Information Governance Risk Review (IGRR)
The IGRR online assessment is accessed through OneTrust and there is a User Guide to help step you through the process.
If you have any queries about OneTrust please email firstname.lastname@example.org
The IGRR process explained
IGRR Screening Assessment
This aim of the screening assessment is to identify projects or activities where there are likely to be information risks, in order for advice and guidance to be provided by the Information Governance Office and IT Security, to minimise those risks. It must be completed by the business owner or project manager as early as possible, if any of the following apply:
- You are involved in the procurement or development of a new IT system
- You are making changes to an existing IT system
- You are involved in a non-IT-related project or activity that involves collecting, using or sharing, information or data (whether it’s personal data or not)
During the screening assessment, you will need to review particular statements for your project/new activity, they are there to help you consider the potential risks and highlight any further steps you may be required to take. Thorough consideration of the statements at this point, will make it easier to complete any additional assessments requested by the IGO as set out below.
Completing a New Information Store/Processing Activity Record
The IGO will send you the relevant additional assessment(s) that you will have to complete for a new information store (eg if you are procuring a new IT system) and/or processing activity (eg if you are creating a new process or making changes to one that involves personal data). The business owners of these information stores and processing activities will be expected to review the records generated by these assessments on an annual basis to keep them up to date.
Why is the IGRR process important?
The IGRR process allows the IGO to quickly identify high risk activities involving personal data and other types of sensitive information. This will mean it is easier for us to:
1. Advise staff about lawfully using, storing and protecting information
2. Demonstrate that we are fulfilling our GDPR requirements
The IGRR helps the IGO identify information risks and advise on appropriate technical, administrative and physical safeguards to protect information. Data protection and security must be built in to the design and planning phase for any new technologies or non-IT related processes that involve collecting, using, or sharing personal data. The legal requirement to do a Data Protection Impact Assessment is incorporated into the IGRR process. Note that the IGRR online assessment in OneTrust replaces the old process of completing an IG Checklist.
Does the IGRR process apply to academic research projects?
A researcher may be asked by the Information Governance Office, to complete a research assessment in OneTrust if the research involves any of the following:
- Processing personal data that is ‘likely to result in high risk’. In particular, processing operations that involve: innovative technology; automated decision-making; large-scale profiling; biometric data; genetic data; data matching; invisible processing; tracking; targeting of children/other vulnerable individuals for marketing, profiling for auto decision making or the offer of online services; risk of physical harm or otherwise poses significant potential risks to the privacy or safety of the intended participants.
- Handling data classified as Highly Restricted or Very Sensitive.
- Developing a new app or tool that will be on the University of Manchester infrastructure.
The assessment will be reviewed by specialist teams such as Information Governance, Research IT or IT Security to provide relevant advice on your research project. This assessment needs to be informed by the data management plan (DMP) for the research project, and the University of Manchester Research Data Management (RDM) Policy specifies that researchers are responsible for producing a DMP for every research study. The UoM RDM Standard Operating Procedure and RDM website provide further guidance on data management planning.