Information management system

These are the rules that govern how you should handle data and information on our behalf.

What we expect from you as a supplier

We expect you to comply with our security policy, or to demonstrate corporate security policies providing equal assurance.

This applies when:

  • accessing or processing Highways England information assets, whether on site or remotely
  • subcontracting to other suppliers

Information requirements and specifications

Our policy is supported by:

Requirements - what you need to do

Our requirements specify what we expect you to do and who needs to do it.

They will include contact information for our subject matter experts and relevant documentation.

Specifications - how you do it

Our specifications will tell you how we expect you to meet the requirement and how you need to document this where necessary.

Our information principles

Our information principles set out the standards that we expect everyone we work with to follow when managing information for us:

  1. We'll use information as best we can, even if it’s not perfect

  2. We'll increase the trust people have in our information by assuring its fitness for purpose

  3. Information can affect people’s lives and we'll use it transparently and ethically

  4. We need to understand how the information we collect is used by others to make sure it's good enough for everyone

  5. We must continually earn the right to look after our customers' data

  6. Information is a valuable resource that will be kept safe and secure from accidents and attacks

  7. Looking after information has a cost - we should understand and account for it

  8. We all have a responsibility to look after our information so that it's fit for purpose

  9. Decisions made with information create better outcomes for our customers, stakeholders and ourselves

  10. The value of information is only realised when it's used to help make decisions

Legal and regulatory obligations

We have a responsibility to comply with all current UK and EU legislation as well as a variety of further regulatory and contractual requirements.

Here's a summary of the key legislation governing how we must use information:

| Legislation | Governs |
|---|---|
| General Data Protection Regulation (2018) | The use of personal data by organisations |
| The Security of Network and Information Systems Regulations (2018) | The overall level of security of network and information systems for the provision of essential services |
| The Freedom of Information Act (2000) | An individual's right of access to information |
| The Privacy and Electronic Communications Regulations (2003) | The use of electronic communications |
| Regulation of Investigatory Powers Act (2000) | The powers of public bodies to carry out surveillance and investigation |
| The Copyright, Designs and Patents Act (CDPA) | Copyright law in the UK |
| The Computer Misuse Act (1990) | Misuse of computer equipment in conducting unauthorised activity |
| The Public Records Act (1958 and 1967) | Public records in the UK, establishing a cohesive regulatory framework for public record |

Related requirements and specifications detail other applicable legislative requirements or provide further detail on the obligations arising from legislation.