Information Policy Compliance

Related pages

This policy explains how the University and individuals comply with legal requirements and University information policies. It also outlines how compliance is monitored and reviewed.

It applies to everyone - all staff, students, associates, and anyone else authorised to use University IT facilities and information.

Policy

1. Compliance with Legal Requirements

1.1 The University will comply with all relevant statutory and regulatory requirements whether or not those requirements are explicitly stated in its internal policy documentation.

1.2 The University will inform its staff and students of legal obligations by creating and circulating policies and explanatory information about legal compliance matters. Further guidance and advice will be available from specialist staff.

1.3 Heads of Departments, line managers and academic supervisors must inform their staff and students of the requirement to comply with statutory and regulatory requirements if their activities require it.

1.4 Individuals are responsible for ensuring that they do not break the law. Responsibilities with respect to the use of information and IT systems are set out in the University Ordinances and Regulations, and for employees in the Terms and Conditions of Employment.

1.5 As part of the introduction of new or changed systems and processes, a review must be conducted to identify relevant legal obligations. Implementation plans must take relevant obligations into account.

1.6 The University will monitor legal compliance through internal review processes and through the University’s internal and external Audit processes.

University policy

2. Compliance with University Information Policy

2.1 All IT account holders agree to abide by the information policies of the University as part of the account activation process and will be periodically reminded of their responsibilities.

2.2 User compliance with policies will be monitored through internal review processes and through the University’s internal and external Audit processes.

2.3 Technical compliance of software and hardware controls will be monitored and tested through internal review processes and through the use of third parties.

2.4 The University will investigate a possible breach of policy in accordance with the Investigations Policy. In cases of non-compliance with this policy disciplinary action may be taken even if legal compliance has not been breached.

Scope

3. Scope

3.1 This policy is binding on all those who use University information such as staff, students, contractors, consultants, visitors and guests of the University whether accessing information from on or off-campus.

3.2 This policy supplements the following University Information Policies:

Oversight

4. Oversight

4.1 The Information Security Board, chaired by the Director of Information, will monitor the effectiveness of this policy and carry out regular reviews.

Responsibilities

5. Responsibilities

5.1 All information users are responsible for protecting and ensuring the security of the information to which they have access.

5.2 University Officers, Heads of Departments and Section Heads are responsible for ensuring that all information in their area is managed in conformance with this policy.

5.3 Employees, students, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.

5.4 Any breach of information security or violation of this policy must be reported to the Director of Information who will take appropriate action and inform the relevant authorities.

Implementation

6. Policy implementation documents

6.1 This document, together with related information policies and implementation documents is available at: Protecting information

6.2 Information and IT legislation, external policies and licences: List of the principal laws, third party regulations and policies which are particularly relevant for the use of information and IT.

Document history

Document history

14 November 2012 Approved by Information Policy Executive
13 December 2012 Approved by Information Security Board
29 January 2016 Reviewed and approved by Information Security Board

Review

Review cycle: Three yearly

Date of next review: January 2019