Information compliance

Information Compliance

The University is a complex organisation holding a very large amount of information across all of its functions and operations. Much of this is personal data, or other confidential information, regarding which there are specific requirements and risks. It is vital that the University is able to obtain, use, manage, disclose and dispose of the information it needs, as appropriate, in a responsible and secure manner that adheres to both operational requirements and the responsibilities imposed by legislation and regulation.

Information Compliance covers everything that an organisation may do with the information it handles, including adherence to legal and compliance requirements, such as those listed below, but also ensuring that it utilises its information assets in the most effective way and maximises value from those assets.

• Data Protection
• Information Security
• Freedom of Information
• Copyright

Information Compliance Policies

A suite of policies and guidance documents are in place to address the University's Information Governance requirements:   

• Information Governance Policy - IGP-01 (PDF, 348kB) - Establishes the high-level principles of information governance at the University and sets out responsibilities and reporting lines for members of staff. It provides an over-arching framework for information governance across the University.
• Data Protection Policy - IGP-02 (PDF, 372kB)‌ - Sets out how the University will process the personal data it holds (relating to students, staff, research participants, and other third parties). Outlines the University's responsibilities under data protection legislation and regulation, providing a high-level statement of how it will comply, and provides instruction for staff handling personal data. 
• Records Management and Retention Policy - IGP-03 (PDF, 404kB) - Establishes principles for ensuring that the University implements effective records management, and provides guidance on the retention and disposal of records.
• Records Retention Schedule - IGP-04 (PDF, 870kB) - Provides guidance for all staff and areas of the University on recommended retention periods for different categories of records, accounting for legislative and regulatory requirements, best practice standards, existing policies and practices, and operational needs.
• Document Management Policy - IGP-05 (PDF, 316kB) - Establishes standards for document management across all of the University's functions and operations, and for ensuring documents are created, maintained and disposed of appropriately, taking full account of operational needs. 
• Digital Preservation for Business Records Policy - IGP-06 (PDF, 275kB) - Guidance on the preservation of the University's digital records, accounting for technical and retention requirements.
• Personal Data Breach Procedure - IGP-07 - Sets out procedures for the identification, investigation, mitigation, notification and review of personal data breaches by the University. The document is not freely accessible to all, but can be made available on request. A Personal Data Breach Notification Form (IGP-07) (Office document, 44kB) needs to be used to initially notify any data breaches to data-protection@bristol.ac.uk or IT Services. A Personal Data Breach Report Form (IGP-07) (Office document, 60kB) will be used to record data breaches and outcomes after they have been investigated.
• Data Protection Impact Assessment Policy - IGP-08 v1.1 (PDF, 475kB)‌ - Establishes the University's approach to identifying the need for, undertaking and implementing Data Protection Impact Assessments (DPIAs), as required by GDPR to address risks to individuals whose personal data is being processed. Data Protection Impact Assessment Screening Questions (Office document, 47kB) will determine whether a full DPIA is needed. A Data Protection Impact Assessment (DPIA) Form (Office document, 58kB) should be used to conduct a full DPIA.
• Information Strategy Principles - IGP-09 (PDF, 105kB) - Establishes a set of clear information strategy principles to be used to guide decision-making processes across the University.
• I‌nformation Classification Scheme - IGP-10 - Sets out the five confidentiality classifications that apply to all University information, including personal data, and will help determine how the information should be handled relevant to the associated risk.

Information Compliance Framework

The policies listed above form a central part of the University's Information Compliance Framework, and they are complemented by a structure incorporating roles and responsibilities. This is headed by the Senior Information Risk Owners (SIRO, as below) to ensure that there is ownership and awareness of information risks and issues at a senior level:

• Registrar and Chief Operating Officer (Accountable)
• Chief Information Officer (Responsible)

The Information Compliance Team in the University Secretary's Office, led by the Information Compliance Manager, is tasked with ensuring that appropriate policies, procedures, practices, guidance and advice are in place and available so that staff and students use the information they need in a way that meets requirements.

Information asset owners are in place within schools, faculties and divisions to ensure information is owned and managed appropriately at a local level.

The Information Governance and Security Advisory Board has membership from across the University and discusses and advises on all matters relating to the handling of information.

A diagram outlining the structure of the University's Information Compliance Framework can be found here:

Information Governance Framework Structure Diagram (PDF, 77kB)

Information Asset Register

Research data

The Research Data Service can offer advice and assistance to those managing research data and the Research Data Storage Facility offers a secure storage option to all University staff. The University also has an Open Access Policy in relation to research publications.