Information governance

Our Information Governance Framework

1. Aims

ARU must have robust measures in place for ensuring that information is managed in a safe and secure environment. Our information governance framework must:

  • establish and quality-assure our information management framework
  • clearly set out the authority and relationships of relevant groups and roles
  • have in place an effective process for managing complaints about how we handle information.

The framework will assist ARU to comply with legislation and relevant regulations. ARU requires information to be handled in the most effective and efficient way to meet the changing needs of the people who learn or work in the University, along with the wider community of partners and the public. Our information governance arrangements ensure that we maintain an effective framework for managing information, enabling business needs to be met within an agile and flexible environment and allowing us to work closely with our partners, exchanging information legally, safely and securely.

We assure the public, partners and regulators that ARU is maintaining standards and is a trustworthy body to be processing personal data and data of other sensitivity types.

We have clarity for staff in all roles about their responsibilities, and arrangements that can be evidenced to the public, partners and regulators to provide assurance that information policy and other decision making is done consistently and through due process.

2. Delivery

This information governance framework supports the implementation of our policies and strategies for the way we handle information and the provision of advice and guidance to our staff to help them understand and meet the legislative and regulatory requirements and promote good information management practice.

Our policies, strategies and standards are reviewed annually and whenever legislation changes to ensure they continue to deliver legislative and regulatory compliance and meet business needs. Our procedures and operational guidance are reviewed whenever relevant policies, strategies or standards are revised and when an operational need arises. Our project and technology governance mechanisms include appropriate checkpoints to ensure compliance with our information management framework, including the implementation of privacy impact assessments when information about people is involved.

  • The Information Compliance Team (ICT) is the core function for managing information governance across the University:
    1. Ensuring processes are robust
    2. Managing security breaches
    3. Managing Subject Access Requests (SAR) and Freedom of Information (FOI)/Environmental Information Regulations (EIR) requests.
  • Internal Audit examines, evaluates and reports on the degree to which our rules for handling information support and promote the proper, economic, efficient and effective use of ARU’s resources.
  • The Procurement Service monitors and reviews contracts with third-party suppliers and raises non-compliances regarding information breaches with ICT.

3. Boards & Roles

The following describes the relevant boards and roles with associated responsibilities:

  • The University Executive Team (UET) and Corporate Management Team (CMT) assist the Vice-Chancellor in the overall management of the University. They consider matters of strategic or corporate significance for the University and either decide on management actions, including operational policy, or advise other bodies as appropriate.
  • The Data Governance Steering Committee (DGSC) takes decisions on policy and procedural issues. It validates and authorises all changes to ARU’s information-related policies, standards, procedures and guidance, taking a risk-based approach to ensure that proportionate and consistent guidance is provided to all staff and making recommendations to CMT when appropriate. To ensure consistency of approach, DGSC also arbitrates, should it be necessary, on matters of interpretation and associated disciplinary or other action.
  • The Chief Information Officer (CIO) is responsible for ensuring that ARU has appropriate technical measures in place to achieve information and data confidentiality, integrity and accessibility. The CIO is a member of DGSC.
  • The Senior Information Risk Owner (SIRO) is ultimately responsible for all information risks across the University; the SIRO ensures information risks are managed effectively to deliver business goals. The SIRO is a member of DGSC and is responsible for reporting any actual or potential breaches of the law which occur within ARU to the regulator with advice from the DPO for personal data matters.
  • The Information Asset Owner (IAO) is a Dean (for Faculties) or Director (for Professional Services) responsible and accountable for all of the information assets in their business area, with authority to delegate the day-to-day management of information assets to an Information Asset Manager.
  • The Information Asset Manager (IAM) understands the records in their care and their purpose, and is responsible for making decisions about the information, such as authorising destruction and making relevant changes. They have responsibility for the accuracy of the data the records contain and ensure the Record of Processing Activity is kept up to date by liaising with ICT.
  • The Data Protection Officer (DPO) provides independent advice and recommendations to the SIRO in line with the requirements of the role as detailed in the General Data Protection Regulation (GDPR). The DPO supports ARU’s Privacy by Design processes and is the focal point for managing complaints on privacy matters.
  • Data Champions, through their presence on the Information Compliance Group (ICG), provide policy development and information risk advice and recommendations to DGSC. Individually they consider the practical effects on their own business practices of proposals for new or changed policies, standards, procedures and guidance focussed on the management or handling of information, and jointly make recommendations to DGSC. They also raise issues about, and support their service area in applying, our information governance framework and managing information risks, and provide advice and support to their Service Leadership Team.
  • Leadership Teams (LT), through appropriate communication and actions, ensure that working practices across their functions comply with our rules for handling information and that changes to those rules are implemented promptly.
  • Line Managers ensure that those who work for or with them are aware of and follow our rules for handling information. They do this through the use of relevant ARU policy, standards and processes, including induction, appraisal and training, as well as through monitoring day-to-day working practices.
  • All employees handle information in accordance with our code of conduct, contractual controls, policies, procedures and training.

4. Complaints

Complaints about the way we handle information, particularly those relating to compliance with the Data Protection Act or the Freedom of Information Act, are managed by ICT, and involve staff at all levels in investigating matters and in approving formal responses, agreeing appropriate remedial actions and in identifying and discussing lessons learned.

Please see our governance pages for more information about ARU’s governance controls.