Information management system
These are the rules that govern how you should handle data and information on our behalf.
What we expect from you as a supplier
We expect you to comply with our security policy, or to demonstrate corporate security policies providing equal assurance.
This applies when:
- accessing or processing Highways England information assets, whether on site or remotely
- subcontracting to other suppliers
Information requirements and specifications
Our policy is supported by:
Requirements - what you need to do
Our requirements specify what we expect you to do and who needs to do it.
They will include contact information for our subject matter experts and relevant documentation.
Specifications - how you do it
Our specifications will tell you how we expect you to meet the requirement and how you need to document this where necessary.
Our information principles
Our information principles set out the standards that we expect everyone we work with to follow when managing information for us:
- We'll use information as best we can, even if it’s not perfect
- We'll increase the trust people have in our information by assuring its fitness for purpose
- Information can affect people’s lives and we'll use it transparently and ethically
- We need to understand how the information we collect is used by others to make sure it's good enough for everyone
- We must continually earn the right to look after our customers' data
- Information is a valuable resource that will be kept safe and secure from accidents and attacks
- Looking after information has a cost - we should understand and account for it
- We all have a responsibility to look after our information so that it's fit for purpose
- Decisions made with information create better outcomes for our customers, stakeholders and ourselves
- The value of information is only realised when it's used to help make decisions
Legal and regulatory obligations
We have a responsibility to comply with all current UK and EU legislation as well as a variety of further regulatory and contractual requirements.
Here's a summary of the key legislation governing how we must use information:
| Legislation | What it governs |
|---|---|
| General Data Protection Regulation (2018) | The use of personal data by organisations |
| The Security of Network and Information Systems Regulations (2018) | The overall level of security of network and information systems for the provision of essential services |
| The Freedom of Information Act (2000) | An individual's right of access to information |
| The Privacy and Electronic Communications Regulations (2003) | The use of electronic communications |
| Regulation of Investigatory Powers Act (2000) | The powers of public bodies to carry out surveillance and investigation |
| The Copyright, Designs and Patents Act (CDPA) | Copyright law in the UK |
| The Computer Misuse Act (1990) | Misuse of computer equipment in conducting unauthorised activity |
| The Public Records Act (1958 and 1967) | Public records in the UK, establishing a cohesive regulatory framework for public records |
Related requirements and specifications detail other applicable legislative requirements or provide further detail on the obligations arising from legislation.