Information management system

These are the rules that govern how suppliers should handle data and information on National Highways' behalf

Information management system (IMS)


Supply Chain Data Governance Manager

UK General Data Protection Regulation (UK-GDPR)

National Highways' information security

Managing National Highways' records

Digital continuity

Classifying and marking information

Data science: machine learning

Information governance assurance

Information ethics

What National Highways expects from the Supplier

The IMS is to be read in conjunction with the relevant National Highways contractual requirements with the Supplier.

 For the purpose of the IMS the Supplier is equivalent to the terms Contractor or Consultant found in different contract forms with National Highways.

The term Supplier includes any sub-suppliers at any stage of remoteness to National Highways.

The Supplier to comply with National Highways' security policy, or to demonstrate corporate security policies providing equal assurance which is accepted by National Highways.

This applies when:

  • accessing or processing National Highways information assets, whether on site or remotely
  • subcontracting to other suppliers

Information requirements and specifications

National Highways policy is supported by:

Requirements - what the Supplier needs to do

National Highways requirements specify what is required for the Supplier to do and who needs to do it.

They will include contact information for National Highways subject matter experts and relevant documentation.

Specifications - how the Supplier does it

National Highways specifications will tell the Supplier how they are to meet the requirement and how the Supplier needs to document this where necessary.

National Highways information principles

National Highways information principles set out the standards required to be followed by all parties when managing their information:

  1. Use information as best as possible, even if it’s not perfect

  2. Increase the trust people have in the information by assuring its fitness for purpose

  3. Information can affect people’s lives and it is used transparently and ethically

  4. Need to understand how the information collected by National Highways and its Suppliers is used by others to make sure it's good enough for everyone

  5. National Highways and its Suppliers must continually earn the right to look after customers' data

  6. Information is a valuable resource that is kept safe and secure from accidents and attacks

  7. Looking after information has a cost - this is understood and accounted for

  8. All parties have a responsibility to look after the information so that it is fit for purpose

  9. Decisions made with information create better outcomes for customers, stakeholders and ourselves

  10. The value of information is only realised when it's used to help make decisions

Legal and regulatory obligations

National Highways and its Suppliers have a responsibility to comply with all current UK and EU legislation as well as a variety of further regulatory and contractual requirements.

Here's a summary of the key legislation governing how National Highways and its Suppliers must use information:

Legislation Governs:

UK General Data Protection Regulation (2018)

The use of personal data by organisations
The Security of Network and Information Systems Regulations (2018) The overall level of security of network and information systems for the provision of essential services
The Freedom of Information Act (2000) An individuals right of access to information
The Privacy and Electronic Communications Regulations (2003) The use of electronic communications
Regulation of Investigatory Powers Act (2000) The powers of public bodies to carry out surveillance and investigation
The Copyright, Designs and Patents Act (CDPA) Copyright law in the UK
The Computer Misuse Act (1990) Misuse of computer equipment in conducting unauthorised activity
The Public Records Act (1958 and 1967) Public records in the UK, establishing a cohesive regulatory framework for public record

Related requirements and specifications detail other applicable legislative requirements or provide further detail on the obligations arising from legislation.