Designing an Information Governance approach for London

by Eddie Copeland

Data Collaboration is one of six major workstreams for the London Office of Technology and Innovation (LOTI).

As part of our Year One focus on fixing the plumbing, we’ve been working to remove some of the barriers that make data collaboration between London’s boroughs and other public sector organisations hard. (I’ve written previously about what those factors are.)

A key one that was identified in LOTI’s earliest weeks is boroughs’ differing approaches to Information Governance (IG): the process through which organisations ensure they are sharing and using data legally, ethically and securely.

As separate legal and democratically elected entities, it’s completely reasonable that boroughs should satisfy themselves that they’re using data in keeping with their values and commitments. Yet, when signing one information sharing agreement (ISA — a joint agreement on what data partners will share, for what reason and how) can take six months or more, boroughs are keen to explore whether the process can be streamlined.

It’s for that reason that LOTI, in a project led by Ed GarcezSudip Trivedi and Fozlu Miah from the borough of Camden, has been working with service managers, Chief Information Officers and IG professionals to identify what could be done differently.

Why it’s hard

In workshops and interviews with boroughs held last year, we identified a number of specific IG-related challenges:

Many public sector staff outside the data profession feel ill-equipped to know what data they need to enable a given outcome. I’ve often heard teams propose that “we should get all the data together and see what it tells us”. While that might work if the data comes from one team within one organisation, it’s likely to be a non-starter for data collaboration purposes. That’s because unless you’re very specific about exactly what data is needed and why, it’s not possible to complete the IG process. Without a better framework for understanding the role of data, projects can be misguided or never get off the ground.

IG Leads are involved too late in the process. A frustration for many IG Leads is that they are often not consulted about data collaboration projects until their final stages. Some reported being asked to sign off ISAs the day before go-live. Inevitably, asking for their support so late in the day may force them to have to pause proceedings and sometimes ask for major changes. It also treats IG Leads like data gatekeepers rather than as expert advisors on how a given data collaboration project could be successfully conducted.

Lack of awareness of which IG role should be consulted and when. On the flip side, service managers reported feeling unsure about which IG professionals should be consulted and when. That’s understandable given that there’s a range of different roles with the IG profession, including Information Governance Leads, Data Protection Officers, Senior Information Risk Owner (SIRO), and Caldicott Guardians.

Differences in approaches, templates and steps followed by boroughs. Variability in the workflow and documentation used by boroughs to complete the IG process creates difficulties in creating agreements that satisfy the needs of all parties. It also leads to basic version control issues. When creating Data Privacy Impact Assessments (DPIAs) and Information Sharing Agreements, it’s currently common for a Word document to be created by one group, which then sends it around for feedback from others. Multiple different IG teams will then add comments to separate versions of the document that then have to be reconciled.

Differences in organisational perspectives and risk appetite. More fundamental than any paperwork, different public sector organisations perceive the risk of data collaboration initiatives differently. As I said, that’s reasonable. Arguably the best way of addressing excessive risk aversion is to have more collaboration and active dialogue between organisations.

What LOTI’s doing about it

There’s no silver bullet to address all these challenges, but here are a few things we’re doing to make progress.

Helping staff understand what data they need. To help public sector staff think critically about which (if any) data is essential to deliver their desired outcome, we’ve started combining the four-step method I sketched out in a previous article with LOTI’s outcomes-based methodology to encourage teams to ask themselves the following questions.

  1. What real-world outcomes are we trying to enable?
  2. What specific problems currently prevent us from achieving those outcomes?
  3. Who could do what differently about those problems if they had better information?
  4. What would that person need to see on a screen in order to do that thing? (We call this the “data product” – for example: a map, a heatmap, a prioritised list, a dashboard, etc.)
  5. What data would be required to create that data product?
  6. Beyond the data product, what else would need to be in place to enable the desired new way of working?

The focus on outcomes (1) and how things could be done differently (3) helps keep conversations action-orientated. Talking about data products (4) helps narrow conversations about what data is necessary. Question 6 is an explicit reminder that data alone is almost never enough to enable a meaningful change.

Agreeing common IG steps and role involvement. To address the issues that IG leads are often involved too late in projects and face difficulties when their peers follow different processes, we’ve worked to sketch out a seven-step IG process (see below) that clarifies what needs to happen in what order, and who should ideally be involved in each step. It’s still a working draft, but also a starting point for aligning organisations’ approaches. It should also help service managers understand which specific IG roles need to be included at each step. In summary, those steps are:

  1. Generate ideas — coming up with the idea for a data collaboration project
  2. Review concept — vetting the idea and its legality, ethics and risks
  3. Assess feasibility — agreeing the partners that will be involved, the data and tools to use and any risk mitigation steps that need to be in place
  4. Co-create DPIA — co-creation of a Data Privacy Impact Assessment (DPIA) to capture the agreed outcomes of the Review Concept and Assess Feasibility stages
  5. Complete ISA — co-creation of the Information Sharing Agreement and formal sign-off
  6. Implement project — putting the data collaboration project into action
  7. Evaluate & Learn — learning from what works and doesn’t work to refine the previous steps.

Using technology to avoid version control issues. We’re encouraging all boroughs to sign up to trial the use of the Information Sharing Gateway, a platform that enables organisations to collaborate online on the creation of ISAs. The GLA and London Fire Brigade (LFB) have paid for 100 licences, which are available for use by boroughs. LFB are happy to offer demos and help organisations get set up on the platform.

To complement this, we’ll shortly start work with CC2i, the Greater Manchester Combined Authority, Norfolk County Council and the University of Nottingham on the design of a digital DPIA tool. NHSX and the Information and Records Management Society (IRMS) are now both confirmed to be supporting the project. The Information Commissioner’s Office has also agreed to be a strategic partner, “providing oversight and guidance to ensure the resulting Digital DPIA product properly reflects due process and law to deliver a solution that will fit local, regional and national needs alike.” We’re excited to work with all these partners, and particularly to learn from Greater Manchester’s amazing Information Governance Team, who have significant experience and expertise in this area.

Testing these new ways of working on actual data collaboration projects. LOTI boroughs are embarking on discovery phases for four data collaboration projects, which will trial all the methods and tools outlined above to see what works. They include exploring:

  • The role of data to improve the provision of cross-borough Special Educational Needs Transport.
  • Whether more granular Univeral Credit data from DWP could help boroughs support vulnerable individuals and families earlier and more effectively.
  • Whether creating a pan-London map showing all Electric Vehicle charging points could benefit citizens and boroughs;
  • How boroughs can learn from each other in their use of machine learning models designed to identify unlicensed House in Multiple Occupation (HMOs).

Working with the Information Governance Group for London (IGfL). As well as working directly with LOTI boroughs, we’re also collaborating with IGfL — a convening group for London’s Information Governance Professionals — to ask for their expert advice on LOTI projects and to involve them in our work to create a digital DPIA tool.

Running workshops on how to innovate responsibly with data and AI. On 14 February, the London borough of Brent hosted a LOTI workshop to explore five frameworks that can help guide organisations’ use of data and artificial intelligence. In a second workshop, planned for 30 March, we’ll explore the even more important issue of how to embed the best guidance into boroughs’ policies, processes and governance.


Data collaboration is hard but worth the trouble to get right. Ensuring that London’s public sector organisations can use data in a way that’s legal, ethical and secure — in short, worthy of citizens’ trust and confidence — is key. Having an effective approach to Information Governance is therefore vital.

We look forward to working with London boroughs’ IG professionals to rehearse some of the new ways of working described in this article over the coming weeks and months. Keep following LOTI’s blog for reports on our progress and the lessons we learn along the way.

Find me on Twitter

You may also like