Information Governance Framework

Updated on 4 March 2024

This Information Governance Framework establishes and sets out the current roles and responsibilities associated with the management of the University’s information, data and system assets.

Introduction

Information is a vital asset for all aspects of the University’s operation and for the efficient management of the University’s resources. As well as protecting and providing the rights of access to public and personal information, it plays an increasingly strategic role in the way in which the University is regulated and held accountable by external bodies. Insight and intelligence gathering from our data is key to understanding our institutional position and performance. It plays a key role in the management and governance of the University and its future planning. 

Information governance is concerned with how information is held, obtained, recorded, used and shared by an organisation. Information is used here as a collective term to cover terms such as data, documents, records and content. It is essential that the University has a robust information governance management framework, to ensure that information is effectively managed using the appropriate resources and documented policies, processes and procedures, staff training and the necessary management and accountability structures.

Purpose

This Information Governance Framework establishes and sets out the current roles and responsibilities associated with the management of the University’s information, data and system assets.  It concerns the management of all paper and electronic information and its associated systems within the organisation, as well as information held outside the organisation that affects its regulatory and legal obligations. Information Governance compliance covers the legal framework and the standards that need to be established to ensure the University’s management of information operates within the law and the rights of individuals. 

Scope

The Framework relates to institutional or management data across, but not limited to, the following domains: 

  • Student data 
  • Staff data 
  • Research data
  • Learning resource data 
  • Enterprise and community engagement data 
  • Business data 
  • Finance data 
  • Space and asset data 

The Framework outlines the following Information Governance elements:

  • Strategy
  • Policies and processes
  • Responsibilities
  • Guidance and training

Strategy

Good Information Governance will ensure that the University’s information is properly held, obtained, recorded, used and shared, ensuring compliance, lessening risk, increasing business efficiencies, creating a better working environment and securing the data of its staff and stakeholders.

Within the context of this Framework, Information Governance will establish and embed policies and processes to meet the following aims:

  • Records are created and processed in compliance with legislation and to meet business requirements
  • Records are reliable and trustworthy and vital records are identified
  • Records can be easily identified and accessed by the appropriate people when necessary
  • Information is kept in accordance with business and legal requirements and disposed of when necessary
  • Information of enduring historical value is preserved permanently for future generations
  • Staff have an understanding of the value of IG and the skills to implement best practice

Embedding good Information Governance practices within the University will:

  • Contribute to the University’s strategic plan by supporting teaching, research, enterprise and partnerships and contributing to its digital and people enabling streams
  • Improve the management of information and records
  • Ensure compliance with legislation and improve business efficiencies
  • Establish clear policies, responsibilities, and ownership in relation to information management
  • Reduce financial, operational, legal and reputational risk 

The rest of this Framework outlines how this will be achieved. 

Policies and Processes

Information Governance is concerned with all stages of the information lifecycle; our policies govern how information is managed during these stages and our processes assist in implementing these. 

Figure: The information lifecycle: Create, Store, Use, Share, Archive, Destroy

The following describes some of the key functions of Information Governance and associated policies and responsibilities. 

| Information Function | Activity | Policy / Process | Responsibility |
|---|---|---|---|
| Understand | Information and asset audit; Risk assessment; Monitoring usage | Record of Processing Activity / Asset Register; As above; As above and M365 / OnPrem usage audit | IG; IG; IG / DTS |
| Create, manage and use | Information architecture / templates; Business classification scheme; Metadata and naming conventions; Asset ownership | M365 policy; Basis for Lawful Processing and JISC retention schedule; M365 Policy; M365 policy | DTS / IG / IC*; IG; IG / DTS; DTS / IG / IC* |
| Secure | Information Classification; Access permissions; Information Security | Information Classification; As above; Information Security Policy | IG / DTS; DTS |
| Comply | Data Protection; Freedom of Information; EIRs | Data Protection Policy; Data Protection Processes; FOI and EIR processes | IG; IG; IG |
| Dispose | Retention and disposal; Archive | Retention Guidance; Expiration Policy; Archive Collecting Policy | IG; DTS; IG |
| Exploit | Search, navigate and share; Report | M365 Policy | DTS / IG; DTS |

* IC - Information Champions

Additional key policies and guidance for Information Governance at the University of Dundee are:

  1. Records Management policy 
  2. Guidance on Managing records
  3. Guidance on the Proper Disposal of Information
  4. Policy to Govern the Management of Research Data
  5. Lecture Capture Policy
  6. Asset Management Policy (DTS)
  7. UoD / NHS Tayside Clinical and Data Governance
  8. Interception of Communications

Responsibilities

The governance structures, lines of management and risk responsibilities for information are outlined below. University Court has ultimate responsibility for the security, integrity, reliability, storage and processing of University information. 

This responsibility is devolved through UEG, the Digital Committee, Directorates and Schools, and ultimately to individual members of staff and students in their work. 

Deans/Directors are recognised as Senior Information Risk Owners in relation to the governance and protection of University data. 

Full roles and responsibilities are outlined in Appendix 1. 

University of Dundee Court

(Ultimately responsible for the compliance and security of University information)

University Executive Group

Provide a culture of responsible and respectful management of information within the University, including recognition of information as a strategic asset and compliance responsibility.

Senior Information Risk Owners

Deans and Directors with overall accountability for information assets within their domains.

Information Asset Owners

Roles with responsibility for the management and use of information assets within Schools and Directorates. Act to ensure compliance with University information policies and procedures. Generally School Managers, Research leads and Senior Directorate staff.

Information Asset Administrators

Roles with responsibility for the management and use of information assets within Schools and Directorates. Act to ensure compliance with University information policies and procedures. Generally School Managers, Research leads and Senior Directorate staff.

Information Governance and Legal Compliance Support

Information Governance provide professional support and guidance for all these individuals. Information policies, templates and procedures are managed to ensure they are up-to-date and meet statutory requirements. 
Data Protection Officer and Legal Guidance.

Information Asset

An identifiable system and/or set of records that contain information required for the operation of University business. May be in physical (such as paper) or digital form and may include personal data, research data, teaching material and more.

Guidance and Training

Information Governance is responsible for the provision of effective training for all University staff, and where appropriate, students relating to the management of records and information, data protection and freedom of information compliance. 

Information Governance officers will include a presentation within the staff induction sessions for all staff to ensure that they receive the appropriate training in records and information management, data protection and freedom of information compliance. 

All University staff must complete the mandatory training on Information Security and Data Privacy. This is provided within the My Dundee system and requires a pass grade to be obtained in the course assessment. This is managed by DTS and is currently under review. It is likely that GDPR-specific training will be included in this. 

Staff in specialist areas and with specific roles in information governance, records management, privacy and data management will receive enhanced training tailored to their needs. The Information Governance officers are available to provide this training. A rolling timetable of training has been established to cover all Schools and Directorates. Information Governance staff will continue to develop and review guidelines and online training. 

Resources to permit adherence to the University policies are provided by links to University standards, procedures and guidelines. These are signposted within the policies and generally contained within grouped web pages / SharePoint sites supporting each major policy and compliance area.

  1. Information Governance (LLC&I)
  2. Research Data Management (LLC&I)
  3. Information Security (DTS)
  4. Legal and Policies (ACG)
  5. TASC SOPS and Guidelines 

See Appendix 2 for relevant legislation. 

Appendix 1 Roles and Responsibilities

1A Individuals and Groups

University Court: To approve the UEG policies relating to information governance. To ensure the UEG and relevant areas of the University correctly prioritise information and data management and security.

University Executive Group: To ensure information governance framework, policies, roles and staffing duties are accurate, balanced and fulfilled.

Digital Committee:  Oversight of the strategy, operations and management of information governance throughout the University. 

University Ethics Committee: To oversee the operation of the School Ethics Committees in their approval of Research Data Plans (where personal or confidential data is involved), including the provision and review of the Research Data Policy, and the provision of guidance on new and emerging information management issues in areas of research.

School Ethics Committees: To approve Research Data Plans to permit the collection, storage and processing of personal data within proposed research projects.

Caldicott Guardian: To ensure that all personal/patient identifiable information managed by the University using NHS data is compliant with existing laws and standards. There is a requirement to work to Caldicott principles, and have an approach approved by NHS Caldicott Guardian. To ensure appropriate information governance policies, procedures, training and recording are in place to permit clinical research. 

Tayside Clinical and Data Governance (TASC): To ensure policy guidance and operational procedures are available for clinical research for the University and NHS Tayside Trust. 

Data Protection Officer: To advise, monitor and report on the University compliance with the UK Data Protection Act 2018 (UK GDPR implementation). To lead on raising data protection requirements, lead information audits, advise on data protection at information sharing and to lead on the investigation of data breaches and incidents. To be the contact for the Information Commissioner’s Office in Scotland.

Director / Assistant Director of LLC&I: To lead on the creation of a strategy for information governance and to have oversight of its implementation.

Information Governance Officers: To lead on many areas of information governance including providing guidance, training and support in all areas of information, records and data management at the University. To support the Data Protection Officer, particularly in the realm of personal data of students, staff, University partners and wider members of the public. To provide support and guidance in relation to the completion of Data Processing Impact Assessments for all new processes and solutions which involve personal data, and to assist in the completion and review of Data Processing/Sharing Agreements relating to the sharing of personal data by the University with third parties. To coordinate the answering of Freedom of Information, Subject Access Requests and Environmental Information Regulation (Scotland) requests. To complete compliance reports for FOI and EIRs. To advise on the creation, storage and retention of records, particularly those vital for the University’s current and future operations. To provide storage for non-current hard copy records and to advise on storage and retention of records in Office 365 and on other platforms. 

Directors of Services and Deans of Schools are accountable (in consultation with information governance as appropriate) for information and data within the major and minor systems that are administrated by leads within their Directorate or School and for the records that are still kept in hard copy. Specifically, for major systems these are: 

  • OneUniversity Finance – Director of Finance
  • OneUniversity Research – Director of Finance
  • Personnel, Payroll & Pensions – Director of Human Resources
  • SITS – Director of Student Services via the Director of Registry
  • Microsoft 365, including Teams, Outlook Email, Office, OneDrive, SharePoint – Director of DTS
  • My Dundee / Blackboard – Director of LLC&I
  • ExLibris Library Management System – Director of LLC&I
  • Discovery (Pure) – Director of LLC&I
  • Raisers Edge – Director of External Relations
  • Sateon Building Access Control Data – Director of Campus Services
  • CCTV Recordings – Director of Campus Services

In addition, Deans of Schools are accountable for research data where School staff are the Principal or Chief Investigator. 

Deans are accountable for data transfers with Professional Subject Bodies within the domain of their School. 

Deans are also accountable for the completion of appropriate data protection documentation for systems that are operated solely within their School for research, teaching, administration or other purposes. 

Responsibility for data management may be provided by appropriate senior officers in Schools and Directorates. Typically these may be the School Manager or Assistant Director roles. 

Examples and further explanation: 

  • The reuse of HR data must be agreed by the Director of HR
  • The reuse of the student data in SITS must be agreed by the Director of Registry
  • Blanket approval may be granted to specific data sets for specific individuals, for instance Sateon data for Life Sciences may be provided to named administrators by the Director of Campus Services. 
  • Records of blanket approvals for continued access to specific data sets will be maintained by Information Governance

Principal Investigators (Research) are responsible for the preparation of and adherence to research data management plans for any significant research project involving personal data, and other confidential, high value or appropriate information and data. 

LLC Research Support works with Information Governance to provide advice on the creation, management, processing and retention of research data.

University Archive Services are responsible for the management and preservation of University records and information which have been identified as requiring long-term or permanent preservation as part of the corporate memory or for research purposes.

Procurement are responsible for the procurement process relating to framework agreements with new vendors for new services and solutions the University purchase and will liaise with Information Governance to ensure that where personal data is being shared all required data protection processes such as DPIAs and Data Sharing Agreements have been completed and signed off.

Global Partnerships are responsible for arranging agreements and formal relationships under Memorandums of Understanding (MoUs) with overseas partners and will liaise with Information Governance to ensure that any activities resulting from the MoUs are governed by appropriate DPIAs and Data Sharing Agreements where required. 

Legal provide advice on the legislative and compliance aspects of information governance.

DTS work closely with Information Governance to ensure the appropriate management of digital data particularly in terms of security of personal and other sensitive information. 

University Signatories: The schedule of delegation is provided here. This provides for data processing agreements, data sharing agreements, clinical research and related information contracts. 

1B Records of Information Governance Agreements, Projects, Registers and Activities

University Finance (Procurement Office) retain a copy of all vendor contracts which they administer, including Data Processing Agreements and Data Sharing Agreements as appropriate, within the Hunter Database.

Information Governance maintain a record of the major information and data activities and systems in use by the University covering Teaching and Learning, Research, Knowledge Transfer and Enterprise, Academic Administration, Corporate Management, Corporate Resources, Corporate Relations. This information records the type and range of information held, the system in use, the contracts in place and the person responsible.    

The following Registers of Information are maintained by Information Governance:

  • University Data Incident / Breach Log
  • FOIs answered and summary statistics
  • Data protection requests answered – SARs, information queries, reviews
  • Record of processing activity (within University licenced and contracted systems) (DPAs)
  • Research data management plans that involve significant personal data (DPIA, DSA, PN, etc)
  • Partnerships that involve significant personal data (DPIAs, DSA, PNs, etc). 

University Legal and Information Governance maintain a list of all signed Data Processing Agreements, Data Sharing Agreements, relevant Data Privacy Impact Assessments and Privacy Notices for significant and University wide activities. 

The Director of TASC maintains the records of research contracts, including agreements covering collection, management and reuse of patient data, on behalf of the School of Medicine. 

Deans of Schools are accountable for maintaining records of Research Management Plans for significant research projects within their School.

Appendix 2 Relevant Laws and Regulations

Computer Misuse Act (1990).  Created to criminalise unauthorised access to computer systems and to deter the more serious criminals from using a computer or the data it stores by inducing a computer to perform any function with intent to secure access. The Act has been modified by the Police and Justice Act 2006.

Copyright, Designs and Patents Act 1988. Grants the creators of original works exclusive rights to control the ways in which their material may be used.

Caldicott Guardians Manual: A Manual for Caldicott Guardians 2017. This provides for comprehensive guidance on medical patient information and the management of patient data while permitting effective clinical practice, research and teaching. Knowledge of NHS patient data requirements and relevant Caldicott Guardian approval will be required by all University staff proposing to use, or using, UK NHS patient data. 

Data Protection Act 2018. The main piece of legislation that governs protection of personal data in the UK and ensures compliance with the European Union GDPR. Requires personal data to be protected through the recognition of data protection principles, and extends stronger legal protection for more sensitive personal information. 

Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (DPPEC). This now forms the UK GDPR and amends the DPA 2018 to ensure continued alignment of UK regulations and EU GDPR following the exit of Britain from the EU in 2020. 

Environmental Information (Scotland) Regulations 2004. Provides for the accurate reporting of environmental information by Scottish institutions and businesses.

Freedom of Information (Scotland) Act (2002). Provides the right of access to recorded information of any age held by public sector bodies in Scotland. There is a duty on all local authorities to adopt and maintain a publication scheme approved by the Scottish Information Commissioner.

Human Rights Act (2000). Governs interception or monitoring of communications, most specifically article 8 which guarantees respect for an individual’s private and family life, their home and correspondence. Public authorities cannot interfere with these rights unless it’s justifiable to do so.

General Data Protection Regulations (EU 2018). GDPR and the basis for the UK law below. Compliance with GDPR continues to be relevant to enable EU services and individuals’ data to be processed appropriately. See DPPEC above. 

Privacy and Electronic Communication (EC Directive) Regulations (2003). Replacing the Telecommunications (Data Protection and Privacy) regulations 1999 and amendments 2000, these cover a range of issues relating to privacy in respect of electronic communications including telemarketing and cookies.

Public Records (Scotland) Act 2011. Makes provision about the management of records held by public authorities, including the creation of a records management plan.

Regulation of Investigatory Powers Act (2000). Aims to ensure that various investigatory powers available to public bodies are only exercised in accordance with the Human Rights Act 1998. The Act legislates for using methods of surveillance and information gathering to help the prevention of crime and terrorism.

Please note this list is not exhaustive.

Created  Richard Parsons January 2022
Approved DRIC January 2023
Updated Caroline Brown (layout, order, formatting so no additional approval) July 2023
Updated Caroline Brown (links etc) March 2024