e e 7.0303 123 1113 F 01625 524510 Mr David Sterling Head of the Civil Service and Permanent Secretary The Executive Office GD36 Stormont Castle Stormont Estate BELFAST BT4 31T 19 October 2018 Dear David, I refer to our recent meeting regarding information governance in the NI Civil Service (NICS) and, in particular, the need to record and preserve decision-making appropriately in the interests of accountability and transparency. I found our discussions very helpful and I was also encouraged by the views expressed at the Permanent Secretaries’ Stocktake the following day. I now have greater confidence that the leaders of the Civil Service in Northern Ireland are committed to improving practice. Taking the opportunity now to review and revise procedures during the suspension of the NI Executive with an aim to implement them in advance of its re- establishment will, I anticipate, result in much more effective governance in future. We agreed in our meeting that I would provide you with some recommendations relating to principles I would urge to be adopted within those revised operating procedures. In part, these principles reflect the new technologies which are becoming integral to day-to-day working practices in government but which, without due diligence, may impact negatively upon transparency. In summary, the procedures should: * Command buy-in from all staff, including senior management; * Be supported by regular information governance training for all staff; * Record all key decisions and actions, and the rationale behind them; * Ensure integrity in the use of new communication technologies; and * Manage all information effectively and appropriately according to a need.More detail underlying these principles is contained in the Annex to this letter. Effective record-keeping is essential for transparency of government and it also assists organisations demonstrate compliance with all forms of statutory requirements. As you will know, my own remit is in relation to the upholding of people’s information rights as stated within data protection and freedom of information regimes. It is now a statutory requirement for organisations to properly record their processing of personal information and the decisions lying behind that processing. The same duties are not stated explicitly within the freedom of information legislation but I am nevertheless strongly advocating that pubic authorities adopt a “duty to document” as a matter of good practice. I am also advocating this to the UK Government as a future amendment to the Freedom of Information Act 2000 or in other appropriate legislation. Adopting these principles - which we also will be promoting to other administrations - as part of your revised procedures, would put you in a strong position should this become a legal requirement in the future. I also welcome your commitment to review the Northern Ireland Civil Service Code to ensure it reflects modern responsibilities in relation to transparency and open government. In doing so, I do hope that you will give these principles your due consideration. As agreed at our meeting, my team in Northern Ireland, headed by Ken Macdonald, will be happy to work with your own staff in developing the new approach to be adopted by the NICS. With best wishes, CA— Elizabeth Denham Information CommissionerANNEX Command buy-in from all staff, including senior management In order to achieve all the key elements of good practice, the NICS must have in place organisational arrangements that support effective information governance. This includes leadership of the Permanent Secretaries and their Senior Management teams to ensure information governance is viewed as a core corporate function, as well as a statutory obligation, with clearly defined roles and responsibilities for all staff. By endorsing these arrangements, a culture of accountability will be promoted. This may be achieved through a top level information and knowledge management strategy together with policies and procedures that are supported throughout all levels of the organisation. It is, of course, also essential to ensure departments are properly resourced to implement the new practices. Departments may already have introduced new policies and procedures in relation to aspects of information governance as part of their preparations for the introduction of the new data protection regime. It should be possible to adapt many of those policies and procedures to apply to other types of information as part of a wider move to strengthening information rights compliance. Be supported by regular information governance training for all staff The policies and procedures adopted by NICS to achieve good information governance will only be fully effective if staff understand the importance of proper record keeping. This can be achieved through the provision of regular - and compulsory - information governance training. On commencement of their employment, all NICS staff should undertake mandatory information governance training regardless of their role or function. Compulsory refresher training should also be provided at appropriate intervals. Training packages should be regularly reviewed and updated to reflect best practice (including ICO guidance) and to ensure that new and emerging techniques and technologies are properly considered.