Newsflash_Archive_05_09_08

Document Sample
Newsflash_Archive_05_09_08 Powered By Docstoc
					OGC Gateway™ Newsflash Archive


   NEWSFLASH No.1a (July 2003)

   Purpose

   1.       This note is to remind RTLs of the appropriate use of the RAG status
            Guidelines. It answers a number of questions from RTLs and points out the
            way forward.


   The RAG Guidelines


             Red Status – To achieve success the project should take remedial action
              immediately.

             Amber Status – The project should go forward with actions on
              recommendations to be carried out before the next OGC gate.

             Green Status – The project is on target to succeed but may benefit from the
              uptake of the recommendations.

              In all cases it is the SRO who decides what to do with the
              recommendations.



   Issues

   2.       Q. What do I do if the project makes future promises regarding urgent
               recommendations?

        A. You must ignore these since the RAG status is at the time of the
            review.

   3.       Q. The SRO applies pressure and says the project will be cancelled if
               RED and they‟ll suffer career blight.


            A. The entire idea of independent RTLs is to avoid these age old
          pressures which have submerged the truth and led to expensive
          failures.
          You must remain independent!

4.    Q. There are shades of grey which as an RTL, I‟d like to clarify before
         awarding an RAG. What do I do?

      A. The Gateway Project Directors are available and happy to discuss.
         Just phone the helpline on 020 7271 1396.


5.    Q. Can the SRO appeal the RAG status?

      A. Whilst the SRO can discuss the final reports with the Gateway Team
         there is no appeal. The SRO can of course choose to disregard the
         recommendations if they are really believed inappropriate.

Why is it important to get the RAG status right?

6.    Current Government project monitoring depends heavily on RAG
      to decide whether to focus on the project. An inappropriate RAG
      status can and has led to issue avoidance and major failures.

7.     The Gateway Review Process is Governments prime method for
      ensuring a greater degree of delivery. The RAG status is a way of projects
      getting help. It is not embarrassing to have a RED status at Gate 0 or 1. Clearly
      it becomes harder later in the life cycle. At all times though OGC has envisaged
      the Permanent Secretaries to use RAG status constructively.

Conclusion

8.     Part of the success of yourselves and Gateways is that the results are
      used at the highest levels of Government to ensure projects are on a route to
      success before proceeding.
      Independent, factually based assessments are vital. RAG is a tougher, more
      disciplined assessment for projects than pre Gateways but is making a
      difference. We need, as RTLs to keep on making that difference.
NEWSFLASH No.1b (March 2004)

1. Dealing with difficult relationships inside projects

On rare occasions it becomes clear to the review team that staff shortcomings or poor
relationships are threatening project success. We have been asked by many of you
how to manage these situations, so recommend the following good practice:

      Don‟t ignore the issues, even if they are difficult to handle - these can
       determine project success or failure.
      Remember that the main Gateway report may be used widely and is not the
       best way to handle the situation.
      Do write a formal additional letter from you, the RTL, to the SRO specifying the
       concerns and refer to it in the main report to avoid it becoming „lost‟, but
       without details.

2. OGC Gateway and the press

The unquestioned success of the OGC Gateway process has brought us a lot of
press attention recently - not all of it welcome! Some of the articles have contained
unattributed quotes from Gateway representatives who, although we cannot prove it,
may be consultant RTLs. Without wishing to lead a witch hunt, we would like to
remind you that review details are confidential to the project team, and our agreement
with reviewers is quite specific in this respect. Can I ask you to please refrain from
any such contact with the press with regard to specific projects.

3. Report templates

One deliverable from the Gateway Refresh project was a set of templates for use in
completing reports. We are pleased with the general acceptance of this format and
report quality is rising, however there are still a few RTLs not using the templates.
These, and a user guide, are to be found hyperlinked from the RTL briefing note that
is sent to each RTL. Please ensure that you use the templates: we need to analyse
all the information provided to us to aid the 'Lessons Learned' initiative, which is a
vital and value creating activity. In free format, this becomes a very arduous and
almost impossible task. We need your help, and the templates provide the structure!

Finally, if you are an RTL and have led at least one review, please remember to
register on the RTL workshop. We expect all RTLs to attend at least one of these
events every 18 months. To arrange this, please contact the Gateway Helpdesk on
020 7271 1396.
NEWSFLASH No.2 (April 2004)

1. Feedback on Reviewers

We are seeing a healthy increase in the personal feedback forms we receive on
Reviewers from Team Leaders. As Community Manager, I am using this information
to search for promotion candidates for varying categories of Reviewer; and to provide
real information for individuals looking for developmental support. OGC Gateway is
totally dependent on the quality of its Reviewers so this information is invaluable.
Please ensure that we receive this information promptly, preferably within one week
of the review‟s completion. We also welcome any detailed comments you may like to
give.

2. RAG status

As you know, we analyse all reports to provide background for our Lessons Learned
process. We still see many examples of reports which show a mismatch between the
rating of individual findings and recommendations and the overall RAG status e.g.
evidence of „Amber‟ recommendations but an overall review rated as „Green‟.

This is not consistent with the OGC Gateway Process and, although it is appreciated
that the RAG status is often difficult to deliver, it is nonetheless vital for it to be done
in a clear and consistent manner. Please do not shy away from this important final
deliverable. If this proves to be difficult the Gateway team is here to support you to
press home any tough messages that must be acted on to ensure project success.

3. Handling Detail

Reviewers may sometimes identify potentially deep-rooted defects in a project, which
indicate further investigation is needed and which puts extreme pressure on Review
timescales. It is important to remember that review teams should not always expect
to resolve all the issues in a time-boxed review. The appropriate response may be to
identify an issue as a concern that requires specific in-depth follow up. This follow-up
can come from OGC consulting or other consultancy services commissioned by the
SRO or Project Manager.
NEWSFLASH No.3 (May 2004)

We'd like to alert you to two recent developments in Gateway:

Introduction of 360 degree feedback process

In the 14th edition of our Gateway Newsletter, we informed you that a new 360
degree feedback process would be introduced by the end of April. This process is
now in place, effective from 1st May. Introduction of 360 degree process means that
Review Team Members will now have an opportunity to provide written feedback on
the performance of the Review Team Leader during the review. As you will be aware,
Review Team Leaders already feed back on the RTMs and Senior Responsible
Owners comment on the conduct of the Review.

The feedback process is valuable in monitoring the performance of reviewers and
thus assisting the OGC to maintain a high quality Gateway review process.

Revision of the Report Template

A mini review of the 'refreshed' template has taken place following mixed feedback on
its use over the last 3 months. We conclude that the benefits of flexibility outweigh
the automation of a true template driven by macros. The consistency of reporting will
be maintained by a more flexible template based on an MS Word document. The
new templates for each of the Gates are currently undergoing QA checks. They will
be user tested in the next two weeks before being rolled out, via the web site link
contained in the RTL Briefing Note, at the end of May.

And finally,

Have you spotted Appendix C in the report template?

In case you missed it - the report template has an Appendix C, which provides a
ranking of recommendations by RAG status. Please ensure that the appendix is
completed as it provides a very helpful summary.
NEWSFLASH No.4 (April 2004)

Please note the following:

RTL Team Leader Workshop

The Gateway Team expects that review leaders will attend the RTL workshops at
least every 18 months. As you know this workshop lasts one day and is specifically
designed for those who have experience of leading OGC Gateway review teams - the
format encourages the open sharing of ideas and experiences. The workshop is of
benefit to both Review Team Leaders and the OGC Gateway team - it enables RTLs
to learn from the benefit of a wealth of experience, and to develop their own personal
effectiveness, and it enables the Gateway team to learn from this experience in
developing its own policy and Best Practice. In addition, the Gateway team is keen
that OGC Gateway Reviews be conducted consistently and in a manner conducive to
reinforcement of the OGC Gateway brand; RTL attendance at this workshop is the
best way for us to ensure that this occurs.

Please contact the Gateway Helpdesk on 020 7271 1396 if you are interested in
attending a workshop.

Note: There is high demand for the RTL workshops. To avoid confusion, please do
not assume that application alone guarantees attendance.
NEWSFLASH No.5 (June 2004)

Following your feedback we have revised the report template:

Revised Report Templates

The new Report Templates (version 2.0) were released on June 18th in response to
feedback received. They will be made available to RTLs through the Briefing Note
mechanism, as usual, in advance of specific reviews. The main changes revolve
around a reversion to the original open and unprotected style of template. There are
no macros or passwords and no drop down menus. The template is consequently
much more flexible and easy to use. The accompanying guide sheet is more
straightforward but worth a read to avoid any misconceptions on navigation and
formatting. GPDs will be monitoring report production for consistency.

We hope that report completion will be simplified by the revision.

Thank you for your continued support.
NEWSFLASH No.6 (July 2004)

Following feedback relating to the provision of preparatory information for conducting
an OGC Gateway™ Review we would like to draw your attention to the following:

OGC Gateway™ Review Briefing Note

The OGC Gateway™ Review Briefing Note, sent to the RTL, has been specifically
designed to support the team members providing key information for the forthcoming
Gateway Review.

The note is designed to allow easy access to a number of linked files, including the
following:

Planning Meeting Agenda
Writing the Report, including RAG status
OGC Gateway™ Review Report Templates
Various Feedback Forms

We hope that you will find the Briefing Document an invaluable aid in preparing for an
OGC Gateway™ Review.
NEWSFLASH No.7 (September 2004)

Two issues are covered in this newsflash. First, some best practice pointers on
drafting report recommendations that have arisen from our feedback discussions with
SROs; and second, guidance on the handling of affordability and financial approval at
Gate 1.

Guidance on drafting recommendations

Report recommendations should be:

   1. SMART (Specific, Measurable, Actionable, Realistic & Timely).
   2. Focused on high impact improvement - ideally a maximum of 10
      recommendations.
   3. Designed to bring a programme/project back on course, or improve the
      chances for success.
   4. Drafted to clearly identify when the recommendation has arisen because of a
      lack of evidence that planned and/or necessary actions are being undertaken.
   5. Drafted to clearly identify where the recommendation has been driven by a
      need to revise the current programme/project plan.

Please note there is no minimum number of recommendations; identify the key
recommendations that can add value to the programme/project‟s chances of success.

Recommendations should not:

   1. Propose planned tasks stated on the programme\project plan where evidence
      exists that the activities are being taken forward in accordance with the agreed
      programme/project plan. In such cases, endorsement of the actions can be
      reflected in the text of the report or, if appropriate, identified as an example of
      good practice. If evidence suggests that to date, tasks have not been
      achieved or are not realistic, then this should/could be reflected in the
      recommendation.
   2. Rely on promises of action by SROs or project teams made during a review to
      fix problems identified by the review team, in particular where the promise is
      made in order to reduce the RAG status of any recommendation.

If you have any queries about whether or not issues should be raised as
recommendations and, if so, the appropriate RAG status then please contact the
relevant GPD before presenting the final draft report to the SRO.

Gate 1: Affordability and financial approval

A key purpose of the Gate 1 review is to confirm that the business case is robust –
i.e. the case meets the business need, is affordable, achievable, with appropriate
options explored and is likely to achieve value for money. Projects must demonstrate
affordability at a Gate 1 review, but may not have obtained financial approval and
authority to proceed at the time of the review. Provided that the project plan shows a
milestone seeking financial authorisation and approval to proceed, then an adverse
recommendation would not be expected. In such cases RTLs are advised to place a
comment in the body of the report.
NEWSFLASH No.8 (October 2004)

Cross-Cutting Programmes

The management of Government delivery programmes which involve more than one
organisation is particularly challenging. OGC recently reviewed existing information
on this topic and concluded that the issues that typically arise in such programmes
are covered by the available guidance and, in particular, by "Managing Successful
Programmes" (MSP). However, it is clear that following the guidance is particularly
difficult in the cross-cutting environment. The attached 'list of tips' is intended to
highlight best practice and ensure that cross-cutting programmes do not suffer from
the most common causes of failure. The recommendations have been discussed and
agreed by the OGC Supervisory Board, which includes Permanent Secretaries of the
main Departments.
NEWSFLASH No.9 (January 2005)

Three issues for your consideration:
- Best Practice information
- Timing of the next review
- Report production.


BEST PRACTICE - Managing Successful Programmes (MSP) and Projects
(PRINCE2)

Reviewers are required to be familiar with Best Practice, in particular MSP and
PRINCE2. Due to licensing issues it is not possible for Gateway to make electronic
or hard copies of the MSP or PRINCE2 workbooks available to the Reviewer
Community. However, your attention is drawn to the Successful Delivery Toolkit
which provides a mapping of all Gateway Review 'Areas to Probe' workbook
questions linked to the relevant area of Best Practice, including elements of both MSP
and PRINCE2.

On-line access to the Toolkit link is at:

http://www.ogc.gov.uk/sdtoolkit/workbooks/gateway/index.html

The material is also available on the Toolkit CD available from the Service Desk
(0845 000 4999)

[Note: the 'mapping' of 'Areas to Probe' to 'Best Practice' for each of the 6 Gates
commences about half way down the first page so please do not be put off if it is not
immediately apparent at the top!]


Recommendation for the timing of the next Review

Review Teams should not attempt to 'establish' the date of the next Review as part of
their feedback. Indeed it is not the intention of Gateway to time the next Review to
'check' that any particular document or action has been carried out from the previous
recommendations.

Any recommendation suggesting the timing of the next Review should be linked to the
maturity of the project or programme and not to a specific date. Reviews are only
arranged when the SRO triggers the process by forwarding an RPA to the Gateway
Team.


Production of the Review Team’s Report

It is the Review Team Leader's responsibility to ensure that the Report is available to
the SRO on the final day of the Review. All members of the Review Team have a
responsibility to make a contribution to the report and share in its physical production.
The practical issue of producing the report eg. how sections will be drafted, how it will
be typed and compiled, availability of a printer, etc, must be addressed at the
Planning Day and agreed between the Team members. Support required from the
host organisation must also be identified.
NEWSFLASH No.10 (February 2005)

Praise for projects – views of the Review Team

The report template prompts the review team to identify examples of good practice.
However, Review Teams are requested NOT to record their subjective 'personal' view
of the project or draw comparisons with other projects reviewed, for instance using
phrases like 'in our opinion the project is in the top 10% of those we have reviewed',
as this may be misconstrued as formal OGC ranking or endorsement.


Following up recommendations from the previous Review

Please note that the team are required to follow up recommendations from the
previous review as part of their update briefing from the Project Team. The findings
from this activity must be documented in reasonable detail in the current review
report.


How many Gates?

There still seems to be some confusion amongst team members regarding the
               number and relationship of the various Gate Reviews.

To clarify:

      in all there are six workbooks covering the Gate Reviews

      Gate O is to be applied to PROGRAMMES only, and may be applied
       repeatedly to that PROGRAMME. The frequency of programme review will
       reflect its development but, as a 'rule of thumb', an annual review may be
       appropriate often aligned with major milestones being achieved or significant
       changes of scope occurring. Gate 0 is NOT a precursor to Gate 1! The Gate
       0 workbook is designed to be applied appropriately e.g. the section on 'Review
       of Current Phase' would not apply to a programme in definition or start-up
       phase, but would apply further into the lifecycle.

      Gates 1 - 5 are relevant to PROJECTS and reflect the maturity of the scheme.

      We DO NOT carry out 'combined' reviews. However, a review may be phased
       eg. interim Gates 2, 2a, 2b - when there is a long period of time between Gates
       2 & 3 - Gates 3a and b - where there is multiple procurement - and 4a, b, etc to
       capture different releases of a product, system or building.

The link between Gate Reviews, business lifecycle and Best Practice
information

The OGC Successful Delivery Toolkit provides a matrix showing the relationship &
mapping between each of the 6 Gateway Reviews (Gateway Reviews 0 and 1 to 5),
and the 10 most important topic areas encountered during a complete business
lifecycle. So, at any co-ordinate of the matrix, you get both a short statement on what
you should be looking for at that stage, together with a link from that statement,
straight to the most relevant Best Practice guidance.

For example, the co-ordinate which maps the Gateway Review No 4 (Readiness for
Service) to the lifecycle topic of Risk management, provides the short statement "put
shared processes in place for risk management", which is itself a link to the actual
best practice guidance in the form of a Workbook on Risk management that
underpins it.

The link is: http://www.ogc.gov.uk/sdtoolkit/delifecycle/overview.html

These 10 business lifecycle topic areas are as follows:

   1. Strategy formulation and management;

   2. Business case;

   3. Requirements development;

   4. Programme management;

   5. Project management;

   6. Procurement;

   7. Contracts and Supplier management;

   8. Risk management;

   9. Benefits management; and

   10. Performance management.
NEWSFLASH No.11 (February 2005)

Please take careful note of the following guidance:

Requests for Gateway Information

If, as a Gateway reviewer, you receive a verbal request for Gateway information you
should say that Gateway information is not generally published/disclosed - it is still for
the SROs to decide how, when and with whom they share the information.

If you receive a written request for disclosure of Gateway information it is likely that it
will be treated as a request under the Freedom of Information Act and will have to be
considered on a case by case basis as per the Act. If you do receive a written
request you should refer to the SRO of the relevant project/programme or the
Gateway Team. Civil Servants in departments should refer to their FOI practitioner
within their department for advice. But please be aware that, as per our guidance,
you must dispose of the report and all supporting documents immediately after
the delivery of the Final Report.




NEWSFLASH No 12 (April 05)

A number of issues for your information:
Newsflashes available to Leaders and Members

We are aware that Newsflashes are initially distributed to Review Team Leaders but
that Members would also find them useful. Please note that the Review Briefing Note
sent to the RTL and RTM‟s now include a link to an archive of Gateway Newsflashes.

The Briefing Note also includes a link to the OGC Website for information on FOI and
how it applies to Gateway.

Review Attendance

In assembling the team the RTLL‟s ensure that all the members will be available for
both the Planning Day and the Review itself. Circumstances change and it is
important that the availability of the team is checked at the Planning Meeting.
However, the expectation is that all team members will be available for the whole of
the Review.
Absense of a team member for part of a review will only be allowed in exceptional
circumstances and this should be discussed with the relevant GPD or RTLL as early
as possible.

360 degree feedback – quality of information

The RTL and RTM feedback sheets are an important part of the review quality
assurance process. However, although we now receive all the feedback sheets the
information would be greatly improved if a few sentences of explanation could be
added to the „marking‟ in each section.

Report navigation

We have received feedback from a number of SRO‟s that they would have found it
useful to have had numbering of report paragraphs to aid navigation through the
document.

We do not intend to change the report template but suggest that you consider
numbered paragraphs as a reference aid in the report.




Newsflash No 13 (July 05)

Please note the following information:
Review Cancellation

Review Team Leaders (RTL‟s) are reminded that they must confer with the relevant
Better Projects Director (BPD) before a decision is made to cancel a Review.

The BPD needs to be satisfied that cancellation is the appropriate action. However,
the RTL remains the final decision maker.

Management and Creation of documents with a ‘Protective Marking’

On occasion it may be necessary for Review Teams to have access to or create
material bearing a „protective marking‟. The following guidance should be noted by
Team Leaders and Members:

   1. The Team Leader must seek guidance from the SRO at the Planning Meeting
      regarding any „protective marking‟ that might be necessary for the report.
      Typically reports should not bear a „protective marking‟.

   2. Where a „protective marking‟ is required the standard categories should
      be used, as directed by the SRO.

   3. Distribution of documents:
         - only „unmarked‟ documents may be freely transmitted e.g. e-mailed,
             outside the Government Secure intranet (GSi) system. Where
             necessary documents bearing a protective marking of „restricted‟ may
             be e-mailed over the GSi.
         - the SRO‟s/Owning Department‟s guidance must be sought on the
             handling of specific documents if they bear a „protective marking‟.
         - generally, documents carrying protective markings above „restricted‟
             should not be transmitted or removed from the local site.

 During a Review, if there is any doubt over the management of documents with
protective markings this must be clarified with the SRO/Project Team as soon as
possible.




NEWSFLASH No. 14 (23 December 2005)

Two items for your consideration:
- Shared services across government
- The new OGC Successful Delivery Toolkit

Shared services between central government organisations
Gateway Review team members are advised that on the 6 October 2005 the Cabinet
agreed to a more demanding approach with respect to the Efficiency Programme.
Departments will now have to take account of what else is happening in their sector
when making their own plans for providing common services.

Shared Services are a centrepiece of the Transformational Government strategy
published by the Chancellor of the Duchy of Lancaster on 2 November 2005. The
document can be found at: -

<http://www.cio.gov.uk/transformational_government/strategy/contents/>

Issues relevant to a Review include:

      Shared services are needed to release efficiencies across the system and
      support delivery focussed on customer need. They provide public service
      organisations with the opportunity to reduce waste and inefficiency by re-using
      assets and sharing investments with others.

      Sharing can apply to customer facing services, such as call centres, the
      transactional elements of corporate services such as finance and human
      resources, and to infrastructure such as IT or identity management.

      The Government now wishes to implement Shared Services across the whole
      public sector, remove blockers to progress (real or perceived), make the
      difficult staffing decisions, which result, consider carefully the role that the
      market can play in achieving the objectives and be open to innovative
      approaches.

      Work is already being undertaken to identify and plan how common services
      might be shared across the sectors across government. These include Health,
      Education, a Home Office grouping, Local Government, Defence, Work and
      Pensions, HMRC and a sector addressing the remainder of government
      organisations. An Efficiency Network ministerial group being set up by the
      Chief Secretary will, as part of its work, oversee progress on Shared Services
      in government.

Review Teams are asked to bear in mind this important new initiative when
undertaking Gateway Reviews and to check that any projects or programmes which
involve shared services give due cognisance to the new requirements as described
above.


The new OGC Successful Delivery Tool Kit

The latest edition, version 5, of the OGC Best Practice Toolkit is now available on the
website. The Toolkit link is: -

             http://www.ogc.gov.uk/sdtoolkit/

The material is also on a CD available from the OGC Service Desk (0845 000 4999).
The most noticeable differences are the appearance of the toolkit and navigation from
the home page. It now has more of an OGC look and feel and includes two new ways
of finding information:

          a)
             lets the user drill down into the detailed guidance relevant to the Gate,
             programme or project stage;
          b) a role based entry point so that people involved in programme or project
             management can find all the guidance relevant to their respective roles.

The new version includes some significant updating of guidance.

A complete list of changes is provided in a “change log”, accessible from the home
page.




NEWSFLASH No. 15 ( March 2006)

If its not too late - a happy New Year from the Better Projects team. Your continuing
support for Gateway is appreciated and we have a challenging year ahead both in
terms of the number and scope of anticipated reviews.

Please note the attached messages regarding new procurement requirements and
the submission of reports:


The new Public Procurement Directives

Your attention is drawn to the important changes introduced by the New EU
Directives
The new European Union Directives covering public sector and utilities procurement,
which simplify, clarify and update the EU rules, were implemented in the UK by the
required Commission deadline of 31 January 2006.
Guidance notes are available from the link below, covering new issues in these
directives - including framework agreements, reserved contracts for supported
businesses and factories, dynamic purchasing systems, mandatory exclusion of
economic operators, central purchasing bodies, electronic auctions and competitive
dialogue procedure.
New EU Directives and guidance notes <http://www.ogc.gov.uk/index.asp?docid=1000084>


Final Reports

Review Team Leaders are reminded that completed Final Reports from Gateway
Reviews should be sent to the relevant OGC Resource Leader and not to the OGC
Better Projects Director. This instruction has been included in the Briefing Pack for
Review Team Leaders.

Peter Clark
Capability Director
OGC Better Projects




NEWSFLASH No. 16 (20th June 2006)

Two items for your consideration:

   RAG Status Reminder
   Sustainable Development


RAG Status Reminder

It is essential that the Red/Amber/Green assessment is applied rigorously to Gateway
review recommendations. The distinction between Red and Amber is one of urgency
of implementing the recommendation:

Red - action should be taken immediately

Amber - action needs to be completed before the next Gateway review
In the case of an Amber recommendation, where completion by the next review would
be too late, the review team should specify an earlier project milestone, event or date
by which the recommendation should be implemented.

Sustainable Development

Your attention is drawn to the importance of the Government's Sustainable
Development Strategy and the implications for Gateway Reviews.

Background
The public sector has a key role in furthering sustainable development through its
procurement of buildings, goods and services. The UK Government Sustainable
Development Strategy published in March 2005, committed the public sector to lead
by example in delivering those objectives.

All central Government departments and their executive agencies are required to
produce focused Sustainable Development Action plans based on this strategy by
December 2005.

What is sustainable development?
The Strategy defines sustainable development in broad social, environmental and
economic terms. The term sustainable procurement therefore encompasses all issues
where procurement is seen as having a role in delivering economic, social and
environmental policy objectives.

Implications for Gateway™Reviews
Review teams will wish to assure themselves that sustainability has been considered
as part of the Review and that proposals are in harmony with the department's or
agency's Sustainable Development Action Plan.

Further information
Further information can be obtained from the OGC Website sustainability page and
the Government Sustainable Development Strategy document.


Kindest regards

Peter Clark
Gateway Capability Director
OGC Better Projects
NEWSFLASH No. 17 (10th August 2006)

IMPORTANT: UPDATE REGARDING FOI ENQUIRIES REGARDING GATEWAY™
REVIEW REPORTS
For some time Reviewers have been asking for feedback on the OGC's position
regarding the release of Gateway™ Review information requested under FOI
proceedures.
OGC has received two decisions from the Information Commissioner (IC) regarding
requests under the FOI Act for key Gateway information.
The queries both relate to the Home Office ID card programme and requested:
      'provision of pre-stage zero and stage zero Gateway Reviews of the Home
      Office ID cards programme' (raised by Mark Dziecielewski), and
      'what traffic light (RAG) status was awarded to the ID cards scheme by the
      OGC at the Gateway Review 1 Stage' (raised by Mark Oaten MP)
The text of the IC's responses are available on the Information Commissioner's
website (www.ico.gov.uk). In both cases he has ruled that the requested information
should be disclosed in full.
OGC, in consultation with other Departments, are currently deciding what to do next.
Should the decision be made to appeal, OGC have 28 days to submit grounds to the
Information Tribunal. In the meantime the current position relating to the release of
Gateway™ Review information stays the same.
We will keep you informed of progess regarding this issue.
Sent on behalf of Peter Clark,
Gateway Capability Director






NEWSFLASH No. 18 (18th September 2006)


IMPORTANT: UPDATE ON FOI ENQUIRIES RELATING TO OGC GATEWAY™
REPORTS


In Newsflash 17 we informed you of two decision notices issued by the Information
Commissioner (ICO) relating to requests for key Gateway information issued under
the FOI Act. In both cases he decided that the requested information should be
disclosed in full. Having carefully considered these decision notices and consulted
Home Office and legal advisors, OGC has concluded that we have good legal
reasons to appeal.

Following ministerial approval, we served grounds of appeal for the first decision
(relating to the request raised by Mark Dziecielewski) on the Information Tribunal on
Tuesday 29th August 2006. We are currently resolving a procedural issue on the
second decision (relating to the request raised by Mark Oaten MP) and as soon as a
new decision notice is received the grounds of appeal on that case will also be
issued.
The Information Tribunal has received the grounds of appeal and will establish a
timescale for hearing our case. In the meantime our position on the release of
Gateway information remains unchanged. Please visit our website
(http://www.ogc.gov.uk/ogc_gateway_review_for_programmes___projects_gateway_
and_foi.asp) for full guidance.
To recap, both initial queries relate to the Home Office ID card programme and
requested:
      'provision of pre-stage zero and stage zero Gateway Reviews of the Home
      Office ID cards programme' (raised by Mark Dziecielewski), and
      'what traffic light (RAG) status was awarded to the ID cards scheme by the
      OGC at the Gateway Review 1 Stage' (raised by Mark Oaten MP)
The text of the ICO's responses are available on the Information Commissioner's
website (http://www.ico.gov.uk/)


We will keep you informed of our progress in pursuing this appeal.


If you have any queries, please contact Neil Irving Neil.Irving@ogc.gsi.gov.uk


Sent on behalf of Peter Clark,
Gateway Capability Director



NEWSFLASH No. 19 (October 2006) supersedes the information on the same
subject given in Newsflash No 13 (July 2005)

                                 Security of Information

In setting up a Review the Better Projects Director (BPD) and Resource Leader (RL)
will have queried security issues with the Programme or Project Team. However,
Reviewers are reminded that security of information is of continuing importance.

RTL’s should check security arrangements with SRO’s. Only ‘unmarked’
documents may be freely emailed outside the Government Secure Intranet (GSI)
system.

The following guidance should be noted:

1. Protective Marking

RTL‟s must seek guidance from the SRO at the Planning Meeting regarding any
„protective marking‟ that might be necessary for the report. Typically reports should
not bear a „protective marking‟. Where a „protective marking‟ is required the standard
categories should be used, as directed by the SRO.

2. Distribution of documents:
       Only „unmarked‟ documents may be freely emailed outside the GSI system.
        Where necessary documents bearing a protective marking of „Restricted‟
        may be emailed over the GSI

        The SRO‟s/Owning Department‟s guidance must be sought on the handling
        of specific documents if they bear a „protective marking‟

        Generally, documents carrying protective markings above „Restricted‟
        should not be transmitted or removed from the local site.


Remember that all documentation and interview notes must be securely destroyed or
returned to the Programme/Project Team for disposal as appropriate at the end of a
review. RTL and RTM‟s must not retain copies of the review report.


Sent on behalf of Peter Clark
Gateway Capability Director




NEWSFLASH No. 20 (January 07)

Happy New Year from the Better Projects Team!

2006 was a year of achievement for Better Projects. In particular we delivered the
2000th OGC Gateway™ Review, £1bn VFM savings from Central Government
programmes and projects and established authorised „hubs‟ in Defence and Health.
Feedback from the Client Opinion Survey, carried out as part of the Gateway Refresh
project, highlights the overwhelming stakeholder support for the OGC Gateway™
Review process.

You may be aware that Gateway refresh is nearing completion. We will shortly be
sending you details of the changes to Reviews, together with details of the updated
Workbooks and supporting materials.

Thank you for your continued support and commitment to Gateway.

The first newsflash of 2007 (see attachment) highlights several issues
regarding Review process and execution. Please ensure that you take the
messages on board, together with those in previous Newsflashes, for your next
review to ensure we maintain the high standard of delivery that our
stakeholders have come to expect.

Best wishes
Peter Clark
Better Projects - Gateway Community Director


       





NEWSFLASH No. 21 (May 07)


The OGC Gateway™ Process continues to develop and this newsflash focuses on
refresh and the establishment of the on-line listing of OGC accredited Reviewers.
GATEWAY REFRESH

You will be aware of the recent work to update the OGC Gateway™ Process. The
refreshed OGC Gateway Process applies to the whole of the public sector, and for
central civil government, and the phased implementation will begin with Assessment
Meetings from the 8th May 2007. Implementation for areas outside central civil
government may differ.
The main changes arising from the OGC Gateway™ Refresh are outlined below.
Review 0:
* Early Review 0 – at Programme Brief stage. The revised workbook clearly shows
how a Review 0 could be used at an early stage in the lifecycle of a programme to
provide a clear evaluation of objectives, desired benefits, risks, costs and timeframe.
The revised workbook clearly indicates how OGC Gateway Review 0's can be
repeated throughout the lifecycle of delivery.
Review 2, 3 and 4:
* Review 2 is renamed 'Delivery strategy' to clearly signal that the scope of this
Review is wider than procurement alone and indeed applies to projects with little or
no procurement.
* Minor enhancements to all workbooks to bring them up to date
* Updated areas to probe in Review 4 regarding arrangements from project to
operations
Review 5:
*Revised workbook emphasis on repeatability of the Review, with a first Review 5
after project implementation.
*Subsequent Reviews should consider the operational benefits of projects at a point
4-5 years (or less) after implementation and repeated as required (say every 3 - 5
years for long-term contracts such as PFI)
Updated Report Templates for all Reviews:
* Amended to include a consistent formal recording of previous recommendations and
follow up.
Best Practice information:
* The workbooks and the website now include a section showing links to sources of
Best Practice.
You will be able to order your copy of the updated OGC Gateway Process Pack from
the 8th May 2007 via the following:
*Your Departmental Gateway Coordinator
*OGC website (where PDF copies will be available)
*OGC Service Desk 0845 000 4999
Updated report templates will be sent along with the updated Briefing Notes in the
normal manner when you are commissioned to conduct a Review.
Thank you to all of you who assisted in the development of this Refresh.
OGC ACCREDITED REVIEWERS - ONLINE LISTING
We have commenced a process to issue certificates to accredited Reviewers and,
with their agreement, list their names and status on the OGC website. See link:
http://www.ogc.gov.uk/how_to_become_an_ogc_gateway_reviewer_accredited_gate
way_reviewers.asp
The list will be regularly updated to keep pace with the issue of certificates.
Thank you for your continued support for the OGC Gateway Process.

Peter Clark
Better Projects - Gateway Community Director













NEWSFLASH No. 22 (June 07)

Dear Gateway Reviewer


REMINDER - CONFIDENTIALITY OF OGC GATEWAY REVIEW MATERIAL
You will be aware of the interest being taken by the media in the Gateway process
and the ongoing work addressing the release of reports under the Freedom of
Information Act (FOI).
Recently we have been made aware that updated presentation material reserved for
review team members has been made available to journalists and taken out of
context, which has led to misrepresentation of the facts and inaccurate publicity.
OGC guidance on the retention of review documentation has been in place since the
Gateway process was introduced in 2001 and was not introduced in reaction to the
FOI legislation, which came in to force in January 2005 . Reviewers have always
been instructed to dispose of all documentation once the final report has been given
to the SRO. There is no need to retain duplicate copies of documents already held by
Departments or OGC which, from time to time, could contain sensitive information.
In order to prevent any further misunderstanding I‟d be grateful if you could ensure
that any request from a journalist for Gateway material is referred, in the case of Civil
Servants, to your Departmental Press Office or to the OGC if you are a consultant.


Regards
Peter Clark
Gateway Community Director








NEWSFLASH No. 23 (September 07)

I thought it would be useful to notify you of some of the key changes underway at
OGC.

              NEW CHIEF EXECUTIVE AND EXECUTIVE DIRECTOR

Nigel Smith our new CEO arrived in early September and Jonathan Simcock is now
the Executive Director responsible for Capital Group, including Gateway™ Review
delivery. Nigel and Jonathan are getting to know the organisation and both have
applied to be Gateway Reviewers.

 WE ARE MOVING! OUR NEW ADDRESS – 1 HORSE GUARDS ROAD, LONDON

The London office of OGC is moving to the fourth floor of 1 Horse Guards Road. The
move will be completed by 1st October 2007.

Co-locating with HM Treasury will enable OGC to work more closely with Treasury
colleagues to deliver the objectives of Transforming Government Procurement.

OGC staff will be retaining their telephone numbers and e-mail addresses.

                               GATEWAY ON VIDEO

A new video presentation of the OGC Gateway™ Review process may be viewed at
the OGC website:
http://www.ogc.gov.uk/ogcgatewayvideos.asp

The video presentation is also available on DVD (order via the Servicedesk).

The presentation covers the Review process and includes four case studies.

                    A REMINDER – REFRESHED WORKBOOKS

We have noticed that out of date Gateway Workbooks have appeared at recent
Reviews!

Please ensure that you are using the up to date „refreshed‟ version of the Workbooks
when you carry out reviews. The workbooks are available at the OGC website and
may be downloaded as .pdf documents:

http://www.ogc.gov.uk/ppm_documents_ogc_gateway.asp

Hard copies can be ordered from the OGC Servicedesk.

                           GATEWAY AND FOI – UPDATE

We await notification of the date for the High Court hearing and will keep you
informed of progress.

                          GATEWAY CONTACTS AT OGC

You will have noticed that there have been several changes in personnel within the
Gateway delivery team. Currently the contacts are:

Gateway Portfolio Leaders                Resource Leaders
Philip Ashill                            Olivia Burman
Adrian Cooper                            Nicola Kaya
Philip Cooper                            Kristel McDevitt
Paul Everist                             Noelle O‟Connor
Deborah Hopkins-Hurt
Dave Richards
Tom Siddell
Chris Stebbing
Steve Whittle

….and finally

As I will be departing OGC at the end of October, and this may be my last „newsflash‟
opportunity, I would like to thank you all for your friendship, participation, feedback
and commitment to the Gateway Review process.

May your programmes and projects be „Green‟ and your Reviews rewarding!

Best wishes - hopefully we will meet on a future Review.
Regards

Peter Clark
Gateway Community Director






NEWSFLASH No. 24 (February 08)


Dear Reviewer Community


We are in the process of reviewing the CCG Gateway report template and have
agreed the following initial changes to take effect immediately:
1) To aid clarity from now on as a footnote on the CCG report template will include
the following statement:
"This report is an evidence-based snapshot of the project's status at the time of the
review . It reflects the views of the independent review team, based on information
evaluated over a three to four day period, and is delivered to the SRO immediately at
the conclusion of the review."

2) There is no longer a requirement to list the documents the review team has looked
at - as this information should be held by the person who is co-coordinating the
review in the project office.

Note to DGCs: those Departments which have Medium Risk Delegation should be
using the standard Gateway Report Templates and Documentation. If anyone
requires these templates they should contact the OGC Gateway Helpdesk at the
following email address:

gateway.helpdesk@ogc.gsi.gov.uk

Kind regards
Stephanie Minns

Head of External Resources








NEWSFLASH No. 25 (February 08)


Dear Reviewer Community


This is a reminder that the FOI High Court Case will take place next week. The
hearing will last from the 3rd of March to the 5th of March. Please note that the way
we handle FOI requests on Gateway reports remains the same, until the court's
decision is issued. You may find more detailed background information in the
attached note. We will update you again after the Hearing.




Kind regards

Stephanie Minns

Head of External Resources












NEWSFLASH No. 26 (March 08)


Dear Reviewer Community


Freedom of Information - Update
The High Court hearing regarding the release of OGC Gateway™ reports concluded
this morning. The Judge indicated he would give his judgment after Easter.
The current arrangements for the release of reports should therefore continue in line
with the MoJ working assumptions.
OGC will advise on the judgment when it becomes available.

Kind regards

Stephanie Minns

Head of External Resources











NEWSFLASH No. 27 (April 08)


Dear Reviewer Community

The High Court has handed down it‟s ruling in respect to OGC‟s appeal on disclosure
of Gateway™ reviews, as ordered by the Information Tribunal.
The judge has quashed the decisions made by the Information Tribunal, thereby
upholding the appeal made by the OGC.
The OGC is now considering the points made in the Judges decision and how to
proceed from this point.
The current arrangements for the release of reports should therefore continue in line
with the Ministry of Justice working assumptions.
For a full transcript of the decision please follow this link:
(Link to decision transcript)
Kind regards

Tom Willmot
Business and Performance Officer



NEWSFLASH No. 28 (May 08)


Dear Reviewer Community,

Many of you will be aware that OGC has been piloting some changes to the Gateway
process. This e-mail is to provide you with an update on progress and to let you know
about new arrangements that will apply to all High Risk reviews arranged and
managed by OGC.

With effect from 1st June all High Risk reviews arranged and managed by OGC will
include a Delivery Confidence assessment. That assessment will replace the current
RAG status derived from the individual recommendations and will be the overall
Gateway status in the future.

Gateway Reviews have always been intended to provide an independent opinion on
how best to ensure projects are successful. Extensive feedback has suggested that
the current system can produce misleading results. . Projects that are progressing
well and on track to deliver successful outcomes can receive Red reviews because of
the urgency of a single recommendation and, conversely, projects that have a much
lower chance of succeeding can receive Amber reports because the
recommendations, while very serious, lack immediacy. The introduction of the
Delivery Confidence is designed to address this and to more explicitly capture the
views of Review Teams on a project or programme‟s likelihood of succeeding and to
help drive an improved success rate in projects and programmes. Attached is a copy
of “Delivery Confidence – Guide for Review Teams” for your information.




A number of decisions follow from this:
1) The Gateway Report template for High Risk Reviews has been changed. A
copy of the new template (for a Gate 0) for High Risk Reviews is attached. Our
consultation exercise generated a plethora of suggestions for other changes to the
Report Template; in the short term the priority has had to be the incorporation of
Delivery Confidence, however, those valuable suggestions have not be discarded and
we will be revisiting the Report template in slower time.




2) RAG will no longer be applied to individual recommendations in High Risk
Gateway Reports. Feedback from the pilots indicated that it would be too confusing
to have different RAGs for Delivery Confidence and for individual recommendations,
particularly if Red had different meanings. After extensive consultation we have
decided to adopt the following means of prioritisation.
      Critical (Do Now) – To increase the likelihood of a successful outcome it is of
      the greatest importance that the programme/project should take action
      immediately.

      Essential (Do By) – To increase the likelihood of a successful outcome the
      programme/project should take action in the near future. [Note to review teams –
      whenever possible Essential recommendations should be linked to project milestones
      e.g. before contract signature and/or a specified timeframe e.g. within the next three
      months.]

      Recommended – The programme/project should benefit from the uptake of this
      recommendation. [Note to review teams – if possible Recommended
      recommendations should be linked to project milestones e.g. before contract signature
      and/or a specified timeframe e.g. within the next three months.]


3) The approach to escalation of Red reports will change. At the moment if a
project or programme receives two consecutive Red Gateway Reports OGC‟s Chief
Executive writes to the appropriate Permanent Secretary. After consultation with the
NAO it has been agreed that that letter will be sent on the first Red Delivery
Confidence Report. As now the letter will be copied to Sir Gus O‟Donnell, the Cabinet
Secretary, and Tim Burr, the Comptroller and Auditor General. The NAO will continue
to report periodically to the PAC. We have agreed with the NAO that we will revisit
this decision in 3 to 6 months to ensure that it provides the right coverage.

Medium Risk Reviews
Initially this change will only apply to High Risk reviews arranged and managed by
OGC. We will be piloting Delivery Confidence in Medium Risk Reviews as soon as is
practical.

We would like to take this opportunity to thank all those who took part in the pilot
Delivery Confidence reviews and who shared their experience and knowledge with
us. Thanks also to the many RTLs who joined us for an evening workshop on 6th May
and provided us with invaluable feedback.

Kind regards

Helen Parker
External Resources Community Manager



                   OGC GATEWAY NEWSFLASH 29

                          OGC Gateway Training Contract
Following an open competitive procurement exercise I am pleased to announce that the
contract for the provision of OGC Gateway Training has been awarded to Xafinity Skillbase.
The new 3-year (+1) contract commenced on July 9 2008.

As the Authorised Training Organisation (ATO) for OGC Gateway, Xafinity Skillbase will be
the sole provider of training required for any mandatory training required for OGC Gateway
reviewer accreditation. Xafinity Skillbase will therefore be the only ATO provider of the
Preparing to carry out an OGC Gateway Reviews workshop and the OGC Gateway Review
Team Leader Master Classes.

Xafinity Skillbase also offers a range of other OGC Gateway related training and awareness
seminars. Full details of their all OGC Gateway training services can be found at:
http://www.ogc.gov.uk/ogc_gateway_review_for_programmes___projects_supporting_guidan
ce_and_training.asp

The training course charges in new contract are different from the previous contract, however,
if anyone has already booked a course at the old rates and that course has yet to take place, the
old contract rates will still apply. Full details of the new charges can be obtained from Jennie
Shannon at Xafinity Skillbase on 02392 239014 or e-mail
jennie.shannon@xafinityskillbase.com

OGC will be working closely with Xafinity Skillbase to ensure the provision of training
courses and seminars remains up to date, fresh and meet the needs of the Gateway community.
If you have any questions regarding the contract please contact:

Liz Pattison on 07900 608375 or email Elizabeth.Pattison@ogc.gsi.gov.uk

or

Phil Kemp on 020 7271 1495 or email phillip.kemp@ogc.gsi.gov.uk



Phil Kemp

Head of Gateway Brand Assurance
OGC Major Projects Directorate
4th Floor
1 Horse Guards Road
London
SW1A 2HQ
                        OGC GATEWAY NEWSFLASH 30

INFORMATION RISK MANAGEMENT

INTRODUCTION

1. The Cabinet Office has issued new policy guidance relating to how information
risk should be managed within Government Departments and their delivery
partners. This new policy introduces mandatory measures that shall be applied
at the project and programme level. Not all projects and programmes are
impacted by these measures, but many will be, and it is advised that all RTLs
and RTMs read the following Newsflash and take appropriate action.

BACKGROUND

2. Following the loss in late 2007 by HMRC of computer disks containing millions
of personal details the Cabinet Office has conducted a Review into the Data
Handling Procedures in Government. Returns submitted by departments to the
Review Team have highlighted that renewed emphasis needs to be given to the
implementation of effective Information Risk Management (IRM) within
departments.

3. The policy direction concentrates on measures to implement a sound IRM
regime within each department from the Management Board through to the
delivery of services to the public. Much of the direction reinforces existing policy,
but there are new elements and the Review makes it clear that the policy applies
equally to the department and its delivery partners. In this respect Departments
must insist on action where they can, and seek to influence others where
necessary.

4. There is overwhelming evidence to show that taking IRM into consideration
early in the project lifecycle delivers benefit in terms of reducing the cost of re-
design and re-work. This is applicable not only to specific ICT projects, but to
any programme where ICT resources are used within the design, build or
delivery of a service. For example a very large construction project has to rethink
the security of the ICT resources used by its design partner, because of the
potential threat that unprotected access to the designs might have on the
security of the installation being built.

PROJECT RELATED MEASURES

5. With immediate effect departments should be implementing a range of
measures for new projects and they should be conducting a risk-based analysis
of whether they should retrospectively implement them for existing projects:
a. IRM Measures Applicable to All Projects.

(1) Accredit all ICT systems [1], handling protectively marked material. Special
note should be made of the fact that the confidentiality of aggregated information
often requires higher levels of protection than that afforded to individual items of
information.

(2) Mandatory use of the OGC model contract clauses relating to information
risk.

(3) Appointment of an Information Asset Owner (IAO). Within every organisation
a senior individual must be appointed from within the business to be the IAO.
The role of the IAO is to understand and address risks to information and ensure
information is fully used within the law for the public good.

b. IRM Measures Applicable to Projects Handling Personal Data.

(1) The definition of Personal Data has changed, and mandatory measures to
protect it have been strengthened.

(2) The use of Privacy Impact Assessments (PIAs) by projects is mandatory for
all new projects which involve the use, disclosure or sharing of personal data.
Details about PIAs are contained in a new handbook produced by the
Information Commissioner. See
http://www.ico.gov.uk/upload/documents/pia_handbook_html/html/1-intro.html for
further details.

6. A copy of the Report from the Data Handling Review can be found at:
http://www.cabinetoffice.gov.uk/csia. Any questions relating to this policy change
and/or its application should be addressed to: datareview@cabinet-
office.x.gsi.gov.uk.

RELEVANCE TO THE GATEWAY REVIEW PROCESS

7. Consideration of risk management is an integral part of the OGC Gateway
Review process and therefore, where relevant, RTLs and RTMs should consider
information risk alongside other sources of risk. However, before discounting
consideration of information risk when reviewing non-ICT projects, it would be
worth considering whether aspects of the project in the design, construction or
delivery stages might involve information that should be afforded protection to
ensure its integrity, availability or confidentiality. [2]

8. In due course, when the Gateway Review Workbooks are due for amendment
these aspects of Risk Management will be reflected in the new versions, but until
then, RTLs and RTMs should, in appropriate projects and programmes, ensure
that IRM is addressed. Where a project specifically delivers an ICT based
capability areas to probe would include the accreditation status of the project and
the existence of an identified Information Asset Owner. Additionally, where the
project involves Personal Data areas to probe would relate to the use of a PIA,
knowledge of the changes to the degree of protection to be afforded to personal
data and compliance with the Data Protection Act.

CONCLUSION

9. The new Cabinet Office policy relating to IRM makes mandatory changes,
which will impact on how projects and programmes deal with information risk
issues. With immediate effect all Gateway Reviews being undertaken on projects
and programmes that are impacted by this new guidance should ensure that
they probe for evidence that the new policy is being applied.

10. if you require any further guidance on this matter please do not hesitate to
contact me.

Phil Kemp

Head of OGC Brand Assurance

OGC Major Projects Directorate

1 Horse Guards Road

London

SW1A 2HQ

Tel: 020 7271 1495

Email: phillip.kemp@ogc.gsi.gov.uk

[1] Departments should refer to existing CESG guidance when considering the accreditation of
systems that do not handle protectively marked material but where assurance in the integrity and
availability of the system and the data it carries is required.

[2] Departments should consider CESG's IS2, it aligns Risk Management and Accreditation
processes with the OGC Gateway Review Process.
*************************************************************************************************
*************************************************************************************************
                                           **********

                  OGC GATEWAY NEWSFLASH 31



Data and Information Security – Guide for Review Teams

Dear

Attached is a Data and Information Security guide for all OGC GatewayTM Review
Team Leaders and Members. This document is not a substitute for departmental data
and information security policies but should be used as a tool to ensure that reviewers
support the Governments data and information security policies.

Please read the document, ensuring that you are aware and supporting the
Government data and information security policies.

Kind regards,



OGC Gateway Team
  OGC Gateway™ Process
                                                                      Gateway to success
  Data and Information Security – Guide for Review Teams


 How to use this Guide

 This guide is intended for OGC GatewayTM Review Team Leaders and Members who will be conducting a Gateway
 Review. This document is not a substitute for departmental data and information security policies but should be
 used as a tool to ensure that reviewers support the Governments data and information security policies. This
 document can also be used by the SRO and programme/project team for awareness of data and information security
 within central Government. If you require guidance on programme/project Information Risk Management (IRM) or
 the Privacy Impact Assessments (PIA), which are mandatory for all new projects that involve the use, disclosure or
 sharing of personal data, links to the appropriate websites have been provided within this document.


 Data and Information Awareness

 In order to conduct a Gateway Review, review teams are provided with programme/project documentation that will
 have the appropriate security markings identified by the programme/project team. At the Assessment and Planning
 meetings, the programme/project should be asked to identify any information and data security practices that may be
 required and agree the detailed practical arrangements for exchange, storage and disposal of programme/project
 documentation giving regard to the following guidance:

 1. Know what you have - Information is a significant business asset for Government and is key to the delivery of
    business. All reviewers should understand the application of the protective markings and document security
    scheme (see Annex A). This includes awareness of how the data or information in your care should be stored,
    posted, emailed and disposed.

 2. Look after information - All reviewers have an individual responsibility to ensure that all appropriately
    marked, sensitive or critical business information provided to them, whether on paper or in electronic form is
    secure at all times.

 3. Commercial and Personal information – Programmes/projects may hold sensitive commercial or personal
    information. Should reviewers receive any documentation that is commercially sensitive or holds personal
    information, they are responsible for ensuring that the data or information is secured.

 4. Laptops – The following advice and guidance is provided for the use of all laptops:
         Take care of laptops when in transit - don’t leave them unattended.
         Avoid drawing unnecessary attention to portable IT equipment especially if travelling or passing
            through public areas.
         Be particularly alert when leaving laptops to go through x-ray machines at airports, etc.
         Leave laptops out of sight in locked hotel rooms.



Office of Government Commerce, Zone 4/E1 & 4/E2, 4th Floor, HM Treasury, 1 Horse Guards Road, London SW1A 2HQ
Service Desk: 0845 000 4342 E: ServiceDesk@ogc.gsi.gov.uk W: www.ogc.gov.uk
             Lock laptops in the car boot rather than inside whilst on the road but be aware of potential thieves
              observing you placing a laptop in the boot.
             Laptops must not be left in your vehicle overnight.
             Store any access key devices away from the laptop and make sure that there is no indication of their
              purpose.
             Take care of the information when you are travelling - remember fellow travellers can look over your
              shoulder if you are working on information private to the programme/project.

5. Transmission of Materials and Data – Restrictions for the transmission of classified data (e.g. material marked
   as Restricted) may apply (see Annex A). Reviewers should consider transmission methods at the Planning Day
   and use alternative options if appropriate (e.g. onsite reading days or hard copy transfer of documents).

6. Disposing of Data and Information – As a reviewer, you are responsible for ensuring that all data and
   information (electronic, hard copy - including notes) that has been provided to you for the Gateway Review or
   generated by you for the Gateway Review is provided to the programme/project team for disposal at the end of
   the Gateway Review. Any reviewer that is discovered to be holding any data or information after the Gateway
   Review is completed (including the Final Gateway Review Report) may have their Gateway Reviewer
   Accreditation revoked.


Procedures for Misplaced Data or Information whilst in a Reviewers Care

If you are conducting a Gateway Review and have become aware of data or information in your care that is missing,
the following steps must be taken:
           You should identify the last time the information was seen and take appropriate actions (e.g. contacting
              the lost and found services at the appropriate train station, train services, nearest police station, etc).
           The SRO and programme/project team must be contacted to inform them of the incident and actions
              that you have taken to try and recover the data and information. The programme/project team may
              request that further actions be conducted, if deemed appropriate.
           The Review Team Leader (RTL) who is leading the Gateway Review should be informed of the
              incident. The RTL will be responsible for ensuring that the appropriate Gateway Representative within
              the Department (i.e. DGC) is informed of the incident, as is the Gateway Hub (i.e. OGC, MoD, DH,
              etc).


Further details

             Information Commissioner Office – Privacy Impact Assessments (PIA)
              http://www.ico.gov.uk/upload/documents/pia_handbook_html/html/1-intro.html.
             A copy of the Report from the Data Handling Review can be found at: www.cabinetoffice.gov.uk/csia.
              Questions relating to this policy change and/or its application should be addressed to:
              datareview@cabinet-office.x.gsi.gov.uk.




                                                                                                                   2 of 47
                                         Annex A – Protective markings and document security – extract

Marking                                    Which level of document classification to choose                              Storage                                                                         Disposal                                                                       Postage                                                         Emailing Classified
                                                                                                                                                                                                                                                                                                                                                           Documents
                              Cause substantial distress to individuals




                                                                                                                         with Mersey Key (double sided)
                                                                                                                         lockable cabinet. CONFIDENTIAL should be stored in a Security Cabinet
                                                                                                                         PROTECT and RESTRICTED material may be kept in any suitable


                                                                                                                                                                                                 SECRET documents must be formally recorded.
                                                                                                                                                                                                 placed into the confidential waste bin. Destruction of SECRET and TOP
                                                                                                                                                                                                 CONFIDENTIAL documents should also be torn in four pieces before
                                                                                                                                                                                                 material is by shredding or use of the confidential waste bins.
                                                                                                                                                                                                 The most secure and environmentally friendly way of disposing of sensitive



                                                                                                                                                                                                                                                                              envelope marked CONFIDENTIAL top and bottom in red.
                                                                                                                                                                                                                                                                              RESTRICTED however a Double envelope is required with the inside
                                                                                                                                                                                                                                                                              can be sent through Royal Mail. CONFIDENTIAL is identical to
                                                                                                                                                                                                                                                                              marked “Addressee Only” – with no classification on the envelope. This
                                                                                                                                                                                                                                                                              RESTRCTED should be addressed to an individual by name or job title and



                                                                                                                                                                                                                                                                                                                                                        subject line of an email.
                                                                                                                                                                                                                                                                                                                                                        Remember to include any security classification/privacy marking in the

                                                                                                                                                                                                                                                                                                                                                                                                                                 secure. This should be discussed at the Assessment and Planning meeting.
                                                                                                                                                                                                                                                                                                                                                                                                                                 may be required before the Gateway Review, ensuring that the data remains
                                                                                                                                                                                                                                                                                                                                                                                                                                 after the Planning Meeting but within the programme/project teams office
                                                                                                                                                                                                                                                                                                                                                                                                                                 RESTRICTED and cannot be sent over the “gsi” network, a Reading day
                                                                                                                                                                                                                                                                                                                                                                                                                                 which is either UNCLASSIFIED or PROTECT. Where documents are
                                                                                                                                                                                                                                                                                                                                                                                                                                 Addressees outside the “.gsi” community may only be sent information
PROTECT                       Breach proper undertakings to maintain the confidence of information provided by
                               third parties
                              Breach statutory restrictions on the disclosure of information (except the Data
                               Protection Act – which can be addressed by other impact statements and or/the e-
                               government Security Framework).
                              Cause financial loss or loss of earning potential to, or facilitate improper gain or
                               advantage for, individuals or companies
                              Prejudice the investigation or facilitate the commission of crime
                              Disadvantage government in commercial or policy negotiations with others

                    For documents that would be likely to:
RESTRICTED                  Adversely affect diplomatic relations
                            Cause substantial distress to individuals
AND                         Make it more difficult to maintain the operational effectiveness of security or UK
CONFIDENTIAL                 allied forces
                            Cause financial loss or loss of earning potential to, or facilitate improper gain or
                             advantage for, individuals or companies
                            Prejudice the investigation or facilitate the commission of a crime
                            Breach proper undertakings to maintain the confidence of information provided by
                             third parties
                            Impede the effective development or operation of government policies
                            Breach statutory restrictions on the disclosure of information (except the Data
                             Protection Act – which can be addressed by other impact statements and/or the e-
                             Government Security Framework
                            Disadvantage government in commercial or policy negotiations with others
                            Undermine the proper management of the public sector and its’ operations


NB: The information provided above should be seen as a guide only. Data and Information Security for the Gateway Review must be checked with the
programme/project team at the Assessment and Planning Meeting. The storage, disposal, postage and emailing of Secret and Top Secret Data and Information
should be discussed with the programme/project team at the Assessment and Planning meeting. Where deemed appropriate by the programme/project team and in
consultation with the review team, the review team may be required to have an internal Reading Day within the programme/project office before the Gateway
Review is conducted.




v1.4                                           Page 46 of 47                                              03 Sept 2008
v1.4   Page 47 of 47   03 Sept 2008

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:11
posted:6/12/2011
language:English
pages:47