Introduction

Ontarians want to seamlessly interact with government and have the confidence that investments in public service delivery are efficient and effective while protecting the security and privacy of information and systems. Achieving this requires transparency and a coordinated approach to the governance and management of information, information technology and a commitment to putting the needs of the user first.

Information is central to all government business. As a form of information, data is increasingly core to the effectiveness of government. The Government of Ontario creates, receives, and manages vast amounts of information and data that must be managed as strategic assets. These assets include information in all its forms, both digital and analogue, data, metadata, records, and publications. Like other strategic assets, information and data assets must be governed and managed systematically to maximize their value, mitigate risks and control costs.

Information governance is the overall strategy for information and data and establishes a consistent and logical framework for the organization. Information governance promotes operational transparency and balances the risk that information presents with the value that information provides.

Information management is a set of management practices (planning, directing, controlling, evaluating) that ensure that information and data are collected, managed, and used appropriately, securely, efficiently and cost-effectively. Information management involves a number of processes and domains, including privacy and data protection, data management, open data, freedom of information, intellectual property, librarianship and recordkeeping. The goal of information management is to optimize the use of information within the bounds of policy and regulation so that staff can take actions to maximize the benefits of this resource.

Governing and managing information and data as important assets supports government’s strategic and operational objectives by:

  • driving efficiency and cost avoidance through the sharing, integration and re-use of information and data and by keeping information and data only as long as required
  • accelerating the speed that government can work by ensuring the right information and data are available at the right time to the right people
  • ensuring customer satisfaction through data-driven approaches to the design, measurement and evaluation of government programs and services
  • enabling good decision-making by creating, collecting and using high quality, trustworthy and authoritative information and data
  • enhancing public trust and government accountability through open data, freedom of information, privacy protection, information security and recordkeeping

This directive sets out the requirements and roles and responsibilities for the governance and management of information and data as key strategic assets that enable an effective digital government. The directive is supported by a policy framework that outlines operational expectations and technical standards pursuant to it.

This directive exists alongside The Governance and Management of IT Directive (2021) and Digital and Data Directive (2021). The three directives outline domain-specific requirements, support the achievement of aligned outcomes, and are linked together by a common glossary of terms.

This directive is to be implemented in a manner that is consistent with existing legal obligations, restrictions and requirements, including those set out in:

  • the Archives and Recordkeeping Act, 2006
  • the Simpler, Faster, Better Services Act, 2019
  • the Freedom of Information and Protection of Privacy Act, 1990
  • the Personal Health Information Protection Act, 2004
  • the Anti-Racism Act, 2017
  • the French Language Services Act, 1990
  • the Accessibility for Ontarians with Disabilities Act, 2005
  • other applicable legislation

The Governance and Management of Information and Data Assets Directive is a Management Board of Cabinet Directive, issued under the Management Board of Cabinet Act.

Purpose

The purpose of this directive is to maximize the value and use of government information by ensuring that information and data are managed as strategic enterprise assets.

Application and scope

This directive applies to all Ontario ministries and provincial agencies.

This directive should be read in conjunction with any requirements with respect to the governance and management of information and data assets under other directives and policies.

Administration

This directive is issued under subsection 3 (3) of the Management Board of Cabinet Act and is meant to be read and applied in its entirety.

The Secretary of Treasury Board/Management Board of Cabinet is responsible for approving mandatory operational policies that are consistent with this directive.

Ministries and provincial agencies must seek Treasury Board/Management Board of Cabinet (TB/MBC) approval if, in exceptional circumstances, they require an exemption from all or part of this directive. The rationale for the exemption must be documented.

Before any program area may seek approval to issue a new or revised policy that will inherit its authority from this directive, the Information, Privacy and Archives Division (MGCS) must be consulted to ensure alignment.

Principles

The following principles are intended to guide ministries and provincial agencies in the governance and management of information and data assets. To maximize their value, information and data assets should be governed and managed to ensure that they are:

Discoverable

Those who use information and data can find what they need, when they need it.

Reusable

The value of information and data can be enhanced by re-use, integration, sharing and commercial use where appropriate.

Interoperable

Information and data are managed in a manner that allows for appropriate access, use and reuse across different systems, devices, applications and products.

Protected

Proper security and privacy protections are applied to information and data and actions are taken to ensure ongoing protection.

Trustworthy

Information and data are managed in a manner that promotes high quality and ensures it is fit for its intended uses in operations, decision making, planning and service delivery.

Authoritative

Information and data are designed and managed to, where possible, produce a single authoritative source and to reduce duplication and avoid unnecessary storage costs.

Persistent

Information and data are captured, managed, and available for as long as needed.

Contextualized

The context in which information and data was created is preserved to ensure that its meaning, purpose and value can be understood through time and systems.

Disposed of Appropriately

Information and data are legally and appropriately disposed to mitigate risk and optimize resources.

Requirements

Information and data are important government assets that are subject to an enterprise framework of laws, policies and standards. Ministries and provincial agencies are responsible for governing and managing the information and data assets that they collect, create and receive in accordance with that framework.

They are supported in this at an enterprise level by the:

  • Chief Privacy Officer
  • Archivist of Ontario
  • Chief Digital and Data Officer
  • Corporate Chief Information Officer
  • Chief Information Security Officer

In order to maximize the value of the information and data assets that they collect, create and receive, ministries and provincial agencies must:

  • integrate and align information and data governance considerations into their strategic and business planning
  • identify an executive sponsor to provide oversight of information and data governance activity
  • identify and document the information and data assets that they collect, create and receive through appropriate registries (for example, record schedules, directory of personal information banks, directory of records, data inventory, the Ontario Data Catalogue, etc)
  • identify program areas responsible for the various information and data assets that the ministry or provincial agency holds
  • ensure information and data assets are managed according to their purpose, value, and risk profile
  • ensure information and data-related risks, design considerations and requirements such as privacy protection, information security, access and recordkeeping are integrated into the design of ministry technology projects and procurements and are subsequently operationalized and monitored
  • develop and maintain processes to build information governance and management capability and maturity in their organizations in accordance with need

To support ministries and agencies in the effective governance and management of information and data assets the Chief Privacy Officer, Archivist of Ontario, Chief Digital and Data Officer, the Corporate Chief Information Officer and Chief Information Security Officer must:

  • promote and facilitate the consistent application of information and data governance across ministries and provincial agencies
  • promote and facilitate the sharing of information and data between and among ministries and provincial agencies
  • provide frameworks, advice, standards, guidance and tools to support ministries and provincial agencies in governing and managing information and data assets
  • establish, support and participate in the ongoing operation and effectiveness of governance bodies intended to support ministries and provincial agencies and ensure compliance with this directive
  • ensure the availability of common or shared technology solutions to support the governance and management of information and data assets
  • ensure that information management considerations are integrated into the project governance processes for the design of IT systems, services and products

Specific responsibilities for each of these officers are outlined in the roles and responsibilities.

Roles and responsibilities

Treasury Board/Management Board of Cabinet

  • approve changes to, and exemptions from, this directive in whole or in part through submission of a business case

Secretary, Management Board of Cabinet

  • approve policies and standards pursuant to this directive that outline operational requirements for the governance and management of information and data assets
  • approve any exemptions from the requirements outlined in those policies
  • periodically report to Management Board of Cabinet on the status of policies and their implementation to demonstrate prudence and due diligence
  • periodically recommend updates to this directive to Management Board of Cabinet

Deputy Ministers

  • ensure that ministries and provincial agencies comply with this directive and any policies and standards pursuant to it

Corporate Chief Information Officer

  • ensure the availability of common or shared technology solutions to support the management of information and data assets
  • ensure that information risks, design considerations and requirements, including privacy protection, information security, access and recordkeeping are integrated into project governance processes for the design and/or procurement of IT systems, services and products
  • establish, support and participate in the ongoing operation and effectiveness of governance bodies intended to ensure compliance with this directive, as well as other applicable directives, policies and technical standards

Chief Digital and Data Officer

  • provide frameworks, advice, standards, guidance and tools to support ministries and provincial agencies in managing open data processes and the collection, management and use of data as part of the development and provision of digital services
  • establish, support and participate in the ongoing operation and effectiveness of governance bodies intended to ensure compliance with this directive, as well as other applicable directives, policies and technical standards
  • collaborate with the Chief Information Security Officer and the Chief Privacy Officer to ensure alignment between open data and data protection requirements and policies

Chief Privacy Officer and Archivist of Ontario

  • provide frameworks, advice, standards, guidance and tools to support ministries and provincial agencies in effectively managing and preserving their information and data assets
  • establish, support and participate in the ongoing operation and effectiveness of governance bodies intended to ensure compliance with this directive, as well as other applicable directives, policies and technical standards
  • the Archivist of Ontario, in accordance with the Archives and Recordkeeping Act, will make independent decisions about the disposition and preservation of information and data assets
  • collaborate with the Chief Information Security Officer and the Chief Digital and Data Officer to ensure alignment between open data and data protection requirements and policies

Chief Information Security Officer

  • provide frameworks, advice, standards, guidance and tools to support ministries and provincial agencies to predict, identify and address threats to information security
  • establish, support and participate in the ongoing operation and effectiveness of governance bodies intended to ensure compliance with this directive, as well as other applicable directives, policies and technical standards

Deputy Ministers’ Committee on Technology and Transformation (DMCTT)

  • endorse and recommend policies about the governance and management of information and data assets to the Secretary, Management Board of Cabinet

Definitions

A common glossary has been developed for this directive and the two related directives, The Digital and Data Directive (2021) and The Governance and Management of Information Technology Directive (2021).

Below is a selection of terms from the common glossary that can be found in this directive.

Data: A type of information that is facts and statistics collected together for reference or analysis; things known or assumed as facts, making the basis of reasoning or calculations. Data may be analogue or digital and may be structured or unstructured.

Data Asset: A type of information asset that is any aggregation or grouping of facts and figures stored in a structured format (“dataset”), as well as the additional information necessary for its management, access, and use. This includes databases, algorithms, calculations, and computational models, or any other means used alone or in part to use data to inform government decisions, programs or services.

Information: Knowledge captured in any format, such as facts, events, things, processes, or ideas, that can be structured or unstructured.

Information Asset: An aggregation or grouping of information, including data, records, and publications, that can be defined and managed as a single unit so that it can be understood, shared, protected, and used effectively. Information assets have recognizable and manageable value, risk, content, and lifecycles. Governance and Management of Information and Data Assets Directive 10

Information Management: Information management means applying common management principles (planning, directing, controlling, evaluating) to information and data assets. It involves establishing disciplined and consistent practices related to the planning, creation, capture or collection, organization, use, accessibility, dissemination, storage, protection and disposition of information assets.

Information Technology (IT): The equipment, software, services, processes, and resources used to create, store, process, communicate and manage information.

Open Data: data that has been made proactively publicly available without charge, in a machine-readable format and released under an open licence which allows it to be used, re-used, built upon, and shared without additional permission.

Personal Information: Recorded information about an identifiable individual, as defined by the Freedom of Information and Protection of Privacy Act, 1990.

Publication: Information that is created, collected, produced, or reproduced for public distribution or with the intention to make this information widely available.

Record: A record of information, including data, in any form, including a record made, recorded, transmitted or stored in digital form or in other intangible form by electronic, magnetic, optical or any other means, but does not include a mechanism or system for making, sending, receiving, storing or otherwise processing information.