Policy Introduction and Purpose

This policy is concerned with the management of information, its processing, storage and sharing.

It provides the umbrella for a series of more detailed policies for information governance and security. This Policy applies to everyone who has a contractual relationship with the University including all employees (both full-time and part-time across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes students, visiting professors, consultants/self-employed carrying out roles which if carried out by an employee would require disclosure.

This policy also details the monitoring, reporting and responses to non-compliance for all policies in this framework.

Scope and Definitions

This policy sets the rules for all policies in the framework regarding:

• All monitoring and reporting
• The handling of incidents of non-compliance
• The process of review and revision
• The approach to risk and risk appetite that underpins the University’s approach to Information Management

The policies within the Policies Framework are:

Responsibilities

Policy Responsibilities

The University has allocated the accountability for this policy framework to the Chief Information and Transformation Officer (CITO), who is Chair of the University Information Management Executive Committee (UIMEC). Each individual policy will be discussed at the University Information Management Committee before UIMEC recommends it for approval by the University Steering Committee (or any succession Committee).

 The University Information Management Committee (UIMC): This Committee will be the primary forum for discussions relating to information issues across the University. Its membership will include staff from the relevant parts of the University having the highest risk of information issues. It will also be responsible for providing and enabling best practise.

The University Information Management Executive Committee (UIMEC): This Committee owns the policy framework, the risk appetite, and risk register for Information Management. It holds the accountability for proposing changes to the policy framework and for reporting on compliance. The terms of reference for UIMEC set out the remit of the Committee and any delegated authority that it has.

It is the accountability of the CITO to ensure that this policy is implemented effectively across the University and reviewed as per the agreed regularity.

It is the responsibility of managers to respond to requests for information that supports the effective execution of this policy.

It is the responsibility of managers to manage non-compliance incidents in line with the processes that are attached to this policy.

It is the responsibility of managers designated as Information Asset Owners, or the lead line manager for a University-wide system, to comply with the processes for the management of risk as it applies to Information.

Operational Responsibilities

Monitoring and Reporting

Every policy within the framework will report as defined in the UIMEC reporting process.

The handling of incidents of non-compliance

Every incident of non-compliance with any of the policies within the framework will be handled using the process approved by the UIMEC.

The Process of Review and Revision

Each individual policy has a defined period at which it will need a formal review. Whilst this should be driven from the individual policy need, reference must be made to the rest of the framework to ensure alignment, and where necessary changes proposed elsewhere. The normal University policy review process will be used.

Risk Management

The UIMEC will ensure that, on an annual basis a risk management review is undertaken which:

• Establishes the appropriate level of risk appetite in Information Management
• As a result of this, creates a register of key risks in Information Management which allocates ownership and establishes a process for regular review of mitigation strategies

The risk register will be reviewed monthly by UIMC. High risk areas will be elevated to UIMEC and the Audit and Risk Committee as appropriate.

Exemptions

‘Exemption requests’ under this policy must be submitted to the CITO or their designate. Exemptions to this policy may only be granted by the CITO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.

This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case by case basis.

Compliance Monitoring

Compliance with this policy will be monitored on an ongoing basis. The compliance focus will be on:

• Annual risk appetite review
• Quarterly Risk Register mitigation review by University Information Management Executive Committee.

Compliance performance will be reported monthly by Information Asset Owners to the University Information Management Committee.

A failure to comply with this policy will be deemed to be a disciplinary offence and may lead to proceedings being taken through the University Disciplinary Process.