NetIKX meeting on Information Asset Registers

Information Asset Registers are inventories of records systems and other information assets. The UK Government now demands that all government departments and public bodies compile them, in the interests of information security. What are they, how are they created – and what other uses do they have? Are they relevant to private sector and third sector bodies?

(This is a report by Conrad Taylor of a meeting of the Network for Information and Knowledge Exchange, held in London on 17th November 2010.)


The Network for Information and Knowledge Exchange meets in London throughout the year. For more information, visit the Web site.

This meeting of the Network for Information and Knowledge Exchange took place in the afternoon of 17th November 2010, and was so popular that the venue had to be changed. We met in a top-floor room at the British Dental Association, a well-appointed space which easily accommodated the NetIKX meeting pattern, in which one or more presentations in plenary are followed by some small-group syndicate work.

In this instance, a single presentation was given by Dr Alec Mulinder of The National Archives (TNA). We then split into three syndicate groups, and each group heard in turn three case studies, from presenters who made their rounds of the tables. The event had been organised by Noeleen Schenk, and Graham Robertson of Bracken Associates; Graham chaired the meeting.

In the account that follows, the case study accounts are based on what happened at the table that I was on: other group conversations may have proceeded differently. At the end, I append my own reflections.
 


Dr Alec Mulinder on ‘Information Asset Registers: Purpose, Scope and Design’


 
Dr Alec Mulinder works at The National Archives, in Change Management and IT Service Continuity. He has been seconded to the Digital Continuity Project, to write best-practice guidance for the UK government sector about how to ensure continuity of its digital information.

Alec reminded us that in 2007 there had been a number of high-profile losses of collections of personal data about citizens, by various departments of government such as DCMS and HMRC.

The government response to this was to set up the Data Handling Review, which led to the Hannigan Report in 2008; this in turn led to the defining of the government’s Security Policy Framework or SPF (see http://umbr1.cabinetoffice.gov.uk/spf.aspx), and the HMG Information Assurance Maturity Model or IAMM (see http://www.cesg.gov.uk/products_services/iacs/iamm/index.shtml).

Considering the political circumstances, it is understandable that the urgent emphasis was on Information Assurance; nonetheless, Alec believes that these concerns can be seen as fitting within a broader Information Management agenda.

(Later in the day, there was mention of an earlier IAR project in the late 1990s at the Department of Health, led by TSO. In that case, the focus of the project had been on understanding the information base so as to open it up to the private sector – therefore, there wasn’t the same focus on security.)

The Data Handling Review defined two roles which should henceforth exist within government departments. The Senior Information Risk Officer (SIRO) would be a single senior officer responsible to government for a department’s handling of ‘risky’ information and data. There would also be one or more, probably several, ‘Information Asset Owners’, whose responsibility it would be to protect the information under their care, but also to ensure that it would be shared as appropriate and exploited for the benefit of the business.

Assets, registers and templates

This begs the question of just what an Information Asset is. The National Archives has evolved a working definition in collaboration with the Information Assurance Policy Committee: ‘An Information Asset is a body of information, defined and managed as a single unit so that it can be understood, shared, protected and exploited effectively.’ Spelling this out, Alec remarked that information assets have recognisable and manageable value, risk, content and lifecycles.


The phrase about an asset being managed as a single unit shows the direction that government wants to go in terms of governance and responsibility. Within any given department, the SIRO is to delegate responsibility for the management of information assets by appointing Information Asset Owners who will identify just which units or clusters of information will be considered to constitute an asset.

A Department is then expected to document all of its identified Information Assets within an Information Asset Register. The TNA working definition goes: ‘An Information Asset Register is the means by which you document the relationships between your business requirements and your information assets.’ It is therefore apparent that TNA believes an IAR should be more than just an inventory.

To assist government departments in creating and maintaining IARs, the TNA has developed a template for IARs, and this is available online. The template addresses these issues:

  • Who has to be able to find this information?
  • What resources do they need to be able to access and open it?
  • How are you able to use or work with this information?
  • Is it possible for users to understand what the information is, and what it is about?
  • Can you trust that the information is what it says it is?

The TNA guidelines suggest that when you construct an Information Asset Register, you should do so in a way that makes it valuable to you and to your business. As an optional but highly recommended extra, you should also map the technical dependencies of your information assets, being aware that future changes to technology could impact changes to information, and vice-versa.

It is not necessarily the case that an Information Asset should all be stored in a single location, so long as it can be managed in a unified way, but it is highly recommended that there should be a Master Copy. Alec noted that there could be a role for configuration management practices in assuring continuity for information management systems of this kind.

Departments are also being told that they should not forget to include the information that is managed on their behalf by ‘arms length’ bodies and by third parties.

Implementing IARs in practice

Implementation of Information Asset Registers is now under way. Jennifer Perkins at DCMS has designed their IAR, and has also helped the British Library to design theirs. At the Home Office, the IAR has been designed by David Critchley. The Ministry of Defence has created a very good IAR, which Alec described as being quite a sophisticated piece of software.

The structure of IARs varies from one body to another, but there are a lot of fields which crop up again and again, such as the volume of information, the format, access controls, retention and disposal dates, whether there is risk attached to the information, whether it is shared with other bodies including arms-length bodies and third parties, location (physical and logical), whether it is unique or duplicated, title and description fields, and a unique ID for tracking.

In defining Information Assets it is also important to be clear about ownership and responsibilities, and to take this to some degree of detail, including who sets them up, and their ongoing management. According to the Data Handling Review, the SIRO is supposed to define a Senior Responsible Officer who should manage a multidisciplinary team including IT people, information assurance professionals, information management professionals and so on.

What is the difference between an Information Asset List and an Information Asset Register? The government’s Information Assurance Maturity Model had already mentioned Lists. It seems that the Office of Public Sector Information (OPSI) then adopted the term ‘Information Asset Register’, though Alec suggested that the OPSI use of the term does not mean anything much different from a simple list of the information assets held.

It has been TNA and the Information Assurance Policy Committee who between them have taken the definition further. At the same time they have recommended that a department or body need make their IAR only as complex as it needs to be to meet their business and security need: it need go no further.

The first step is an information audit

Alec suggested that the first step in setting up an Information Asset Register should be to conduct an Information Audit, or perhaps people would prefer the term Information Survey. This need not be built from scratch, as it is highly likely that there will be available information about the assets that has already been collected.

For example, the records management systems will probably contain existing retention and disposal schedules. Even if they are out of date, it is a start. There may even be an old abandoned Information Asset Register or Information Risk Register to build on, or some business catalogues. IT departments also have a lot of information in their systems that can help.

Challenges and costs

Building an Information Asset Register takes effort, and is obviously not without cost. This is a challenge in the wake of the Comprehensive Spending Review: there are going to be fewer people to do more work on all fronts. However, setting up an IAR needn’t be expensive: the output could be as simple as a Word document or a spreadsheet.

Building an IAR needn’t be expensive, and there is a cost to doing nothing.

Alec reminded us that there is a cost to doing nothing, and referred to the ‘FOGBANK fiasco’… In the late 1990s the US government decided to refurbish the W76 class of thermonuclear warheads. It was discovered that there were no records of the manufacturing process for a highly classified chemical substance used within the warhead ignition train, codenamed FOGBANK. Documents about the manufacturing process had been lost, Facility 9404-11 where it had been made had long been decommissioned, and people who worked on the project had moved on or retired. The extra cost of meeting the information gap was at least $67 million, and the refurbishment programme was delayed by several years.

Change is a challenge, as always; all organisations go through structural change that impacts on information, and those changes have to be managed through the Information Asset Register. People change jobs or leave, and there are constant changes in technology; business drivers also change year by year.

Opportunities unlocked by the IAR process

The creation of an Information Asset Register can however also bring a number of opportunities. By mapping the technology resources applied to information, it is made easier to identify what is redundant, what is out of date, and what needs to change. It can show which systems could be integrated, and it can focus and prioritise investment by helping you concentrate on the information assets that are most important to the business. The BBC do this in their Information Asset Register; in their case, they prioritise according to the marketing potential of their information.

An Information Asset Register helps the organisation identify efficiencies and savings through better knowledge and management of what it has. At TNA they have developed a tool called DROID (Digital Record Object Identification), a free-of-charge, platform-independent file recognition application which scans through servers, and probes into the internal byte sequences of digital files to identify what file format and even what specific version of the file format they are.

As a test, DEFRA ran DROID 6 on just one of their servers: they discovered that 30% of the information they were holding was more than seven years old, and some of that was no longer usable; much of the information was obsolete in business terms, and much of it was duplicated. Had they run DROID 6 across all their servers, you might expect it would point towards quite considerable potential savings.

Increased efficiencies can also come through re-use of hardware, software and information, especially when applied to the unstructured information on shared drives. Many organisations don’t manage this resource, but it can be exploited to deliver a great deal of business value if it can be re-used; and IARs help us to identify and target those resources.

Compiling an IAR can also build in better management controls to information risk registers, and business continuity plans and policies, and these can also be linked to control-based processes and change processes, IT change management, and programme and project management. If you have an IAR and an IT service catalogue, or a business portfolio of services, you can link them all in. Any change to one that will impact the others can then be more easily tracked.

IARs naturally help with issues of legal compliance, and there are huge benefits for auditing purposes. It gives better focus to measuring and reporting, and helps to develop an information management lifecycle.

Getting going, getting help

What are the next steps? Getting an information survey is crucial and it is also important to map that to the technology infrastructure for information. The important point here is collaboration between information management and the IT department: what we could really do with is a new breed of people who are more versatile and familiar with the cultural divide between IT sectors and information management sectors. They really need to share the same language – or at least, understand each other’s languages.

TNA has loads of guidance on their Web site about IARs, the role of the SIRO, the role of Information Asset Owners, how to map information to business need, and to technology. They will also be running free training events, the first of which will be in January 2011.

TNA can go out and help public sector bodies to do information management assessments, and give advice. However TNA is not involved in ‘enforcement’ – that is the job of the Information Commissioner.

For more information, see http://www.nationalarchives.gov.uk/information-management/projects-and-work/digital-continuity.html
 


 
Case study syndicate sessions

The process here was that we had already sat ourselves around three tables, each with about a dozen people. In turn we heard from Noeleen Schenk, Chris Beetham and Bob McLean.
 


Noeleen Schenk: two case studies from ‘arms-length bodies’


Noeleen Schenk is a highly experienced management consultant, specialising in all aspects of information, content and knowledge management. She works with both the public and private sectors.

 
Noeleen described the IAR process for two ‘arms-length’ bodies in the cultural heritage sector: the Tate Galleries, and the Natural History Museum. Each had taken quite a different approach to this task. Noeleen’s involvement in both was as an external consultant, providing peer-to-peer mentoring and training to make sure that these bodies developed the internal capacity to continue the process after she had left.

In both cases, Information Asset Register projects were undertaken as a response to the requirements of the Cabinet Office Security Policy Framework (SPF). All arms-length bodies received a letter from their sponsor department, demanding compliance, including Information Assurance Standards numbers one to six. (Numbers one and two talk about IT security, number six talks about handling personal information; these are ‘scary documents’, says Noeleen, and they are also hard to understand.)

The other drivers for these two organisations were increased awareness about the risks around potential loss of data, data integrity, risks to confidentiality, and appropriate access policies so that the right people get the right information at the right time. In fact, said Noeleen, this side of the requirement is simply the standard records management and library agenda.

What was new and urgent was the need to comply with the new reporting requirements: the head of every arms-length body is required to report every quarter and every year to the sponsor body, and this report goes up to the Cabinet Office. Assurance is required that your information is being looked after properly, and part of that requires confirmation that you know where and what your assets are, and who is using them.

If there have been any losses, you must report those too, and say what remediation path has been followed. If the data loss has included private personal data, there must also be evidence that the issue has been escalated appropriately.

An appropriate and proportionate response

Both these organisations approached the IAR issue from a risk-based perspective. They quickly realised that not all seventy listed compliance requirements applied to them: for example, the counter-terrorism issues were in their case irrelevant. Because they needed to do something quickly and without spending much money, they quickly sorted out which issues applied to them and which didn’t, and it worked out at about 50 percent.

Both these bodies realised that they didn’t have a department naturally responsible for creating the Information Asset Register and ensuring information governance and assurance. In the Natural History Museum the Director of Human Resources became the SIRO, and worked with the IT department and Records and Archives.

Within the Tate, the SIRO is the Director of IT, who then worked with the Director of Collection Care, who had a regulatory responsibility to look after all the information around the collection; their Records Management team was roped in as well. Both of these approaches were expedient, and tailored to the business model of each organisation.

IAR at the Natural History Museum

The Natural History Museum first made a gap analysis of the Security Policy Framework requirements against what they had currently got in place in terms of policies, procedures and ways of working. From that, Noeleen worked to create an overarching information assurance framework, and then drew into this all the issues of IT security, physical security, security of the information and data handling processes.

This included the creation of a PIA, a Privacy Impact Assessment. If you add a new system or create a new process, you should do a PIA to make sure you are still looking after your data properly. At the NHM they were also very clear in defining roles and responsibilities right at the beginning, in terms of defining who was the SIRO, who were the Information Asset Owners, what would be the roles of the Heads of Department and so on.

To create the IAR, they started from what they already had. They had already done a Vital Records Survey, so they already knew all the key records that were vital and valuable to the organisation. They also had a retention schedule, signed-off and up to date. So they combined those two, and structured the IAR by records series. That was taken back to the Department to be signed off, after which they added extra columns and brought them back to the Museum staff in a quest for further information. As for the Master List, that was looked after by the Archives and Records Management team: thus there was a recognised owner, and a recognised process for keeping it up to date.

The key fields captured included:

  • the record series (and a description of what it was)
  • the owner
  • protective marking required (this is based on the Government scheme for protective markings e.g. unprotected, protected, confidential, secret and top secret)
  • access rights
  • information sharing protocols
  • storage requirements
  • retention schedule

IAR at the Tate

The Tate approached this very differently. They devoted less time to it, and less money. It should also be said that there was less political buy-in internally. The driver came from the IT support team, building on a security issue that had been raised in an internal audit. Noeleen did a skeleton study for them on their information security, looking at it from the IT point of view; but then pulled that into a wider framework about managing their information and knowledge overall, because they did want to move that up a level.

They created a work-plan, to remediate the immediate IT security concerns, and the Information Asset Register became a natural outgrowth of this because it was recognised that without knowing what you’ve got, who’s got it and where it is, you cannot manage and mitigate IT risk. Within that, they created the information security policies. (In fact, Noeleen was able to recycle much of what had been developed for the Natural History Museum in terms of access rights, data handling and so on.)

In terms of internal process, this was done by getting together a group with representatives from the key business functions. In contrast to the NHM where the record series provided a starting point, at the Tate they started by defining the key categories of information which they hold: information about the collection, information about the movement of the collection, about its valuation, about the artists and so on. Because this is all in any case governed by legislation about the kind of information they have to collect, it made sense to break the information down that way.

Within each of those categories they then identified all of the repositories, the protective markings, the access rights and so on. When all of that was collated, it was then sent back to the Information Asset Owners to verify and to fill in any gaps. The other aspect that they looked at was business continuity, asking, ‘How long could you carry on working without this information?’ That helped the IT department make sure that the business continuity plans they had would meet business need.

The lessons learned

Coming to the lessons learned, Noeleen highlighted the need to identify right from the outset all the stakeholders: IT, HR, information security, building security, records management, directors and heads of department and heads of teams. The importance cannot be overemphasised of making sure that all these people understand their roles, clarifying them if need be.

Response to the demand for an IAR should be proportionate to the organisation’s risk and resources.

Another lesson is to make sure that the response to the demand for IAR reporting is proportionate to the organisation’s risk, their resources and indeed their appetite for risk. When people realised that the response was going to be proportionate, Noeleen found she got plenty of stakeholder buy-in.

For example, neither the Tate nor NHM have to lock everything down to an MoD standard of security! (Frankly, if information has a protect marking of Confidential or above, the level of encryption you are required to apply is very expensive to implement. These two bodies were lucky not to have that kind of costly security requirement.)

Another thing which should be embedded from the beginning is a training process. A cultural change is needed, whereby people begin to realise that information isn’t theirs alone, that it belongs to the organisation and that they should treat it as valuable. Most people in organisations are still very casual about information, and one of the hurdles that Noeleen had to overcome was to get the HR departments to recognise the importance of this and come up with funds for the training.

It was also challenging to try to get senior managers to ‘walk the talk’. It’s all too common to find that senior managers direct staff to treat information in a better way, but they don’t change their own old habits; for example they might still keep their passwords stuck to the bottom of their keyboards. People learn from example; if you see that your senior manager doesn’t care, why should you?

Organisations are constantly being beset with new trends, new directives, new issues to chase, so there can be a problem in maintaining momentum. The key is to make sure everyone understands the purpose of the IAR process and what its value is. It helps if you can keep it simple, not larger and cleverer than it needs to be. Nor does it have to be perfect the first time round; you can improve the system incrementally, so long as you can keep the enthusiasm and momentum going.

Hopefully the Information Asset Register process actually results in something that makes people’s daily work easier. If you need access to some information, an IAR can give you some clarity about how to look for it. For that reason, the IAR should be a document freely available to staff within the organisation: neither the Tate nor the NHM would put an IAR on the public Internet, but it was certainly available on their Intranets.

Noeleen reported that the process at NHM took about nine months full time until she left them to get on with it, and at the Tate it took six months. Alec reported that Jennifer Perkins, who did the DCMS and British Library IARs, also said six to eight months was standard.
 


Chris Beetham: Department for Work and Pensions


Chris Beetham (foreground) leads the Department for Work and Pensions project to develop, implement and maintain an Information Asset Inventory supporting improved information risk management. In the background is Graham Robertson, who organised and chaired this NetIKX meeting.

 
Chris Beetham has worked at the DWP for a long time, and for the last two years specifically in information management. He was specifically brought in in December 2008 to put in place what they call an ‘Information Asset Inventory’.

This was happening after the October 2007 HMRC loss of two CD-ROM discs containing personal data of millions of child benefit claimants, and the Department had a Permanent Secretary who knew that there but for the grace of God he might have gone the way of Paul Gray, who ‘resigned’ as Permanent Secretary of HMRC over the matter.

Roles and responsibilities from top to bottom

Their first step at DWP had been to appoint a SIRO who had some serious clout within the Department: a man who had been the Director of their Legal group, and who is also a specialised risk practitioner. He really had the ideal background for his new role.

Their next step was to identify Information Asset Owners, and they appointed one for each of DWP’s thirteen key business areas. (A business area might be ‘Human Resources’, for example, or a large customer-facing section such as ‘Jobcentre Plus’.) The people appointed to be IAOs were primarily finance directors, because it is a DWP practice to appoint finance directors who are also risk practitioners. These people were to carry out their IAO duties on top of their main job.

The Information Asset Owners were made to understand what they were going to be accountable for, and what was at stake for them personally. This was done because if you do not get buy-in from the senior managers, it is going to be virtually impossible to put an IAR in place. Rightly or wrongly, DWP deployed fear as the motivating factor!

Some of the areas of responsibility of the IAOs are huge. The Jobcentre Plus part of the business has 97,000 staff, and a vast amount of information flowing through it. Obviously the IAOs cannot do this job by themselves, and they don’t do it on a day-to-day basis, but they must make sure that the risks are effectively managed within their patch.

Within DWP there are also Information Asset Co-ordinators. Whereas IAOs tend to come from risk management, Co-ordinators typically have a security background. They have the right attitude of vigilance and inspection, and they know most of the systems already because they have been responsible for ensuring that there are no security breaches. So with this third level established, the DWP had a structure in place to investigate information assets right down to shop floor level and across all departments.

Chris’s job was to act in an advisory capacity, not to remove any risk management responsibility from anyone. At first he adopted the job title of ‘Information Asset Manager’ – but that appellation had to be dropped because the DWP then invented a class of responsible officers called Information Asset Managers, amongst whom the identified assets were divided and assigned at a level below the IAOs.

There are now about 500 people at DWP with this Information Asset Manager title, and they are typically people who have a close business relationship with the information. Some manage one asset, some as many as ten.

All these roles have been derived from the Cabinet Office guidelines, but then built upon. It has taken two years to embed this structure and it has not been without some pain and confusion, but on the whole it has been successful.

The inventory, reporting, and improvement

The Inventory currently documents about 7,500 Information Assets – nor is this yet completely comprehensive. Chris’s role is to collate all this information every quarter. All the business areas know they have to comply, and each quarter they send Chris a snapshot of what they currently have.

At an early stage, the Inventory suffered from a lack of accuracy in some areas. So it was announced that everyone reporting an Information Asset would be assessed as to how well they were completing the reports, on a traffic-light system of red, amber and green, against six key measures. Lots of people were awarded ‘red’ on their first pass – but three months later almost everyone was achieving ‘green’.

Because these processes had been initiated by Government in response to losses of personal data, the early Cabinet Office definitions of Information Assets concentrated on ‘protected personal data’. These criteria indicated that a candidate Asset would be a collection of a thousand records or more, in which people could be individually identified, and where there might be information that you would not want others to have, such as National Insurance numbers, bank account details or similar.

That gave them a basis for identifying collections of records to add to the inventory, though common sense suggests that, for example, if a dataset has even just a few records but is very sensitive data, that would be collected too.

People often make the mistake of thinking of Information Assets in terms of how their IT systems are structured.

It was a real struggle early on in the process to stop people from thinking of an Information Asset as being defined by the structure of their IT systems. For example, Chris could think of one IT system that has fifteen different Information Assets on it. One dataset is three million customers receiving pension credit, another is eleven million receiving the State pension, and another is the 500,000 who receive invalidity benefit. Each of those clusters of data is stored and used for a different purpose, even though they are all managed by the same IT system.

(Alec confirmed that there is a strong tendency for departments to think first in terms of how their IT systems are structured rather than their information.)

Reflections and looking forward

Chris suggests that some people prefer order (librarians score high for order). There are lots of people involved in Information Risk in the Civil Service who are risk-averse. Then there are those who think data.gov.uk is cool; they want to mash up data and re-use it in novel ways.

All of these attitudes to information are valuable, and worth integrating. Suppose you are able to identify 120 datasets which are anonymised and capable of being released to the public domain: you could then be contributing to the wider statistical picture. DWP already has some such information out on data.gov.uk.

Managing access versus privacy is a balancing act, and not easy to achieve. Across government there is a need to understand the demands of knowledge (what we need to know), the value of re-use of information, freedom of information, and protection. If you can take all of these into account, you are likely to build a really useful Information Asset Register.

To those four aspects, Conrad Taylor suggested we might add the demand of Quality, which he divides into two parts: the first to do with the accuracy of information, while the other is the quality of the encoding and structuring of information – attributes which make it easier to process and make sense of with machines.

Although the DWP Information Asset Inventory is set up with a strong orientation towards risk management, Chris hopes that as time goes by other facets of the information assets will be recorded in support of better knowledge management. As it is, even now they know a lot more about the information they have, and this can enable re-use, even if only because they now have a list of what they’ve got.

Malcolm Weston commented that from the perspective of a business like his which has to deal with many branches of government, it can be deeply frustrating that each department comes up with its own set of compliance rules. If all the departments are trying to achieve the requirements of one Cabinet Office document, why is there so little coherence in the approach?

Conrad wondered if the experience of the Dublin Core Metadata Initiative might be inspirational: there could be a shared common set of fields, standard across all government-reporting IAR implementations, without an obligation necessarily to use them all – plus a mechanism for extensibility where needed.

Chris replied that the Cabinet Office have given only a high-level view of what they expected, without dictating just how it should be done. He thought that is a good thing because it means that each department can structure their IAR to suit their business model. However it would be valuable to see what scope there could be for bringing in some measure of standardisation.
 


Bob McLean, Wellcome Trust

Bob McLean

Bob McLean is a Records Manager and Archivist who has worked extensively in the financial and banking sector, and is currently Information Governance Manager at the Wellcome Trust, one of the world’s largest biomedical research-funding charities. Here he is showing the Timeline from the Wellcome Trust public Web site – an interactive multimedia product derived from the Wellcome Archives.

 
Bob described the Wellcome Trust, where he is the Information Governance Manager, as a very information-rich organisation, with an archive that goes back to 1936. However, it has had a history of not organising itself well, and forgetting what it has learned in the past.

He told us about a Trust project called Infoscape, which has created an Information Asset Register with the specific purpose of bringing order and method to information management, using some discovery tools to find out about what records and information the Trust has.

They started by doing some desk research about what was already available, using the Intranet and Trust publications, to survey what the various departments did. The Wellcome Trust employed only about 500 people at the time this started, but the spread of activities is remarkably diverse. As well as departments that you might expect such as facilities, HR, IT and so on, the Trust also has public-facing activities, public engagement, science funding, and a big investments department.

Bob specifically described one department, the function of which is to look for commercial opportunities to go along with the research funding that they give out. So for example if something comes out of Wellcome Trust funded research, rather than see it fall into the hands of some large pharmaceutical company, Wellcome Trust retains some share in the intellectual property, so that income from that can be fed back into the Trust’s pool of resources for funding future research.

An information survey

Bob’s team went and interviewed every single department – probably about 50 interviews all together, over a period of six months or so. They did this by taking along the information they’d already collected by desk research and asking the departments, ‘What do you do? What information do you need, and create and capture?’ Mostly this information was obtained by talking to the manager of the department, but that might be followed up with an interview with a colleague.

The team started with an information survey of all departments, guided by questionnaire forms.

These interviews were conducted using some information collection forms, which Bob showed us. The result was a combination of a free-text record of what they had been told in interview, together with some more structured data. This survey helped in understanding the core functions of each department.

Incidentally this exercise also gave a framework that, had they been planning to introduce an EDRMS system across the Trust, would have conveniently provided a taxonomy. (In fact there is no such enterprise-wide EDRMS system yet, though there are hopes for one.)

One part of the survey form was designed to produce retention schedules. There is an agreed retention policy for the Trust’s records, which establishes that there are four reasons why the Trust keeps records, and there are retention periods associated with each of those four. Administration records are kept for two to three years; seven years is the norm for most financial and legal records, unless there are specific legislation-mandated periods for some classes of record; and then there are the documents which contain the developmental history of the Trust, which are kept all the way back to 1936. There are documented definitions which help people to decide what kind of record belongs in which of these categories.

Organising the register

All this information was transferred to a Microsoft Access database. The database makes it easier, for example, to check the record for validity, alter it and then re-issue retention schedules. Since the initial exercise, more fields have been added.

The value of this discovery process was recently illustrated when one of Bob’s colleagues in the IT department had had to transfer over to work with the Investments department, and asked if there was anything he could read to understand ‘just what they did over there’, and what kind of information they managed. The product of their IAR project told him everything he needed to know. All those outputs are available on the Wellcome Trust Intranet.

Including paper-based records

The next step involved gathering the paper records and information systems into the system too. For this they developed a spreadsheet to feed data into the archive process, which is called TRAC – the Trust Records and Archives Centre. This spreadsheet includes the Record Transfer List, where people list what they want to put into the archive; that includes a drop-down menu list with all of the categories which have been set up in Infoscape, and which also appear on the retention schedules. The drop-down list helps people unambiguously to assign their collection to a category (though there is one that says ‘Other – see Records Manager’!)

Before the boxes of physical archive material are sent to Bob, the spreadsheet comes to him first. He checks this over, and clarifies it if necessary; occasionally, when a new category is proposed, he works that back into the database and the retention schedules. Tuning the database as it goes along like this makes it easier to manage than having to cope with a lot of changes on a two to three year revision cycle.

With the exception of confidential records, the spreadsheets are posted to a global shared drive so that the assets are visible throughout the organisation. In time Bob will transfer all of these to Hewlett-Packard’s TRIM records and information management software. He showed us a screen shot of TRIM into which the historic documentation has been recorded, and is described to ISAD(G), the General International Standard Archival Description.

One advantage with TRIM is that you get a layered system of scope notes which are very descriptive, much more so than the brief notes in the spreadsheets. At the high levels of the collection, the scope notes are quite extensive and encompassing, but as you drill down into the collections through categories the scope notes get shorter and more precise.

Extra benefits

One nice example of pulling a practical application out of this is that on the Wellcome Trust Web site (under ‘About Us’ and then ‘Timeline’) there is a Timeline displayed. It is a visual history of the Wellcome Trust from 1936 until last year, and if you click on any of the pictures along the timeline you get an expanded view of what happened in that time period. There are two threads shown: what Wellcome Trust was funding at the time, and what else the organisation was doing. The entire contents of the Timeline come from the Trustees’ Minutes, as stored in the Archives.

There are other ways in which the Trust could expand its IAR to bring more value to the business. If there were a disaster, they would obviously want to restore the IT systems in a sequence that makes sense in terms of what is most urgent and relevant to the business. Some time ago they worked out a process of ranking the recovery of systems, and what information to restore on those systems; Bob said he could now map that to the Infoscape project, which would add further value.
 


Reflections by Conrad

 
Meanings on the move

It is easy to become distracted by discussions of the difference between a List, a Register and an Inventory; likewise between Information Assets and Information Resources. A few days after this event I was at the Open Government Data Camp, where there was a session about Data Catalogues, which didn’t feel hugely different either. There may be some point at which defining these terms and the relationships between them more precisely could be useful; for now, I think it wise to recognise that terms are being used loosely – and, to a degree, interchangeably.

Within the story as we have heard it from Alec, Chris and Noeleen, it is clear that the security concerns of the Cabinet Office, CESG and other government enforcers mean that a particular definition of Information Asset Registers is becoming dominant within the public sector. Yet even this definition is on the move, as TNA’s concern with general digital continuity and with encouraging the maximum efficiency in the use and re-use of information is gaining greater traction, and as the departments and bodies who have embarked on creating an IAR realise that there are other uses for it beyond security compliance.

At DWP, Chris has also been responsible for the Department’s response to the Making Public Data Public initiative, and his comments draw attention to what some civil servants must feel is a set of mixed messages: on the one hand to button data down, on the other to open it up and make it free. Hopefully the process of compiling IARs helps to clarify which kind of data should be treated in one way or the other.

Beyond government records

I am glad that we had the Wellcome Trust case study included in this meeting, because otherwise we might have been left with the impression that IAR exercises (whatever you call them) are for the public sector only. Whereas it seems to me that any organisation which really wants to stay on top of its information resources would be wise to create and maintain an inventory of what it has got, where it is kept, who is responsible and what is required technically to work with it.

The government focus also seems to be on stuff that is kept in fields in databases; in other kinds of organisation, much of the useful information is in text form, including email archives. The minutes of Trustee Board meetings that Bob referred to are one good example of textual information, and perhaps if we were to revisit the subject, ‘textbases’ might be given more scrutiny within that.

Dealing with text repositories brings in a whole extra set of questions about how, for the purposes of a formal Register or Inventory, you characterise the content, its quality and accuracy, and the technical dependencies for working with these resources (e.g. file formats, encodings etc.).

The Information Audit

I was interested that Alec declared that the first stage of creating an IAR should be to do ‘an Information Audit’. Essentially what is being described in this context is a rigorous process of researching, analysing and documenting the information resources or assets of an organisation.

Some people prefer the term ‘information survey’, and indeed as Bob illustrated in his case study, the process often involves a form of questionnaire, or interview schedule of questions, that is gone through in meetings with heads of various departments.

However, the more technical-sounding term ‘audit’ does capture some of the flavour of ‘opening the books’, using all manner of catalogues and lists, including those data records held by IT, and recording the results systematically in some kind of electronic ‘ledger’ that will be kept up to date on a regular cycle of months and years.

The word ‘audit’ also conveys some investigatory thoroughness, and the sense that one is trying to set standards for information-handling which are going to be kept under scrutiny by people to whom that responsibility has unambiguously been handed.

Learning and sharing

Finally, I was interested by Noeleen’s insight into what might be the role of the external consultant or facilitator in these processes. Her insistence on building in training from the outset, and transferring skills and cultural insights so that the work can be sustained within the organisation going forward, seems very valuable to me.

There also seems to be a huge potential for public bodies to learn ‘the Art of IAR’ from each other, as shown by Noeleen’s ability to transplant some learnings from NHM to the Tate, and Jennifer Perkins from DCMS to help out at the British Library.

Might this in time lead to some kind of Community of Practice approach to sharing IAR experiences? Might TNA take the lead in this, and also in bringing more standardisation to the process?

Meanwhile, the informal setting that NetIKX provides should help in the transfer of experience – and I hope that this written account of the meeting also helps to spread the word.

LINKS: There is a slightly edited version of this meeting account, illustrated and formatted for print, and available as a PDF for download. You may also wish to visit the NetIKX Web site.