Good information governance is necessary for projects to succeed; it’s necessary to guide innovation; and it’s necessary to protect individuals and build trust with our residents, customers and clients.

As the Pan-London Information Governance (IG) Lead, working on many collaboration and innovation projects, I want to share with you the role information governance plays to help innovation. I describe below the use of Data Protection Impact Assessments (DPIAs), but even where a DPIA isn’t legally mandated, its structure is very helpful to follow for information governance discussions.

What are the benefits of good information governance?

• Saves money and time.
  Your IG team can help identify gaps, errors and areas for improvement. It can be much harder and more expensive to retrofit standards or practices after a project has begun.
• Can attract funding.
  Good information governance encourages trust and participation, which can support funding bids. Evidence from previously successful projects, evidenced through information governance reviews, provides confidence to funders that you can achieve your ambitions safely.
• Protects individuals and builds trust.
  Poor information governance allows projects to intrude inappropriately into people’s privacy, and can put a person and their data at risk. Good information governance, with transparency, builds trust and confidence.
• Helps to sharpen the vision for the project and identify operational necessities.
  Often, your IG team can identify and provide guidance on operational needs for, for example, the tools for data transfer, the need for consultation, and how you will tell people what you’re doing.
• Introduces healthy challenge.
  Through a DPIA, your IG team can provide an independent challenge that helps you see aspects of the project in different ways. Changing your plan after a challenge is not a failure.
• Prepares for future use.
  Through a DPIA, your IG team can help you identify what you can do now to make future roll out smoother for organisations and individuals. You can consider digital preservation and similar variables.
• Allows suitable flexibility for pilots and considers scalability.
  While you can’t gather data ‘just in case’, there are projects where there is genuine uncertainty about which data fields will be needed to achieve your outcomes. Good information governance helps you to manage this privacy risk and your IG team can provide guidance on how processes or documentation may need to change if the project or process is extended.
• Supports legal compliance.
  Obviously compliance is legally required, so good information governance lowers the risks of challenge from regulators or individuals, which can cost time and money.

“I don’t have time for a DPIA.”, or “It’s only a pilot, why do I need a DPIA?”.

I try to help people to see information governance in context. I occasionally hear, “[Insert activity] trumps data protection”. Whether it’s safeguarding or health and safety, one law does not trump another. We must comply with all, adjusting our risk tolerances and approaches as necessary.

Good information governance is a dependency for successful innovation projects, not just to make things better, but to avoid unmitigated or unknown risks. Trust and reputation are more critical when you’re trying something new, particularly with limited access to resources. 

Absent or poor information governance practices mean a failure to identify and anticipate or avoid risks. This can cause:

• Project delays as you have to stop to wait for an expert to be available or to rectify a foreseeable problem.
• Lack of trust, leading to poor participation from other organisations or data subjects.
• Negative feedback and complaints for the use of the data – people don’t know what you’re doing or haven’t understood it.
• Poor accountability and lack of records to show risks and outcomes; what worked and what didn’t, meaning you can’t justify the project or repeat any success.

These negative outcomes impact other innovation projects because you haven’t built or shown trust in innovation work. Your project gives innovation a bad name and it becomes much harder to try something new again.

A positive cycle of good IG

Good information governance is so much more than ticking a box on a form, and it has a direct impact on the success of a project and ambitions for funding. 

Project example: Rough Sleeping Insights Project

The Rough Sleeping Insights Project brings data together to support London’s goal of making rough sleeping rare, brief and non-recurrent. 

Knowing the sensitivity of the data and the vulnerability of the data subjects, I produced  project-specific information governance guidance for all the proposed parties, which helped to:

• show the lawful basis route by which charities could feel confident taking part.
• describe the requirements for the contractor building the system.
• minimise data needed while allowing suitable flexibility of data use.
• establish a timetable to assess information governance and proportionality throughout the project.

One charity used the guidance to review and improve some of its practices and the success of this project has created confidence that this type of research project is possible to replicate.

Risk example: Your Choice Project

The Your Choice Project is a £12.5m pan-London randomised controlled trial aimed at reducing youth violence and helping young people to achieve their goals. 

I worked together with the project team to demonstrate the  importance of good information governance and they embraced the approach. When a risk was identified that young people may not understand what would happen with their personal data, the team produced specific resources, including a privacy notice for young people in video format. Young people were asked about their understanding through the project, and responses were assessed during the information governance review at the end of the pilot. 

Evidence was documented that allowed the project to:

• lower the risk and feel more confident for the next phase.
• show it had built trust with young people. 
• show accountability to the organisation and funders.

As funding for the project was dependent on minimum participation numbers, the trust these actions created was directly linked to participation and therefore to successful funding.

How to build good IG into your processes

Your council has policies and processes that officers must comply with for:

• Data protection compliance including due diligence checks on contractors/suppliers
• IT security for procurement and use of systems and applications

Your first, and most basic, step is to comply with them.

You should also build information governance into your corporate approach through:

• Procurement practices
• Financial/resource approval mechanisms
• Designated officer, senior officer and committee approval processes

You can find guidance on the LOTI IG Hub, such as: 

• How to undertake an information governance review.
• Information governance considerations for system or process testing

Help yourself

• Decide and document how good information governance practices fit with your team’s activities.
• Publish DPIAs and seek out ones published by others.
• Have short guidance documents for project managers, data analysts and similar about how IG at your council applies to them.
• Share positive case studies and identify areas for improvement.

When you see success

If you’re blessed with people who understand and want to work with good information governance practices, thank them and provide feedback to their management chain and project boards. 

Seek out and document positive outcomes where the project undertook good information governance. Build these into the project outcome reports and describe them in corporate resources.