Image Promo description

Register to use our site and access free newsletters, book events and lots more.

You don't have to be a member to use our site. Already registered? Login here

Become a member today

The Chartered Institute of Housing is the independent voice for housing and the home of professional standards

Managing risk and delivering savings


Trish Thomas, information governance specialist at Orbit Group, tells us how Orbit bounced back from a data protection breach to deliver savings and improve staff training.

circuit boardLike other organisations, business practices around information security, data protection and privacy were patchy across Orbit at the time of our breach in 2008. When the breach happened, senior management reacted quickly, identifying that more needed to be done to raise the importance of information security across Orbit, so that we could protect our customers and staff. That internal reaction was formalised by signing an agreement (on 30 November 2008) with the Information Commissioner’s Office  to improve the security of personal and sensitive information.

So what did we do? Well, quite a lot! We developed tools for staff to learn about the importance of data protection. These incorporated classroom-style training covering the basics, as well as introducing a more robust reporting system. We had quizzes for staff, an interactive board game and our ’8 Golden Rule’ keyring cards that staff could take away with them. We also introduced some best practice policies and procedures, such as the clear desk policy and our office move guidance.  Online training became mandatory for all new starters, together with all existing staff undergoing regular ‘refresher’ training.

We did all that quickly after the breach, but over time we became more sophisticated around how we dealt with information security. In 2012 I started at Orbit, bringing over 20 years’ experience of all things information governance. My team and I deliver services (to both external and internal customers) across a range of topics: information security; information and records management; information sharing and Freedom of Information; data protection and privacy; information quality and assurance – such a robust offering means we can be sure people have the knowledge and skills to take information governance seriously.

In mid-2012 we also introduced a robust information security and risk management approach which is designed to be flexible and able to change quickly, responding to threats and the introduction of new technology. 

Four years after our data breach and after all the work we’d put in, we were delighted to gain the ISO27001:2005 Information Security Management standard, then followed by our PCI-DSS accreditation in 2013. 

But we’re still improving…

We are currently working on a new electronic document and records management system, which will be the bedrock of managing Orbit’s information, keeping everything in one place. We’ve also integrated information security into our project management framework to make sure information governance is at the forefront of people’s mind when they start a project, and stays there throughout! And we’ve incorporated questions about information governance and security into our procurement process so that we can assess the governance of our supply chain.  This means that the information governance team can develop an accurate Information Security Risk Assessment (ISRA) report, including options and recommendations to the business to reduce their residual information security risk. 

But information security isn’t just about my team embedding practices, it’s also about giving ownership back to the business in exactly the same way that management are accountable for their financial and HR related risks. By getting managers to take responsibility for information security in their area, we will embed it at all levels of the organisation, provide accountability and ownership of risks, therefore minimising threats and vulnerability of information. My team can then give on-going support and advice as the specialists, which allows us to deal with wider organisational issues, as well as providing services externally.

Now six years on from the breach, our information security approach is recognised externally and internally as highly effective. We can be adaptive and proactive, and we’ve seen tangible results in terms of reducing information security incidents and avoiding reoccurrences. Plus, our approach is contributing to Orbit’s ‘Making it Count’ value for money agenda – by incorporating business process improvements into our information security risk assessments we’ve seen tangible cost savings year on year.

At Orbit, our experience made us realise just how important information governance is – I’d encourage others to make sure that breach never happens!

Please log in to comment

Your comments

No comments made yet

Join today

We’re here to help you make a difference. Join CIH today and discover your potential


Fire safety

All the latest info and fire safety resources for housing professionals


The new housing apprenticeships

With a century of experience equipping housing professionals with the skills they need to do the brilliant work they do, we can help you make the most of the new housing apprenticeships – whatever stage of the journey you are at.