
Information Governance Risk Review (IGRR)

The IGRR screening assessment is here to help you if:

  • You are working on an activity that involves processing or sharing information or data (even if it's not personal data)
  • You are getting a new IT system or updating an existing one which will be processing data

The goal of this assessment is to spot any potential information risks early, so our Information Governance Office (IGO) can give you the right advice and guidance to keep data safe and ensure that data is being processed in line with the Data Protection principles. 

The IGRR assessment should be completed at the earliest opportunity within the activity timeline. Please contact the IGO at information.governance@manchester.ac.uk; they will facilitate the launch of the assessment and provide guidance throughout the process. Researchers are advised to refer to the Data Management Plan (DMP) guidance provided below.

Please note that some changes to the IGRR process are being implemented for a trial period. For more information, please see below.

IGRR Changes & Trial Period June 2025

Starting from 24th June, the Information Governance Risk Review (IGRR) process will launch some trial changes over a three-month period. These changes aim to streamline the process and enhance clarity for users.

  • The IGO will launch screening assessments directly for those who need to complete them rather than users being able to launch one themselves. This change is designed to ensure that all IGRRs are initiated with proper oversight and guidance from the IGO, potentially reducing errors and improving the quality of the assessments. This change will also help to ensure that only those who need to complete IGRRs will do so.
  • The question sets in the screening assessment have been revised, updated and reduced by a fifth. The new question sets are clearer and more concise, making it easier for users to understand and respond accurately. This update aims to reduce the time and effort needed to finish the assessments, while maintaining the integrity and thoroughness of the review procedure.
  • Another significant change is that researchers are no longer required to complete screening assessments. Instead, the Data Management Plan (DMP) serves as the primary review of data in your activity. This shift highlights the need for a comprehensive DMP to ensure all aspects of data governance are covered. Once the DMP has been reviewed, researchers may need to complete a DPIA or Technical Assessment.
  • As part of the changes, we have also improved our webpages and user guide. The webpage information is now divided into sections for easier reading. 
  • A review of the current technical assessment is being conducted with support from Waterstons. Further details will be provided later.

Overall, these trial changes to the IGRR process are intended to improve efficiency, clarity, and oversight. By involving the IGO more directly in the initiation of IGRRs, revising the question sets, and shifting the focus to DMPs, the process is expected to become more streamlined and effective. As these changes are still in the trial phase, feedback from users will be crucial in determining their long-term implementation and success.

For users with an existing or in-progress IGRR, OneTrust is still accessible to review and update via this link.

If you have any questions or need further assistance with the new IGRR process, please do not hesitate to contact the IGO via email or by phone on 0161 275 7789. Your feedback and cooperation are greatly appreciated as we work to improve our information governance practices.

I am a Researcher

If you are a researcher, the primary review of your data is the Data Management Plan (DMP). The IGO reviews data management plans which process certain types of data and records the output of its review in OneTrust. Researchers are not expected to complete an IGRR screening assessment as well. Once the DMP has been reviewed, researchers may need to complete a DPIA or Technical Assessment; the IGO will advise if this is needed. Please contact the Information Governance Office for further advice.

Further support on creating a DMP can be found here

Further guidance on Research Data Management can be found here

Do I need an IGRR?

Some examples of when you need an IGRR are:

  • You are collecting or using personal, commercial or sensitive data (e.g. surveys/questionnaires, interviews/focus groups, audio-visual recordings, capturing images etc.) for an activity. This includes reusing existing data for a new purpose.
  • You are contractually sharing data (commercial or personal) with universities, government, companies, external partners or other third-party organisations.
  • You are using IT systems or software not already available via IT Services (e.g. subscriptions, purchases, or downloads of applications or programs).
  • You are using innovative technology (including AI, machine learning and deep learning), intrusive technology (including facial recognition or biometrics), or any activity considered intrusive or a risk to privacy, such as large scale data processing (including monitoring or CCTV).

For a refresher on Data Protection, please see our Data Protection training module.

If you have any questions regarding whether you need to complete an IGRR, please speak with us and we can advise further: information.governance@manchester.ac.uk

The IGRR Process

The IGRR assessment should be completed as early as possible in the project or activity. Please contact the IGO at information.governance@manchester.ac.uk, who will be able to launch the assessment for you and guide you through the process. Please include the following information:

  • A brief summary of your activity and the data being used
  • The timeline detailing the current stage of your activity

There are four different stages to the assessment: Not Started, In Progress, Under Review and Completed.

There is a user guide to walk you through the assessment and the types of questions asked.

Once you have completed your screening assessment, you may be asked to complete an additional assessment in OneTrust based on the nature of what you are doing.

If you are using, building or changing an IT system you may be asked to complete a Technical Security Assessment – these are reviewed by the IT Security team.

In some instances, if your processing of personal data is identified as being of high risk, you may be asked to complete a Data Protection Impact Assessment (DPIA). DPIAs consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm—to individuals or to society at large, whether it is physical, material or non-material.
