IMP 04: Information Management and Security Training and Awareness Policy
Information Classification - Public
Policy Introduction and Purpose
The purpose of this policy is to specify the arrangements for training and awareness in data protection, Information Management and Security. Such training is a fundamental part of creating security awareness aimed at safeguarding sensitive data, mitigating cyber risks and ensuring regulatory compliance, thereby maintaining a secure University environment in which to carry out work and study. It is also essential for meeting the regulatory requirements for data protection, which prescribe mandatory training.
Scope and Definitions
The policy covers everyone who has a contractual (formal or informal/implied) relationship with the University, including employees, students, visiting professors, and consultants. Please note that this list is not exhaustive.
The policy covers all information processed by the University, regardless of ownership or format.
For a glossary of terms used in this policy, refer to Glossary of Terms for Information Management.
For purposes of this Policy, we will refer to everyone covered as “members.”
The training and awareness programme covered in this policy refers to the following distinct areas:
- Information Management (IM) Induction Training: The elements associated with induction training are applicable to all new staff joining the university and for all students enrolled in the university.
- Data Protection Training and Awareness: This is about the protection of individual rights and focuses on laws and regulations governing personal data.
- Technology Onboarding Training: This is training on any information systems you need to carry out your work.
- IM Role Based Training: This refers to specialised and additional training that is associated with particular roles and applies to staff in those roles.
- IM Refresher Training: This covers the general topics addressed during induction; it applies to all members and requires annual completion.
- An ongoing programme of awareness initiatives: These initiatives are designed to foster a culture of awareness, ensuring every member stays updated with the latest information and best practices.
- An ad hoc programme of information management training: These flexible, on-demand training sessions will be administered to all members on a needs basis.
Policy Responsibilities
The Chief Information & Transformation Officer (CITO) retains overall accountability for this Policy.
The Chief Information Security Officer (CISO) has delegated authority for ensuring the Policy meets legal and regulatory requirements; for keeping this Policy up to date; and for ensuring that controls, checks, and audits are carried out as part of compliance with this Policy.
Line managers are responsible for ensuring that the University members they supervise have completed their training.
HR Business Partners will engage with line managers to facilitate conversations and identify support needs to ensure that training is complete in the areas they look after.
Every University member having access to university information and systems is expected to complete their training when due.
Operational Responsibilities
Role | Function
--- | ---
Line Managers and Designate of Head of Department (e.g. academic lead on research, individuals with delegated authority for information, system administrators) | Responsible – for overseeing compliance with the Policy within areas of responsibility
Head of Department | Accountable – for compliance with this policy within Departments
Information Risk and Compliance Team and DPO (with escalation to CISO and CITO required) | Consult – to discuss organisational level compliance with the Policy and training materials/content
IDG Digital Business Partners | Inform – must be informed of the content of the Policy to communicate it to their departments
Principles of this Policy
Training Requirements
Training will be delivered in an accessible manner to enable all members to access the training. Alternative methods of delivering training and awareness can be sought through the exceptions process.
Training is specified according to the University’s Information Management (IM) training needs assessment carried out by the Information Risk and Compliance team. The IM Training Needs Assessment will identify those in roles where there is a need for additional training due to having responsibilities to handle or process personal data and/or specific data handling and security management responsibilities.
All members carrying out work on behalf of the University and those who have been identified to have additional information security needs through the training needs analysis will receive training in information security which is relevant and proportionate to the type of information they are required to access and their role in maintaining the technical, physical, and environmental security of the University.
It is the line manager's responsibility to communicate any specialist IM training requirement to the relevant staff and ensure this is completed successfully.
The IM Training Needs Assessment is reviewed annually by the Information Risk and Compliance Team.
Training completion rates will be reported against a Key Performance Indicator to the approved University governance forum(s).
Participation and Completion of Training
For all new members (or members new to a role) carrying out work on behalf of the University, the Information Management Induction training must be completed within two weeks of the start date. Initial access to the University’s information and systems is provided only to allow completion of the training; once the training is complete, this access is retained.
If training is not completed within the defined period, IDG reserves the right to withdraw a member’s access to the University’s information resources. Refresher training is mandatory and is due exactly a year from completion of the initial or previous training; it must be completed within a 4-week window (i.e. from 2 weeks before the due date to 2 weeks after).
When members return from extended leave (3 months or longer), or where there is a fundamental change to legislation, refresher training is required on their return to work or when the legislation comes into effect.
In the event of a member being involved in an information security incident, it may be mandated that the member retake the training and any ad hoc training as seen fit by IDG and Legal to retain continued access to the University’s information systems and resources.
Content
All training content is sourced by, developed, and/or designed by IDG in consultation with subject experts where required.
Once developed and designed, it will be shared with the Data Protection Officer (DPO) for review and advice.
All training content must be reviewed and, where necessary, refreshed annually. Responsibility for this sits with the Information Risk and Compliance Team within IDG.
Training Pedagogy & Delivery
The CISO is accountable for developing a methodology according to the needs of identified groups. Their responsibility is to ensure the training is delivered with the greatest relevance and impact to those identified as requiring it, to meet their needs and ensure compliance.
The CISO is responsible for defining training responsibilities.
All training activities, whether online, blended, or face-to-face, will be subject to participant feedback and regular reviews, which will be presented at summary level to the Information Security and Data Protection Committee.
The CISO is accountable for ensuring that training records are kept up to date and completion is recorded regularly.
Exceptions
‘Exception requests’ under this policy must be submitted to the CITO or their designate.
Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.
This policy may have an impact on users of assistive technology or assistive software due to their disability. Such cases will be considered individually, on a case-by-case basis.
Compliance Monitoring
It is everyone’s responsibility to report instances of non-compliance with this policy to the Information Risk and Compliance Team. The Information Risk and Compliance Team will use report data, and any other tools made available to it, to monitor compliance with this policy and the related standards and SOPs (Standard Operating Procedures).
The compliance focus will be on:
- Training completion rates
- Training effectiveness (i.e. the number of policy breaches per trained individual)
- Training engagement (i.e. participant feedback on training activity)
Issues that are deemed to merit escalation or further discussion will be brought to the attention of the Information Security and Data Protection Committee via the CISO. Where non-compliance presents a significant risk, it will be subject to the disciplinary process.
Committees with oversight of information management will be responsible for monitoring compliance with this policy.
Version/document control
Version | Date created | Date published | Next review | Notes/outcomes
--- | --- | --- | --- | ---
1.0 | June 2025 | 29 July 2025 | July 2026 | This policy replaced IM 02: Training Policy