Information Governance review: executive summary

The Information Governance (IG) Review report, of which this is the executive summary, describes the current information governance (IG) landscape across health and care in Scotland, and makes a series of evidence-based recommendations for the improvement of Information Governance.

5. Main recommendations

The IG Review's recommendations are structured around key elements of the ARMA, Accenture and the ISACA IG models.

Based on COBIT 5® Enabling Information and ISO/IEC 38500 definition of governance.

During a workshop for Scottish Government IG professionals, the report's overarching recommendations were ranked based on their importance in meeting the vision, dependencies and quick wins.


Streamlined Information Governance (IG) in Scotland, to enable the realisation of benefits from digital and data-driven health and care innovation.

A holistic IG approach to enable end-to-end information across public sector

Main recommendations

Lead & Steer

1 Set the National IG Direction for Health & Care

2 Engage effectively to co-produce solutions.

3 Readiness. Prepare.

4 Inspire. Motivate.

Innovate Co-Produce Scale-Up

5 IG People

6 IG Processes and structures

7 IG Tools

8 IG Products (data and digital assets)

Demonstrate success and Assurance

9 IG Maturity baseline

10 Plan for IG improvement

11 Monitor IG progress and assurance.

12 Scale IG up.

Lead & Steer

1 Set the National IG Direction for Health and Care.

Establish a National IG Programme, aligning relevant strategies (e.g. data and digital), strengthening the IG ambition to maximise the realisation of benefits from digital and data-driven health and care innovation.

The National IG Programme should be reviewed on a regular basis in line with the Digital Health and Care and other relevant strategies, adding a "corporate" IG layer to a federated programme of work. This should involve designating clear national roles and lines of accountability at local and national levels; including central accountability and responsibilities for information assets of National value, particularly for the purposes of obtaining assurance at a national level.

The current federated IG model should be adjusted to secure the right balance of centralisation and local autonomy, while improving national leadership. This would require consideration of:

a. clear lines of accountability,

b. alignment of IG roles and responsibilities,

c. centralisation of some functions and services (e.g. centres of IG expertise, National Information Assurance Officer, National Data Guardian or equivalent) and potentially setting a National IG Body in areas of benefit.

Establishing a federated, de-cluttered IG model would allow autonomous data controllers and various central structures to collaborate to meet the needs of the wider health and care system. Data controllers would also have more influence in large-scale data processing decisions through their participation in various IG groups.

2 Engage effectively for the co-production of IG solutions.

Prepare for change and co-production with stakeholders, including the public. Invest the necessary efforts for meaningful stakeholder engagement.

Preparation is essential for success. Due to the variety and large extent of stakeholders within the health and care landscape, it is essential to dedicate the time to prepare for successful engagement, defining clear rules for co-producing IG solutions and managing the expectations.

Co-production should be used as an approach to decision-making and continual improvement based on the Scottish Approach to Service Design (SAtSD), a shared vision and assertive leadership. Co-production should be seen as a long-term habit.

Transformative public engagement models should be adopted, engaging the public in the decision-making and co-production processes, enabling interactive feedback on IG, data and digital matters, through digital and non-digital networks.

Engagement should be based on enhanced transparency from all relevant parties, including Information Asset Owners, Data Controllers, Data Processors and key IG panels, such as those for scrutinising the public benefit and the data and digital ethical dilemmas.

3 Readiness. Prepare.

Raise awareness and understanding of IG, the Scottish Approach to Service Design (SAtSD) and the ARMA model.

Due to the variety of stakeholders within the health and care landscape, and the lack of a universal definition of the Information Governance scope, it is crucial to undertake preparatory work at the early stages of the engagement strategy, as well as throughout the longer-term stages of the National IG Programme, to raise awareness and understanding of IG, the Scottish Approach to Service Design (SAtSD) and the ARMA model. Awareness and understanding in these specific areas should be strengthened through training and accessible resources for stakeholders and people that need to be involved in co-producing IG solutions.

4 Inspire. Motivate.

Keep up the enthusiasm for IG improvement. Share the good news. Demonstrate benefits and results.

Many good things have happened in the IG landscape across health and care for many years. This should be recognised more frequently and used for inspiration; it is equally important to focus on areas that need improvement as it is to recognise all the good progress achieved so far.

The COVID pandemic has accelerated progress and transformation of the way health and care makes decisions over - and delivers - data and digital solutions. The professionalism and commitment of people to enable secure data and digital solutions ethically, at an unprecedented speed and complexity, should be used as a source of inspiration as it demonstrates what can be achieved, particularly when national and local efforts come together. The IG path taken as a response to COVID is a good example of how the federated IG model could work.

Innovate. Co-Produce. Scale-Up

5 People.

Empower people to be confident with IG. Empower the public through transformative public engagement and use it to nurture trust. Career pathways and CPD.

People are a key success factor for the data and digital strategies. The National IG Programme must focus on generating people's capabilities over time. This requires understanding resource capacity and capabilities in all the IG dimensions, empowering people to confidently play their IG role, either from the data, digital technologies, data protection, privacy, security or any other point of view.

It is essential to co-produce a revised IG Competency Framework, aligning responsibilities and skills across the IG landscape, which should include skills and competencies for making decisions, managing, handling and using data and the associated digital technologies efficiently.

The Competency Framework should encompass all the interrelated disciplines within IG.

The Competency Framework should define key roles, core skills, career pathways and continual professional development options, and should consider the professionalisation of key IG roles in data and digital related areas, in collaboration with existing professional bodies, digital academies and other parts of the wider education system; creating a variety of pathways and alternatives that work for a diverse range of people's needs, development styles and preferences.

It is equally essential to empower the public, so they feel confident in using data and digital technologies. This should be achieved in alignment with and embedded in the existing Digital Maturity programmes of work.

Public engagement should be extensively embedded into data and digital work, from the early strategy work to delivering solutions. Transformative public engagement would allow a better understanding of the public expectations from data and digital health and care technologies and services, but also, exploration of the ethical dilemmas that may arise.

Effective transformative public engagement would nurture trust through participation and assurance.

6 Processes and structures

  • De-clutter the IG landscape.
  • Align the IG responsibilities and processes (the National Federated IG Model).
  • A common IG implementation model to improve IG maturity, locally and nationally (ARMA).

Adopt and promote use of a common IG implementation model, such as ARMA, to assess the IG maturity at local and national level, in line with the National Federated IG Model - overall and with respect to key IG processes. Such models offer a pragmatic approach to continually improve IG and achieve the necessary maturity of each of the key processes.

A common IG implementation model helps build a common understanding and unified implementation approach that bridges people, policy, and more across these critical IG areas and processes.

Make the IG processes and structures leaner to deliver data and digital solutions more efficiently and enhance results and trust.

Promote a national "Once for Scotland" approach wherever possible for consistency and efficiency.

7 Tools

  • Investment in the right tools for the right IG tasks and processes.
  • Consider toolkits equivalent to other UK nations (e.g. NHS Digital Data Security and Protection Toolkit, NCSC Cyber Security Toolkit for Boards)
  • Continue developing sector-specific IG related policy and guidelines to help with compliance.

Investment is needed in priority IG tools, including digitalisation of IG tasks and processes, management of the information risk at national and local scale, management of IG improvement, as well as tools for transformative IG engagement and co-production, transparency and training on all IG dimensions. Consideration should be given to implementing an equivalent data protection toolkit to those adopted by England, Wales and Northern Ireland.

An ICO approved UK-GDPR Code of Conduct should be developed, setting the specific rules and requirements across health and care, and enhancing compliance, consistency and trust among participating bodies, thereby enabling data and systems across the ecosystem to materialise the benefits set out in the Digital Health and Care strategy. The strategy sets out how technology will support person-centred care, and help to sustain and improve services for the future.

The instruments and tools used to promote transparency should be enhanced, such as those involved in the Digital/Data Ethics Framework (including reports, privacy notices, data protection impact assessments and ethics summaries).

8 Products (data and digital assets)

Establish a central Information Assets Register and establish the ownership model for National Information Assets.

A central information assets register should be established for transparency purposes and to provide added visibility towards enhanced management of existing valuable information assets across the landscape, starting with the national information assets.

The model of accountability for National Information Assets should be revised to ensure data and digital assets at local or national level enable the best possible benefits for the population of Scotland.

A central repository of data and digital assets should promote transparency and trust with regards to how those assets are used, and boost assurance to the public and amongst health and care stakeholders.

Demonstrate success and Assurance

9 IG Maturity baseline (ARMA model and index benchmarking).

Evaluation of core IG processes and the Information Assets (data and digital) lifecycle.

Adopt and promote the use of a common IG implementation model, such as ARMA, to assess the IG maturity at local and national levels, in line with the National Federated IG Model.

A common IG implementation model helps build a common understanding and unified implementation approach that bridges people, policy, and more across these critical IG areas and processes.

Such models offer a pragmatic approach to continually improve IG and achieve the necessary maturity of each of the key processes. Assess the overall IG maturity and with respect to key IG processes at local and national levels to establish the improvement baseline.

10 Plan for improvement.

Local and national IG improvement plans.

Removing duplication, inefficiencies and defects in information assets, as well as making the IG processes and structures leaner, helps to deliver more efficient data and digital solutions and to enhance results, therefore boosting people's satisfaction with the ways data and digital systems are used for health and care purposes, and the assurance that this takes place ethically and securely.

Scotland can benefit from using the ARMA IG Implementation Model to plan for improvement at local and national levels on key areas of IG maturity (leadership, people, policies, processes, tools, internal audit capabilities, data structures, and data and digital infrastructure). This will require evaluating the appropriateness of IG processes around the data and digital assets lifecycle.

It is advisable to set up a common body to lead and monitor progress through local and national IG improvement plans, as well as to provide expert support and act as a centre of IG excellence. These functions could be combined with other functions as part of the wider remit of a potential National IG body, interlinking with or embedding existing expert groups' expertise (e.g. cybersecurity, records management, data and intelligence and others).

11 Monitor progress and assurance.

Local and national progress. Benchmarking.

Monitor compliance, risk position and benefits to build assurance.

Provide assurance to stakeholders, including the public, for boosting trust.

IG maturity should be monitored across the health and care ecosystem; regular monitoring of progress should be carried out at local and national levels, mapping through the extended use of the ARMA IG index and benchmarking. Each stakeholder should be enabled to undertake quick self-assessments. Central resources should be allocated to collate the results from local assessments and provide a collective national view of the IG maturity across health and care for the interest of the various stakeholders accountable for digital and data, including Ministers.

Monitoring at national and local levels should expand to encompass oversight and coordinated actions on IG progress, compliance, risks and benefits arising from data and digital.

Independent assurance reviews should be reused to promote trust among stakeholders and to inform on improvement actions; other independent reviews may also be required. Examples of such reviews are those by the Network and Information Systems Regulations Auditor or via the UK-GDPR Code of Conduct Monitoring Body for Health and Care (once established).

The national and local assurance mechanisms should evolve over time. Enhanced audit and internal control should be strengthened in the areas of privacy, data, information systems, security and resilience ("just trust me" is not enough).

Trust should be nurtured through assurance and enhanced transparency in data and digital operations and confidence in the achievement of stakeholder objectives.

12 Scale up.

Scale up IG that works well (e.g. COVID-19 lessons)

Scaling up what worked well:

a. successful models from the COVID-19 pandemic, such as the Data and Intelligence Network and the governance model of the Vaccinations Programme, should be expanded to other areas;

b. examples of good practice/guidance across the wider ecosystem should be shared with key public sector contacts, followed by monthly updates via a simple online open-access registry.


