
Information Governance Framework

Information is a trusted asset, enabling confident decisions, compliant operations, the means to continually improve, and world‑class teaching and research

Summary

Information is one of the University’s most valuable assets, supporting:

  • research excellence
  • learning and teaching
  • regulatory compliance
  • operational efficiency
  • financial sustainability
  • reputation and trust

The volume, sensitivity and complexity of Bath’s information is increasing, and new technologies are expanding how we manage information. This Information Governance Framework (IGF) describes the arrangements in place to ensure a coherent, institution-wide approach to managing information, ensuring Bath has the confidence to act, the evidence to decide, and the means to continually improve.

This page brings together a complete view of the IGF, including:

  • governance structures and decision‑making routes
  • roles and responsibilities across the institution
  • policies, processes, templates and training
  • risk and assurance mechanisms
  • tools and technology
  • an IG maturity model and roadmap for improvement

The University manages information as an asset by handling it fairly and transparently, appropriately retaining and sharing it, and by supporting it with clear accountability for its quality, privacy and protection. Following the IGF:

  • reduces institutional risk
  • unlocks value through consistent, compliant information practice
  • improves the reliability, efficiency and quality of information used for teaching, research and operations
  • embeds clear ownership and accountability across the University, and enables a confident, informed workforce

The IG team provides expert guidance, training, and transparent progress reporting, working collaboratively across the University and ensuring a culture where information is trusted, managed well and used responsibly.

Staff can access more information about the IGF and its practical application on the Information Governance SharePoint.

Introduction to Information Governance

Information is one of the University’s most valuable assets, supporting:

  • research excellence
  • learning and teaching
  • regulatory compliance
  • operational efficiency
  • financial sustainability
  • reputation and trust

Therefore, we must have oversight of policies, processes, roles and controls so that we can manage, protect and maximise the value of the University’s information. Collectively, this is Information Governance (IG).

Scope

IG covers the whole lifecycle of information management, from creation and storage to usage, sharing, archiving and disposal, and includes all data and information held by the University. This includes, but is not limited to:

  • management data
  • databases
  • data about research
  • data generated by research
  • records
  • emails
  • SharePoint pages and Teams chats
  • committee papers
  • reports
  • dashboards
  • photos
  • video
  • audio

This Framework, the IGF, applies to all staff at the University of Bath.

Definitions

  • Data: raw facts and figures like numbers, symbols, text, and images that can be quantitative (numerical) or qualitative (descriptive), such as student marks, website traffic, and lab results.
  • Personal Data: that which can be used to identify a living person.
  • Special category data: Personal Data requiring extra protection under Data Protection legislation. This specifically includes data relating to:
    • racial or ethnic origin
    • political opinions
    • religious or philosophical beliefs
    • trade union membership
    • genetic data
    • biometric data (where used for identification purposes)
    • health
    • sex life
    • sexual orientation
  • Data Subject: the individual the Personal Data relates to.
  • Management data: data collected to support decision-making and planning
    • This includes data about research projects
  • Research data (data generated by research): collected or generated to validate research findings
  • Information: data that is processed, organised and structured to inform decisions and actions, like reports, minutes and contracts. This includes:
    • Records: formal, fixed information that serves as evidence of activities or operations
    • Archives: records preserved permanently for their historical value

Key acronyms

  • DPO: Data Protection Officer
  • IG: Information Governance
  • IGF: Information Governance Framework
  • RoPA: Record of Processing Activity
  • RRS: Records Retention Schedule

More definitions/acronyms are listed in the University Glossary and Acronym database.

The IGF supports compliance with the following legislation:

  • UK GDPR
  • Data Protection Act 2018 (DPA 2018)
  • Freedom of Information Act (FOI)
  • Environmental Information Regulations (EIR)
  • Privacy and Electronic Communication Regulations (PECR)
  • Office for Students (OfS) conditions of registration

The IGF provides overall management of the following assets:

The principles of openness and transparency are aligned with the publication scheme.

The Information Governance Framework

The Information Governance Framework (IGF) covers the University’s expectations for managing information, including:

  • its governance and management arrangements
  • key policies and standards
  • activities
  • services
  • training

This is a key enabler for the strategic priority ‘foundations for the future’ as it supports decision-making, bolsters sustainability and supports our digital and physical infrastructure. This enables us to continually improve our culture, spaces and systems, freeing up our people and partners to focus on excellence and impact.

Principles

Core Principle: information is managed as an institutional asset, ensuring compliance and enabling value. This means the University treats information with the same discipline and care as its finances, people and physical resources.

This principle is realised when all six enabling principles are true:

  1. Privacy: information is processed fairly and lawfully.
  2. Transparency: information is collected and used for a specific and well-defined purpose(s).
  3. Quality: information is accurate, timely, complete and relevant.
  4. Accessibility: information is available at the point of need and kept only when it is needed.
  5. Management: information is collected, used, stored, shared, and deleted in accordance with University policies.
  6. Accountability: all information has a named owner responsible for its quality, protection and lifecycle.

These principles apply to all staff and all information, across the whole lifecycle.

To uphold this, the University has committed to:

  • continuous improvement in information management
  • widening knowledge, best practice and innovation
  • non-negotiable compliance with value at the heart
  • acting early to reduce risk and unlock opportunities

Benefits

The IGF enables clear ownership, compliant practices, reliable information and a confident workforce, resulting in the following benefits for:

Students

  • Better support and quicker responses
  • Reduced risk of data breaches involving student information
  • Clearer communications and more consistent decisions

Research

  • Increased confidence in the handling of research data
  • Fewer barriers and delays in launching new research projects

Operations

  • Faster, more confident decision making
  • Clear roles and responsibilities
  • Consistent processes for retention, deletion and information handling
  • Better alignment across professional services

Cost, Risk and Efficiency

  • Reduced regulatory exposure
  • Lower costs of storage and system bloat
  • Fewer incidents, breaches and rework caused by poor information practices
  • Improved resilience and continuity

Operating Model

Governance

Effective University governance is vital to effective IG. The University provides oversight, assurance and strategic direction, ensuring that roles, responsibilities and decisions are clearly understood and consistently applied across the institution. The following outlines the governance structure and responsibilities.

University Executive Board (UEB)

The University Executive Board (UEB) advises and supports the Vice-Chancellor and President in the discharge of their responsibility to Council for maintaining and promoting the good order of the University. UEB is constituted to support the Vice-Chancellor and President in exercising their delegated authority and responsibilities. The Board is the principal operating committee of the University.

Audit and Risk Assurance Committee (ARAC)

The Audit and Risk Assurance Committee (ARAC) is responsible to Council for reviewing the effectiveness of internal arrangements. ARAC reviews the adequacy and effectiveness of the University's system of internal control and risk management, governance and value for money arrangements. The Information Governance team provide regular, periodic reporting to ARAC as required to give appropriate assurance.

Information Governance Board

The Information Governance Board is responsible for the oversight of Information and Data Governance, including but not limited to quality, compliance, records retention and security. Members are key Data Domain Owners and other senior stakeholders, who will receive updates and requests from the Information Governance team.

Information Governance Steering Group

The Information Governance Steering Group acts as the primary link between the Information Governance Board and operational teams. It is designed to receive and interpret strategic decisions from the Information Governance Board, provide feedback on suitability and adoption and promote awareness and understanding of IG practice.

This Group acts as a collaborative forum for sharing good practice and resolving operational issues. Members are key Data Stewards and other stakeholders who will receive updates from the IG team and be asked to feed back to their teams, peers and line managers.

Specialist Roles

Named accountability ensures that information is managed effectively, risks are owned, and good practice is embedded across all functions. Numerous roles are involved in the successful running of the IGF, and these roles exist across the University in a variety of teams.

University Secretary & Registrar

The University Secretary & Registrar acts as the Senior Information Risk Officer (SIRO), providing senior oversight and strategic leadership for the University’s approach to managing information risk. The Senior Information Risk Owner:

Displays strategic leadership by…

  • acting as the UEB representative for information risk, with support and advice from the Information Governance Board
  • chairing the Information Governance Board and setting agendas
  • taking institutional ownership of information risk, ensuring it is considered at the highest levels of decision making

Oversees information-related risk by…

  • acting as an escalation point for serious or unresolved information issues
  • reviewing all key information risks on a quarterly basis and ensuring that mitigation plans are robust

Provides assurance by…

  • evidencing to the Vice-Chancellor and UEB/ARAC/Council that information risks are being effectively identified, assessed and mitigated
  • approving an annual assessment of IG performance, risks and actions
  • ensuring the University’s IGF is fit for purpose and regularly reviewed

Embeds culture change by…

  • ensuring the University has a plan to achieve and monitor IG culture across the organisation and to take visible steps to support and participate in that plan
  • acting as a link between executive leadership and operational functions so that Information Governance remains a priority
  • ensuring that lessons learned are captured and used to improve future risk management

Head of Information Governance

The Head of IG leads the IGF and provides strategic leadership and accountability for the University’s approach to:

  • data protection
  • records retention
  • data quality
  • data management training
  • related communications

They also manage many of the roles below, the Information Asset Owner and Steward Network, and the Glossary and Acronym lookup.

Data Protection Officer / Deputy Data Protection Officer

The DPO and Deputy DPO ensure that data collected by the institution is processed in accordance with data protection legislation and best practice. This includes:

  • creating Data Protection Impact Assessments
  • responding to Subject Access Requests
  • investigating and responding to Personal Data breaches
  • assisting colleagues with advice and guidance

Where appropriate, the DPO reports breaches to the ICO and coordinates the response.

Under UK GDPR Article 38(3), the Data Protection Officer is required to be independent and report to the ‘highest level of authority’ at the organisation. At Bath, this means a dotted line management relationship from the University Secretary to the Data Protection Officer. In practice, this means the DPO has direct access to senior leadership if:

  • there are urgent, emerging or unresolved risks
  • legal advice is not being followed
  • a conflict of interest has been made
  • a data breach is likely to cause significant harm to the University

This is also the escalation point for any reportable breaches to the ICO. If escalation is needed and the University Secretary is absent, the Deputy University Secretary is the appropriate contact.

Communication and Training Officer

Responsible for:

  • creating and delivering engaging training on Information Governance related topics
  • developing accessible learning and guidance materials
  • delivering communications to raise awareness of Information Governance and support staff in complying with UK GDPR
  • evaluating the impact of this work
  • gathering feedback and improving activities to support a compliant organisation

Archivist and Records Manager

Responsible for:

  • the acquisition, preservation and long-term accessibility of the University’s archives and research collections
  • identifying institutional records of lasting value
  • developing records management policy and practice to ensure that the appropriate records are permanently retained

Information and Data Management Officer (Records)

Responsible for:

  • developing and leading the implementation of robust records management processes across the University in both digital and physical formats
  • reducing risks associated with poor record-keeping
  • improving operational efficiency
  • supporting compliance

They maintain the Record of Processing Activities (RoPA) and the Records Retention Schedule (RRS) across all departments.

Supporting Roles

NOTE: Although only some colleagues hold formal roles such as Information Asset Owners or Data Stewards, all staff share responsibility for handling, retaining and deleting information appropriately. Every member of the University community is expected to follow the IGF, comply with relevant policies, complete required training, and help ensure information is well managed.

Data Stewards: subject matter experts who are responsible for the definitions and quality of data sets within a data domain (e.g., a student’s qualification history in the admissions domain). Stewards write and maintain definitions and help develop data quality checks to ensure the data is fit for use.

Information Asset Owners: senior individuals with overall accountability for the security, content, quality and distribution of an information asset. They should have a broad understanding of the information they’re accountable for, and the authority to make decisions regarding its access, use, retention and disposal. They ensure it is high quality and fit for purpose for both operational and strategic needs. They are also a point of escalation for the Stewards.

Data Producers: staff who collect, capture or enter information into any system, spreadsheet, document or third party.

Data Consumers: staff who use information from any internal system, spreadsheet, document or third party.

Last updated: 01.07.2026.
