Information is a vital asset of the National Army Museum, whether it is information about our collections, visitors, or our business records. A failure to protect our assets can lead to a failure to deliver as an organisation, and potentially to legal, financial and reputational damage.
Information assets can be defined as 'a body of information defined and managed as a single unit so it can be understood, shared, protected and exploited efficiently'.
Information assets held by the National Army Museum, and covered by this policy, include, regardless of format, some of the following:
- Collection items
- Business records
- Publications and branding
- Membership records
- Employment records
This policy applies to all permanent and temporary staff, volunteers, contractors, interns, academics and students who have access to the Museum’s information assets; information security is the responsiblility of all.
The purpose of this policy is to document responsibilities, and relevant roles, in regard to information assets at the National Army Museum, and guide staff on how they should manage and protect the information within their responsibility.
The Director of the National Army Museum is responsible to the Museum’s Council for all security at the Museum. Support specifically for information assets is provided in a tiered approach to ensure that a culture of good information governance exists throughout the Museum.
A dedicated group for discussing information management issues was created at the Museum in 2011, and it was decided to adopt a model headed by a Senior Information Risk Officer and supported by Information Asset Owners. This group, meeting first on a quarterly basis and then on a monthly basis, has grown to cover all matters of information security, data protection, information management and intellectual property.
2.1. Senior Information Risk Officer (SIRO)
The position of SIRO is held by the Museum Deputy Director, who has undertaken relevant training led by the National Archives.
The SIRO is responsible for managing information risk and security in the following ways:
- Ensuring the resources are available for adequate commitment to, and implementation of, policies and procedures relating to information assurance
- Leading on advice on how information risk may impact on business goals
- Setting organisational risk levels and ensuring that the organisation risk register includes information assets
- Including information risks and evaluations in reports to Council and any other relevant reporting bodies
- Managing an effective reporting process for security threats and incidents
- Leading the Information Asset Owner’s Group as a forum for discussing information governance
- Overseeing relevant staff training, security issues, Museum wide and job specific procedures
2.2. Information Asset Owners (IAOs)
Information Asset Owners are senior/responsible individuals involved in the running of the Museum. An IAO has been assigned to represent each area of information assets across the Museum:
- Computers, networks and backups: Head of Computer and Technical Services
- Human resources and organisational culture: Senior HR Officer
- Business records: Records Officer
- Collections documentation: Head of Collections Standards and Care
- Public programmes: Programmes/Learning Assistant
- Website: Website Development Officer
- Commercial interests: Assistant Director (Enterprise)
- Marketing and communications: Head of Marketing and Communications
- Development and fundraising: Membership & Patrons Manager
- Collections access: Templer Studies Centre Manager
- Photograph assets: Head of Collections Development and Review
Responsibilities of IAOs include:
- Knowledge of the content of the information asset under their ownership, what is added or removed from it, how information is moved, and who has access to it and why
- Protection of information held on IT networks and in paper records, and organisational culture and behaviours
- To lead by example in information assurance training and the protection and use of information
- Completing a record of activities and decisions regarding information, including access requests and information sharing agreements
- Conducting of risk assessments for new projects, particularly those involving personal data
- Recognising when information should be published to aid organisational transparency
- Reviewing and auditing information for accuracy
- Reporting any information losses or breaches in information security
- Monitoring compliance with procedures for secure destruction and records management transfers
- Attending meetings of the Information Asset Owner’s Group, or ensuring an informed member of the IAO’s department can attend
2.3. Data Protection
The Records Officer, who is a professional archivist and information manager, takes the lead on data protection issues for the National Army Museum.
As a Data Controller, the National Army Museum, under the Museum Director, is responsible for compliance with data protection laws.
The Records Officer is responsible for:
- Informing and advising staff about compliance with data protection laws, including the GDPR
- Monitoring compliance with data protection laws, including internal data processing activities, privacy impact assessments, staff training and internal audits
- Acting as the first point of contact for supervisory authorities (eg ICO) and data subjects (eg museum users)
- Reporting to the SIRO regarding compliance and audit
- Co-ordinating meetings of the Information Asset Owner’s Group
2.4. Freedom of Information
Legal responsibility for compliance with the Freedom of Information Act lies with the Museum Director, who is responsible for the Museum’s action if a complaint or review associated with FOI goes to court.
The position of Review Freedom of Information Officer is held by the Deputy Director, who is responsible for leading the Review Committee and making a decision in the case of an appeal.
The Records Officer is responsible for coordinating and monitoring information requests received by the Museum, monitoring and updating the Museum’s Publication Scheme, and providing advice where necessary.
4. Risk management
Information risks are added to the Museum’s risk register by the SIRO following regular reviews by the Information Asset Owner’s Group.
All new projects, systems or processes must be assessed for risk to personal data which is held by the Museum. Guidance and templates for Privacy Impact Assessments (PIAs) are available from the Records Officer. All PIAs are reviewed by the Information Asset Owners’ Group.
5. Information security
It is the responsibility of all staff to report any concerns over the use, security and integrity of the Museum’s information and collections. The Museum operates a tiered approach to information security:
- All concerns relating to information security must be reported by staff members to their line manager in the first instance.
- Line managers must report any issues to the relevant IAO immediately. The Records Officer will be notified in order to log the issue and the SIRO informed.
- All issues will be taken to the Information Asset Owner’s Group, to discuss the risk and possible solutions, and also to determine whether it is appropriate or necessary to escalate the issue to Council, inform the Information Commissioner’s Office (ICO), or liaise with the Ministry of Defence as the sponsoring department.
- The Museum’s Information Security Log will record any decisions made regarding the issue, and provide an audit of review and policy recommendations.
- In any instance where there has been significant breach of systems, or loss of personal data, the incident will be made public following guidance from the ICO, sought by the SIRO and in liaison with the Museum’s Marketing Division within 72 hours of breach being discovered.
6. Supporting policies
This policy is supported by the following policies and procedures:
- Collections Management policies - protecting our collections, their integrity and the information within them
- Information Technology policy - guiding staff on use of information technology systems, including the use of passwords, removable media, remote access and encryption
- Internet and Email policy - guiding staff on email use, personal email accounts, internet use and social media
- Freedom of Information policy - providing appropriate access to public information under the Freedom of Information Act (2000)
- Data Protection policy - ensuring secure and appropriate handling and transfer of personal information both within the Museum and with agreed third parties
- Emergency plan - ensuring business continuity to protect vital records and ensure the continued operation of the Museum in the event of an emergency
- Data breach policy and procedures
7. Reference and update
The following sources, guidance and requirements have been used to inform and guide this policy, and supporting policies and procedures:
- Information Commissioner’s Office
- Data Protection Act (1998, 2018) and General Data Protection Regulation (2018)
- Freedom of Information Act (2000)
- Guidance on the DHR Mandatory Role: Information Asset Owner (2009)
- Cross Government Actions: Mandatory Minimum Measures
- HMG Security Policy Framework (2014)
This policy was last updated in March 2020 from the version signed off in April 2019, and will be reviewed within 5 years or in the event of any major changes to the information structure and governance.