Information Governance and Security
Every process in the university is dependent on the collection and management of information. It supports research and teaching, funding applications, administration (including employee administration), engagement with customers and businesses, and compliance with the requirements of bodies such as HESA, the funding councils and law enforcement and border agencies. The management of information is paramount to the successful and continued operation of the institution.
Information legislation provides key frameworks and boundaries for our actions in respect of the University’s information resources. Understanding what is required in the protection of information and the circumstances in which information may be requested, disclosed or withheld, informs processes and procedures and ensures that the University and its staff do not take actions which could attract significant institutional and personal penalties. Understanding the appropriate ways to mitigate problems should they arise helps to minimise the potential for harm to the University, its students, stakeholders and other partners. Such awareness is fundamental to the successful operation of a modern organisation.
Information Governance Framework
The SIRO role sits within the framework of responsibility and accountability for the effective, efficient, safe and compliant management of the University’s information assets.
The framework aims to ensure that each information asset has a clearly defined administrator/manager who is responsible for that asset on a day-to-day basis. That manager implements the Information Governance policies, procedures and instructions to manage the asset and provides regular (and exceptional) reports to the Information Asset Owner (IAO) for that asset, who is responsible and accountable for ensuring that information assets within their area are managed compliantly. The IAO in turn provides compliance reports (regular and exceptional) through the SIRO to UEC.
SIRO Role & Responsibilities
The SIRO is an executive who is familiar with and takes ownership of the organisation’s information risk policy, and acts as advocate for information risk at UEC level.
The SIRO's role is therefore to ensure information assets and risks within the organisation are managed as a business process rather than as a technical issue.
UEC must consider all key risks associated with the diverse businesses and functions of the University. The SIRO will ensure information risks which affect business objectives are highlighted to UEC and addressed. The SIRO should act as a figurehead for information governance within the organisation.
The SIRO’s responsibilities can be summarised as:
- Leading and fostering a culture that values, protects and uses information for the success of the organisation and benefit of its customers
- Owning the organisation’s overall information risk policy and risk assessment processes and ensuring they are implemented consistently by IAOs
- Advising UEC on the information risk aspects of its statement on internal controls
- Owning the organisation’s information incident management framework
The following explores the functions and responsibilities of the SIRO in greater detail.
Lead and foster a culture that values, protects and uses information for the success of the organisation and benefit of its customers
- to ensure the organisation has a plan to achieve and monitor the IG culture across the organisation;
- to take visible steps to support and participate in that plan (including completing own training);
- to maintain sufficient knowledge and experience of the organisation’s business goals, with particular emphasis on the use of and dependency upon internal and external information assets;
- to ensure the organisation has Information Asset Owners (IAOs) who understand their roles and are supported by the information risk management specialists that they need;
- to initiate and oversee an information risk awareness/training programme of work to communicate importance and maintain impetus;
- to ensure that good information governance assurance practice is shared within the organisation.
Own the organisation’s overall information risk policy and risk assessment processes and ensure they are implemented consistently by IAOs.
- to act as the focal point for information risk management in the organisation, including resolution of any escalated risk issues raised by Information Asset Owners, the Data Protection Officer, Auditors etc.;
- to develop and implement an IG Information Risk Policy that is appropriate to all departments of the organisation and their uses of information, setting out how compliance will be monitored;
- to initiate and oversee a comprehensive programme of work that identifies, prioritises and addresses IG risk and systems’ accreditation for all parts of the organisation, with particular regard to information systems that process personal data;
- to ensure that Data Protection Impact Assessments are carried out on all new projects when required;
- to review all key information risks of the organisation on a quarterly basis and ensure that mitigation plans are robust;
- to ensure that IG Policy, information risk management method and standards are documented, applied and maintained consistently throughout the organisation’s information governance risk assessment and management framework;
- to understand the information risks faced by the organisation and its business partners, ensuring that they are addressed and that they inform investment decisions, including outsourcing;
- to ensure that information risk assessment and mitigating actions taken benefit from an adequate level of independent scrutiny.
Advise UEC on the management of information risk and provide assurance
- to ensure that regular updates are tabled at UEC to brief, discuss or report upon matters of information governance risk assurance and information risk culture affecting the organisation, including input to the annual IG reporting processes;
- to sign off an annual assessment of performance, including material from the IAOs and specialists, covering Information Governance reporting requirements.
Own the organisation’s information incident management framework
- to ensure that the organisation has implemented an effective information incident management and response capability that supports the sharing of lessons learned.
The SIRO will be required to undertake initial induction training and an annual update.
Online training resources and a toolkit are available, as well as access to advice and support from the Information Governance Team (see Resources below).