
Information Governance Risk Review (IGRR)     

The IGRR online assessment is accessed through OneTrust

Access the User Guide for completing an IGRR. 

If you have any queries about OneTrust please call 0161 275 7789 (Internal 57789) or email

When should a member of staff complete an IGRR?

This online assessment must be completed if any of the following apply:

  • You are involved in the procurement or development of a new IT system
  • You are making changes to an existing IT system
  • You are involved in a non-IT-related project or activity that involves collecting, using or sharing information or data (whether it’s personal data or not)

The business owner or project manager should complete the assessment to the best of their ability as early as possible for each project or activity. 

Initial screening - where high-level risks are identified you will progress to a more detailed impact assessment.

Impact assessment - the aim here is to assess (and where possible minimise) risks with agreed recommendations from the Information Governance Office.

Information Stores and Processing Activities - depending on the nature of the project/activity you may need to answer questions about where information will be held/stored and/or how it will be processed.

Why is the IGRR process important? 

The IGRR process allows the IGO to quickly identify high risk activities involving personal data and other types of sensitive information. This will mean it is easier for us to:

1. Advise staff about lawfully using, storing and protecting information
2. Demonstrate that we are fulfilling our GDPR requirements

The IGRR helps the IGO identify information risks and advise on appropriate technical, administrative and physical safeguards to protect information. Data protection and security must be built into the design and planning phase for any new technologies or non-IT-related processes that involve collecting, using, or sharing personal data. The legal requirement to do a Data Protection Impact Assessment is incorporated into the IGRR process. Note that the IGRR online assessment in OneTrust replaces the old process of completing an IG Checklist.

Does the IGRR process apply to research projects?

Researchers will not usually need to complete an IGRR assessment for research projects involving personal data as the existing data management plans and ethics application process fulfil this purpose. However, in certain circumstances where research involves processing personal data that is ‘likely to result in high risk’, particularly that which makes use of innovative technology (e.g. artificial intelligence, machine learning) or otherwise poses significant potential risks to the privacy of the intended participants, the principal investigator may be asked to complete an IGRR. If you're in any doubt email or call 0161 275 7789 (Internal 57789).