Information is a vital asset of the National Army Museum, whether it is information about our collections, visitors, or our business records. A failure to protect our assets can lead to a failure to deliver as an organisation, and potentially to legal, financial and reputational damage.
Information assets can be defined as 'a body of information defined and managed as a single unit so it can be understood, shared, protected and exploited efficiently'.
Information assets held by the National Army Museum, and covered by this policy, include, regardless of format, some of the following:
This policy applies to all permanent and temporary staff, volunteers, contractors, interns, academics and students who have access to the Museum’s information assets; information security is the responsibility of all.
The purpose of this policy is to document responsibilities, and relevant roles, in regard to information assets at the National Army Museum, and guide staff on how they should manage and protect the information within their responsibility.
The Director of the National Army Museum is responsible to the Museum’s Council for all security at the Museum. Support specifically for information assets is provided in a tiered approach to ensure that a culture of good information governance exists throughout the Museum.
A dedicated group for discussing information management issues was created at the Museum in 2011, and it was decided to adopt a model headed by a Senior Information Risk Officer (SIRO) and supported by Information Asset Owners (IAOs). This group, meeting first on a quarterly basis and then on a monthly basis, has grown to cover all matters of information security, data protection, information management and intellectual property.
The position of SIRO is held by the Museum Deputy Director, who has undertaken relevant training led by the National Archives.
The SIRO is responsible for managing information risk and security in the following ways:
Information Asset Owners are senior/responsible individuals involved in the running of the Museum. An IAO has been assigned to represent each area of information assets across the Museum:
Responsibilities of IAOs include:
The Records Officer, who is a professional archivist and information manager, takes the lead on data protection issues for the National Army Museum.
As a Data Controller, the National Army Museum, under the Museum Director, is responsible for compliance with data protection laws.
The Records Officer is responsible for:
Legal responsibility for compliance with the Freedom of Information Act lies with the Museum Director, who is responsible for the Museum’s action if a complaint or review associated with FOI goes to court.
The position of Review Freedom of Information Officer is held by the Deputy Director, who is responsible for leading the Review Committee and making a decision in the case of an appeal.
The Records Officer is responsible for coordinating and monitoring information requests received by the Museum, monitoring and updating the Museum’s Publication Scheme, and providing advice where necessary.
All staff must:
Information risks are added to the Museum’s risk register by the SIRO following regular reviews by the Information Asset Owners’ Group.
All new projects, systems or processes must be assessed for risk to personal data which is held by the Museum. Guidance and templates for Privacy Impact Assessments (PIAs) are available from the Records Officer. All PIAs are reviewed by the Information Asset Owners’ Group.
It is the responsibility of all staff to report any concerns over the use, security and integrity of the Museum’s information and collections. The Museum operates a tiered approach to information security:
This policy is supported by the following policies and procedures:
The following sources, guidance and requirements have been used to inform and guide this policy, and supporting policies and procedures:
This policy was last updated in July 2021 from the version signed off in March 2020, and will be reviewed within two years or in the event of any major changes to the information structure and governance.