Policy Introduction and Purpose

This policy sets out the high-level principles and policies for information governance across the University and makes clear the responsibilities and reporting lines for members of staff. It is part of an overarching information management framework.

The University acknowledges that information is a key asset for the institution. Adherence to this policy and the overall framework is therefore mandatory to ensure good governance.

Scope and Definitions

This Policy applies to everyone who has a contractual relationship with the University including all employees (both full-time and part-time across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes visiting professors, consultants/ self-employed carrying out roles which if carried out by an employee would require disclosure. For purposes of this Policy we will refer to everyone covered as “staff”.

This policy applies to all information held for the purposes of the University’s operations including, but not limited to, the provision of teaching and education, research, student and staff support, commercial activity, internal and external reporting and publications. It applies to information created by members of the University and to information received from third parties.

A glossary of the terms used throughout the Policy can be found in Document IM03 – Glossary of Terms for Information Management. This policy sits within the Information Management Policy Framework and should be read in conjunction with the over-arching policies IM01 – Information Management Policy of Policies and IM02 – Information Management Training Policy.

Responsibilities

Policy Responsibilities

Chief Information & Transformation Officer (CITO):

1. The CITO is responsible for the strategic management and ongoing development of all areas and aspects of information management at the University.
2. As such, the CITO is also responsible for ensuring the effective implementation, monitoring of compliance and reviewing and managing all information management policies.
3. The CITO can be contacted using helpdesk@warwick.ac.uk

The Data Protection Officer (DPO) is responsible for:

1. Providing information and advice on all data protection related matters
2. Monitoring and auditing conformance with statutory requirements
3. Providing advice on Data Protection Impact Assessments (DPIA) and monitoring the DPIA process
4. Cooperating with the Information Commissioner’s Office and acting as the contact point between the University and the Information Commissioner’s Office (ICO)
5. The DPO can be contacted using DPO@warwick.ac.uk

Operational Responsibilities

Principles of this Policy

The University will adopt the following principles in the design and implementation of its Information Governance Framework:

• Adequacy and Accuracy – ensuring that all information held is both sufficient to properly fulfil our stated purpose and is correct and not misleading
• Public by Default– information is classified at the lowest level of classification by default, being restricted only if it meets a genuine restriction criterion
• Digital by Default – adopting a "digital by default" approach to information management
• Transparency – using information to increase trust with the University's staff, students and other stakeholders.
• Enabling – using information effectively to support the University's wider vision and strategy
• Discoverability – information should be tagged and stored in such a way that makes it easy to retrieve
• Integrity – ensuring information is of a consistent high quality across the University and that information is used and represented honestly by all.
• Ownership – ensure that all information created or held by the University has a designated owner and is appropriately managed
• Value – recognising the importance of the University's information assets and ensuring that maximum value is obtained from them
• Security – ensuring that information, especially protected and confidential information, is handled safely and securely at all times
• Collaboration – easily and securely sharing relevant information with external partners
• Continuity – ensuring the University's key information assets are protected and accessible for as long as required
• Accessibility – ensuring that staff and students are able to securely access the information they require, whenever and wherever they are
• Preservation – ensuring that University records are preservedappropriately and efficiently
• Embedded – ensuring good information management practices are ingrained and followed across the University
• Minimisation – aiming to hold the least possible amount of information required to operate effectively, to improve efficiency, storage pressure and to mitigate risks
• Governance – ensuring there are clear structures and processes in places for managing information, with senior level ownership
• Risk Appropriate – ensuring that processes are fit for purpose given the risk profile of a given process

Legal and Compliance

The University’s information governance framework will ensure compliance with various pieces of legislation relating to the handling and use of information, as well as the common law duty of confidentiality. These include, but are not limited to:

• Data Protection Act 2018
• General Data Protection Regulation (Regulation (EU) 2016/679)
• Freedom of Information Act 2000
• Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended)
• Environmental Information Regulations 2004
• Regulation of Investigatory Powers Act 2000
• The Telecommunications (Lawful Business Practice) Regulations 2000
• Computer Misuse Act 1990
• Human Rights Act 1998
• Copyright, Designs and Patents Act 1988
• Official Secrets Act 1989
• Malicious Communications Act 1988
• Digital Economy Act 2010
• Intellectual Property Act 2014
• Investigatory Powers Act 2016

There also other non-legislative compliance requirements the University must adhere to (both internal and external), such as:

• Payment Card Industry Data Security Standard (PCI DSS)
• JANET acceptable use and security policies
• NHS Information Governance Toolkit
• Requirements set out by ethics committees and in line with other regulatory or institutional approvals
• Requirements detailed in contract and funding terms

Information and Records Management

The University’s Information & Records Management Policy (IG03) sets out the consistent standards that staff should use when creating, using and disposing of information. All staff are required to operate within the Information & Records Management policy at all times.

Information Classification Levels  

The University operates an Information Classification Policy (IG05).

All staff are required to know and respect the classification of the information assets they create, manage, share or to which they have access. The consistent and correct handling and protection of these assets relies on correct classification.

‘Data Processor’ Compliance

Statutory regulations and University of Warwick financial regulations require the assessment of all University data processors and service suppliers.

The process for registering new services will include risk assessment as part of the IAO handbook responsibilities.

For some data types, there will be a requirement to complete a data protection impact assessment (DPIA). Where this is necessary, support will be available from the Chief Information & Transformation Officer (CITO) organisation and additional advice may be sought from the Data Protection Officer (DPO).

The University operates a Data Protection Impact Assessment (DPIA) Policy IG06.

Processor Compliance Audits

As a data controller, the University cannot rely solely on policy and contractual clauses to show that we are protecting personal data. The University will reserve the right to carry out audits of processors’ data protection compliance measures throughout the term of a contract or agreement.

The University has an obligation to know the location of data under its control and the processing that is being carried out on its behalf. The University will maintain a close relationship with processors and may (if possible) undertake both scheduled and unscheduled audits, at the University’s discretion, to ensure that the correct data protection procedures and security controls are being followed and maintained.

Data Minimisation and Pseudonymisation

Data minimisation is defined within the GDPR as ensuring that the collection and processing of personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

Pseudonymisation is defined as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.”

Unlike anonymization, minimisation and pseudonymisation will not exempt the University from compliance with GDPR, and the requirements must be clear.

Minimisation

In order to comply with the Data Protection Act 2018 and GDPR, the University must make sure that personal data collection and processing is limited to what is necessary and that it does not hold more than needed.

The University will therefore only collect, and process personal data and information needed for specified and stated purposes. It will have only sufficient personal data to fulfil those purposes and will periodically review the data it holds, deleting anything that is no longer required.

Pseudonymisation

Where pseudonymised data is in use, for example for research purposes, there is a residual risk of re-identification. The risk may be low, but tests must be used by the Information Asset Owner or lead researcher to assess the likelihood of this. Once assessed, a decision can be made on whether further steps to de-identify the data are necessary.

By applying this test and documenting the decisions, the research project or programme, and by extension the University, will have evidence that the risk of disclosure has been properly considered.

Training.

The University has an Information Management Training Policy (IM02) to ensure relevant training is in place to assist staff and those granted access to use University systems in their day to day handling of information. All training requirements related to Information management will be found through this policy.

Interaction with Other Policies and Procedures

This policy sets out the high-level principles and policies for information governance across the University. It is the over-arching policy governing the wider information governance framework. Other policies relating to information governance sit under this policy. These are (not exhaustive):

Exemptions

‘Exemption requests’ under this policy must be submitted to the CITO or their designate. Exemptions to this policy may only be granted by the CITO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.

This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case by case basis.

Compliance Monitoring

Compliance to this policy will be monitored on an ongoing basis. The compliance focus will be on:

• Data Processor Compliance
• Processor compliance audits
• Data Minimisation and Pseudonymisation

Compliance performance will be reported monthly by the Information Asset Owners to the University Information Management Committee.

A failure to comply with this policy will be deemed to be a disciplinary offence and will be subject to the University Information Management Executive Committee escalation process (see link above) and may lead to proceedings being taken through the University Disciplinary Process.