added questions about access to other data (grants access to G-Suite/O365 or installs into the browser)
Thoughts:
163 is something the guidance has to say, but I doubt whether people do this!
Should we add some further technical details such as using MOJ G-Suite or O365 for SSO to the OIT if it's available?
Should we add something about not paying for things by GPC, and using proper procurement instead?
I'm not a fan of links to the Intranet on the basis that not everyone can access the Intranet at the same time (I usually operate a group inbox and list that in every place under the sun)
Overall, I like it (a lot) but I think it's too long once the person has read it once. I almost feel like there should be a checkbox or summary bullet point structure as well for quick referencing - for example, so the person looking at the OIT can show what s/he has checked to their line manager.
Stepping back a bit, I think I have a few other macro thoughts that probably can be summarised into how many risks we're willing to take...:
generally in government departments, signatory delegation is down the Finance & Estates Management (FEM) line, which means regular Band A (etc.) staff cannot sign contracts - including accepting T&Cs as MOJ
while I believe we're working on data evangelism in the sense of information managers / data guardians etc. (I forget the phrasing used here), it is unlikely that a 'regular' member of MOJDT staff (and their line manager) can sufficiently interpret OIT T&Cs and privacy notices and ascertain legal status such as jurisdiction and offshoring (not just data, supply chain) -- further, general advice from the Government Legal Department is that non-England & Wales jurisdictions are not preferred on the basis that we (MOJ) would have to present a case in a foreign court (however slim that might be!)
the guidance doesn't require the individual or manager to register the use of the OIT, and I think that is very important for data handling reviews and macro risk reviews... PRA/FOI/DPA and all that as well
we don't de-dupe OITs (ask users to consider a corporate tool we already use, another OIT in use, etc.), as runaway OIT is also a data nightmare