At a glance

Purpose

• The Information Management Related Training Policy outlines University policies relating to the content, design, delivery of and, compliance with all IM training. The purpose of this policy is to ensure everyone engages in appropriate training to ensure compliance with the University’s IM Policy and ICO guidelines. Significant elements of IM Training are mandatory and this policy clarifies what must be followed and by whom.

Scope

• This Policy applies to everyone who has a contractual relationship with the University. The training described refers to three distinct areas: IM Induction Training, IM Systems Training and IM Refresher Training. The policy sets out key principles – on the requirements of training, participation and completion, the content, pedagogy and delivery. Further it outlines the monitoring and reporting of training, the handling of incidents on non-compliance and a process of review and revision.

Responsibilities

• In addition to the general responsibilities noted in the Information Governance Policy (IM01) of the Chief Information & Transformation Officer (CITO), Line Managers and Information Asset Owners (IAO) the following additional responsibilities are associated with this policy: The University Information Management Committee (UIMC) will be responsible for the successful implementation and oversight of this policy including monitoring, reporting and engaging heads of departments to ensure targets are met.

Compliance

• Compliance with this policy will be monitored on an ongoing basis, with a focus on: training completion rates, training effectiveness, training engagement, incidents of non-compliance. Compliance performance will be reported monthly by the Information Asset Owners to the UIMC. A failure to comply with this policy will be deemed to be a disciplinary offence and will be subject to the UIMEC escalation process (see link above) and may lead to proceedings being taken through the University Disciplinary Process.

Full policy

Policy Introduction and Purpose

This Policy is a sub-policy of the Information Management Policy Framework (IM01). It outlines University policies relating to the oversight of the content, design, delivery of and, compliance with all Information Management training. The purpose of this policy is to ensure everyone engages in appropriate training to ensure compliance with the University’s Information Management Policy and ICO guidelines. Significant elements of Information Management Training are mandatory, and this policy provides clarity on what must be followed and by whom.

Scope and Definitions

This Policy applies to everyone who has a contractual relationship with the University including all employees (both full-time and part-time across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes visiting professors, consultants/self-employed carrying out roles which if carried out by an employee would require disclosure.

For purposes of this Policy we will refer to everyone covered as “staff”.

The training covered in this policy refers to three distinct areas:

1. Information Management Induction Training: The elements associated with induction training are applicable to all new staff who have joined the University from September 2020. There are no exceptions to this policy.
2. Information Management Systems Training: This refers to specialized and additional training that is associated with particular roles and applies to staff in those roles and comes into effect from 1st September 2020. This policy will apply to all new staff without exception from this date. Staff appointed to these roles before 1st September 2020 will be subject to the policy, but there is discretion granted to line managers to achieve compliance no later than December 31st 2020.
3. Information Management Refresher Training (policy introduced across a one-year period to 1st April 2021): This training applies to all staff and will come into effect on the 1st September 2020.

For current staff who have not completed the initial induction training, this will need to be undertaken by 31st December 2020.

For staff who have completed the Induction Training, the refresher training will normally be required no later than 24 months after completion of the initial course.

Responsibilities

Policy Responsibilities

In addition to the general responsibilities noted in the Information Governance Policy (IM01) of the Chief Information & Transformation Officer (CITO),

Line Managers and Information Asset Owners (IAO) the following additional responsibilities are associated with this policy:

The University Information Management Committee (UIMC) will be responsible for the successful implementation and oversight of this policy including monitoring, reporting and engaging heads of departments to ensure targets are met.

Operational Responsibilities

Principles of this Policy

Training Requirements

1. All staff roles at the University are allocated an Information Management Profile (as defined in the User Account Management Policy – IS07) covering their roles and responsibilities within the Information Management Framework. This will govern all Information Management Training requirements (on starting, changing roles or refreshing their knowledge and practice).
2. Training is specified according to the University’s Information Management training needs assessment. The IM Training Needs Assessment will identify those in roles where there is a need for additional training due to having responsibilities to handle or process personal data and/or specific data handling and security management responsibilities.
3. It is the responsibility of the line manager to communicate any specialist IM training requirement to the relevant staff and to ensure this is completed successfully.
4. The IM Training Needs Assessment is reviewed annually by the CITO, it is monitored and reported as per the process defined here.
5. Training completion rates will be reported against a KPI at the UIMC.

Participation and Completion of Training

1. For all new staff (or new to role) the IM Induction training must be completed within two weeks of start date. Initial systems access is provided only for completion of training. If training is not completed within the defined timeframe for the system, access will be withdrawn.
2. Refresher training is mandatory.
3. Where staff are returning from extended leave (3 months or greater) period or where there is a fundamental change to legislation, refresher training will be a requirement on returning to work or the legislation being implemented.
4. The process associated with Information Management training including allowed time for completion and identification of specific role requirements can be found.

Content

1. All IM content is developed and designed by  the Information and Digital Group (IDG) in consultation with subject experts where required.
2. Once developed and designed, it will be shared with the Data Protection Officer (DPO) for review and advice, which must take no more than four working weeks.
3. For particularly sensitive data handling e.g. children, vulnerable adults, clinical trials, an agreed specialist advisor will give input. The specialist advisor will be appointed by the CITO. The CITO will seek advice from the DPO in these circumstances.
4. All training content must be reviewed and, where necessary, refreshed on an annual basis. Responsibility for this sits with the CITO.

Training Pedagogy & Delivery

1. It is the responsibility of the CITO to develop methodology according to the needs of identified groups. Their responsibility is to ensure the training is delivered with the greatest relevance and impact to those identified as requiring it, to meet their needs and ensure compliance.
2. It is the responsibility of the CITO to define, allocate and manage training responsibilities. Where training is face-to-face, it will be delivered by trainers who are formally trained.
3. All training activity – online, blended or face-to-face – will be the subject of participant feedback and regular reviews which will be presented to the University Information Management Executive Committee (UIMEC) with proposals for amendments, if required.
4. The CITO will ensure that training records are kept up to date, and progress is recorded on a regular basis.

Monitoring and Reporting

Every policy within the framework will report as defined in the UIMEC reporting process.

The handling of incidents of non-compliance

An initial failure to complete training within the set timescale will result in removal of system access rights. Should this be a reoccurring behaviour it will be deemed to be a failure to comply with the policy and will be deemed to be a disciplinary offence and will be subject to the UIMEC escalation process. This may lead to proceedings being taken through the University Disciplinary Process.

The Process of Review & Revision

This policy will be reviewed by the UIMC five months before its expiry and any recommendations for change will be sent to the UIMEC for consideration and onward progression

Exemptions

‘Exemption requests’ under this policy must be submitted to the CITO or their designate. Exemptions to this policy may only be granted by the CITO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified. This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case by case basis.

Compliance Monitoring

Compliance with this policy will be monitored on an ongoing basis. The compliance focus will be on:

• Training completion rates
• Training effectiveness (i.e. the number of policy breaches per trained individual)
• Training engagement (i.e. participant feedback on training activity)
• Incidents of non-compliance (i.e. removal of access rights due to non-completion of training within approved timeframes)

Compliance performance will be reported monthly by the Information Asset Owners to the UIMC.

A failure to comply with this policy will be deemed to be a disciplinary offence and will be subject to the UIMEC escalation process (see link above) and may lead to proceedings being taken through the University Disciplinary Process.

Policy

It is University Policy that:

• information security controls must be monitored to ensure they are adequate and effective

Not in use

Not in use