Information Governance Policy

This policy applies to the information the School creates and uses to operate the institution and evidence compliance. It sets the overarching Information Governance framework, including accountability for information assets, systems-of-record, records management, retention and disposal, information security controls, and assurance and auditability expectations. It covers student lifecycle information (from admissions through to outcomes), assessment outcomes, financial records used for statutory and regulatory reporting, and governance evidence (for example approvals, minutes and assurance packs). This includes regulated reporting and returns activity (for example Office for Students and designated data body/HESA returns) where the School must evidence sources, checks, and approvals.

The School designates one authoritative system for each core domain so that staff and governors can rely on a single “official” record:

• Student record system: the Student Management System (SMS) is the authoritative store for student identity, enrolment status history, engagement status history, progression and outcomes. Where the School refers operationally to an Internal Student System (ISS) within AGS, this is the School’s implementation of the Student Management System and forms part of the same system-of-record control model.
• Learning delivery system: the Virtual Learning Environment (VLE) holds learning activity evidence that supports teaching delivery, student support, and assurance of engagement.
• Assessment system: the School’s assessment platform holds assessment delivery and marking evidence and feeds validated outcomes into the Student Management System (SMS).
• Governance and assurance system: the School’s Automated Governance System (AGS) provides the authoritative record of approvals, committee minutes, policy versions, and assurance evidence.

Regulated submissions and governance decisions must be traceable to authoritative records. Where extracts, spreadsheets, or working papers are used to support checks (for example reconciliations between student records and the finance ledger), they must remain supporting evidence and must not become alternative sources of truth.

The School’s governance structure provides clear decision rights and assurance routes:

• The Board of Governors approves this policy and retains ultimate responsibility for the integrity of regulated submissions.
• The President is the accountable officer for institutional assurance and for making sure submissions and material reporting decisions are appropriately governed.
• The Academic Board provides assurance over academic quality and standards, assessment integrity, progression, and awards.
• The Quality, Compliance and Audit Committee (QCAC) scrutinises internal control, compliance, audit and risk, and provides assurance to the Board of Governors.
• The Executive Committee (President and Directors) oversees day-to-day operational performance, including the operation of data controls and the resolution of data issues.

The following terms are defined and underpin this policy

• Information governance: The framework of people, rules and controls that ensures information is created, managed, shared, retained and disposed of appropriately throughout its life.
• Data governance: A component of information governance that sets decision rights, standards, quality expectations and assurance processes for structured data (for example student and finance records).
• Records management: The controls and practices that ensure records are captured, classified, stored, retained, disposed of, and retrievable as evidence, regardless of format.
• Data protection: The set of legal and organisational duties (including the UK GDPR and the Data Protection Act 2018) that governs how personal data is used fairly, lawfully, transparently and securely. The School’s Data Protection Policy sets the detailed requirements for lawful processing, rights handling, and privacy controls, and operates within this Data Governance framework.
• Personal data: Information relating to an identified or identifiable person (for example a student, applicant, staff member or supplier contact).
• Special category data: Personal data that is more sensitive (for example health information) and therefore requires additional safeguards.
• Systems of record: The School’s designated authoritative systems for particular data domains. They are the places where the “official” record is stored.
• Persistent identifiers: Stable unique reference numbers used to link records across systems over time (for example a Student Identifier that does not change when a name changes).
• Governed reporting layer: The controlled set of reports, dashboards and calculations approved by the School, where business rules are versioned and changes are recorded and approved. Where regulated returns require derived groupings, mappings, or reconciliation working papers, these are treated as governed evidence with clear source references, ownership, and version control.
• Record of Processing Activities (RoPA): A documented inventory of the School’s main personal‑data processing activities, including purpose, lawful basis, categories of data and retention.
• Data Protection Impact Assessment (DPIA): A structured assessment completed before high‑risk processing begins, used to identify privacy risks and agree mitigations.
• Data Subject Access Request (DSAR): A request from an individual to access the personal data the School holds about them.
• Role‑based access control (RBAC): A method of granting system access based on job role (for example “Student Services Officer”) so staff only access what they need.
• Joiner/Mover/Leaver controls: Processes that ensure access is granted when someone starts (joiner), changed when their role changes (mover), and removed promptly when they leave (leaver).
• Service recovery objectives: Targets that describe how quickly systems should be restored after disruption and how much data loss is tolerable.

The School places accountability for information meaning, quality expectations, lawful basis (where personal data is involved), retention expectations, and appropriate use with the leaders who run the underlying processes. These Data Owners hold decision rights over definitions, rules and lawful processing requirements for their domains, and ensure the required controls operate:

• Student domain owner: Director of Student Services (student identity, status, engagement, outcomes in the Student Management System (SMS)).
• Academic structure and outcomes owner: Director of Education (course and module structures, assessment governance, outcomes rules, and academic reporting).
• Finance domain owner: Director of Operations (finance ledger integrity, reconciliations, statutory accounts, and financial regulatory submissions).

Data Owners ensure that staff follow agreed standards, that lawful basis and transparency requirements are met for personal data in their domains, that issues are corrected promptly, and that evidence is retained so decisions, submissions, and privacy compliance can be defended.

The School appoints the Director of Technology as the Data Governance Lead and Senior Information Risk Owner (SIRO). The Data Governance Lead operates the governance ‘machinery’ (standards, controls, reporting and change control), while Data Owners remain accountable for meaning, lawful basis and appropriate use. This role exists to make governance work in practice by operating the governance “machinery”, while Data Owners remain accountable for meaning and use.

The Data Governance Lead:

• maintains data standards, definitions catalogue, and controlled reporting rules;
• operates integration controls between systems of record and ensures audit trails are preserved;
• designs and runs access controls in collaboration with Data Owners;
• produces governance reporting (metrics, exceptions, trends) for the Executive Committee and QCAC;
• coordinates change control for material reporting logic and system configuration impacting regulated submissions.

The School meets its data protection obligations through clearly defined roles that separate operational processing from independent oversight.

• The Internal Data Protection Lead is the Student Success Team member who serves as secretary to committees and the Board. They coordinate day‑to‑day privacy administration: maintaining the Record of Processing Activities (RoPA), coordinating Data Protection Impact Assessments (DPIAs) where needed, managing the Data Subject Access Request (DSAR) log and process, and coordinating breach documentation and lessons learned.
• QCAC provides independent oversight and assurance through governance scrutiny and challenge. Where material privacy or information risks or incidents arise, QCAC ensures appropriate escalation to the Board of Governors under the Scheme of Delegation.
• The Director of Technology is responsible for information security controls and technical resilience (for example access control design, monitoring, backup and recovery).

This model ensures that privacy is actively managed day‑to‑day and that independent challenge exists, without placing the formal privacy oversight role in a conflicting executive position.

To ensure records can be traced and joined across systems, the School maintains a canonical set of core objects (for example: Student, Enrolment/Engagement, Course Session, Module Instance and Award/Outcome). Each object is linked by persistent identifiers, meaning stable reference numbers that do not change when circumstances change (for example a student changes name or contact details). Persistent identifiers are essential because they enable the School to show a clear audit trail from learning activity and assessment outcomes through to student records, financial records and regulated submissions.

The School maintains agreed definitions for material concepts (for example student status categories, engagement states, award dates, fee rules and reporting groupings). When a definition or rule must change, the School uses a controlled change process:

1. the Data Owner proposes the change and explains why it is required;
2. the Data Governance Lead assesses technical and reporting impacts (including any regulated submission impacts);
3. the change is approved by the relevant Data Owner and recorded with an effective date;
4. evidence of approval and the updated definition is stored in the governance and assurance repository.

This prevents “definition drift” and ensures that reports remain comparable over time.

The School uses a governed reporting layer, meaning the approved set of reports and calculations used for management information and regulated submissions. “Governed” means:

• the calculation logic is documented;
• changes are version‑controlled and approved;
• outputs can be traced back to systems of record;
• staff use the approved reports rather than creating competing versions.

Spreadsheets may be used to support reconciliation checks or to provide evidence, but they must not become alternative sources of truth.

Data quality is maintained through a regular operating cycle. In practice, this means:

• each month, Data Owners review agreed quality indicators (for example completeness, validity, and timeliness for key student and finance fields);
• reconciliations are performed between the Student Management System (SMS) and the finance ledger (for example ensuring student invoices and receipts reconcile to enrolment and fee rules), and between learning/assessment systems and the Student Management System (SMS) (for example ensuring assessment outcomes posted to the SMS match assessment evidence);
• exceptions are reviewed, root causes are identified, and corrective actions are assigned and tracked.

A set of quality measures is reported to the Executive Committee and summarised for QCAC as part of assurance reporting.

When data issues arise, the School records them in a managed issues log on the AGS. Each logged issue includes: what happened, which data was affected, who owns resolution, the required completion date, and the root cause.

Where a regulated submission might be affected, the School records how the issue will be handled. Some issues are corrected prospectively (a “fix forward” approach), while others require the School to correct historical records and resubmit where required.

Regulated submissions are produced from systems of record and then submitted through the relevant external portals (for example, the Higher Education Statistics Agency collection service for annual higher education returns and the Office for Students portal for financial and compliance returns). The School’s internal processes ensure that what is uploaded is traceable, checked, and properly approved.

For each submission, the School prepares an assurance pack that includes:

• a clear description of what data was extracted, from which system of record, and on what date; evidence of validation checks and reconciliations;
• a documented sign-off chain showing that Data Owners reviewed the submission, the President approved it, and QCAC and/or the Board of Governors provided scrutiny/approval where required under delegation;
• a post-submission review record capturing issues, queries raised by regulators, and improvements to implement;
• evidence retention and version control for supporting working papers and reconciliation outputs in accordance with the Data Retention Schedule and Policy.

The School maintains a Record of Processing Activities (RoPA), which is an inventory of the main ways the School uses personal data. The RoPA records the purpose of processing, categories of personal data, lawful basis, retention expectations, key recipients/processors, and the controls used to protect the data.

Alongside the RoPA, the School maintains a lawful basis map for key processing areas such as student administration, learning delivery and support, assessment, marketing and admissions, and payments.

A Data Protection Impact Assessment (DPIA) is completed before a new activity begins where processing is likely to result in high risk to individuals. At the School, DPIA triggers include:

• introducing new learning analytics or artificial intelligence features that significantly change how student activity is monitored or used;
• introducing new technologies that monitor behaviour, location or usage in a way that could materially affect individuals;
• starting new processing of special category data or increasing the scale/sensitivity of such processing;
• establishing new large‑scale data sharing arrangements or major changes to existing arrangements;
• implementing major changes to systems of record that change the purposes or means of processing.

A Data Subject Access Request (DSAR) is a request by an individual to access their personal data. The School maintains a DSAR process that includes: verifying identity where necessary, logging the request, managing deadlines, gathering records from systems of record, applying any lawful exemptions, and providing a complete response.

A personal data breach is an incident that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The School maintains a breach process that includes: immediate containment steps, logging, risk assessment, decision‑making on whether notification is required, and lessons learned. Material incidents are escalated to the President and, where appropriate, reviewed through QCAC and the Board of Governors.

The School uses suppliers and partners to deliver services (for example learning resources and assessment platforms). The School maintains a data sharing and processor register that records: who the supplier is, what data is shared, why it is shared, the lawful basis, retention expectations, security measures required, and whether any international data transfers occur.

Contracts and onboarding processes are used to ensure suppliers provide appropriate security and privacy safeguards. The register is reviewed at least annually and whenever a new supplier or significant change is introduced.

The School maintains an Information Asset Register that records the School’s key information assets and systems-of-record, the accountable Information Asset Owner (Data Owner) for each asset, the purpose and key uses, the classification, and the key risks and controls.

The School classifies information so staff know how it should be handled:

• Public: information intended for publication.
• Internal: information for staff use that should not be shared externally without approval.
• Confidential: information that must be restricted to specific roles because it could cause harm if disclosed (for example student records, internal investigations or financial detail).
• Special category / high-risk: particularly sensitive personal data (for example health information) requiring additional safeguards.
• Official record: information that must be captured and maintained in a designated system-of-record and is relied upon for governance decisions, audit evidence, and regulated submissions.

Classification determines access permissions, storage expectations, sharing restrictions and the level of scrutiny applied before disclosure.

The School maintains a Data Retention Schedule that sets how long information is kept and how it is securely disposed of. As a minimum, the schedule covers student records, assessment evidence, complaints and appeals, finance and audit records, safeguarding/Prevent evidence, and governance minutes and policy versions.

Secure disposal is completed using approved methods (for example secure deletion for digital records and confidential waste processes for paper). Where required, the School retains evidence that disposal occurred.

The School protects personal and sensitive information by controlling who can access systems and data.

• Role‑based access control (RBAC) means access is granted based on a defined job role. For example, a Student Success Team role may view and update student contact details, while a Finance Team role may view invoices and receipts.
• Joiner/Mover/Leaver controls ensure access is granted only when needed, updated promptly when responsibilities change, and removed promptly when someone leaves.
• Privileged access (administrative permissions that can change configurations or access large volumes of data) is restricted to a small number of authorised staff and reviewed at least once per term.

The School keeps evidence of access grants, removals and reviews so that governance bodies can have confidence that access is appropriately controlled. Information classified as Confidential or Special category / high-risk must not be stored or processed in unmanaged personal storage locations, personal cloud services, or informal repositories that bypass role-based access control, auditability, and retention controls.

The School maintains backups for systems of record so that information can be restored after accidental deletion, system failure or cyber incident. Please see the Information Technology (IT) Infrastructure Management Policy.

As a minimum expectation:

• backups for critical systems of record are taken regularly;
• backups are monitored so failures are detected and corrected promptly;
• restoration is tested for critical systems so the School can demonstrate recovery works;
• recovery objectives (how quickly the School aims to restore service and how much data loss is tolerable) are reviewed.

The School maintains an incident response process for security incidents and personal data breaches, aligned to the breach reporting and notification requirements set out in the Data Protection Policy. Incidents are logged, assessed for impact, and managed through containment and remediation steps. Where an incident is material (for example it affects many individuals, involves sensitive data, disrupts critical services, or may require regulatory notification), it is escalated to the President.

QCAC receives reporting on material incidents and the School’s response, and the Board of Governors is informed where required by the scheme of delegation or where the incident is significant to the School’s risk profile.

The Executive Committee monitors performance against data governance metrics and reports termly to the Quality, Compliance and Audit Committee (QCAC). QCAC provides assurance to the Board of Governors, including: trends in data quality, significant issues and remediation, privacy and security incidents, and progress against improvement actions.

This reporting supports the Board’s oversight responsibilities and ensures that data governance remains aligned to the School’s values, delivery model and regulatory expectations.

This policy is reviewed annually or sooner following material changes to systems, regulatory requirements, the School’s risk profile, major changes to processing activities (including new learning analytics or artificial intelligence features), or significant incidents or audit findings. Changes are version‑controlled, approved in line with delegation arrangements, and archived so the School can evidence what applied at any point in time.

All staff must complete information governance, data protection, and information security training appropriate to their role. Targeted training must be provided for staff with elevated responsibilities, including Information Asset Owners (Data Owners), staff handling special category data, staff responding to DSARs, staff managing incidents, and staff responsible for regulated submissions.