Information Policy Compliance

Policy

1. Compliance with Legal Requirements

1.1 The University will comply with all relevant statutory and regulatory requirements whether or not those requirements are explicitly stated in its internal policy documentation.

1.2 The University will inform its staff and students of legal obligations by creating and circulating policies and explanatory information about legal compliance matters. Further guidance and advice will be available from specialist staff.

1.3 Heads of Departments, line managers and academic supervisors must inform their staff and students of the requirement to comply with statutory and regulatory requirements if their activities require it.

1.4 Individuals are responsible for ensuring that they do not break the law. Responsibilities with respect to the use of information and IT systems are set out in the University Ordinances and Regulations, and for employees in the Terms and Conditions of Employment.

1.5 As part of the introduction of new or changed systems and processes, a Data Protection Impact Assessment must be undertaken. In addition, where data is to be hosted in the cloud, a cloud computing assessment should be completed.

1.6 The University will monitor legal compliance through internal review processes and through the University’s internal and external Audit processes.

University policy

2. Compliance with University Information Policy

2.1 All IT account holders agree to abide by the information policies of the University as part of the account activation process and will be periodically reminded of their responsibilities.

2.2 User compliance with policies will be monitored through internal review processes and through the University’s internal and external Audit processes.

2.3 Technical compliance of software and hardware controls will be monitored and tested through internal review processes and through the use of third parties.

2.4 The University will investigate a possible breach of policy in accordance with the Investigations Policy. In cases of non-compliance with this policy disciplinary action may be taken even if legal compliance has not been breached.

Scope

3. Scope

3.1 This policy is binding on all those who use University information such as staff, students, contractors, consultants, visitors and guests of the University whether accessing information from on or off-campus.

3.2 This policy supplements the following University Information Policies:

• Regulation 11: Using University Information
• Records Management
• Data Protection
• Acceptable Use Policies
• Copyright
• Intellectual Property

Oversight

4. Oversight

4.1 The Information Security Board, chaired by the Deputy Registrar, will monitor the effectiveness of this policy and carry out regular reviews.

Responsibilities

5. Responsibilities

5.1 All information users are responsible for protecting and ensuring the security and integrity of the information to which they have access.

5.2 University Officers, Heads of Departments and Section Heads are responsible for ensuring that all information in their area is managed in conformance with this policy.

5.3 Employees, students, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.

5.4 Any breach of information security or violation of this policy must be reported to the Deputy Registrar who will take appropriate action and inform the relevant authorities.

Implementation

6. Policy implementation documents

6.1 This document, together with related information policies and implementation documents is available at: Protecting information

6.2 Information and IT legislation, external policies and licences: List of the principal laws, third party regulations and policies which are particularly relevant for the use of information and IT.

Document history

Document history

Review

Review cycle: Three yearly

Date of next review: January 2022