- About this website /
- Privacy and GDPR /
- Information Governance Policy
Information Governance Policy
1. Policy Statement
The University is committed to complying with data protection and freedom of information legislation. The University will take all reasonable steps to ensure that its processing of personal data is fair, lawful, and compliant with data protection legislation.
2. Objectives
The objective of the Policy is to ensure that the University complies with data protection and freedom of information legislation and relevant Codes of Practice issued by the Information Commissioner and other applicable regulators, and that it upholds the rights of data subjects with regard to the processing of their personal data. This applies when the University is acting as sole data controller, joint data controller or as a data processor.
3. Purpose
The purpose is to specify the University's policy on information governance.
The relevant legislation is:
- the UK General Data Protection regulation (UK GDPR)
- the Data Protection Act 2018
- the EU General Data Protection Regulation (where processing falls within the territorial scope of the EU legislation)
- the Privacy and Electronic Communications (EC Directive) Regulations 2003
- The Freedom of Information Act 2000
- The Environmental Information Regulations 2004
4. Scope
This policy applies to all staff/employees of the University including:
- employees of the University;
- members of the Board of Governors and other Committee members;
- employees directly or deemed employed by subsidiary or associated companies;
- employees directly or indirectly employed by overseas offices and branches;
- associate lecturers;
- agency staff working for the University;
- any other third parties who work on delivering University services and are paid through a contract for services;
- students who are not employees but are provided with work experience pursuant to a training course or with training for employment at the University, but in either case this must not be part of their University course
5. Policy Details
The University will
- ensure that its processing of personal data is in accordance with data protection legislation, in particular the data protection principles set out in the GDPR;
- put in place appropriate policies and procedures to ensure compliance with the legislation;
- appoint a Data Protection Officer (DPO) and ensure that the DPO is able to carry out the tasks specified in the GDPR;
- implement appropriate technical and organisational measures for ensuring the security of personal data appropriate to the risk;
- maintain records of its processing activities;
- notify the Information Commissioner and data subjects of data security breaches in line with legal requirements and guidance from the ICO;
- take appropriate measures to ensure that the rights of data subjects are upheld;
- carry out privacy impact assessments where appropriate;
- cooperate fully with the ICO when requested to do so;
- ensure that any data processors it engages provide sufficient guarantees of compliance and enter into an appropriate written contract;
- ensure compliance with the Freedom of Information Act and the Environmental Information Regulations;
- ensure that it maintains appropriate records.
6. Roles and Responsibilities
All staff
All staff will comply with data protection legislation and will:
- adhere to related University policies and procedures;
- ensure that they are familiar with related guidance;
- undertake data protection training appropriate to their role;
- report data security incidents immediately in accordance with reporting procedures;
- ensure personal data is collected in accordance with the legislation and that Privacy Notices are issued when required;
- process personal data in accordance with the data protection principles which state that “Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
- ensure that data is shared appropriately and securely;
- ensure that data is deleted/destroyed when no longer required and is destroyed in a secure manner;
- process personal data in accordance with the rights of data subjects and assist with the collation of information for Subject Access Requests (SARs);
- assist in the completion and maintenance of Information Asset Registers and records retention schedules;
- raise concerns with their Information Governance Guardian or the Data Protection Officer in a timely manner;
- assist with responses to requests for information made under the Freedom of Information Act and the Environmental Information Regulations;
- ensure that they manage records appropriately and in line with University guidelines.
Senior Information Risk Owner (SIRO)
The SIRO is the Chief Operating Officer and has overall responsibility for information as a strategic asset of the University, ensuring that the value of information to the University is understood and recognised and that measures are in place to protect against risk. This information includes personal data as defined by the Data Protection Act 1998 and the General Data Protection Regulation.
The SIRO's responsibilities are:
- leading and championing information governance across the University;
- fostering a culture that values, protects and uses information for the success of the University and the benefit of our stakeholders;
- ownership and oversight of information risk management ;
- advising the University Leadership Team and the Audit and Risk Committee on information risks and controls.
The SIRO will be supported by the University Secretary.
University Secretary
The University's Secretary's responsibilities are:
- to support the SIRO in managing information risk;
- to line manage the Data Protection Officer and the Information Governance Team;
- to manage the budget and resources for the DPO role and the Information Governance Team;
Data Protection Officer (DPO)
The role of the Data Protection Officer is set out in Articles 37-39 of the General Data Protection Regulation and can be summarised as follows:
- to inform and advise the University and University staff of their data protection obligations;
- to act in the interests of data subjects in providing advice and guidance to the University in information governance compliance;
- to monitor the University's compliance with data protection legislation;
- to provide advice where required on data protection privacy impact assessments;
- to cooperate with and be the point of contact for the ICO.
The Data Protection Officer will lead the Information Governance Team, will chair the Information Governance Forum and will chair Data Security Incident Management meetings.
Information Governance Team in Governance Services
The Information Governance Team will:
- develop and maintain information governance policies, procedures and guidance;
- coordinate requests for information (SARs, FOI requests, EIR requests);
- provide advice and support to the SIRO, the IGGs and other staff;
- provide briefings and training;
- carry out data protection audits;
- carry out privacy impact assessments where required;
- manage data security incidents;
- oversee the effective handling of complaints relating to information governance.
Directors, Deans and, Heads of Department
Senior leaders will, in their respective areas:
- ensure that the processing of personal data is compliant with data protection legislation;
- lead and champion compliance with data protection legislation;
- sign off relevant Data Protection Impact Assessments (DPIA)s and ensure that their teams manage any risks identified.
Information Governance Guardians (IGG)
Each area of the University will be represented by at least one IGG. IGG's will:
- lead and champion awareness of information governance in their respective team or area;
- acts as a point of contact for information governance matters in their respective areas;
- put into place appropriate procedures in their department;
- assess, monitor and manage information governance risks in their department;
- ensure that any data protection or information security incidents are swiftly addressed locally and correctly notified in line with relevant University procedures ;
- work with the Information Governance Team to address any lessons learnt from data breaches and implement appropriate remedial actions and to agree to maintain information governance continuous improvement action plans for their department and monitor progress against the action plan;
- ensure that staff within their department have undertaken appropriate data protection training and information security training and are aware of relevant policies, procedures, and guidance;
- ensure that appropriate technical and organisational measures are in place within their department to protect personal data;
- attend the Information Governance Forum and cascade relevant information governance guidance in their areas.
Information Governance Forum
The forum will meet three times each year to discuss and monitor information risks, issues, controls, and actions required to ensure compliance, staff training and awareness, and to promote privacy by design and by default.
The membership of the forums will be as follows:
- Information Governance Guardians
- Data Protection Officer (Chair)
- Information Governance Team staff
- Other members from relevant areas nominated by the respective Information Governance Guardians or by the Data Protection Officer.
The Information Governance and Cyber Security Oversight Group
The Terms of Reference for the Group are:
- To provide oversight, scrutiny and assurance in the areas of information governance and cyber security in order to ensure adequate and robust legal compliance and cyber security by reviewing and challenging:
- Key performance indicators, risks and issues
- Data security and critical IT incident management, statistics, trends and lessons learnt
- Development and action plans and priorities particularly in the context of changes to requirements within the University and changes in legislation and the external environment.
- To make reports, where appropriate, to the University Leadership Team, the Audit and Risk Committee, the Board of Governors.
The membership of the group will comprise:
- Senior Information Risk Owner – Deputy Vice-Chancellor (Strategy and Operations) (Chair)
- Chief Information Officer
- Head of Digital Architecture
- Head of Information Governance and Data Protection Officer
- University Secretary
7. Definitions and Abbreviations
The terms:
- personal data
- processing
- data controller
- data processor
- data subject
are defined in the legislation.
The Information Commissioner is the UK regulator for data protection legislation.
8. Associate Documents
Data Protection Guidance
Data Protection and Freedom of Information section of University website
Monitoring Policy
DTS policies
9. References
The UK GDPR
The EU General Data Protection Regulation
Data Protection Act 2018
The Privacy and Electronic Communications (EC Directive) Regulations 2003
Freedom of Information Act 2000
Environmental Information Regulations 2004