Information Governance Policy
This policy outlines Bath Spa University's approach to information governance.
Purpose
- Establish the overarching structure for, and consistent approach to, information governance across Bath Spa University.
- Ensure that clearly defined responsibilities and procedures are in place, designed to set out the minimum protocols required across the University.
- Develop and embed professional and appropriate behaviours when handling information and build trust with partners and customers.
- Establish and maintain resilient IT services able to withstand testing, scrutiny and attack, in order to build trust between departments and with partners and students, and to offset uninsurable incident- and compliance-related risks.
Scope
- The policy will be implemented across the University through an Information Governance Programme. This programme will continuously develop, direct and inform the resource, processes and technology in each department to enable the University to operate as an organisation with appropriately strong and mature information governance.
- This policy, including the related protocols, intends to be consistent with all applicable legal and regulatory compliance requirements including, but not limited to, Principle 7 of the Data Protection Act (1998), the Accountability and Governance aspects of the General Data Protection Regulation (2016) and the Freedom of Information Act (2000).
- Commercially, this policy intends to be sufficient to support the attainment of Cyber Essentials Plus accreditation, the establishment of an open-data research capacity, and compliance with the Payment Card Industry Data Security Standard.
Policy statement
- It is the policy of Bath Spa University to have a robust, consistent and effective approach to information governance and to ensure that protocols and procedures are in place covering related IT resilience, professional and entrepreneurial conduct and trust building activity.
- The policy will facilitate the establishment of a holistic management process for information governance. It will ensure the University community understands the risks related to information handling and processing and develops an ability to prevent and respond to potentially disruptive events related to information governance, protecting the interests of students, employees, research partners, and the University’s brand.
- Implementation of this policy complements the Data Protection and Records Management policies by establishing who is responsible and accountable for their implementation. It complements the Risk Management policy by providing a means of discovering, assessing, reporting and treating risks related to information governance.
- This policy recognises there are some potential disruptive events that may affect information governance which are dependent on the effective implementation of other University policies (Appendix 2).
Policy detail
The Policy Owner is accountable for the establishment and correct operation of an Information Governance Programme Board and the Information Governance Programme.
The Information Governance Programme Board (IGPB) is accountable for:
- Establishing the necessary resource and processes in each department, able to respond to the changing needs of information governance.
- Informing Senior Management and line managers in departments of the gaps in current practice, emerging threats and vulnerabilities, opportunities and the front-line information governance realities for customers and suppliers.
- Setting targets and directing production of appropriate information governance protocols, practices and procedures.
- Developing an organisational capability that brings coherence to information governance and ensures the University is able to manage any disruption, complexity and/or change.
The Information Governance Programme Board is responsible for the establishment of a programme plan to:
Develop an adaptive capacity:
- With the support of the Senior Management Team (SMT) establish a network of Data Assessors in each department to develop a positive information governance risk culture and co-ordinate promotion, continuous improvement activity and reporting in departments as part of normal business.
- Heed advice from subject matter experts, engage with Data Assessors in each department to alert them to operational risks and consequences of information governance failure, and support any necessary change in operating protocol, practices and procedures.
Be informed:
- Monitor and report the application of operating protocols, practices and procedures to the Bath Spa University community, and where this identifies gaps and exceptions, commission external audits if appropriate.
- Identify and validate emerging information governance threats and vulnerabilities, impending changes and potential opportunities.
- Inform and consult other working groups where dependencies or overlaps exist in operational areas of concern, for example, the Research Data Management Group.
- Promote the open sharing of information governance incidents, threats and vulnerabilities with the Bath Spa University community, including consideration of worst-case scenarios.
Set direction:
- Set targets for the Data Assessors to progress development and implementation of protocols, practices and procedures, work toward information governance assurance targets, engage subject matter experts and commission external assistance where necessary, making informed choices, prioritising areas of action and monitoring progress.
- Develop Data Assessor capability through training and devolved responsibility for production of relevant practices and procedures and operation of resources aligned to agreed protocols.
Strengthen the organisation:
- Support Data Assessors in responding to and recovering from disruptions and crises, identifying the changing expectations and concerns of customers, partners and suppliers.
- Recognise and manage complexity by handling requests for exceptions to protocols, practices and procedures, and by presenting current and accepted operational risks to the Bath Spa community. This includes formalising variations to protocols to cover operations overseas.
- Learn lessons from incidents and through exercises to ensure future stability.
Bring coherence:
- Develop tools and campaigns to embed a set of Information Governance behaviours in departments as set out in protocols, practices and procedures.
- Act as a conduit for working with national agencies, partners and the police where required.
Responsibilities
- Each member of the Senior Management Team (SMT) will be responsible for ensuring the appointment of a suitable Data Assessor and active support of the Information Governance Programme within every department across the University, and where appropriate at every site.
- The Data Assessors will inform the development of practices and procedures.
- Whenever there is a significant change in the operating environment or a practice or procedure, the Data Assessors must review this within their departments and assist with formal reviews led by the Information Governance Programme Board (IGPB).
- The Policy Controller is responsible for identifying, informing and consulting subject matter experts and any other working groups, outsiders or other independent professional advice where dependencies or overlaps exist in operational areas of concern.
- These responsibilities form the IGPB terms of reference.
Accountability
- The University Executive, currently the Vice-Chancellor’s Advisory Group (VCAG), has ultimate responsibility and authority for approving this policy and the related Information Governance Programme Board terms of reference.
- The Information Governance Programme Board is accountable to the VCAG for the maintenance of the Information Governance Programme.
- The Policy Owner is responsible for maintenance of the policy and circulation to relevant parties.
- The Policy Controller and Policy Owner are responsible for identifying any required updates to this policy.
- The Data Protection Officer and Information Security Manager are responsible and accountable for the appropriateness of the protocols, practices and procedures intended to support Information Security Management.
- VCAG must approve this policy and any changes to it.
- Employees are accountable and responsible for their own actions.
- All managers are accountable and responsible for ensuring that the policy is effectively applied and adhered to at all times.
- Those providing services directly to students will instruct them on good information governance where they need to ensure appropriate management of data and resources, for example through Research Data Management Plans, and the Regulations for the use of computer facilities.
Information and communication
- This policy and any updates to it are accessible on the Bath Spa University website.
- The Chief Operating Officer will communicate this policy to all employees.
- Training on this policy will be delivered by notification to departments and through the coordination activity of the Policy Controller with others in the business.
- The Information Governance Programme Board will develop communications about how the changing nature of Information Governance affects employees and suppliers' roles and their part in planned responses to disruptive events.
Policy monitoring and maintenance
- The Policy Controller is responsible for monitoring adherence to and effectiveness of this policy.
- All instances of internal control risks and/or non-compliance with the policy must be reported to the Policy Owner, in the first instance, and will be reported to the Programme Board and VCAG where appropriate.
- The Policy Controller must maintain an appropriate monitoring plan, based on measures agreed with the Policy Owner for assessing adherence to the policy and its effectiveness.
Affected areas and exceptions
- The areas affected by this policy are the departments located at every operational site.
- Any potential disruption affecting a single department alone should be considered by the Data Assessors, with reference to their Senior Manager should the potential disruption go beyond their limit of delegation.
- All breaches of this policy or requests for exception must be referred to the Policy Owner for a decision on treatment or acceptance as a risk to the correct operation of the Information Governance Programme Board.
Review cycle
- The Policy Owner will review this policy annually or more frequently if required. Additional reviews may be triggered by major changes in University strategy, the regulatory environment, or customer expectations.
- This version of the policy remains effective until VCAG either withdraws this policy or approves any updates to it.
Effective date
This Policy is effective from 1 September 2017 and supersedes all previous versions and/or other policies that cover the same subject matter.
Date of last approval: 18 December 2017
Approved by: Interim Vice-Chancellor, Nick Foskett
Date of next review: 1 January 2019
Department/Post responsible: VCAG