Information Governance Risk Review (IGRR)
The IGRR process is designed to identify and mitigate risks, allowing the IGO to provide you with guidance and advice. IGRR assessments are required if:
- You are working on an activity that involves processing or sharing information or data (even if it's not personal data)
- You are procuring or building a new IT system or software or updating an existing one which will be processing data
The goal of this assessment is to spot any potential information risks early, so our Information Governance Office (IGO) can give you the right advice and guidance to keep data safe and ensure that data is being processed in line with the Data Protection principles.
The IGRR assessment should be completed at the earliest opportunity within the activity timeline. Please contact the IGO at information.governance@manchester.ac.uk, who will facilitate the launch of the assessment and provide guidance throughout the process. There is also a user guide available here for using OneTrust.
Researchers are advised to refer to the Data Management Plan (DMP) guidance provided below.
Please note that some changes to the IGRR process are being implemented for a trial period; for more information, please see below.
Do I need an IGRR?
Some examples of when an IGRR is needed are:
- You are collecting or using personal, commercial or sensitive data (e.g. surveys/questionnaires, interviews/focus groups, audio-visual recordings, capturing images etc.) for an activity. This includes reusing existing data for a new purpose.
- You are contractually sharing data (commercial or personal) with Universities, Government, companies, external partners or other third party organisations.
- You are using IT systems or software not already available via IT Services (e.g. subscriptions, purchases, or downloads of applications or programs).
- You are using innovative technology (including AI, machine learning and deep learning), intrusive technology (including facial recognition or biometrics), or any activity considered intrusive or a risk to privacy, such as large scale data processing (including monitoring or CCTV).
For a refresher on Data Protection, please see our Data Protection training module.
If you have any questions regarding whether you need to complete an IGRR, please speak with us and we can advise further: information.governance@manchester.ac.uk
The IGRR Process
The IGRR assessment should be completed as early as possible in the project or activity. Please contact the IGO at information.governance@manchester.ac.uk, who will be able to launch the assessment for you and guide you through the process. Please include the following information:
- A brief summary of your activity and the data being used
- The timeline detailing the current stage of your activity
There are four different stages to the assessment: Not Started, In Progress, Under Review and Completed.
There is a user guide to walk you through the assessment and the types of questions asked.
Once you have completed your screening assessment, you may be asked to complete an additional assessment in OneTrust based on the nature of what you are doing.
If you are using, building or changing an IT system you may be asked to complete a Technical Security Assessment – these are reviewed by the IT Security team.
In some instances, if your processing of personal data is identified as being of high risk, you may be asked to complete a Data Protection Impact Assessment (DPIA). DPIAs consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm—to individuals or to society at large, whether it is physical, material or non-material.
For users with an existing or in progress IGRR, OneTrust is still accessible to review and update via this link.
I am a Researcher
If you are a researcher, the primary review of your data is the Data Management Plan (DMP). The IGO reviews data management plans which process certain types of data and records the output of its review in OneTrust. Researchers are not expected to complete an IGRR screening assessment as well. Once the DMP has been reviewed, there may be a need for researchers to complete a DPIA or Technical assessment; the IGO will advise if this is needed. This will be more likely if you are using AI to process highly restricted or very sensitive information. Please contact the Information Governance Office for further advice.
Further support on creating a DMP can be found here
Further guidance on Research Data Management can be found here
Implemented IGRR Changes - June 2025
Following a successful trial launched in June 2025, changes to the Information Governance Risk Review (IGRR) process are now fully implemented and form part of the standard process. These updates aim to improve efficiency, clarity, and oversight.
- The Information Governance Office (IGO) now initiates screening assessments for users who are required to complete them, ensuring appropriate oversight and reducing unnecessary or incorrect submissions. Screening assessment questions have been revised and reduced, making them clearer and quicker to complete.
- Researchers are no longer required to complete screening assessments. Instead, the Data Management Plan (DMP) now provides the primary review of data, with a DPIA or Technical Assessment required where appropriate.
- IGRR webpages and the user guide have been updated for clarity and ease of use. A review of the Technical Assessment is ongoing, with further updates to follow.
- Users with existing IGRRs can continue to access and update them in OneTrust via this link.
If you have any questions or need further assistance with the IGRR process, please do not hesitate to contact the IGO via email or phone (Tel: 0161 275 7789). Your feedback and cooperation are greatly appreciated as we work to improve our information governance practices.
