
IMP 01: Information Management Framework Policy

(Information Classification - Public)

Policy introduction

The security and management of information is critically important at the University of Warwick. In establishing an Information Management Policy Framework, the University recognises the need to ensure that it has arrangements in place for:

  • The protection of sensitive information (e.g. research, personal, commercial sensitive) to prevent unauthorised access, disclosure or loss.
  • Compliance with legal requirements that govern the management of information, such as UK GDPR, Freedom of Information and legislation or obligations specific to different types of information and research requirements.
  • The mitigation of information related risks through the establishment of principles, requirements and processes for the management of information assets at the University.

The Information Management Policy Framework contains the policies, standards and Standard Operating Procedures (SOPs) that make arrangements for the management and security of information assets throughout their lifecycle at the University.

Policy purpose

IMP 01: Information Management Framework Policy governs the creation, implementation and management of all the policies, standards and SOPs that form the University’s Information Management Framework. It also establishes the principles that underpin all activities set out in documents within the framework.

This policy follows the recommended format of the University’s overarching Policy Framework with the exception that within the Information Management Policy Framework the term ‘standard’ is used in place of codes of conduct. The rationale for this is that ‘standards’ is a widely used term in Information Compliance Management.

A diagram of the policy framework will be maintained to show the relationship between policies, standards, SOPs and guidance.

Information Management Framework structure

The Information Management Policy Framework is made up of policies, standards, SOPs and guidance. Within the framework these documents perform the following roles:

Policies - are the top-level basis for internal decision-making and are mandatory. They reflect Warwick’s values, assign responsibilities and ensure compliance with legislation. The policies in the framework set the principles for their specific specialist area, which shape the requirements for their supporting standards and SOPs. All policies in the framework have the reference ‘IMP’ followed by a unique number.

Standards - are more prescriptive than policies, set out the requirements for implementing their parent policy and are mandatory. All standards in the framework have the reference ‘IMST’ followed by a unique number.

Standard Operating Procedures (SOPs) - provide detailed step-by-step instructions that describe how standards and policies will be implemented and can be tailored to reflect departmental or function-specific practices. All SOPs in the framework have the reference ‘IMSP’ followed by a unique number. Individual departments may maintain related SOPs, but these do not form part of the framework.

Guidance - is not mandatory but provides advice on good practice related to a specific area in which there is sometimes no overarching legislation, regulation or single way of achieving a desired outcome. Guidance may be published in different forms and in different places.

Scope and definitions

The policy covers everyone who has a contractual (formal or informal/implied) relationship with the University, including employees, students, visiting academics, and consultants. Please note that this list is not exhaustive.

Policy responsibilities

The Chief Information & Transformation Officer (CITO) retains overall accountability for the Information Management Framework. The Chief Information Security Officer (CISO) has delegated authority for ensuring the framework meets legal and regulatory requirements and for keeping its constituent policies, standards and SOPs up to date.

Each individual policy will be discussed at the Information Security and Data Protection Committee and the Digital and Operations Committee before the Policy Oversight Group (POG) recommends it for approval by the University Executive Board.

It is the accountability of the CISO to ensure that this policy is implemented effectively across the University and reviewed at the agreed frequency.

It is the responsibility of managers to respond to requests for information that supports the effective execution of this policy.

It is the responsibility of managers to manage non-compliance incidents in line with the processes that are attached to this policy.

It is the responsibility of managers designated as Information Asset Owners, or the product owner for a university-wide system, to comply with the processes for the management of risk as it applies to Information.

Operational responsibilities

Role | Function
Designate of Head of Department (e.g. academic lead on research, individuals with delegated authority for information, system administrators) | Responsible - for overseeing the use of the policy within areas of responsibility
Head of Department | Accountable - for use of the policy within Departments
Information Risk and Compliance Team (with escalation to CISO and CITO required) | Consult - to discuss organisational level use of the policy
IDG Digital Business Partners | Inform - must be informed of the content of the policy to communicate it to their departments

Information Security Risk and Compliance teams

To varying extents all working roles have responsibility for Information Management. However, the University maintains a team of specialists in IDG that performs the following functions.

The Information Risk and Compliance Team has within its remit operational responsibility for the maintenance and further development of the Information Management Policy Framework, along with advising on its use, including its supporting standards and SOPs, as well as on other regulatory requirements. The team manages compliance, risk and training in relation to Information Security.

Information Management Policy Framework principles

The principles of this policy mandate how Information Management and Security is undertaken at the University (e.g. the design and implementation of security controls in an information system). All policies in the Information Management Policy framework are built on these principles.

Policies within the framework will in some cases contain principles which govern their specialist area (e.g. Information and Records Management) but the foundation for these will be the principles contained in this overarching framework policy.

  1. Confidentiality: Information will only be accessible to those with a legitimate need based on an individual’s role. Measures will be taken to prevent unauthorised access to information.
  2. Integrity: The accuracy of information must be maintained.
  3. Availability: Information must be available to authorised users when needed.
  4. Asset ownership and security: Each information asset will have an assigned owner responsible for defining its appropriate use and ensuring security measures are in place.
  5. Classification: All information will be classified based on confidentiality (refer to the Information Classification standard).
  6. Responsibility: Individuals granted access to information must handle it appropriately according to its classification.

Policy review and revision

Each individual policy, standard and SOP in the framework will be reviewed within IDG annually with a substantial review involving consultation across the University every three years in line with the University’s Policy Framework. In some cases, review may be required earlier if there is a change of legislation, regulation or a change in approach at the University. The review date will be taken from the date of publication of the latest version of the policy.

The approach to review should be driven by the individual policy’s needs, but reference must be made to the rest of the framework to ensure alignment and, where necessary, changes proposed elsewhere in the framework.

Exceptions

‘Exception requests’ under this policy must be submitted to the CITO or their designate. Authority to approve exception requests is delegated to the Information Risk and Compliance Team. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.

This policy may have an impact on users of assistive technology or assistive software, depending on circumstances. Such cases will be considered individually.

Compliance monitoring

Committees with oversight of information management will be responsible for monitoring compliance with this policy.

Each individual policy will establish the ‘Compliance Monitoring’ requirements for that policy.

Legal and compliance

One of the main functions of the Information Management Policy Framework is to ensure compliance with the University’s legal and regulatory obligations relating to the processing of information.

The following is a list of legal and regulatory obligations that the University is required to abide by in relation to the management and security of information (this list is not exhaustive).

JANET policies

The University, along with other UK educational and research institutions, uses the ‘JANET’ (Joint Academic NETwork) electronic communications network and must therefore comply with JANET’s Acceptable Use and Security Policies. Both policies are available from the JANET policy website.

Payment Card Industry Data Security Standard (PCI DSS)

The University must comply with the Payment Card Industry Data Security Standard (PCI DSS) when processing payment (credit/debit) cards.

UK General Data Protection Regulations (UK GDPR)

UK GDPR governs the processing of personal data in the UK and is aligned with the EU’s GDPR to provide a high level of protection for personal data.

Equality Act 2010

The Equality Act protects people from discrimination in the workplace and in wider society and sets out the different ways in which it’s unlawful to treat someone (please also see Public Sector Accessibility Regulations 2018).

Freedom of Information Act 2000

FOIA provides public access to information held by public authorities (including the University) unless certain specified exemptions set out in the Act apply to a particular access request.

The Computer Misuse Act 1990

The Computer Misuse Act 1990 is a law in the UK that deals with illegal computer activities. It makes it a crime to:

  • Access someone’s computer files without permission, or use unauthorised access to a computer to do something illegal or to help someone else do something illegal.
  • Do something without permission that causes a computer to not work properly, or that creates a serious risk of it not working properly.

The Act aims to protect people from having their computers misused or damaged.

The Regulation of Investigatory Powers Act 2000 (RIPA)

RIPA regulates the powers of public bodies to carry out surveillance and investigation. It covers the interception of communications and ensures that such activities are conducted within a legal framework to protect individuals’ privacy rights.

Privacy and Electronic Communications Regulations 2003 (PECR)

PECR provides specific privacy rights concerning electronic communications. The regulations include rules on marketing calls, emails, texts, and faxes; the use of cookies and similar technologies; securing communication services; and customer privacy related to traffic and location data, itemised billing, line identification, and directory listings.

Public Sector Bodies Accessibility Regulations 2018

The accessibility regulations make provision for ensuring that services and content can be used and understood by the widest audience possible. This means making sure websites and mobile apps are ‘perceivable, operable, understandable and robust’. Services must meet the international WCAG 2.2 AA accessibility standard and have in place an accessibility statement that explains the accessibility of the service or app.

Network and Information Systems Regulations 2018 (NIS Regulations)

The regulations aim to provide legal measures to enhance the level of security (both cyber and physical resilience) for essential services such as transport, energy, water, health, and digital infrastructure, as well as for digital services like online marketplaces, search engines, and cloud computing services.

Waste Electrical and Electronic Equipment (WEEE)

The regulations aim to reduce the amount of electrical and electronic waste going to landfill sites and improve recovery and recycling rates of these products. They apply to all businesses that import, manufacture, or re-brand electrical and electronic equipment in the UK.

Version/document control

Version | Date created | Date published | Next review | Notes/outcomes
1.0 | December 2024 | 05 February 2025 | December 2025 | A new policy that replaces IM01: Policy of Policies, IG01: Information Governance Policy and IS01: Information Security Policy