
Leeds Beckett Information Governance Framework

The document provides Leeds Beckett University's Information Governance Framework. The framework establishes roles and responsibilities for managing the university's information, data, and systems. It outlines five key strands: oversight and management, records and information management, information legislation compliance, information security, and data quality assurance. Key roles include the University Executive Team, Senior Information Risk Owners, the Data Protection Officer, Information Asset Owners, and Information Asset Stewards.

Uploaded by

PRADEEP JUVVADI

INFORMATION GOVERNANCE FRAMEWORK

Organisation: Leeds Beckett University
Author(s): Head of Information Governance
Developed in consultation with: University Secretary; Records and Information Governance Manager
Owner: University Secretary’s Office
Target audience: Staff
Sensitivity: Public
Approved by: University Executive Team
Endorsed by: University Executive Team
Effective date: 01-06-2020
Review Date: +2 years from last date of approval [06-2022]
Status: Published
External references:
Links to other internal policies / procedures:
• Data Protection Policy
• Access to Information Policy
• Records Management Policy
• Information Asset Management Programme
• Information Asset Management Programme handbook
• Records Retention Schedule
• Information Classification Scheme
• Information Management and Security Policy
• Data Breach Procedure
Version reference: 1.00
Version history and summary of changes: No previous versions.

INTRODUCTION
Information as a strategic asset
1. Information is a vital asset for all aspects of the University’s operation and for the
efficient management of the University’s resources. As well as protecting and
providing the rights of access to public and personal information, it plays an
increasingly strategic role in the way in which the University is regulated and held
accountable by external bodies. Insight and intelligence gathering from our data is
key to understanding our institutional position and performance. It plays a key role in
the management and governance of the University and its future planning.

2. Information governance is concerned with how information is held, obtained,
recorded, used and shared by an organisation. Information is used here as a collective
term to cover terms such as data, documents, records and content. It is essential that
the University has a robust information governance management framework, to
ensure that information is effectively managed using the appropriate resources and
documented policies, processes and procedures, staff training and the necessary
management and accountability structures.
Purpose
3. This Framework establishes and sets out the roles and responsibilities associated with
the management of the University’s information, data and system assets.
Audience
4. This Framework applies to all staff of the University and its partner organisations that,
by agreement, have responsibility for any aspects of University information collection,
maintenance or disposal.
Scope
5. The Framework relates to institutional or management data across but not limited to
the following domains:
• Student data
• Staff data
• Research data
• Learning resource data
• Enterprise and community engagement data
• Business data
• Finance data
• Space and asset data
Definitions
6. Data are facts and statistics collected together for reference or analysis. When data is
processed, organised, structured or presented in a way that gives it context and
therefore makes it more useful, it is called information. In the context of this
document and the University’s Information Governance framework, the terms data
and information can be used interchangeably.

THE INFORMATION GOVERNANCE FRAMEWORK

7. The Information Governance Framework sets out how Leeds Beckett University
manages the capture, creation, access, security, management and sharing of its
information both internally and externally.

8. The Framework has been developed based on best practice models adopted
nationally. It is structured around the following five key strands of activity:
• Oversight and management of the Information Governance Framework
• Records and Information Management
• Information Legislation Compliance
• Information Security and Cyber Security
• Data Quality & Assurance

9. A summary of each strand and what will be delivered through the adoption of this
Framework is provided, alongside the supporting policies and procedures that will
enable the framework to be implemented across the University.

Information Governance - Roles and Responsibilities


10. The table below sets out the key roles and responsibilities relating to information
governance throughout the management structures of the University. An overview
diagram is attached at Appendix 1 and reporting structures Appendix 2.

Role: University Executive Team (UET)
Role Holder: UET members
Responsibilities: Key role in fostering the information governance culture within the University and the use of information and data as a strategic asset.

In addition (Role Holder: UET through the University Secretary):
• Providing Data Protection compliance assurance to the Board of Governors.
• Receiving assurance and reports in relation to organisational compliance.
• Enabling the DPO to perform their statutory requirements and ensuring they are provided with the necessary time, resources and support.
• Ensuring the DPO is involved as required in all issues which relate to the protection of personal data.

Role: Senior Information Risk Owners (SIROs)
Role Holder: University Registrar, Deans & Directors
Responsibilities: Senior management with overall responsibility for the use of information as a strategic asset in their School or Service area:
• Providing accountability and assurance to UET that information governance framework policies, including data protection, access to information and information security policies are complied with in their areas.
• Management of responses to any data protection breaches.
• Enabling the DPO to perform their statutory requirements and ensuring they are provided with the necessary information and support.
• Ensuring the DPO is involved as required in all issues which relate to the protection of personal data.

Role: Data Protection Officer
Role Holder: Head of Information Governance
Responsibilities: A statutory role which advises on the University’s compliance with data protection legislation:
• Providing advice and recommendations to the SIROs and UET in relation to data protection risks.
• Enabling and monitoring compliance with data protection legislation.
• Reviewing and periodically reporting on the University’s data protection compliance.
• Advising the SIROs in relation to the management and response to any personal data breaches.
• Being the University’s contact with the Information Commissioner’s Office.

The DPO role is independent and advisory and does not make decisions on the processing of personal data.

Role: Information Asset Owner
Role Holder: School and Service Heads and Managers nominated by Deans & Directors
Responsibilities: Role ensures that information assets are managed appropriately:
• Ensuring consistent local information and data management processes are developed, implemented and reviewed.
• Monitoring and reporting on information management and compliance as required to UET through Deans & Directors.
• Being responsible for data protection privacy compliance in their area and being the point of contact for the Information Compliance Team.
• Managing data protection risks.

Role: Information Asset Stewards/Administrators
Role Holder: Individuals nominated by IAOs
Responsibilities: Information Asset Stewards/Administrators ensure that the daily operation of systems and processes are compliant with the Information Governance Framework and related policies and procedures.

They take a proactive role in understanding the purpose of the processes they operate and how they contribute to the wider University and undertake required learning and development activities.

Role: All staff and third parties
Responsibilities: All individuals and organisations who process information on behalf of the University have a responsibility, under the necessary agreements, to comply with the information governance framework and its policies, including data protection, access to information and information security procedures.

OVERSIGHT AND MANAGEMENT OF INFORMATION GOVERNANCE
11. This strand of the Framework covers the management of information governance at
an institutional, managerial and operational level across the University. It is a
fundamental component of the Framework as it will provide the necessary ownership,
advocacy and accountability structures that can be used to ensure the appropriate
prioritisation and implementation of the information governance framework across
the University.
12. The following measures will be implemented to ensure appropriate oversight and
management of the University’s approach to Information Governance:

REF Measures

IG 1 Leeds Beckett University has an approved Information Governance Framework.


IG 2 There are clearly defined corporate, managerial and operational stewardship
responsibilities for information governance appropriately embedded in role
expectations across the University.
IG 3 Leeds Beckett University has a Strategic Information Management Group
supported by an Information Management Operations Group with agreed Terms
of Reference. These Groups will work within and report to an appropriate place
within the University’s broader executive advisory group and corporate
governance arrangements. (Appendix 2)
IG 4 The Strategic Information Management Group and its Information Management
Operations Group have access to the necessary expertise across all areas of the
Framework.
IG 5 A corporate information governance improvement plan sets out priorities and
objectives and is managed by the Information Management Operations Group
and monitored by the Strategic Information Management Group.
IG 6 Leeds Beckett University has an Information Asset Management Training
Programme that includes Data Protection and Privacy by Design requirements.
IG 7 Staff induction procedures across the University effectively raise the awareness
of information governance and outline individual responsibilities contained
therein.
IG 8 An established review process exists to maintain the currency of the Information
Governance Framework within the University.
13. The following policies and procedures will support the delivery of the Information
Governance Management measures outlined above.
• Leeds Beckett University Information Governance Framework
• Strategic Information Governance Steering Group Terms of Reference
• Information Management Operations Group Terms of Reference
• Corporate Information Governance Improvement Plan
• Leeds Beckett University Information Asset Management Training Programme
• Information Governance Training Needs Assessment and Training Plan
• Information Governance & Security – Staff guidance materials

RECORDS AND INFORMATION MANAGEMENT
14. Records and Information Management covers the process of creating, describing,
using, storing, archiving and disposing of organisational records according to a defined
set of standards (usually adherence to ISO 15489). It is a fundamental component of
the Information Governance Framework as it ensures the University’s record sets
enable adherence to compliance rules and statutory access requirements as well as
protecting the University’s corporate memory.

15. The following measures will ensure the delivery of an appropriate Records
Management function:

REF Measure
RM 1 Leeds Beckett University has an ISO 15489 equivalent Records Management
Policy.
RM 2 Leeds Beckett University has an agreed and implemented Records Retention
Schedule.
RM 3 Leeds Beckett University has an agreed and implemented Information
Management and Security Policy that includes security & access measures and
controls.
RM 4 Leeds Beckett University has documented procedures to ensure delivery of the
Records Management Policy. As a minimum, these should cover:
• Storage and Handling
• Business Continuity
• Access, Retrieval and Disposal

RM 5 Leeds Beckett University has deployed appropriate systems and tools to
efficiently manage the University’s records in line with the Records Management
Policy.
RM 6 A Controlled Business Vocabulary (or taxonomy) is developed and embedded
within electronic document and records management processes.
RM 7 Leeds Beckett University has a Records Manager that has the required capacity
and skills to develop and support the implementation and embedding of the
Records Management Policy.
RM 8 Core Records Management competencies are built into appropriate role
expectations and a suitable training and development programme established to
facilitate their delivery.
RM 9 Leeds Beckett University has agreed and implemented an Information
Classification Scheme which incorporates security (access and permission) rules.

16. The following policies and procedures will support the delivery of the Records
Management measures outlined above.
• Records Management Policy
• Records Retention Schedule
• Guidance on Records Management
• Information Classification Scheme

INFORMATION LEGISLATION COMPLIANCE
17. Information Compliance covers the legal framework and the standards that need to
be established to ensure the University’s management of information operates within
the law and the rights of individuals.

18. The University manages and processes large volumes of confidential and sensitive
information about people. It must deal with this lawfully and ethically. Failure to do
so could cause harm and distress to individuals and cause reputational damage and
increased risk of litigation or regulatory action. The key legislation the University must
comply with includes the General Data Protection Regulation, Data Protection Act, the
Freedom of Information Act and the Human Rights Act.

19. The following measures will support the delivery of an appropriate Information Rights
& Compliance function:

REF Measures
IC 1 Leeds Beckett University has an approved and monitored Access to Information
Policy that sets out University procedures, roles and responsibilities.
IC 2 Schools and Services have nominated staff responsible for supporting Access to
Information requests.
IC 3 Leeds Beckett University has a corporate framework for evaluating the public interest
test for disclosing information through Access to Information requests in a consistent
and transparent manner.
IC 4 All staff are aware of the various rights of access to information and how these can be
exercised inclusively.
IC 5 The public is made aware of their information rights under Data Protection and
Freedom of Information and how to exercise them.
IC 6 Staff ensure that information is provided in the most appropriately accessible format
within statutory timescales.
IC 7 Leeds Beckett University has an effective mechanism in place to consider appeals to
withhold information under information law.
IC 8 Leeds Beckett University has an approved and monitored Data Protection Policy
compliant with data protection principles and statutory requirements.

20. The following policies and procedures support the delivery of the information
compliance measures outlined above.
• Data Protection Policy
• Access to Information Policy
• Publication Scheme
• Staff guidance on Data Protection and Freedom of Information Act (FOIA)
• Guidance on Data Protection Impact Assessments
• Information Asset Management Programme

DATA QUALITY AND ASSURANCE
21. This strand of the Framework covers the need to ensure the quality, accuracy, and
reliability of our data and internal information. It is a fundamental component of the
Information Governance Framework as staff, students and key stakeholders need to
be able to trust the validity and authority of corporate information sources and have
confidence that it is up-to-date and accurate.

22. It is important that the University can assess the quality of its data as a strategic asset
and business intelligence tool and ensures that all data returns comply with the
necessary statutory and regulatory requirements and standards.

23. The following measures will support the delivery and assurance of data quality across
the various areas of the University with responsibility for data quality and data
returns:

REF Measures

DQ 1 Leeds Beckett University has a commitment to data quality and a designated data lead
at executive level.
DQ 2 Leeds Beckett University has a Data Quality Management Policy implemented across
Schools and Services.
DQ 3 There are designated data stewardship roles with specific responsibility for data quality
across the University.
DQ 4 Standards are set through processes and procedures to ensure the quality of data being
shared with external organisations.
DQ 5 There are documented procedures and processes in place governing the capturing,
recording and handling of data.
DQ 6 There are documented procedures for data collection activities and these procedures
are monitored.
DQ 7 Data quality checks are incorporated into processes and procedures around the
handling of data.
DQ 8 There are business continuity plans in place for all systems.

24. The following policies and procedures support the delivery of the data quality
assurance measures outlined above:
• Data Quality Management Policy
• Data Quality and Auditing Procedures
• Records Retention Schedule
• Business Continuity Plans

INFORMATION SECURITY AND CYBER SECURITY
25. Information security covers the policies and procedures in place to protect
information and information systems from unauthorised access, use, disclosure,
disruption, modification, or destruction. It is one of the fundamental components of
the Information Governance Framework as it will ensure the University is able to
protect the confidentiality, integrity and availability of information within the
organisation, that includes cyber security resilience.

26. The following measures will support the delivery of an effective and robust
Information Security function:

REF Measures

IS 1 There is an Information Management and Security Policy in place based on ISO 270001
IS 2 Roles and responsibilities for adherence to the policy are clearly defined and an appropriate
training programme is in place.
IS 3 There is an inventory of information assets as required for compliance with data protection
principles.
IS 4 Access control is in line with the security policy and the need for information dissemination
and authorisation
IS 5 A Corporate Risk Management & Assurance Framework is in place and information security
risks are incorporated.
IS 6 Security requirements are included in formal system acquisition, development and
maintenance procedures along with Data Protection Impact Assessments where required.
IS 7 There are procedures to report information security incidents and weaknesses and to
escalate action on dealing with these. Staff are made fully aware of the procedures.
IS 8 There is a business continuity management process designed to limit the impact of and
recover from the loss of information assets.
IS 9 All changes to information processes are planned and implementation is effectively
managed including the use of Data Protection Impact Assessments.
IS 10 There are controls in place for managing third party data sharing agreements
IS 11 Networks are adequately managed and controlled to protect them from information and
cyber security threats. Security is provided for the systems and applications using the
network.
27. The following policies and procedures support the delivery of the University’s
Information Security measures outlined above:
• Information Management and Security Policy
• IT Security Policy
• IT for New Starters Manual
• Bring Your Own Device Policy
• Computer Protection Policy
• Cryptography Policy
• Information Handling Policy
• Network Management Policy
• Software Management Policy
• System Planning & Management Policy
• User Management Policy
• Use of Computers Policy
• Wireless Communication Policy
• Mobile Computing Policy

Appendix 1
Roles and responsibilities for the management and governance of Information Assets within Leeds Beckett University

BOARD OF GOVERNORS
(Ultimately responsible for Data Protection and GDPR compliance)

UNIVERSITY EXECUTIVE TEAM (UET)
Key role in fostering the information governance culture within the University and the use of
information and data as a strategic asset.

SENIOR INFORMATION RISK OWNERS (SIROs)
Senior management with overall responsibility for the use of information as a strategic asset in
their School or Service area

DATA PROTECTION OFFICER AND INFORMATION COMPLIANCE TEAM
Provides professional support, advice and guidance to all these individuals. Ensures policies and
procedures are up to date and meet statutory requirements

INFORMATION ASSET OWNERS (IAOs)
Role ensures that information assets are managed appropriately and in accordance with University
expectations, policies and procedures.

INFORMATION ASSET ADMINISTRATORS (IAAs)

Support IAOs in their role and ensure that the daily operation of systems and processes is compliant with
information governance expectations within service area.

INFORMATION ASSET
Identified electronic or paper/filing/storage system that holds a named common set of records e.g. student record,
employee record, complaint files, finance and business information, etc.

Appendix 2

Information Governance Framework – Oversight & Operations Groups

Group: Strategic Information Management Group
Description: Responsible for overseeing a University wide Information Governance Framework that supports effective information management - planning, developing and maintaining policies, standards, procedures and guidance, coordinating information governance activity across the University
Membership: University Secretary (Chair), SIROs, IAOs of systems that process personal information

Group: Information Management Operations Group
Description: Operational arm of SIMG, tasked with the development and implementation of policies and processes.
Provides professional guidance on best practice regarding the lifecycle for the creation, collection, curation, security and governance, access or usage, disposal or retention and preservation, of any records, information and data assets required and managed by the University. This group brings together data, records, information and security specialists from across the University
Membership: Head of Information Governance, IT Security Manager, Records Manager, Schools and Service representative responsible for key aspects of University data, records and information

Group: Task and Finish Groups
Description: Groups of Information Asset Stewards / Administrators established, as required, to work collaboratively on specific data and information processes to apply University and regulatory requirements, standards of best practice and adapt them for local implementation in their operational areas.
Membership: As nominated by Deans & Directors
