07. Information Governance

Evaluate what user data and information the digital service will be providing or storing, and address the security level, legal responsibilities, privacy issues and risks associated with the service (consulting with experts where appropriate).

How point 7 improves their service

Users won’t use their service unless they can guarantee:

  • it’s confidential
  • they can access their information in the service when they need to

How they’ll be assessed

Their assessment and the questions the assessors ask them will vary depending on their service and what it does.

In the discovery assessment

To pass the discovery assessment, the service team usually needs to show:

  • they’ve identified what user data they’ll be collecting and storing during alpha
  • that they’re aware of legislation, guidance, and policy that is applicable to their service
  • they’ve a plan in place to identify threats to the service

In the alpha assessment

To pass the alpha assessment for point 7 they usually need to explain:

  • how they’ve identified threats to their service, including potential pathways for hackers, and tested ways of reducing them
  • how they plan to keep up to date about threats to their service and how to deal with them
  • any threats of fraud (fraud vectors) which exist and the controls they’re prototyping

In the beta assessment

To pass the beta assessment for point 7 they usually need to:

  • describe their team’s approach to security and risk management
  • describe the security and privacy threats to their service, how they keep their understanding of them up to date and how their understanding of them has changed
  • explain the fraud vectors that exist and the controls they’re putting in place
  • describe how they’ve worked with the business and information risk teams, eg the senior information risk owner (SIRO), information asset owner (IAO) and data guardians, and how they’re working to meet any security regulations without putting delivery at risk
  • describe any outstanding legal concerns, eg how they’ll protect data or their policy on sharing it
  • present their cookie and privacy policy and explain how they arrived at it and any changes to it