---
tags: rse-tre
---
# Breakout discussions notes
**Session 2, Room 2**
**Topic**: Information Governance best practice
## Attendees
* Chair:
* Facilitator/note taker:
* [Insert screenshot of Zoom attendance list if easier]

## Prompts
- How best to classify data?
- Do we see IG as a primary focus for this community?
- Are there other communities of IG practitioners we need to engage with?
## Communities we should engage with
* [Safe Data Access Professionals network](https://securedatagroup.org/)
* PPIE/members of the public
* NHS Information Governance folk (who?) - ICS/ICBs
* Regulators?
  * Information Commissioner's Office. They have had an [anonymisation guide] for some years and are consulting on an update incorporating GDPR require
  * Financial Conduct Authority. They have a [regulatory sandbox](https://www.fca.org.uk/firms/innovation/regulatory-sandbox) to support experimentation in this space (have done hackathons on synthetic data)
## Notes
* MOR: how do we decide when to make the decision as risk owner or when to go out to the community to ask about how to handle it? A lot of the value of the work we do is to get assurance and confidence in the work that others have done; there is a huge difference between figuring it out yourself or looking at others' approach. Formalising processes or practices informally by many doing it in the same way
* Work the relationship between IG and infrastructurers
* CC: there is definitely the capacity for TREs to contribute to IG
* It's easy to make a rod for your own back with IG - as soon as you say you're going to do something you're really bound to doing it (...or failing your audit)
* It should be about really being capable and doing a good job, and making security audits etc more than a paper exercise
* Openness of IG supports openness in general and building trust with the public
* How to document? Is it for us or for the accreditor? If we document in code is that going to cause problems at audit stage?
* All documentation around e.g. ISO27001 has a context, so just sharing the docs/processes might not be that helpful
* HS Sharing a thought before closing - agree with Martin, I think even some clarity on ‘here are a few options that we’ve found work well’ can be really helpful
* CC: grants keep focusing on specific developments and on adding features to them; instead we need to see funding go into standardising and sharing those that exist
* Might make sense to structure any docs/guidance around this in terms of successful approaches to certain problems/elements of standards - there may be one or several
* Currently at the mo we are doing things differently across the group, so not suggesting we ditch everything overnight, but over time we may converge
* The relationship (or lack of) with IT over years, organisations and teams is a shared comment and one issue to overcome. It appears that the IG-IT relationship is an important thing to focus on
* The processes that we are going through, the documentation, which is mostly repos, would be easy to transform into business processes for organisations. How much of this has been produced as part of our ways of work and how much produced explicitly to be read by people outside developing it?
* Dundee make their [standard operating procedures](https://www.dundee.ac.uk/corporate-information/standard-operating-procedures-hic) available online
* The Manchester Connected Health Cities TRE made their [Information Security Management System documents](https://github.com/connectedhealthcities/chc-gm-isms) available online.
## Actions/next steps
* X
* X
* X