FOI release

Internal audit of Home Office record management procedures


We have received a request under the Freedom of Information Act 2000 for the following:

Please disclose the contents of the internal audit report(s) relating to the internal audit of Home Office record management procedures referred to in paragraph 14 of the Information Tribunal case, Peter Quinn v Information Commissioner (addl party Home Office) EA/2006/0010.

We released the following information on 30 October 2009, which can be found in the attached document.

Since the report was written (January 2006) a number of changes have been introduced across the Home Office to address issues raised in the audit report and ensure compliance with the Code of Practice. These changes have had a positive impact on how the Home Office manages its information. A corporate-wide fileplan, to house all business information, has been established and rolled out across the organisation. An Electronic Document and Records Management System (EDRMS) has been procured and implemented throughout the Home Office headquarters. This provides a more efficient method for storing and searching for corporate information. The Home Office appointed its first Chief Information Officer in 2006, one of whose roles has been to review and implement a revised Information Management suite of policies which support the development of a co-ordinated, strategic approach to managing Home Office information. In addition, following publication of the Hannigan Report (2008), the Home Office issued ten golden rules for staff to follow when handling data, and all staff are required to complete Information Assurance training. Further information concerning the changes implemented in the Home Office to address the report's issues is listed below. Improving the Home Office’s information management remains a priority and is an ongoing process.

• Established a board-level Senior Information Risk Owner for the Home Office, and counterparts in each of our agencies and NDPBs;
• Established a Home Office Information Assurance risk assessment and management process;
• Created a register of all information assets, identified owners for all those assets and trained them in managing information handling risks;
• Carried out training and awareness and started to deliver other cultural change activity to ensure all staff handle information appropriately;
• Set up a bureau to allow for the encryption of restricted or personal data;
• Restricted the ability to write data to removable media to those that have a real business need to do so;
• Replaced USB sticks with encrypted ones and undertaken a clean-up campaign of unencrypted removable media;
• Obtained assurances from all commercial partners that they will handle our data in line with the Hannigan requirements;
• Produced a self-assessment tool for commercial and other relevant partners;
• Implemented new arrangements for dealing with security incidents;
• Established a process for all relevant programmes to carry out a Privacy Impact Assessment;
• Introduced new controls on emails being sent outside the secure Government network.

Date: Fri Sep 17 15:07:00 BST 2010