Divisional Information Governance Policy
Approved by the Board: January 2020; Next Review: January 2021
Information governance (IG) is a framework setting out accountability and decision-making processes about information. It is described by a wide range of policies and associated procedures. The Divisional Information Governance Policy describes the Division’s aims (as set out below) with regard to Information Governance and provides a governance mechanism for achieving these aims.
The lifecycle of information includes all activities relating to:
- disclosure (including sharing);
- archiving; and
- destruction or other disposition.
These activities are guided or specified by policies, procedures, defined roles and standards in accordance with:
- University policy and objectives;
- legal requirements;
- the policies and requirements of funding bodies and data providers, such as the National Health Service (where applicable);
- applicable information security frameworks outlining data management responsibilities. This covers both external and University frameworks; and
- other frameworks adopted by the University, such as Business Continuity and data quality.
Information is a key asset across MSD and its constituent Departments. MSD is conscious of the opportunities presented by the availability of robust and well-governed information, and of the financial, regulatory and reputational risks of weak IG. MSD is committed to:
- developing and implementing operational standards and controls to enable information to be used effectively and manage associated risks; and
- ensuring that all relevant persons are aware of, and supported to comply with, applicable standards and controls.
Purpose of this Policy
The purpose of this policy is to:
- enable MSD to make effective and appropriate use of the information assets under its control;
- manage risks associated with information assets throughout their lifecycle;
- ensure MSD’s approach to IG provides assurance to stakeholders on the effective custodianship of its information assets;
- summarise responsibilities relating to IG activities;
- outline the support and guidance arrangements available to MSD staff, including signposting to relevant functions at University level;
- define the role of the MSD Information Risk Management Group and the Information Risk Advisory Group; and
- signpost policies and procedures relevant to IG arrangements across MSD.
Failure to comply with relevant IG policies and procedures, and breaches of confidentiality, may result in the loss of a contract for services. It may also result in disciplinary action, up to and including dismissal or termination of contracts.
Scope of the Policy
This Policy applies to everyone who creates, stores, shares or disposes of information in connection with their role in MSD. This includes, but is not limited to, employees, students, honorary staff, visitors, contractors and hourly paid teachers. References to MSD include any and all such people.
This Policy applies to all information received, processed and held within MSD or on its behalf (e.g. by cloud providers). It applies whether the information is created internally or received from third parties. Information includes, but is not limited to:
- information relating to teaching, education and research;
- information relating to student and staff functions and support; and
- internal and external reports and publications.
Information exists in many different formats. It includes, but is not limited to:
- Paper-based and electronic documents;
- Images and video footage;
- Social media content; and
- Statistical and research data and meta-data.
This policy applies to all information in any form.
Roles, Responsibilities and Accountabilities across the Division
The following paragraphs outline IG roles, responsibilities and accountabilities across the Division. Individuals undertaking specific roles are responsible for ensuring:
- They understand the scope and limits of their authority.
- They obtain advice and assistance where appropriate for the satisfactory discharge of their responsibilities.
All Members of MSD
All members of MSD are individually accountable for ensuring that:
- They are aware of, and comply with, all applicable information governance requirements relating to the information they handle. This includes maintaining knowledge of relevant policies, procedures and standards affecting information assets used by them;
- They undertake any required training at the specified intervals;
- perceived information governance risks are managed or escalated as appropriate.
MSD Board: The Board acknowledges the importance of a consistent and effective approach to IG across MSD and the wider University. It also recognises the risk of reputational and other damage resulting from weak IG within the University, particularly MSD. The Board therefore accepts accountability for ensuring that IG processes enable it to:
- make effective and appropriate use of information across MSD;
- review information-related risks, taking account of relevant entries in Departmental risk registers and other reports and advice;
- effectively oversee and support Heads of Department with their IG responsibilities and activities (see below); and
- provide reasonable assurance on compliance with applicable law, regulation, policy, standards and frameworks.
The MSD Board nominates the Head of Commercial Strategy and Risk to be its Information Governance liaison. The Head of Commercial Strategy and Risk will:
- Chair the MSD Information Risk Management Group.
- Present the outcomes of the Information Risk Management Group’s deliberations to the Board (or other appropriate committee) for comment and action.
MSD Information Risk Management Group: The MSD Information Risk Management Group will report to the MSD Board. Its key activities will be:
- Providing leadership and visibility on behalf of MSD for IG matters, including providing MSD input to any University policies and procedures;
- Developing a culture of increased IG awareness and the expectation of compliance;
- Advising on the effective and appropriate use of information in meeting MSD’s strategic objectives and mitigating associated risks;
- Advising on the adequacy and effectiveness of the structures, processes, resources and training supporting IG activities across the Division;
- Identifying suitable projects to support the management of information risks in MSD and implementing those projects, subject to any necessary approvals;
- Advising on a programme of IG reviews and assurance exercises, supporting this effort as required; recommending actions as appropriate, and reporting on outcomes;
- Informing MSD Board when reportable or serious incidents occur, their follow-up and subsequent communication of lessons learned; and
- Advising and recommending to the Board actions in response to any new regulation, policy and guidance.
In undertaking the above activities, the Information Risk Management Group will be advised and supported by the Information Risk Advisory Group. The Information Risk Advisory Group replaces the Information Governance and Security Committee from the date on which this policy is adopted.
- The membership and Terms of Reference of the Information Risk Management Group are set out in Appendix A.
- The membership and Terms of Reference of the Information Risk Advisory Group are set out in Appendix B.
The Information Risk Management Group will contribute to proposed new or amended University policies relating to IG. This may follow consideration of such matters by the Board and input from the Information Risk Advisory Group.
The Board and the Information Risk Management Group will be the only bodies authorised to give a Divisional view on IG. This is to ensure and promote a consistent approach to the interpretation, adoption and implementation of IG policy.
Individual Responsibilities and Accountabilities
Heads of Department (HoD): Heads of Department are accountable for the implementation of information governance activities as required by University policies. The HoD will be accountable for ensuring adequate Departmental arrangements are maintained to demonstrate ongoing compliance with:
- applicable University policy;
- legal requirements; and
- the policies and regulations of funders and other bodies providing data, such as the National Health Service (where applicable).
Information Risk Management: The HoD will be accountable for the following:
- ensuring IG risks are appropriately recognised in the Departmental risk register;
- ensuring appropriate arrangements are in place for the maintenance of the Department’s Information Asset register;
- liaising with the Information Risk Management Group, contributing to and implementing relevant outputs from that Group;
- understanding how information-related risks are impacted by Departmental activities; and
- formulating actions to mitigate information-related risks.
The MSD Board will oversee and support the HoD in the discharge of these responsibilities and activities (see above).
Specific IG-related roles: The following responsibilities should be assigned and communicated within the Department. The HoD may divide these responsibilities between roles as they see fit, based on the activities of the Department (the suggested titles are used for convenience but need not be replicated in each Department):
IG security advisor: The IG security advisor will be responsible for:
- advising the HoD on security relating to existing Departmental information assets in accordance with University policy;
- monitoring that security-related compliance with any applicable regulations, standards and contract terms can be demonstrated by the Department;
- advising on the impact of information-related policies, frameworks and contract requirements notified by, for example, funding and regulatory bodies;
- reporting and reviewing information-security-related breaches to ensure compliance with regulations and an appropriate revision of policies and procedures;
- maintaining applicable records and registers relating to information assets and the assessment of their risks; and
- advising on the resolution of IG risks arising for Departmental information assets and obtaining further advice where necessary.
Information Asset Owners (IAOs): IAOs must be senior members of staff with responsibility for specific information assets. IAOs will provide assurance that:
- information assets are handled and managed appropriately;
- sensitive information assets are handled in accordance with external regulations, University policy and Departmental procedure;
- appropriate access and security controls are in place;
- the accuracy and integrity of information is maintained;
- appropriate training and instruction is provided for the users of the information asset;
- Data Protection Impact Assessments (DPIAs) are undertaken, where appropriate, for their information assets. DPIAs must be undertaken, where required, in accordance with University policy and applicable regulations.
The IAO will be responsible for:
- communicating any additional security measures to affected staff;
- escalating any associated issues to the relevant persons for action; and
- ensuring that actions are documented in order to provide accurate records and demonstrate compliance.
Information Asset Administrators (IAAs): IAAs are staff or students with delegated responsibility from an IAO for the operational use and care of specific named information assets.
Guidance, Support and Training across MSD
- The Board will be responsible for ensuring sufficient personnel and resources are available to support the activities of the Information Risk Management Group. The Board will take account of IG resources in the central University in making resourcing decisions.
- The Information Risk Management Group will advise the Board on the support and training required to address IG requirements. It will also advise on the most appropriate method(s) of delivery. The Group will take account of IG resources in the central University when providing advice to the Board.
- Training (which may be differentiated by role) may be mandated. The HoD is responsible for ensuring mandated training is undertaken in a timely manner.
Relevant Policies, Procedures and Guidance
The University has a number of existing policies, procedures and guidance documents which form part of the information governance framework. Members of MSD must comply with these, where applicable.
The current policies and associated procedures and guidelines are listed in Appendix C. They are also signposted from the webpages at https://www.medsci.ox.ac.uk/divisional-services/infogov. Any updates will be signposted from these webpages.
Audit, Measurement and Review
The Board supports a culture of continuous improvement in relation to IG.
The Board requires assurance that this IG policy and the associated policies and procedures are implemented and effective within MSD, and that risks identified are being mitigated and/or managed. Accordingly, the Information Risk Management Group will propose procedures for monitoring implementation and efficacy, including by means of audit. The Information Risk Management Group will report annually to the Board, including the results of such monitoring.
IG Policy Review
- The policy will be reviewed annually with the support of the Director of Assurance and any recommended changes communicated for agreement by the Board.
- The Appendices to this policy will be updated by the Information Risk Management Group to reflect:
- regulatory changes;
- University policy changes; and
- changes in the functions within the wider University supporting information governance processes.