Information Governance Policy
1. Policy Statement
The University is committed to complying with data protection and freedom of information legislation. The University will take all reasonable steps to ensure that its processing of personal data is fair, lawful, and compliant with data protection legislation.
The objective of the Policy is to ensure that the University complies with data protection and freedom of information legislation and relevant Codes of Practice issued by the Information Commissioner and that it upholds the rights of data subjects with regard to the processing of their personal data. This applies when the University is acting as sole data controller, joint data controller or as a data processor.
The purpose is to specify the University's policy on information governance.
This policy has been developed in the context of the new General Data Protection Regulation (GDPR) and the Data Protection Bill which, subject to Royal Assent, will become the Data Protection Act 2018 and will repeal the Data Protection Act 1998. The Privacy and Electronic Communications (EC Directive) Regulations 2003 are also likely to be replaced by the proposed new Regulation on Privacy and Electronic Communications.
Other relevant legislation includes:
- The Freedom of Information Act 2000
- The Environmental Information Regulations 2004
This policy applies to all staff/employees of the University including:
- employees of the University;
- members of the Board of Governors and other Committee members;
- employees directly or deemed employed by subsidiary or associated companies;
- employees directly or indirectly employed by overseas offices and branches;
- associate lecturers;
- agency staff working for the University;
- any other third parties who work on delivering University services and are paid through a contract for services;
- students who are not employees but are provided with work experience pursuant to a training course or with training for employment at the University, but in either case this must not be part of their University course.
5. Policy Details
The University will:
- ensure that its processing of personal data is in accordance with data protection legislation, in particular the data protection principles set out in the GDPR;
- put in place appropriate policies and procedures to ensure compliance with the legislation;
- appoint a Data Protection Officer (DPO) and ensure that the DPO is able to carry out the tasks specified in the GDPR;
- implement appropriate technical and organisational measures for ensuring the security of personal data appropriate to the risk;
- maintain records of its processing activities;
- notify the Information Commissioner and data subjects of data security breaches in line with legal requirements and guidance from the ICO;
- take appropriate measures to ensure that the rights of data subjects are upheld;
- carry out privacy impact assessments where appropriate;
- cooperate fully with the ICO when requested to do so;
- ensure that any data processors it engages provide sufficient guarantees of compliance and enter into an appropriate written contract;
- ensure compliance with the Freedom of Information Act and the Environmental Information Regulations;
- ensure that it maintains appropriate records.
6. Roles and Responsibilities
All staff will comply with data protection legislation and will:
- adhere to related University policies and procedures;
- ensure that they are familiar with related guidance;
- undertake data protection training appropriate to their role;
- report data security incidents immediately in accordance with reporting procedures;
- ensure personal data is collected in accordance with the legislation and that Privacy Notices are issued when required;
- ensure that data is shared appropriately and securely;
- ensure that data is deleted/destroyed when no longer required and is destroyed in a secure manner;
- process personal data in accordance with the rights of data subjects and assist with the collation of information for Subject Access Requests (SARs);
- assist in the completion and maintenance of Information Asset Registers and records retention schedules;
- raise concerns with their Information Governance Guardian or the Data Protection Officer in a timely manner;
- assist with responses to requests for information made under the Freedom of Information Act and the Environmental Information Regulations;
- ensure that they manage records appropriately and in line with University guidelines.
Senior Information Risk Owner (SIRO)
The SIRO is the Chief Operating Officer and has overall responsibility for information as a strategic asset of the University, ensuring that the value of information to the University is understood and recognised and that measures are in place to protect against risk. This information includes personal data as defined by the Data Protection Act 1998 and the General Data Protection Regulation.
The SIRO's responsibilities are:
- leading and championing information governance across the University;
- fostering a culture that values, protects and uses information for the success of the University and the benefit of our stakeholders;
- ownership and oversight of information risk management;
- advising the University Leadership Team and the Audit and Risk Committee on information risks and controls.
The SIRO will be supported by the University Secretary.
The University Secretary's responsibilities are:
- to support the SIRO in managing information risk;
- to line manage the Data Protection Officer and the Information Governance Team;
- to manage the budget and resources for the DPO role and the Information Governance Team;
- to chair the Information Governance Forum for Professional Services;
- to chair data security incident management team meetings.
Data Protection Officer (DPO)
The role of the Data Protection Officer is set out in Articles 37-39 of the General Data Protection Regulation and can be summarised as follows:
- to inform and advise the University and University staff of their data protection obligations;
- to act in the interests of data subjects in providing advice and guidance to the University in information governance compliance;
- to monitor the University's compliance with data protection legislation;
- to provide advice where required on data protection privacy impact assessments;
- to cooperate with and be the point of contact for the ICO.
The Data Protection Officer will be a member of each Information Governance Forum and attend Data Security Incident Management meetings.
Information Governance Team in Governance Services
The Information Governance Team will:
- develop and maintain information governance policies, procedures and guidance
- coordinate requests for information (SARs, FOI requests, EIR requests)
- provide advice and support to the SIRO, the IGGs and other staff
- provide briefings and training
- carry out data protection audits
- carry out privacy impact assessments where required
- manage data security incidents
- oversee the effective handling of complaints relating to information governance
Information Governance Guardians (IGG)
Each academic department and professional services area shall nominate an IGG. IGGs will:
- lead and champion information governance in their department;
- ensure that the processing of personal data in their department is compliant with data protection legislation;
- approve any new data sets or processes which involve the use of personal data, ensuring that they are in line with data protection legislation and University policies;
- put into place appropriate procedures in their department;
- assess, monitor and manage information governance risks in their department;
- ensure that any data protection or information security incidents are swiftly addressed locally and correctly notified in line with relevant University procedures;
- maintain information governance continuous improvement action plans for their department and monitor progress against the action plan;
- ensure that staff within their department have undertaken appropriate data protection training and information security training and are aware of relevant policies, procedures, and guidance;
- ensure that appropriate technical and organisational measures are in place within their department to protect personal data;
- attend the appropriate Information Governance Forum.
Information Governance Forums
Three forums will meet quarterly to monitor information risks and controls, data protection compliance, and to monitor progress against continuous improvement action plans:
- Academic Departments from College of Health, Wellbeing and Life Sciences and College of Social Sciences and Arts
- Academic Departments from College of Business, Technology and Engineering and Sheffield Business School
- Professional services areas
The membership of the forums will be as follows:
- Information Governance Guardians from the areas concerned
- Data Protection Officer
- Information Governance Team staff
- Other members from relevant areas nominated by the respective Information Governance Guardians
The University Secretary will chair the professional services forum. The Information Governance Guardians of the other two forums will chair those forums on a rotating basis.
7. Definitions and Abbreviations
The following terms are defined in the legislation:
- personal data
- data controller
- data processor
- data subject
The Information Commissioner is the UK regulator for data protection legislation.
8. Associated Documents
General Data Protection Regulation
Data Protection Bill (subject to Royal Assent this will become the Data Protection Act 2018)
The Privacy and Electronic Communications (EC Directive) Regulations 2003
Proposed new Regulation on Privacy and Electronic Communications
Freedom of Information Act 2000
Environmental Information Regulations 2004