Information compliance

The University is a complex organisation holding a very large amount of information across all of its functions and operations. Much of this is personal data, or other confidential information, regarding which there are specific requirements and risks. It is vital that the University is able to obtain, use, manage, disclose and dispose of the information it needs, as appropriate, in a responsible and secure manner that adheres to both operational requirements and the responsibilities imposed by legislation and regulation.

Information Compliance covers everything that an organisation may do with the information it handles. It includes adherence to legal and regulatory requirements, such as those listed below, but also ensuring that the organisation uses its information assets as effectively as possible and maximises the value it gets from them.

Information Compliance key documents

A suite of policies and guidance documents is in place to address the University's Information Compliance requirements:

  • ICP-01 Information compliance policy - This policy outlines how the University manages, protects, and uses information to ensure legal compliance, mitigate risks, support operational efficiency, and uphold data protection and security standards.

  • ICP-02 Data protection policy - This policy sets out how the University processes the personal data that it holds (relating to students, staff, research participants and third parties). It outlines the University’s responsibilities under data protection legislation and regulation, setting out how it will comply, and provides instruction for staff handling personal data.

  • ICP-03 Records management policy - This policy sets out the principles and practical considerations for the consistent management of records throughout their life cycle, from creation or receipt through to their operational use, storage and disposal.

  • Personal Data Breach Procedure - Sets out procedures for the identification, investigation, mitigation, notification and review of personal data breaches by the University. The document is not freely accessible to all, but can be made available on request. A Personal Data Breach Report Form (IGP-07) (Office document, 60kB) will be used to record data breaches and outcomes after they have been investigated. For further guidance staff can visit the Information Compliance SharePoint (staff access only).

  • Data Protection Impact Assessment Screening Questions (Office document, 47kB) - Use to determine whether a full DPIA is needed.

  • Data Protection Impact Assessment (DPIA) Form (Office document, 58kB) - Use to conduct a full DPIA.

  • Records retention schedule (PDF, 2,575kB) - Provides guidance for all staff and areas of the University on recommended retention periods for different categories of records, accounting for legislative and regulatory requirements, best practice standards, existing policies and practices, and operational needs.

  • Information Classification Scheme (PDF, 99kB) - Sets out the five confidentiality classifications that apply to all University information, including personal data, and helps determine how information should be handled in proportion to the associated risk.

Information Compliance Framework

The policies listed above form a central part of the University's Information Compliance Framework, and they are complemented by a structure incorporating roles and responsibilities. This is headed by the Senior Information Risk Owners (SIRO, as below) to ensure that there is ownership and awareness of information risks and issues at a senior level:

  • University Secretary and Director of Governance (Accountable)

  • Chief Digital Information Officer (Responsible)

The Information Compliance Team in the University Secretary's Office, led by the Information Compliance Manager, is tasked with ensuring that appropriate policies, procedures, practices, guidance and advice are in place and available so that staff and students use the information they need in a way that meets requirements.

Information asset owners are in place within schools, faculties and divisions to ensure information is owned and managed appropriately at a local level.

The Information Governance and Security Advisory Board has membership from across the University and discusses and advises on all matters relating to the handling of information.

Information Asset Register

The University has produced a comprehensive Information Asset Register detailing the information held by Schools, Faculties and Divisions, although it does not include research data. A version of the Information Asset Register listing all information assets and their owners is available to University staff here: University of Bristol Information Asset Register.

Research data

The Research Data Service can offer advice and assistance to those managing research data and the Research Data Storage Facility offers a secure storage option to all University staff. The University also has an Open access policy in relation to research publications.