CPPM Policy Chapter 12: Information Management and Information Technology Management

This comprehensive Core Policy and Procedures Manual chapter includes policy for information management and information technology management.


12.0 Application

This policy applies to government Information management (IM) and Information technology (IT) management.

This Chapter does not list all corporate government IM IT requirements and must be read in conjunction with:

Government IM IT includes, but is not necessarily limited to:

  • Access to information, including Proactive disclosure
  • Data
  • Data sharing and information sharing
  • Digital platforms
  • Digital service design, development, and delivery
  • Enterprise architecture
  • Enterprise design
  • Enterprise solutions
  • Identity management
  • IM IT investment, including digital investment
  • Information security and cyber security
  • IT infrastructure, such as government networks and systems
  • Management of government IT resources, including device management
  • Privacy and Personal information
  • Records management

12.1 Objective

The objective of this Chapter is to establish a policy framework for the management of government information and technology as the Province of British Columbia embraces digital government. The Digital Principles for the Government of British Columbia will evolve over time and are meant to guide the work of public servants during this transition and beyond.

12.1.1 Digital Principles v. 1.1

1. Deliver value for British Columbians & cultivate trust

Recognize that government products and services should ultimately improve people’s lives. Build products and services for outcomes rather than outputs, prioritizing according to citizens’ needs. Use resources judiciously to benefit citizens and BC’s homegrown digital economy. Build trust in every interaction, using data to make fair, ethical and evidence-based decisions.

2. Design with people & embed inclusion

Deliver simple, effective products and services in response to citizens’ needs. Apply human-centered design practices, working directly with people who will use the product or service. Communicate in plain language. Strive to meet the highest standards of accessibility, inclusion and equity. Endeavour to create a seamless experience across government’s various digital and physical channels.

3. Integrate ethics

Take an ethical approach to designing or modifying digital products and services. Evaluate the potential ethical, social, cultural and environmental implications of emerging priorities. Ensure there is clear oversight and documentation for automated decision-making processes (e.g., when using artificial intelligence).

4. Continuously learn & improve

Iterate and improve products and services to support learning and innovation. Use modern tools and approaches. Be flexible to change, even at the last minute. Seek and accept feedback on an ongoing basis. Test early and often. Try to “fail fast” and accept failures as learning opportunities.

5. Work in the open

Collaborate, co-design and co-create with product and service users transparently. Default towards open licences, open and interoperable standards and open-source code. Share information and data whenever possible.

6. Take an ecosystem approach

Think holistically. Design and deliver forward-thinking, adaptable and scalable solutions. Support interoperability, common components and enterprise approaches. Share work and learnings with the aim of contributing to the wider community. Strive to collect data from users only once, re-using and sharing data whenever possible.

7. Take care of information & data

Act as a trusted information steward. Manage information, including data, as a public asset in accordance with its value and user needs. Strive to improve the quality of information and data. Recognize that people own their personal data and have a stake in how it’s used. Work with citizens to ensure they understand how and why government collects their information.

8. Manage risks proportionately

Promote a risk-balanced approach that addresses security and privacy by design. Recognize risks associated with maintaining the status quo — remember that no decision is also a decision. Design clear and flexible risk-mitigation strategies.

9. Build diverse teams & internal capacity

Empower all public servants and vendor partners to deliver excellent products and services. Create and support teams with diverse skillsets and backgrounds. Enable teams to use technology as an effective collaboration tool. Encourage innovation and controlled experimentation. Build an organizational culture and structure to support constant learning and engagement.

10. Express cultural & historical awareness & respect

Acknowledge the historical relationships, inequity, trauma, and discrimination created by government. Work in the spirit of reconciliation and BC’s Declaration on the Rights of Indigenous Peoples Act. Respect that First Nations have control over data-collection processes in their communities, and that they own their information and control how it can be used.


This Chapter also:

  • defines roles and responsibilities for information and technology management; and
  • establishes IM IT policy requirements based on the Digital Principles.

12.2 Roles and Responsibilities

The Office of the Chief Information Officer (OCIO) is led by the Government Chief Information Officer (GCIO) and includes the Office of the Chief Records Officer (CRO).

The OCIO is responsible for the corporate management of information and technology and plays a key role in IM IT governance.

12.2.1 Government Chief Information Officer (GCIO)

The GCIO has the responsibility to:

  1. Provide corporate strategic direction for government IM IT.
  2. Provide expert advice and recommendations related to IM IT to senior decision makers across government and to Cabinet and its committees, including Treasury Board.
  3. Manage provincial IM IT legislation, including FOIPPA, the IMA, the Statistics Act, the ETA and the Personal Information Protection Act (PIPA).
  4. Collaborate with ministries to develop and set corporate IM IT policies, standards, processes, procedures, and guidelines for the Province, and to identify best practices.
  5. Deliver enterprise services related to IM IT.
  6. Develop corporate communications, educational materials and training on IM IT, and promote IM IT literacy across government.
  7. Identify, advance and evaluate Enterprise architecture, shared/enterprise services and shared/Enterprise solutions, including Common components and digital platforms.
  8. Provide leadership in setting corporate priorities for IM IT investment, and manage related enterprise contracts, planning and programs in accordance with CPPM Chapter 5 and CPPM Chapter 6.
  9. Support ministry workforce plans and work with the Public Service Agency (PSA) on IM IT human resource capacity and skills required to achieve government's strategic priorities. This includes advising Deputy Ministers on the hiring of Ministry Chief Information Officers (MCIOs) and other positions related to IM IT as necessary.
  10. Assess and provide tools to evaluate ministries’ IM IT maturity and compliance with:
    1. IM IT legislation (including FOIPPA, the IMA, the Statistics Act, the ETA and the PIPA) and regulations,
    2. Ministerial directions, directives and orders issued under FOIPPA,
    3. CRO directives issued under the IMA, and
    4. Corporate IM IT policies, standards, processes and procedures.
  11. Promote efficient and effective IT management across government and propose measures for improvements in the application of technology in alignment with the Digital Principles.
  12. The GCIO may delegate responsibilities defined in this section and any delegations must be documented and employees must be made aware of their delegated responsibilities.

12.2.2 Chief Records Officer (CRO)

Under the IMA, the CRO has statutory powers and a mandate that includes:

  • promoting the preservation of valuable government information for current and future use;
  • approving information schedules governing the holding, transferring, archiving and disposal of government information;
  • managing the digital archives and promoting its availability to the public;
  • promoting effective IM within government;
  • examining, evaluating, and reporting on government IM, including making recommendations considered advisable; and
  • issuing directives and guidelines regarding matters under the Act.

Further to this mandate, the CRO has the responsibility to:

  1. Provide expert IM guidance, training, and advice to help ministries meet their IM obligations.
  2. Promote efficient and effective IM across government to ensure that government information remains accessible (i.e., discoverable, available and usable) over time.
  3. Should the CRO choose to delegate statutory powers, delegation must be done in the manner specified in section 2 of the IMA.

12.2.3 Deputy Ministers

Deputy Ministers (DMs) are accountable for:

  1. Overseeing information, including data, and IT management in their ministries.
  2. Ensuring ministry alignment and compliance with:
    1. IM IT legislation (including FOIPPA, the IMA, the Statistics Act, the ETA and the PIPA) and regulations,
    2. Ministerial directions, directives and orders issued under FOIPPA,
    3. CRO directives and guidelines issued under the IMA, and
    4. Corporate strategic direction, IM IT policies, standards, processes and procedures.
  3. Delegating responsibility for ministry IM IT administration to an Assistant Deputy Minister, MCIO, or equivalent position depending on the size, structure, and activities of the ministry.
  4. Ensuring that ministry Employees are aware of their IM IT responsibilities and delegated authority.
  5. Setting ministry-level strategic direction for IM IT, including ministry-specific direction in support of government’s priorities.
  6. Aligning IM IT decisions with the Digital Principles identified in 12.1.1.
  7. Ensuring that ministry-specific IM IT policies, standards, processes, procedures, guidelines and training are developed as needed, are appropriately documented and align with corporate IM IT direction.
  8. Supporting ministry workforce plans and working with the PSA and the OCIO on ministry IM IT human resource requirements to ensure that their ministry is adequately resourced to meet its IM IT obligations.

12.2.4 Comptroller General

In addition to the powers and duties under the Financial Administration Act, the Comptroller General is responsible for:

  1. Performing internal audits and compliance reviews.

12.3 Policy

12.3.1 Government Employees

  1. All government employees are responsible for ensuring that government information and IT resources are appropriately managed and secured. To this end, all employees must follow the Appropriate Use of Government Information and Information Technology Resources Policy (PDF) (Appropriate Use Policy).
  2. Supervisors must ensure that employees are made aware of the Appropriate Use Policy and any IM IT requirements, including training requirements, applicable to their positions.

12.3.2 Privacy and Personal Information

  1. In addition to FOIPPA and its regulations, ministries must also comply with government’s privacy management program outlined in the Privacy Management and Accountability Policy (PDF) (PMAP). PMAP is designed to help ministries meet their legislative obligations and sets clear expectations for promoting privacy accountability, education and awareness, and identifies more detailed requirements such as privacy assessment tools and agreements.
  2. Deputy Ministers must designate an individual responsible for privacy within their respective ministry. This individual will be designated the Ministry Privacy Officer (MPO).
  3. Personal information must be collected, used, disclosed, protected and disposed of with due care in accordance with applicable legal and policy requirements.

12.3.3 Information Security and Cyber Security

  1. Ministries must comply with the Information Security Policy (PDF) (ISP). The ISP establishes the government’s corporate framework for information security management, which also includes standards, procedures, training and awareness material, all of which are used to protect government networks, systems and information.
  2. Deputy Ministers must designate an individual responsible for information security within their respective ministry. This individual will be designated the Ministry Information Security Officer (MISO).
  3. Ministry-specific programs must be in place to manage information and cyber security risks in accordance with applicable legislation and corporate policies, standards, processes, and procedures.
  4. Ministries must comply with the Information Incident Management Policy (PDF) (IIMP). The IIMP is the government’s corporate policy for responding to and mitigating risks arising from actual or suspected information incidents, including privacy breaches.

See CPPM Chapter 15 (Security), CPPM Chapter 16 (Business Continuity Management) and CPPM Procedure L (Loss Reporting) for additional related policy requirements.

12.3.4 Information and Data Management

  1. Information and Data must be created, collected, used, classified, protected, preserved, and disposed of in accordance with applicable legislation, including but not limited to the IMA and FOIPPA, CRO Directives, such as the Directive on Documenting Government Decisions, and corporate policies, standards, processes and procedures.
  2. Ministries must comply with the Managing Government Information Policy (PDF) (MGIP), which sets out ministry obligations for managing government information, specifically as they relate to IMA requirements. MGIP includes requirements that build on the IMA to ensure that ministries have an appropriate system in place for managing and securing government information throughout its lifecycle.
  3. Government records must be preserved in a manner that protects authenticity, accessibility and context throughout the information’s lifecycle.

12.3.5 Open Information, Open Data and Open Solutions

  1. Reasonable efforts must be made, in alignment with the Open Information and Open Data Policy (PDF), to expand public access to government information and data by making it available online, under the applicable open government licence, unless restricted by law, contract or policy. The Open Information and Open Data Policy establishes a framework for the public release of government information and data.
  2. Ministry-specific programs must be in place for managing and responding to requests for information made under FOIPPA.
  3. Default to open licences and open standards, whenever possible.
  4. Use, re-use and publicly release open-source code whenever practicable, unless restricted by law or policy.

12.3.6 Enterprise Solutions

  1. The OCIO must take a leadership role in the design, development, delivery, maintenance, evaluation, and continuous improvement of Enterprise solutions.
  2. Ministries must engage with the OCIO when designing or before making significant modifications to an IT system or application to determine whether components already exist.
  3. Use enterprise or shared IT solutions, resources, and services to avoid duplication when available, appropriate and/or required by corporate policies, standards, processes, or procedures. This includes leveraging existing Common components when reasonable.
  4. When practicable, partner with the OCIO and/or other ministries to design, build and evolve common components.
  5. Identify opportunities for new or improved shared or Enterprise solutions based on business needs.
  6. Ensure that IM IT systems and solutions utilize government’s shared identity services and related technology when identity information management and authentication of individuals, businesses and government workers is required.

For financial systems, see CPPM Chapter 13 (Financial Systems and Controls) for additional requirements.

12.3.7 User-centred Approach

  1. When designing, developing, implementing or evaluating an IM or IT product or service, the OCIO and ministries must work directly with individuals and groups who use or will use, or who are or could be impacted by, the product or service, to ensure their needs are understood, considered and addressed.
  2. Products and services should be accessible to all users or provide accessible alternatives to reduce the barriers experienced by people with disabilities and those with distinct needs.
