# Breakout: Information Governance best practice

## Prompts

- How best to classify data?
- Do we see IG as a primary focus for this community?
- Are there other communities of IG practitioners we need to engage with?

## Communities we should engage with

- [Safe Data Access Professionals network](https://securedatagroup.org/)
- PPIE/members of the public
- NHS Information Governance folk (who?) - ICS/ICBs
- Regulators?
  - Information Commissioner's Office. They have had an anonymisation guide for some years and are consulting on an update incorporating GDPR require
  - Financial Conduct Authority. They have a [regulatory sandbox](https://www.fca.org.uk/firms/innovation/regulatory-sandbox) to support experimentation in this space (have done hackathons on synthetic data)

## Notes

How do we decide when to make the decision as the risk owner or when to go out to the community to ask about how to handle it.
A lot of the value of the work we do is to get assurance and confidence in the work that others have done, there is huge difference between figuring it out yourself or looking at other's approach.
Formalising processes or practices informally by many doing it in the same way

- Work the relationship between IG and infrastructure
- There is definitely the capacity for TREs to contribute to IG
- It's easy to make a rod for your own back with IG - as soon as you say you're going to do something you're really bound to doing it (...or failing your audit)
- It should be about really being capable and doing a good job, and making security audits etc more than a paper exercise
- Openness of IG supports openness in general and building trust with the public
- How to document?
  Is it for us or for the accreditor?
  If we document in code is that going to cause problems at audit stage?
- All documentation around e.g. ISO27001 has a context, so just sharing the docs/processes might not be that helpful
- Even some clarity on "here are a few options that we’ve found work well" can be really helpful
- Grants keep focusing on specific developments and on adding features to them, instead we need to see funding into standardising and sharing those that exist

Might make sense to structure any docs/guidance around this in terms of successful approaches to certain problems/elements of standards - there may be one or several

- Currently at the moment we are doing things differently across the group, so not suggesting we ditch everything overnight, but over time we may converge

The relationship (or lack of) with IT over years, organisations and teams is a shared issue and to overcome.

- The IG-IT relationship is an important thing to focus on.

The processes that we are going through and the documentation, which is mostly repositories, would be easy to transform into business processes for organisations.

- How much of this has been produced as part of our ways of work and how much produced explicitly to be read for people outside developing it.
- Dundee make their [standard operating procedures](https://www.dundee.ac.uk/corporate-information/standard-operating-procedures-hic) available online
- The Manchester Connected Health Cities TRE made their [Information Security Management System documents](https://github.com/connectedhealthcities/chc-gm-isms) available online.