The Information Management Journey 2013

The Information Management Journey
Sheffield City Council
October 2013
Paul Green
Director of Business Information and
Transformation Service
Sheffield City Council
Information Matters!
“Most councils could and should improve
their information”
Exemplar councils have the right culture, people and
standards to provide good information, but most
councils do not, and so are missing opportunities to
improve services and save money.
The Audit Commission
Is There Something I Should Know – June 2009
Central Government and Local Government
Digital Strategies
• INFORMATION at the heart of both strategies
• Outcomes that service users value delivered by people,
performing processes, with INFORMATION, underpinned and
enabled through technology
• Services, whether internal or external should be designed as
“digital by default”
• CIO leadership role critical to make more intelligent and
collaborative use of INFORMATION and technology
• Political and Executive Leadership need to recognise
transformational change will only be realised with effective
information management
Who should own Information?
• Information Assets (IA) are organised sets of
validated Information that are valuable and easily
accessible to those who need it.
• Information Asset Owners (IAO) are individuals within
the organisation appointed and responsible for
ensuring that specific information assets are handled
and managed appropriately.
• Role of the CIO – To provide a robust Governance
framework for the organisation's Information Assets –
“Information Management”
Why is it important to manage Information corporately?
• Information Strategy
• Information Management Policy
• Information Security Policy
• Records Management Policy
• Data Management Policy
• Senior Information Risk Owner (SIRO)
• Information Governance
• Information Assurance
• All of the above managed by the organisation's CIO
Information management, assurance and transparency – in 5 years time will…
• be managed at every point in its lifecycle
• Create or Acquire Information
• Validate – is it fit for purpose
• Store – it is stored securely and accessible
• Protect – is it classified correctly
• Update – controlled by the IAO
• Publish – to those who need access
• Dispose – appropriately via a retention policy
What happens if we ignore these
dimensions?
• Organisations run the risk of penalties for failure to
safeguard sensitive or personal information assets.
• The above can place the public at risk
• Up to date Information is unlikely to be easily
available, accessible and of value for the organisation
in making key and critical decisions
• Service redesign will be difficult – can the current
baseline data be trusted on which to make changes
• The public lose trust with us
Getting Started
Sheffield City Council – Information Management Journey
• Appointment of CIO – January 2007
• Created Business Information Solutions (BIS) Team
• Convinced Chief Executive to allocate ownership of Information Management to BIS (no previous owner allocated or identified)
• Identified need to take action – what were the issues
• Secured monthly 1:1 with Chief Executive
• Recommended a ‘Proof of Value’ exercise to validate suspicions
The Information Management Proof of Value Project
• Commissioned by Executive Management Team
(EMT) in August 2008
• EMT Objectives:
• Identify how much current IM processes are
impacting on service delivery
• Where are the current Information Security Risks
and potential organisational and customer impact
• What actual benefits would ‘best practice’ IM bring
for the service and constituents of Sheffield
The Information Management Proof of Value Project
Project Objectives:
• Report IM impact to EMT
• Develop scalable approach for subsequent IM initiative
Project Approach:
• Executive Management Team to volunteer a service area for scrutiny
• Single process within Adult Social Care identified
• Tested Information Audit Survey
• Validated via interviews and mapping of information flows
Example: Care in the Home Information Flow
[Diagram. Steps shown: Customer highlights need; Care Manager assesses need; Care worker delivers care plan & meets need. Information labels: NEED, CARE PLAN.]
Care in the Home Information Flow
[Diagram. Steps shown: Customer highlights need; Customer Services gather required info; Care Manager assesses need; Resource management team log req; FAPRA charge for care; Care worker delivers care plan & meets need; Home Care Manager creates detailed care plan; Planning coordinator plans resource. Information labels: PERCEPTION OF NEED, CARE REQ, CARE PLAN, DELIVERED CARE.]
Information Management Proof of Value Project – Findings
• SCC and its customers are exposed to unacceptable levels of risk through loss of information
• SCC senior management is at risk of action by the Information Commissioner’s Office (ICO) as a result of breach of Data Protection legislation
• Information is not accessible to staff
• Key data sets are inaccurate
• Access to information is dependent on physical access to information – a direct obstacle to mobile/flexible working (Workstyle) initiatives.
• Avoidable costs are incurred due to lack of efficiency
• Data sets are not currently structured to support a Modern and Efficient Council
Alongside IMPOV - Identify & close down security risks
• Establish Information Governance Board
• Information Security Health Check with Strategic ICT partner
• Developed Corporate Information Security Risk Register
• Reviewed fortnightly at 1:1 with Chief Executive
• Reported to Portfolio Leadership Management monthly across organisation
Immediate mitigations included:
• Laptop encryption
• Blackberry Protection
• Sanctuary Deployment
• Installation of blinds in printing room
– Network protection
• Securing windows in server room
– Data Leakage
• Rigorous USB process implemented
• Virus Protection
The Result?
"As an information wealthy organisation, alongside people, information is one of our greatest
assets. How we manage, exploit, manipulate and protect this key asset will increasingly
determine our success in transforming our organisation and the way we deliver services"
John Mothersole
Chief Executive, Sheffield City Council
"In an environment of ever increasing customer expectations, spiralling pressures to
demonstrate efficiency and a desire to deliver modern, efficient and customer focused
services, we have to recognise information as a key corporate asset and a major
responsibility"
Cllr Simon Clement-Jones
Cabinet Member for Finance and Customer Focused Services
Next Steps: Initiate the Information Management Programme (IMP)
• EMT Approval - Joint sponsorship of IMP with Chief Executive and CIO
• Programme Board of Portfolio Reps, Strategic IT partner and Information Services
• Dedicated Programme Manager reporting to the CIO
• IM Vision & principles developed in collaboration with all Portfolios and Major Transformation Programmes
• Blueprint to meet IM best practice developed and approved
• Work streams shaped to deliver blueprint capability – all with Directorate input
IMP Work Stream Summary
The Information Management Programme
Vision, Strategy & Policy:
• IM Vision
• IM Policies
• IM Strategies
IM Governance:
• Info Governance Board
• IM Steering groups
• PIRO / IAOs
IM Toolkit:
• Function Analysis
• Information Asset Register
• Info Risk Assessment
• Risk / Opportunity Register
• Action Plan
• Retention Schedules
• Classification Schemes
• E-Mail Management
• R&R for IRO / IAO
Education & Awareness:
• Directors Workshops
• Senior Manager Workshops
• Member's Workshops
• Info Security Training for all employees across the organisation and key partners
• Programme Communications
Enterprise Content Management:
• Gap Analysis
• Rationalisation Opportunities
• Advise on Technology Investment
Metrics & Benefits Realisation:
• Range of measures to monitor BR
Critical Success Factor: Education & Awareness
• Mandated attendance for all Senior Directors at 3 hour workshop
• Mandated attendance for all Senior Managers at 2 hour workshop
• Mandated attendance for Members (delivered alongside allocation of IT)
Key Tool: The IMPOV findings
• Mandated completion of Information Security Training by all officers and members driven by business Directors
• E-learning for IT users (5000 staff trained in 12 months)
• Workbooks for non-IT users (1500+ staff trained in 12 months)
Communication, Communication, Communication
• 1:1 with Chief Executive & Lead Member for Information Services
• IMPOV findings at EMT
• Director’s & Manager’s workshops – IMPOV & Soham case making it relevant to all
• Updates in Member’s quarterly briefings, mandated attendance at IM Session
• Presentation at all Senior Management Team Meetings
• Attendance at all Risk Management Meetings (publishing Risk Register, driving through initiatives)
• Pilots to demonstrate value of IM assessment in each Portfolio
• Policies circulated to all Directors and relevant stakeholders for feedback
• Launch training via:
• Monthly newsletter, Key Brief and First Monday
• Poster campaign
• Intranet Articles (Training) Weekly progress on training to Directorates
Additional comms generated to help cascade
[Governance structure diagram. Bodies and roles shown: Audit Committee; Board of Elected Members; Corporate Risk Management Group; Officers from Portfolios & Key Corporate Processes; Information Governance Board; Senior Information Risk Owner (SIRO); Strategic Partner IT Director; Director of Information Services; Enterprise Architect; Portfolio Information Risk Owners (PIRO); DP \ FOI Advisor; Portfolio Directors; Information Risk Owners (IRO); Information Security Officer; Place RMG; CYP ICT Strategy; Communities RMG; Resources RMG; Deputy CEX SIG; Service Managers; Information Asset Owners (IAO); Senior Portfolio Managers (Examples shown); Solutions Architect (Information); Property Information; Schools Information; Council Tax Information; Process Owners; Staff and Managers.]
IROs are individuals charged with identifying and managing information risk within their area of responsibility
IAOs are individuals charged with responsibility for assessing and managing risk for particular information assets – they ensure the asset is used within the law & should look to encourage exploitation where possible
Process Owners are individuals or roles who own a documented and defined business process that may utilise information assets from one or more IAOs
Critical Success Factor: Position IM in Transformation & Efficiency Agendas
[Diagram. Programmes shown: Customer First Programme; Integrated Children's Services; Information Management; Transforming Adult Social Care; Workstyle.]
Lessons Learned
• Chief Executive ongoing commitment and support essential
• CIO or similar Senior Director/head of IT must be allocated
responsibility for Information Management and ideally be
appointed Senior Information Risk Owner (SIRO)
• Passion and Vision (and perseverance) needed to drive initiatives &
raise interest
• Dedicated resource (Programme Manager) needed
• Bring it home - have an illustration that service delivery can
relate to
• Clear message - ‘IM is not IT & it will help you overcome your
issues’
• Involve non technical colleagues at every step
• Regular communications to maintain profile (up and down)
Benefits Already Seen
• Significant reduction in the impact of Information related security
incidents
• Increased proactive engagement from users with the Information
Management Team in addressing issues
• Increased readiness for change – better quality information on
which to make key Business Change decisions
• Increasing recognition of Information Management as an
efficiency opportunity
• Information Management Team seen to add more value to the
organisation and have a bit more clout!
• Developed and implemented an Information Management
service offering to include IM services for schools - 70 schools
signed up since 2010
Public Health Integration
Information Management challenges
• Requirements gathering
• Lack of detailed knowledge of business
processes/systems/information
• Stakeholder engagement and sign-off
• On-going engagement with business users
• Lack of support from PCT IT colleagues
• Post transfer to LAs, gaining approval to
access key Information
Final Key Messages
• Drive through Information Risk assessment work with Information Management (IM) steering groups
• Start to deliver on strategies to implement policies
• Look to demonstrate IM and technology exploitation as efficiency opportunities – we must use Information more effectively
• Establishment of Directorate/Portfolio Risk Groups with appropriate Senior Director as chair
• Always be aware of the ever changing legislation and law around Information – weekly check of Information Commissioner’s Office (ICO) Website
Thank You
Contact: Paul Green at paul.green2@sheffield.gov.uk
Tel:0114 273 6818