Information Governance and Security
Every process in the university is dependent on the collection and management of information. It supports research and teaching, funding applications, administration (including employee administration), engagement with customers and businesses, and compliance with the requirements of bodies such as HESA, the funding councils and law enforcement and border agencies. The management of information is paramount to the successful and continued operation of the institution.
Information legislation provides key frameworks and boundaries for our actions in respect of the University’s information resources. Understanding what is required in the protection of information and the circumstances in which information may be requested, disclosed or withheld, informs processes and procedures and ensures that the University and its staff do not take actions which could attract significant institutional and personal penalties. Understanding the appropriate ways to mitigate problems should they arise helps to minimise the potential for harm to the University, its students, stakeholders and other partners. Such awareness is fundamental to the successful operation of a modern organisation.
Information Governance Framework
The Information Asset Owner (IAO) role sits within the framework of responsibility and accountability for the effective, efficient, safe and compliant management of the University’s information assets.
The framework aims to ensure that each information asset has a clearly defined administrator/manager who is responsible for that asset on a day-to-day basis. That manager implements the Information Governance policies, procedures and instructions to manage the asset and provides regular (and exceptional) reports to the IAO for that asset, who is responsible and accountable for ensuring that information assets within their area are managed compliantly. The IAO in turn provides compliance reports (regular and exceptional) through the Senior Information Risk Owner (SIRO) to UEC.
IAO Role & Responsibilities
Information Asset Owners (IAOs) must be senior, responsible individuals involved in running the relevant business units. Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result they are able to understand and address risks to the information, and to ensure that information is fully used within the law for the public good. They provide a written judgement of the security and use of their asset annually to support the audit process.
Information Asset Owners are directly accountable to the SIRO and must provide assurance that information risk is being managed effectively in respect of the information assets that they ‘own’.
It is important to distinguish IAOs from those staff who have been assigned responsibility for day-to-day management of information risk on behalf of the IAOs but are not directly accountable to the SIRO (these will be known as Information Asset Administrators).
The SIRO/IAO hierarchy identifies accountability and authority to effect change where required to mitigate identified risk.
IAOs are responsible for:
- Leading and fostering a culture that values, protects and uses information for the success of the organisation and the benefit of its customers
- Knowing what information comprises or is associated with the asset, and understanding the nature and justification of information flows to and from the asset
- Knowing who has access to the asset and why, whether to the system or to the information it holds, so that access is monitored and compliant with policy
- Understanding and addressing risks to the asset, and providing assurance to the SIRO
The University needs to ensure that its IAOs possess the necessary support, knowledge and skills to undertake their role effectively and to provide periodic evidenced statements of information assurance to the SIRO. The IAO should undertake information risk management training at least annually to be able to demonstrate their skills and capabilities are up to date and relevant to the needs of the organisation.
Lead and foster a culture that values, protects and uses information for the success of the organisation and the benefit of its customers
- to understand the Organisation’s plans to achieve and monitor the right IG culture, across the Organisation;
- to take visible steps to support and participate in that plan (including completing own training);
- to ensure that staff understand the importance of effective information governance and receive appropriate education and training;
- to consider whether better use of any information held is possible, within applicable information governance rules, and to identify information that is no longer required.
Knows what information the asset holds, and what enters and leaves it and why
- to maintain an understanding of ‘owned’ assets and how they are used;
- to approve and minimise information transfers while achieving business purposes;
- to approve arrangements where it is necessary for information to be put onto portable or removable media such as laptops, tablets/phones and USB drives, and to ensure the information is effectively protected to University information governance standards;
- to approve the information disposal mechanisms for the asset.
Knows who has access and why, and ensures their use is monitored and compliant with policy
- to understand the organisation’s policies on the use of information and the management of information risk;
- to ensure decisions on access to information assets are taken in accordance with University information governance good practice and the policies of the organisation;
- to ensure that access provided to an asset is the minimum necessary to satisfy business objectives;
- to ensure that the use of the asset is checked regularly and that use remains in line with policy.
Understands and addresses risks to the asset, and provides assurance to the SIRO
- to seek advice from information governance subject matter experts when reviewing information risk;
- to conduct Data Protection Impact Assessments (DPIAs) for all new projects;
- to undertake regular risk assessment reviews for all ‘owned’ information assets in accordance with guidance and report to the SIRO, ensuring that information risks are identified, documented and addressed;
- to escalate risks to the SIRO where appropriate and to make the case where necessary for new investment to secure ‘owned’ assets;
- to provide an annual written assessment to the SIRO for all assets ‘owned’ by them.
The IAO will be required to undertake initial induction training and an annual update.
Online training resources and a toolkit are available, as is access to advice and support from the Information Governance Team (see Resources below).