Information Handling Policy

This policy was last approved by the Executive Board in August 2024.

This policy describes how all staff (including contractors, volunteers and agents) should manage the College’s information and data. It sits within the Data and Information Policies to provide everyone who works for the college with clear and consistent instructions on how to protect themselves, others, and college assets.

The policies and associated processes are designed to reduce information-related risk to tolerable levels. All users must adhere to these policies to enable the college to run effectively and to keep the college and its people secure from information risks, such as ever-evolving cyber threats or non-compliance with the Data Protection Act 2018.

The policy refers to and outlines the management of information assets. Information and data assets can take physical and digital forms, including paper files, documents, databases, and video or audio recordings. Everyone must take adequate steps to prevent accidental or deliberate disclosure and unauthorised access to these assets.

Definitions

Information Assets are defined as a group of information that can be defined and managed as a single unit so that it can be understood, shared, protected, and exploited efficiently.

Example: a student record, mailing list, or documentation relating to a specific project are examples of Information Assets.

Data are defined as information constituting facts or figures used to analyse something or make decisions.

Information is the organisation or interpretation of data to give meaning within a context.

Records are defined as information consciously retained as evidence of an action.

Retention refers to the ability to store and recall data, information and records, and the period for which the College will no longer require it.

All staff

All Staff members employed by the College are responsible for handling the College’s information and data in line with this policy to keep information secure, ensure statutory and regulatory compliance, and support the efficient running of the College. The full set of Information Security and Data policies are listed at the end of this Policy.

Managers

Managers must ensure staff are aware of and comply with information policies, complete mandatory training (including any additional training required for certain roles), and report non-compliance.

Data Owners

Schools and Professional Services must have one named individual to take accountability for information and data assets as the Data Owner. The Data Owner will be responsible for ensuring data managed by their team, service, or School is processed (e.g. used, stored, shared, and destroyed) in compliance with the Data Protection Act 2018, including maintaining data integrity and quality, maintaining retention periods, and keeping confidential information assets secure.

Data Stewards

Data Owners will nominate at least one Data Steward for their area of the College to support the effective management of information and data. The Data Steward will do this through the implementation or development of compliant procedures, identifying risks to the Data Owner, and communicating data and information practices to their teams.

Senior Information Risk Owner

The College has a nominated Senior Information Risk Owner who owns the College’s data policies and is accountable for data risk decisions. The role reports information risk to the Executive Board and Council, and leads on and fosters a culture that values data and best practice data governance.

The College

The College is responsible for compliance with legal and statutory duties related to this policy.

Data Owners must periodically audit and assess the risk to information assets to determine the sensitivity to apply appropriate security measures and information handling procedures.

The use of classification labels against documents is encouraged to convey the confidential nature of a document. The level of protection required is proportional to its classification (more sensitive data requires additional security measures). The College defines its information assets as one of the following classification types:

Public Information (Unrestricted)

Information is available to anyone (including members of the public). Such information should be stored on College systems where possible to maintain availability and appropriate management of data.

Impact of Disclosure: Little to no damage.

Restricted information

Information that is not routinely made available to the public and does not attract confidentiality requirements internally. Can constitute internal procedural documents, general reporting data, CAD designs, and materials under copyright.

Impact of disclosure: Low reputational or financial impact where inaccurate information is disclosed inappropriately.

Confidential information

Access is restricted and limited to an authorised group internally. Information in this class may include but is not limited to:

• commercially or financially valuable information;
• student coursework and exam scripts;
• internal reports;
• general research data held;
• Protected Personal Information (information that links an identifiable individual with information that, if released, would put them at significant risk of harm or distress);
• any source of information relating to a substantial number of individuals.

Impact of disclosure: Moderate to significant reputational damage, financial damage, and damage to individuals through non-compliance with statutory and regulatory duties.

Strictly Confidential information

Access is restricted to a small, named group, regularly reviewed, and requires additional protection. Information in this class may include but is not limited to:

• Special category data, as defined by UK GDPR;
• Research data covered explicitly by a patent or legal agreement;
• Information protected by clauses;
• Evidence of criminal activity;
• Reports under the Whistleblowing procedure;
• Highly sensitive financial information.

Impact of disclosure: Significant to substantial reputational damage, financial damage, and damage to individuals through non-compliance with statutory and regulatory duties.

The College and it’s staff must comply with legislation, the following legislation are most relevant to this policy:

• Data Protection Act 2018
• Computer Misuse Act 1990
• Copyright, Designs and Patents Act 1988
• UK General Data Protection Regulation (GDPR) 2018
• Human Rights Act 1998
• Regulation of Investigatory Powers Act 2000
• Terrorism Act 2006
• Privacy and Electronic Communication Regulations 2003
• Counter-Terrorism and Security Act 2015.
• Limitations Act 1980.

The College, each student and member of staff have an obligation to abide by all relevant legislation. Particularly:

• Data Protection Act 2018
• Computer Misuse Act 1990
• Copyright, Designs and Patents Act 1988
• UK General Data Protection Regulation (GDPR) 2018
• Human Rights Act 1998
• Regulation of Investigatory Powers Act 2000
• Terrorism Act 2006
• Privacy and Electronic Communication Regulations 2003
• Counter-Terrorism and Security Act 2015.
• Limitations Act 1980.

This policy will be reviewed as it is deemed appropriate, but no less frequently every three years.

Information Security Policy

Account and Password Policy

Acceptable Use Policy

Information Handling Policy

Home and Remote Access to Services Policy

Data Protection Policy

Data breach process.

See all RCA Policies and codes of practice