ICP-01 Information compliance policy
Summary
This policy outlines how the University manages, protects, and uses information to ensure legal compliance, mitigate risks, support operational efficiency, and uphold data protection and security standards.
| Control information | Control detail |
|---|---|
| Owner | Information Governance Manager and Data Protection Officer, Information Compliance |
| Author | Information Governance Manager and Data Protection Officer, Information Compliance |
| Sponsor | Director of Governance and University Secretary, Governance |
| Consulted | Information Governance and Security Advisory Board |
| Approved by | Audit and Risk Committee |
| Responsible area | University Secretary’s Office |
| Version | 3 |
| Approval date | 02 March 2026 |
| Effective date | 02 March 2026 |
| Interim review effective date | Not applicable |
| Full review period | 1 year |
| Date of next full review | 02 March 2027 |
| EIA completion date | 25 February 2026 |
| DPIA completion date | Not applicable |
| SIA completion date | Not applicable |
| Reporting requirements | |
| Applicable statutory, legal or best practice requirements | |
| Keywords | anonymity, compliance, confidentiality, consent, data, direct marketing, disposal, document management, DPA, DPIA, EEA, information compliance, information security, lawful processing, personal data, protection, retention, rights, risk management, security, sharing, subject, transfer, transparency, UK GDPR |
1. Updates to this policy
1.1. Updates to policy suite structure, policy principles and roles and responsibilities.
1.2. This policy has been updated to align to the new University of Bristol policy management framework.
1.3. This policy will be reviewed as required and at least every three years by Information Governance and Security Advisory Board (IGSAB). The document is managed by the Information Compliance Manager.
2. Introduction
2.1. Information compliance is the accountability and decision-making framework ensuring that the creation, storage, use, disclosure, archiving, and destruction of information are handled in accordance with legal requirements and to maximise operational efficiency. It encompasses the processes, roles, policies, and standards that ensure the compliant and effective use of information, enabling an organisation to achieve its goals.
2.2. Information is a key asset for the University, and the regulatory, reputational, and operational risks of poor information compliance are ever increasing. As the creation of information proliferates, it is vital that the University has measures in place to manage and control these risks.
2.3. This overarching policy provides an overview of information compliance and lists a set of policy documents that, taken together, constitute the Information Compliance Policy of the University.
3. Scope
3.1. This policy applies to all members of the University and any others who may process information on behalf of the University.
4. Definitions
4.1. Data Protection Impact Assessment (DPIA): An assessment to identify and minimise the data protection risks of a project, process or system.
4.2. Data Protection Officer (DPO): Statutorily mandated role appointed to monitor compliance with data protection law.
4.3. Data subject: An individual to whom Personal Data relates and who can be identified or is identifiable from Personal Data.
4.4. Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
4.5. Information Asset Assistant (IAA): Responsible for supporting IAOs with operational management of information assets.
4.6. Information Asset Owner (IAO): Senior staff responsible for managing information assets, risks, and assurance.
4.7. Information Asset Register (IAR): An inventory that records all significant information assets held by the University.
4.8. Information Commissioner's Office (ICO): The UK's independent data protection regulator.
4.9. Personal data: Any information identifying a data subject or information relating to a data subject that can be identified (directly or indirectly) from that data alone or in combination with other identifiers that are possessed or can be reasonably accessed. Personal Data includes criminal convictions and offences data, special categories of Personal Data, and pseudonymised Personal Data, but excludes anonymous data which has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location, or date of birth) or an opinion about that person's actions or behaviour.
4.10. Process, processes, processing: Any activity or set of activities which involves Personal Data, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, erasure or destruction.
4.11. Senior Information Risk Owner (SIRO): Assumes executive responsibility for information risk management.
5. Responsibilities
5.1. All staff are responsible for ensuring information compliance. The following roles and groups have specific responsibilities, further information on which can be found in the University’s Data Protection Policy:
5.2. Board of Trustees: Has ultimate responsibility for ensuring information compliance policies and procedures are established.
5.3. Senior Information Risk Owner (SIRO): Assumes executive responsibility for information risk management.
5.4. Data Protection Officer (DPO): A mandated statutory role to ensure the University meets legal compliance.
5.5. Information Compliance Team: The University's central information compliance function and subject matter experts, providing day-to-day advice and guidance on information compliance while overseeing relevant procedures.
5.6. Information Asset Owners (IAO): Senior staff responsible for managing information assets, risks, and assurance.
5.7. Information Asset Assistants (IAA): Support IAOs with operational management of information assets.
5.8. Caldicott Guardians: A mandated role for ensuring confidentiality of health and care data.
5.9. Information Governance and Security Advisory Board (IGSAB): Facilitates effective oversight, strategic direction, and senior stakeholder support for information compliance.
5.10. Information Security team: Maintains information security policies and ensures the technical protection of data.
5.11. Boards and Committees: Several boards and committees have an oversight or operational role in ensuring compliance, including the Operations Board, Audit and Risk Committee, and the Data Access Committee.
5.12. All Staff: Follow policies and procedures, complete training, handle data responsibly, and report incidents and breaches.
5.13. Together, the above play a critical role in the University’s approved operating model for information compliance as described in Appendix 1 and illustrated in Figure 1.
6. Policy suite structure
6.1. This primary policy outlines a body of subsidiary policies that collectively form the University's Information Compliance Policy. While these policy documents are designed to work cohesively together, should any conflict arise between this primary policy and its subsidiary components, this primary document takes priority.
6.2. The subsidiary policies provide an overview of requirements and foundational principles. They are not designed to provide comprehensive implementation details. When needed, specific procedural guidelines and standards will be developed as standalone documents and referenced within the relevant subsidiary policy.
7. Information strategy principles
7.1. The University has identified the need for a set of clear information strategy principles to inform and guide decision-making, both for individual programmes and projects and for the University’s use of information more widely. The University has adopted the following principles, which underpin this policy:
- Transparency: Information will be used to increase trust with the University’s staff, students, and other stakeholders.
- Integrity: Information will be of a consistently high quality across the University and will be used and represented honestly.
- Ownership: Information created or held by the University will have a designated owner and will be appropriately managed, including ensuring access is lawful and documented.
- Security: Information will always be handled safely and securely, ensuring the highest level of confidentiality.
- Embedded: Information management practices will be ingrained and followed across the University, embedding a "digital by default" approach to information management.
- Lifecycle: Information will be managed systematically from its creation through to its secure disposal, ensuring compliance at every stage.
- Governance: Clear structures and processes will be in place for managing information, with senior-level ownership and oversight.
8. Governance
8.1. Responsibility for the production, maintenance and communication of this policy and all subsidiary policies lies with the University’s Information Compliance Manager.
8.2. This top-level policy has been approved by the Audit and Risk Committee and the Information Governance and Security Advisory Board.
8.3. Responsibility for the approval of all subsidiary policies is delegated to the Information Governance and Security Advisory Board (IGSAB).
8.4. Each policy in this suite will be reviewed annually under the responsibility of the Information Compliance Manager.
8.5. Any substantive changes made to any of the documents in the suite will be communicated to staff via appropriate channels.
9. Sub-policy suite
9.1. ICP-02 Data protection policy
9.2. ICP-03 Records management policy
10. Changes to this policy
10.1. The University may make minor amendments to this policy at any time without notice, so please ensure you view the latest version.
Request this policy in an alternative format
If you need this policy in a different format, email uob-policymanager@bristol.ac.uk. In your message, include the format you need, for example: plain text, braille, BSL, large print or audio.