Introduction

Every process in the university is dependent on the collection and management of information. It supports research and teaching, funding applications, administration (including employee administration), engagement with customers and businesses, and compliance with the requirements of bodies such as HESA, the funding councils and law enforcement and border agencies. The management of information is paramount to the successful and continued operation of the institution.

Information legislation provides key frameworks and boundaries for our actions in respect of the University’s information resources. Understanding what is required in the protection of information and the circumstances in which information may be requested, disclosed or withheld, informs processes and procedures and ensures that the University and its staff do not take actions which could attract significant institutional and personal penalties. Understanding the appropriate ways to mitigate problems should they arise helps to minimise the potential for harm to the University, its students, stakeholders and other partners. Such awareness is fundamental to the successful operation of a modern organisation.

Information Governance Framework

The SIRO role sits within the framework of responsibility and accountability for the effective, efficient, safe and compliant management of the University’s information assets.

The framework aims to ensure that each information asset has a clearly defined administrator/manager who is responsible for that asset on a day-to-day basis. That manager implements the Information Governance policies, procedures and instructions to manage that asset and provides regular (and exceptional) reports to the Information Asset Owner (IAO) for that asset, who is responsible and accountable for ensuring that information assets within their area are managed compliantly. The IAO in turn provides compliance reports (regular and exceptional) through the SIRO to UEC.

SIRO Role & Responsibilities

The SIRO is an executive who is familiar with and takes ownership of the organisation’s information risk policy, and acts as advocate for information risk at UEC level. 

The SIRO's role is therefore to ensure information assets and risks within the organisation are managed as a business process rather than as a technical issue.

UEC must consider all key risks associated with the diverse businesses and functions of the University. The SIRO will ensure information risks which affect business objectives are highlighted to UEC and addressed. The SIRO should act as a figurehead for information governance within the organisation.

The SIRO’s responsibilities can be summarised as: 

  • Leading and fostering a culture that values, protects and uses information for the success of the organisation and benefit of its customers
  • Owning the organisation’s overall information risk policy and risk assessment processes and ensuring they are implemented consistently by IAOs
  • Advising UEC on the information risk aspects of his/her statement on internal controls
  • Owning the organisation’s information incident management framework 

The following explores the functions and responsibilities of the SIRO in greater detail.

Lead and foster a culture that values, protects and uses information for the success of the organisation and benefit of its customers 

Responsibilities: 

  • to ensure the Organisation has a plan to achieve and monitor the IG culture across the Organisation;
  • to take visible steps to support and participate in that plan (including completing own training);
  • to maintain sufficient knowledge and experience of the organisation’s business goals, with particular emphasis on the use of and dependency upon internal and external information assets;
  • to ensure the Organisation has Information Asset Owners (IAOs) who understand their roles and are supported by the information risk management specialists that they need;
  • to initiate and oversee an information risk awareness / training programme of work to communicate importance and maintain impetus;
  • to ensure that good information governance assurance practice is shared within the organisation.

Own the organisation’s overall information risk policy and risk assessment processes and ensure they are implemented consistently by IAOs

Responsibilities:

  • to act as the focal point for information risk management in the organisation, including resolution of any escalated risk issues raised by Information Asset Owners, the Data Protection Officer, Auditors etc.;
  • to develop and implement an IG Information Risk Policy that is appropriate to all departments of the organisation and their uses of information, setting out how compliance will be monitored;
  • to initiate and oversee a comprehensive programme of work that identifies, prioritises and addresses IG risk and systems’ accreditation for all parts of the organisation, with particular regard to information systems that process personal data;
  • to ensure that Data Protection Impact Assessments are carried out on all new projects when required;
  • to review all key information risks of the organisation on a quarterly basis and ensure that mitigation plans are robust;
  • to ensure that IG Policy, information risk management method and standards are documented, applied and maintained consistently throughout the organisation’s information governance risk assessment and management framework;
  • to understand the information risks faced by the organisation and its business partners, ensuring that they are addressed and that they inform investment decisions including outsourcing;
  • to ensure that information risk assessment and mitigating actions taken benefit from an adequate level of independent scrutiny.

Advise UEC on the management of information risk and provide assurance

Responsibilities: 

  • to ensure that regular updates are tabled at UEC to brief, discuss or report upon matters of information governance risk assurance and information risk culture affecting the organisation, including input to the annual IG reporting processes;
  • to sign off an annual assessment of performance, including material from the IAOs and specialists, covering Information Governance reporting requirements.

Own the organisation’s information incident management framework

Responsibilities:

  • to ensure that the organisation has implemented an effective information incident management and response capability that supports the sharing of lessons learned.

Training

The SIRO will be required to undertake initial induction training and an annual update.

Online training resources and a toolkit are available, as well as access to advice and support from the Information Governance Team (see Resources below).

Resources