Info Management Plan Map highlighting the Policy and Procedure stage of the process.

Information Management policies and procedures underpin the Information Management Plan in supporting information management priorities.  This includes how the information will be created and managed, appropriate to risk, and specific to agency context.

Relationship to the Information Management Standard

Information Management policies and procedures are the formal mechanisms outlining how information management priorities will be supported by your agency.  This includes how the information will be created and managed, appropriate to risk, specific to your agency’s context (Behaviour 2.2).

Your agency should have a clear strategic vision of its own information management values and practices.  This will assist in fostering an organisational culture that values and manages information as an asset and supports business objectives and activities (Behaviour 1.5).

All staff should be inducted and trained in information management policies and procedures (Behaviour 1.4).  Staff adherence to the information management policies must be monitored and addressed as required (Behaviour 2.9).

Policies and procedures should be regularly reviewed to ensure they continue to support your agency’s business and information requirements (Behaviour 2.8).

Information Management Policy

Develop the Information Management Policy (Policy) as a high-level set of requirements to be implemented according to the scale and complexity of your agency or business function, and the level of risk. It should contain objectives that reflect the principles and behaviours in the Information Management Standard as well as address your agency’s information requirements (Behaviour 2.2).

An Information Management Policy:

  • takes an agency-wide approach. It applies to all functions where information assets are created, controlled, stored, preserved, retained, destroyed or transferred
  • is developed within the style and structure of your agency’s policy framework
  • is broad and should remain applicable over time
  • should be short, concise and easily understood by the reader to communicate the guiding principles for creating and managing your agency’s information assets
  • should be formally authorised by an appropriate senior manager and sent to staff, contractors and volunteers that create or access the information assets
  • should contain links to related policies
  • should be easily accessible
  • has a policy owner and is reviewed regularly and updated.

The Policy can be a single document, or the requirements can be built into one or more existing policies, such as an Information or Cyber Security Policy, an Information and Data Access Policy, a Risk Management Policy, etc.

Generally, your agency should have policies that cover:

All information management policies must comply with relevant Standards, including Information Security and Cyber Security requirements.

Information Management Procedures

An Information Management Procedure:

  • provides step-by-step instructions to achieve the objectives in the Policy
  • includes a detailed description of activities, including what, how, when or who
  • should be regularly reviewed and updated to reflect any process changes or responses to regulatory changes and risk
  • is easily accessible
  • should be short, concise and easily understood.  Lists, tables, checklists and drawings are useful ways of presenting guidance in a concise manner
  • should have a procedure ‘owner’ who is responsible for reviewing, updating and championing its use.

Procedures should be developed according to need.  This will be dependent on the:

  • size and complexity of your agency and the functions it performs
  • level of regulatory compliance and risk, requiring rules-based controls
  • amount of detail required to provide the appropriate level of operational guidance.

A small agency might only need one or a few procedures covering the main aspects of information management practice, whereas a large agency might need many procedures detailing information management practice for the different functions of the agency.

Information management requirements can be set out in one or more standalone procedural documents or built into other procedures.  For example, incident management planning for information assets can be included in business continuity planning and procedures, or kept as a standalone plan or procedure.

Your agency should also ensure it has processes in place for engaging with third-party providers who will manage information assets on your agency’s behalf, in particular those assets that are sensitive or contain personal information.

Review and adherence

Policies and procedures should be reviewed regularly to ensure they remain up-to-date, relevant and continue to support your agency’s information requirements (Behaviour 2.8).  Regular review ensures:

  • changes to regulatory or business requirements are incorporated and communicated to staff
  • policy gaps are identified and addressed
  • feedback received from stakeholders can be incorporated to improve current policies and services.

A large part of the success of the Information Management Program, and in turn fostering a culture that values information, relies on staff adherence to information management policies and procedures (Behaviours 1.5 and 2.9).  It is important to educate and train staff (Behaviour 1.4) appropriately in:

  • the value of your agency’s information assets
  • their information management responsibilities
  • the relevant information management and business systems
  • your agency’s information management policies and procedures.

All relevant policies and procedures should be communicated to staff.  Training should be provided where required.  If appropriate, staff should provide an affirmation that they have read and understood the policies applicable to them.

Page last updated: 21 April 2023