What is it?

An IG (information governance) review will benefit your project, process and organisation. However, the outputs of an IG review are especially helpful for public sector knowledge sharing, so that authorities and agencies can learn from the approach of others and not have to start from scratch when undertaking similar work.

This review process is scalable. A review may be completed by one or two people in a short period of time, or it may take place over several months as part of a full project review involving viability and value for money decisions. It may help smaller organisations to self-serve more of the work of identifying and managing risks without needing as much time from an external IG/DP (data protection) specialist.

Why did we create it?

Ongoing and regular review of the processing of personal data should be a part of a continuous improvement approach. This is a positive and effective way to consider the risks and benefits to your organisation and the people whose personal data you are processing. Review is particularly important for pilot and research projects where it is likely that there are higher privacy risks.

This IG review approach is not exhaustive of all an organisation’s data protection and information governance responsibilities. Instead, it provides a structure for conversations between the DP/IG specialist and the project lead, with prompts for the questions you should be answering and the issues to consider when processing personal data.

It will help you to:

• have more focused and efficient conversations between IG/DP professionals and project or process owners and designers
• make sure you’re comfortable with what is happening
• identify risks and issues and identify mitigations and improvements
• revise a Data Protection Impact Assessment (DPIA)
• revise a Data Sharing Agreement (DSA)
• justify funding by evidencing benefits achieved
• reassure individuals that you are meeting your responsibilities when processing their data
• evidence your decision making if asked by the regulator or other agencies.

Who should use it?

This resource is aimed at the public sector, and local authorities in particular, but it can be used by any organisation.

• Anyone – It is designed to be approachable for those without high levels of information governance knowledge, but the review process itself should involve your data protection specialist.
• IG or DP professionals – It acts as a reminder of the questions you should be discussing with the process owner or project lead.