The Information Management Journey
Sheffield City Council
October 2013

Paul Green
Director of Business Information and Transformation Service
Sheffield City Council

Information Matters!

“Most councils could and should improve their information”

Exemplar councils have the right culture, people and standards to provide good information, but most councils do not, and so are missing opportunities to improve services and save money.

The Audit Commission, Is There Something I Should Know – June 2009

Central Government and Local Government Digital Strategies

• INFORMATION at the heart of both strategies
• Outcomes that service users value delivered by people, performing processes, with INFORMATION, underpinned and enabled through technology
• Services, whether internal or external, should be designed as “digital by default”
• CIO leadership role critical to make more intelligent and collaborative use of INFORMATION and technology
• Political and Executive Leadership need to recognise transformational change will only be realised with effective information management

Who should own Information?

• Information Assets (IA) are organised sets of validated Information that are valuable and easily accessible to those who need it.
• Information Asset Owners (IAO) are individuals within the organisation appointed and responsible for ensuring that specific information assets are handled and managed appropriately.
• Role of the CIO – To provide a robust Governance framework for the organisation's Information Assets – “Information Management”

Why is it important to manage Information corporately?
• Information Strategy
• Information Management Policy
• Information Security Policy
• Records Management Policy
• Data Management Policy
• Senior Information Risk Owner (SIRO)
• Information Governance
• Information Assurance
• All of the above managed by the organisation's CIO

Information management, assurance and transparency – in 5 years' time will…

• be managed at every point in its lifecycle
• Create or Acquire Information
• Validate – is it fit for purpose
• Store – it is stored securely and accessible
• Protect – is it classified correctly
• Update – controlled by the IAO
• Publish – to those who need access
• Dispose – appropriately via a retention policy

What happens if we ignore these dimensions?

• Organisations run the risk of penalties for failure to safeguard sensitive or personal information assets.
• The above can place the public at risk
• Up-to-date Information is unlikely to be easily available, accessible and of value for the organisation in making key and critical decisions
• Service redesign will be difficult – can the current baseline data on which to make changes be trusted?
• The public lose trust in us

Getting Started

Sheffield City Council – Information Management Journey

• Appointment of CIO – January 2007
• Created Business Information Solutions (BIS) Team
• Convinced Chief Executive to allocate ownership of Information Management to BIS (no previous owner allocated or identified)
• Identified need to take action – what were the issues
• Secured monthly 1:1 with Chief Executive
• Recommended a ‘Proof of Value’ exercise to validate suspicions

The Information Management Proof of Value Project

• Commissioned by Executive Management Team (EMT) in August 2008
• EMT Objectives:
  • Identify how much current IM processes are impacting on service delivery
  • Where are the current Information Security Risks and potential organisational and customer impact
  • What actual benefits would ‘best practice’ IM bring for the service and constituents of Sheffield

Project Objectives:
• Report IM impact to EMT
• Develop scalable approach for subsequent IM initiative

Project Approach:
• Executive Management Team to volunteer a service area for scrutiny
• Single process within Adult Social Care identified
• Tested Information Audit Survey
• Validated via interviews and mapping of information flows

Example: Care in the Home Information Flow

[Diagram, simplified flow. Steps shown: Customer highlights need; Care Manager assesses need; Care worker delivers care plan & meets need. Information labels: NEED, CARE PLAN.]

[Diagram, detailed flow. Steps shown: Customer highlights need; Customer Services gather required info; Care Manager assesses need; Resource management team log req; Planning coordinator plans resource; Home Care Manager creates detailed care plan; Care worker delivers care plan & meets need; FAPRA charge for care. Information labels: PERCEPTION OF NEED, CARE REQ, CARE PLAN, DELIVERED CARE.]

Information Management Proof of Value Project – Findings

• SCC and its customers are exposed to unacceptable levels of risk through loss of information
• SCC senior management is at risk of action by the Information Commissioner’s Office (ICO) as a result of breach of Data Protection legislation
• Information is not accessible to staff
• Key data sets are inaccurate
• Access to information is dependent on physical access to information – a direct obstacle to mobile/flexible working (Workstyle) initiatives.
• Avoidable costs are incurred due to lack of efficiency
• Data sets are not currently structured to support a Modern and Efficient Council

Alongside IMPOV - Identify & close down security risks

• Establish Information Governance Board
• Information Security Health Check with Strategic ICT partner
• Developed Corporate Information Security Risk Register
• Reviewed fortnightly at 1:1 with Chief Executive
• Reported to Portfolio Leadership Management monthly across organisation

Immediate mitigations included:
• Laptop encryption
• Blackberry Protection
• Sanctuary Deployment
• Installation of blinds in printing room – Network protection
• Securing windows in server room – Data Leakage
• Rigorous USB process implemented
• Virus Protection

The Result?

"As an information wealthy organisation, alongside people, information is one of our greatest assets. How we manage, exploit, manipulate and protect this key asset will increasingly determine our success in transforming our organisation and the way we deliver services"
John Mothersole, Chief Executive, Sheffield City Council

"In an environment of ever increasing customer expectations, spiralling pressures to demonstrate efficiency and a desire to deliver modern, efficient and customer focused services, we have to recognise information as a key corporate asset and a major responsibility"
Cllr Simon Clement-Jones, Cabinet Member for Finance and Customer Focused Services

Next Steps: Initiate the Information Management Programme (IMP)

• EMT Approval - Joint sponsorship of IMP with Chief Executive and CIO
• Programme Board of Portfolio Reps, Strategic IT partner and Information Services
• Dedicated Programme Manager reporting to the CIO
• IM Vision & principles developed in collaboration with all Portfolios and Major Transformation Programmes
• Blueprint to meet IM best practice developed and approved
• Work streams shaped to deliver blueprint capability – all with Directorate input

IMP Work Stream Summary

The Information Management Programme

Vision, Strategy & Policy
• IM Vision
• IM Policies
• IM Strategies

IM Governance
• Info Governance Board
• IM Steering groups
• PIRO / IAOs

IM Toolkit
• Function Analysis
• Information Asset Register
• Info Risk Assessment
• Risk / Opportunity Register
• Action Plan
• Retention Schedules
• Classification Schemes
• E-Mail Management
• R&R for IRO / IAO

Education & Awareness
• Directors Workshops
• Senior Manager Workshops
• Members' Workshops
• Info Security Training for all employees across the organisation and key partners
• Programme Communications

Enterprise Content Management
• Gap Analysis
• Rationalisation Opportunities
• Advise on Technology Investment

Metrics & Benefits Realisation
• Range of measures to monitor BR

Critical Success Factor: Education & Awareness

• Mandated attendance for all Senior Directors at 3 hour workshop
• Mandated attendance for all Senior Managers at 2 hour workshop
• Mandated attendance for Members (delivered alongside allocation of IT)

Key Tool: The IMPOV findings

• Mandated completion of Information Security Training by all officers and members driven by business Directors
• E-learning for IT users (5000 staff trained in 12 months)
• Workbooks for non-IT users (1500+ staff trained in 12 months)

Communication, Communication, Communication

• 1:1 with Chief Executive & Lead Member for Information Services
• IMPOV findings at EMT
• Directors' & Managers' workshops – IMPOV & Soham case making it relevant to all
• Updates in Members' quarterly briefings, mandated attendance at IM Session
• Presentation at all Senior Management Team Meetings
• Attendance at all Risk Management Meetings (publishing Risk Register, driving through initiatives)
• Pilots to demonstrate value of IM assessment in each Portfolio
• Policies circulated to all Directors and relevant stakeholders for feedback
• Launch training via:
  • Monthly newsletter, Key Brief and First Monday
  • Poster campaign
  • Intranet Articles (Training)

Weekly progress on training to Directorates
Additional comms generated to help cascade

[Governance structure diagram. Bodies and roles shown: Audit Committee; Board of Elected Members; Corporate Risk Management Group; Officers from Portfolios & Key Corporate Processes; Information Governance Board; Senior Information Risk Owner (SIRO); Strategic Partner IT Director; Director of Information Services; Enterprise Architect; Portfolio Information Risk Owners (PIRO); DP / FOI Advisor; Portfolio Directors; Information Risk Owners (IRO); Information Security Officer; Place RMG; CYP ICT Strategy; Communities RMG; Resources RMG; Deputy CEX SIG; Service Managers; Information Asset Owners (IAO); Senior Portfolio Managers (examples shown: Solutions Architect (Information), Property Information, Schools Information, Council Tax Information); Process Owners; Staff and Managers.]

• IROs are individuals charged with identifying and managing information risk within their area of responsibility
• IAOs are individuals charged with responsibility for assessing and managing risk for particular information assets – they ensure the asset is used within the law & should look to encourage exploitation where possible
• Process Owners are individuals or roles who own a documented and defined business process that may utilise information assets from one or more IAOs

Critical Success Factor: Position IM in Transformation & Efficiency Agendas

[Diagram. Programmes shown around Information Management: Customer First Programme; Integrated Children's Services; Transforming Adult Social Care; Workstyle.]

Lessons Learned

• Chief Executive ongoing commitment and support essential
• CIO or similar Senior Director/head of IT must be allocated responsibility for Information Management and ideally be appointed Senior Information Risk Owner (SIRO)
• Passion and Vision (and perseverance) needed to drive initiatives & raise interest
• Dedicated resource (Programme Manager) needed
• Bring it home - have an illustration that service delivery can relate to
• Clear message - ‘IM is not IT & it will help you overcome your issues’
• Involve non-technical colleagues at every step
• Regular communications to maintain profile (up and down)

Benefits Already Seen

• Significant reduction in the impact of Information related security incidents
• Increased proactive engagement from users with the Information Management Team in addressing issues
• Increased readiness for change – better quality information on which to make key Business Change decisions
• Increasing recognition of Information Management as an efficiency opportunity
• Information Management Team seen to add more value to the organisation and have a bit more clout!
• Developed and implemented an Information Management service offering to include IM services for schools - 70 schools signed up since 2010

Public Health Integration

Information Management challenges
• Requirements gathering
• Lack of detailed knowledge of business processes/systems/information
• Stakeholder engagement and sign-off
• On-going engagement with business users
• Lack of support from PCT IT colleagues
• Post transfer to LAs, gaining approval to access key Information

Final Key Messages

• Drive through Information Risk assessment work with Information Management (IM) steering groups
• Start to deliver on strategies to implement policies
• Look to demonstrate IM and technology exploitation as efficiency opportunities – we must use Information more effectively
• Establishment of Directorate/Portfolio Risk Groups with appropriate Senior Director as chair
• Always be aware of the ever changing legislation and law around Information – weekly check of Information Commissioner's Office (ICO) website

Thank You

Contact: Paul Green at paul.green2@sheffield.gov.uk
Tel: 0114 273 6818