Information Governance Risk Review (IGRR)
If you have any queries about OneTrust please email firstname.lastname@example.org
The IGRR process explained
IGRR Screening Assessment
This aim of the screening assessment is to identify projects or activities where there are likely to be information risks, in order for advice and guidance to be provided by the Information Governance Office and IT Security, to minimise those risks. It must be completed by the business owner or project manager as early as possible, if any of the following apply:
- You are involved in the procurement or development of a new IT system
- You are making changes to an existing IT system
- You are involved in a non-IT-related project or activity that involves collecting, using or sharing, information or data (whether it’s personal data or not)
During the screening assessment, you will need to review particular statements for your project/new activity, they are there to help you consider the potential risks and highlight any further steps you may be required to take. Thorough consideration of the statements at this point, will make it easier to complete any additional assessments requested by the IGO as set out below.
Completing a New Information Store/Processing Activity Record
The IGO will send you the relevant additional assessment(s) that you will have to complete for a new information store (eg if you are procuring a new IT system) and/or processing activity (eg if you are creating a new process or making changes to one that involves personal data). The business owners of these information stores and processing activities will be expected to review the records generated by these assessments on an annual basis to keep them up to date.
Why is the IGRR process important?
The IGRR process allows the IGO to quickly identify high risk activities involving personal data and other types of sensitive information. This will mean it is easier for us to:
1. Advise staff about lawfully using, storing and protecting information
2. Demonstrate that we are fulfilling our GDPR requirements
The IGRR helps the IGO identify information risks and advise on appropriate technical, administrative and physical safeguards to protect information. Data protection and security must be built in to the design and planning phase for any new technologies or non-IT related processes that involve collecting, using, or sharing personal data. The legal requirement to do a Data Protection Impact Assessment is incorporated into the IGRR process. Note that the IGRR online assessment in OneTrust replaces the old process of completing an IG Checklist.
Does the IGRR process apply to research projects?
Researchers will not usually need to complete an IGRR assessment for research projects involving personal data as the existing data management plans and ethics application process, fulfil this purpose. However, in certain circumstances where research involves processing personal data that is ‘likely to result in high risk’, particularly that which makes use of innovative technology (e.g. artificial intelligence, machine learning) or otherwise poses significant potential risks to the privacy of the intended participants, the principal investigator may be asked to complete an IGRR. If you're in any doubt email email@example.com or call 0161 275 7789 (Internal 57789).