
>    (all commands go to [log in to unmask] not the list please)
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>      All archives of messages are stored permanently and are
>       available to the world wide web community at large at
>       http://www.jiscmail.ac.uk/lists/data-protection.html
>      If you wish to leave this list please send the command
>        leave data-protection to [log in to unmask]
> All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
>  Any queries about sending or receiving messages please send to the list owner
>               [log in to unmask]
>   Full help Desk - please email [log in to unmask] describing your needs
>         To receive these emails in HTML format send the command:
>          SET data-protection HTML to [log in to unmask]
>    (all commands go to [log in to unmask] not the list please)
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^