joelgsamuel
commented
6 years ago Stepping back a bit, I think I have a few other macro thoughts that probably can be summarised into how many risks we're willing to take...:
- generally in government departments, signatory delegation is down the Finance & Estates Management (FEM) line, which means regular Band A (etc) cannot sign contracts - including accepting T&Cs as MOJ
- while I believe we're working on data evangelism in the sense of information managers / data guardians etc (I forget the phrasing used here) it is unlikely between a 'regular' member of MOJDT staff (and their line manager) can sufficiently interpret OIT T&Cs; privacy notices and ascertain legal status such as jurisdiction and offshoring (not just data, supply chain) -- further, general advice from the Government Legal Department is that non-England&Wales jurisdictions are not preferred on the basis that we (MOJ) would have to present a case in a foreign court (however slim that might be!)
- the guidance doesn't require the individual or manager to register the use of the OIT, and I think that is very important for data handling reviews and macro risk reviews... PRA/FOI/DPA and all that as well
- we don't de-dupe OIT (ask users to consider a corporate tool we already use; another OIT in-use etc) as run-away OIT is also a data nightmare
Thoughts:
163 is something the guidance has to say, but I doubt whether people do this!
Overall, I like it (a lot) but I think its too long once the person has read it once. I almost feel like there should be a checkbox or summary bullet point structure as well for quick referencing - example, so the person looking at the OIT can show what s/he has checked to their line manager.