Information Governance Framework
- Determines context and objectives
- Identifies issues and provides guidance
- Provides quantifiable measures (for example: encryption, password management, data retention, information disposal, privacy notices, roles, responsibilities, training)
- Establishes the actions to take (for example: DSAR, FOI, CCTV, incident management, impact assessments)
- Embeds good practice (for example: clear desk, learner reference, network storage, emails)
Information is a vital asset for the provision of services to learners or staff and assists in the effective management of Group resources. It plays a key part in governance service planning and delivery as well as performance management.
Information Governance (IG) is concerned with how content is collected, recorded, used, shared, held and destroyed.
Content (including shared content) is a collective term for documents, data and records (electronic and paper).
It is essential that the Group has a functional information governance framework to ensure that content, and particularly content of a special category nature, is effectively managed, with accountability structures, processes, documented policies and procedures, staff training and appropriate resources, so as to deliver a robust service to the data subjects from whom we collect content and whose content we process.
The Group must also ensure that it is responsive to enquiries, whether from the data subjects from whom the content was collected, from authorised third parties or from the general public. It must also be responsible for addressing any complaints that may be presented from time to time in relation to its processing activities, and for maintaining communications with the UK regulatory authority and upholding its actions when determined necessary.
The principles set out in this framework apply to all employees, trainees or apprentices and volunteers; they also apply to contractors, suppliers and partners delivering services on the Group’s behalf.
Key IG policies
Group policies that impact on the processing of content will be supported by standards, procedures and guidelines that are developed throughout the various sections of the organisation.
Board: Responsible for the oversight and implementation of the IG Framework.
Chief Executive: Responsible for compliance with, and communication of, the Group wide IG commitment.
Leadership Group: Ensures the delivery of an effective governance approach.
Senior Information Risk Owner (SIRO): Responsible for managing information risk throughout the RNN Group. Specifically the SIRO will:
- Foster a culture for protecting content in our care
- Ensure compliance with legislation, policy, standards, procedures and guidelines
- Provide a focal point for managing content (and shared content) risks and incidents
- Prepare information risk assessments for the Group on a monthly and annual basis
Data Protection Officer (DPO): Responsible for compliance with the legal, policy and moral responsibilities arising from the organisation's processing of content, and for providing advice and guidance on information governance to the RNN Group as a whole. The DPO will act as the Group's liaison with the data subjects themselves, third parties and the UK regulatory authority (currently the Information Commissioner's Office).
Caldicott Guardians: Responsible for ensuring that all patient identifiable information handled on behalf of the Group is compliant with laws and standards. The Caldicott Guardian ensures that satisfactory information governance policies and procedures are in place for their service area, in conjunction with the Group’s DPO.
Information Governance Team: Supports the SIRO/DPO in the implementation, delivery and embedding of information governance through Data Protection Impact Assessments (where appropriate), and gives advice on the privacy risks of projects and change, including memoranda of understanding, data sharing agreements and data protection clauses in contracts. The team upholds data subject rights, carries out compliance monitoring, central record keeping and statutory reporting obligations, and takes appropriate action when complaints are reported to the Group.
Information Asset Owner: Each curriculum and business manager is responsible for identifying, understanding and addressing risks to the content collected and processed within their area.
Information System Owner: Each content system used by the Group will have a designated system owner, who will ensure that system operating procedures are in place and enforce them where necessary. They will have responsibility to recognise actual or potential security incidents and liaise with the SIRO/DPO accordingly.
The Content Governance Group (CGG) will comprise the SIRO/DPO (Chair) and representatives from Leadership Group, Contracts and Funding, Quality, Human Resources, IT Services, Marketing, Student Services, MIS and subsidiaries.
Terms of reference
Policy: Decision-making responsibility for policy recommendations to Leadership Group and The Board.
Forms: Decision-making responsibility for the information governance approach when content collection is first determined.
With overall Group responsibility to:
- Oversee the Information Governance framework
- Review and approve content collection and processes
- Review and approve policy and standards
- Consider recommendations from the Data Protection Officer
- Coordinate Information Governance activities across the Group
- Ensure Information Governance training plans are progressed
- Implement changing legislation
All RNN Group directors and managers are responsible for promoting the information governance framework and its associated standards, procedures and guidelines.
All RNN Group staff are responsible for ensuring they apply the standards of the information governance framework and its associated standards, procedures and guidelines to all work practices.
Wilful or negligent disregard for RNN Group information governance policies and procedures may be treated as a disciplinary matter.
Training and Guidance
Information governance training for all staff will be mandatory at induction and periodically thereafter, in line with the Group’s training standards and requirements and in compliance with UK legislative obligations.
Secondments, agency, voluntary and any other staff with access to the Group’s systems and shared content (at any location) will be required to undertake the information governance training, unless evidence of equivalent training is provided through an exceptions process.
Training compliance will be monitored by the Content Governance Group and at individual level through the Performance & Development Review (PDR).
Privacy and information governance awareness sessions may be given to staff as required at team meetings or other events.
Regular updates on information governance topics will be made through Group and local team briefings, social media, staff news, emails and on occasions, through targeted publicity campaigns.
Information governance related policies and associated standards, procedures and guidelines will be published on the RNN Group staff portal.
Monitoring and Review
This Information Governance Framework will be monitored and reviewed annually by the CGG and maintained in line with current legislation.
The information governance related policies and associated standards, procedures and guidelines will be reviewed as set out in the individual documents.
A gap analysis report identifying good practice, along with any shortfalls, is to be maintained annually, assisting with the Group’s journey towards recognised standards such as BS 10012, Cyber Essentials and ISO 27001.