Government Car and Despatch Agency Information Risk Policy
This policy is part of the Agency’s risk management framework and specifically covers the
risks involved in handling information.
What we mean by “Information Risk”
The information we hold is an asset. If we use it well it helps to make our business more
efficient and improves the services we offer to our customers. The risks in handling
information are not only in failing to protect it properly, but also in not using it appropriately.
Managing information risk is about taking a proportionate approach so that both these aims
Statement of Intent by the GCDA Board
The Board is committed to making the best use of the information held within GCDA to
provide efficient services to our customers, while ensuring that adequate safeguards are in
place to keep information secure and to protect the right of the individual to privacy. In
managing information, GCDA will exercise its responsibilities within the framework of relevant
legislation and the strategic information and security framework as administered by the
Cabinet Office, and corporate governance and accountability requirements as promulgated by
We fully support the measures introduced by the Cabinet Office as part of their data handling
review and the core measures that have been implemented throughout the Agency and along
our delivery chain as far as practicable. Where we are not able to mandate the use of these
measures to our delivery partners we are taking all reasonable steps to encourage their use.
Information Risk Management Structure
Information handling represents a significant corporate risk in the sense that failures can
have a damaging impact on the Agency’s reputation with customers, the public and other
public sector bodies. Furthermore, because the Agency often acts as a trusted delivery
partner, any failure on our part will reflect badly on our partners. This in turn could affect our
ability to do business effectively and have significant financial implications.
The Agency Board owns and is responsible for ensuring that the Agency has an information
risk policy. The Accounting Officer (AO) has overall responsibility for ensuring that
information risks are assessed and mitigated to an acceptable level.
The Senior Information Risk Owner (SIRO) is the focus for the management of information
risk at Board level and is responsible for providing written advice to the AO on the content of
the annual Statement of Internal Control (SIC) relating to information risk. The SIRO is
responsible for developing and implementing the risk policy and for reviewing it regularly to
ensure that it remains appropriate to the business objectives and the risk environment.
Information Asset Owners (IAOs) are senior individuals involved in running the relevant
business. Their role is to understand what information is held, what is added and what is
removed, how information is moved, and who has access and why. As a result they are able
to understand and address risks to the information; ensure that information is fully used both
within the law and appropriately, and provide written input to the SIRO annually on security
and use of their assets.
All managers are responsible for ensuring that they and their staff recognise and understand
the need to proactively manage the information they create and to handle it in line with the
Agency’s information policies.
IAOs will assess risks to the confidentiality, integrity and availability of information in their
possession on a quarterly basis, taking account of extant Government-wide guidance, and
plan and implement proportionate responses. At least once a year the risk assessment will
examine forthcoming potential changes in services, technology and threats. The DSO and the
ITSO will examine the IAO’s annual assessment of threat to their information assets and
make recommendations as appropriate
Legal & Regulatory Requirements
In managing information risk the Agency will comply with all relevant legislation, including the
Data Protection Act, Human Rights Act, Computer Misuse Act and Freedom of Information
The Agency will also comply with central government security standards and apply the
Government's minimum mandatory measures and other policies and guidance in the
management of information risk, in particular the strategic information and security
framework as administered by the Cabinet Office, and corporate governance and
accountability requirements as promulgated by HM Treasury.
Managing Information Risk
The Agency will adopt an approach to information risk management which is consistent with
guidance prepared by The National Archives with the support of the Cabinet Office, CESG,
CSIA, the Information Commissioner's Office and the Ministry of Justice. This guidance seeks
to support the non-information specialist and particularly to help Accounting Officers, Chairs
of Audit Committees and Board members to understand information risk.
Escalation & Anonymous Reporting
Personnel who identify risks to the Agency’s information assets should alert the relevant IAO.
If the IAO is not able to address the risk using the resources within their control, they should
raise the matter with the SIRO, who if appropriate may escalate it to the Accounting Officer.
All significant risks should be included in the IAOs quarterly assessment to the SIRO.
The Agency maintains a whistle blowing policy which allows individuals to anonymously bring
concerns about information risk to the attention of senior management or the audit
GCDA recognises the importance of having the right culture in place to underpin data security
so that information risk is understood and efficiently handled in our daily business. To that
end we have developed plans and have an ongoing programme to implement cultural
changes to lead and foster a culture that values, protects and uses information for the public
good. Our HR processes are designed to reward positive approaches to information risk and
to penalise poor performance.
All new and existing staff who handle personal information will be required to undertake
information risk awareness training on appointment and on an annual basis. IAOs will
undertake information management training on appointment and annually. AOs, SIROs &
audit committee members will undertake strategic information management training.
All instances of staff failing to comply with the Agency’s policy on information handling will be
taken seriously and dealt with in accordance with the disciplinary procedures set out in the
Staff Handbook. A major breach of security and/or a serious breach of the Agency’s IT policy
may be so serious that they are dealt with as gross misconduct.
Inspections, Reviews, Monitoring & Audit
The GCDA Board and the audit committee will discuss information risk assessments at evry
board meeting in order to manage existing risks and identify new ones.
There will be an annual assessment of information risk made by internal audit, which will
support the SIRO in providing written assurance / advice to the AO. The assessment will
cover the effectiveness of the overarching policy. It will be informed by the written
judgement of the IAOs and the chair of the audit committee. In preparing for the annual
assessment a number of assurance checks and inspections will be undertaken on information
assets by internal audit.
External Accountability & Progress Reporting
The Agency has published an Information Charter on its website which sets out our standards
for handling personal information. All staff should be aware of and uphold the Charter.
Each year GCDA will set out in its Annual Report summary material on information risk,
covering the overall judgement in the Statement of Internal Control, numbers of information
risk incidents sufficiently significant for the Information Commissioner to be informed, the
number of people potentially affected, and actions taken to contain the breach and prevent
Incident Reporting, Recovery & Contingency Policy
GCDA will have in place procedures for reporting, managing and recovering from information
risk incidents, including losses of protected personal data and ICT security incidents. These
procedures are consistent with current HMG guidance.
ICT System Accreditation
All new GCDA ICT systems will be accredited to the Government standards. GCDA policy is
that all major systems handling protectively marked information will be re-accredited annually
whilst all other systems will be re-accredited every two years. All ICT systems which undergo
significant change will be subject to the re-accreditation process.
GCDA’s Information Risk Management Strategy
Guidance on the GCDA Risk Management strategy and risk assessment methodology will be
available to view on the GCDA intranet.