What is Information Governance?

Information Governance can mean different things to different people. It is a term that is used to describe the way we manage our obligations to the following legislation:

  • GDPR
  • Regulation of Investigatory Powers 2000
  • Environmental Information Regulations 2004
  • Freedom of Information Act 2000
  • Re-use of Public Sector Information Regulations 2005
  • Records Management (cop s46 FOIA)

It allows both the school and its employees to ensure that both business and personal information is dealt with legally, securely, efficiently and effectively, in order to deliver the best possible services.

The Information Governance Framework sets out the way the School handles information, in particular, the personal and sensitive data relating to our students, staff and suppliers

Information Governance – aims

The aims of Information Governance are to:

  • comply with all relevant legislative requirements thereby protecting individuals, and organisations
  • manage the creation, storage, movement and sharing of data in a secure and efficient manner
  • support the provision of high quality service delivery by promoting the effective and appropriate use of information
  • encourage staff and partners to work together, preventing duplication of information, effort and enabling more efficient use of shared data resources
  • develop support arrangements which provide staff with information and appropriate Information Governance policies and guidance
  • provide training and support to enable staff to discharge their responsibilities under the various acts – all to consistently high standards

Information Risk Management

Information risk is inherent in all administrative and business activities and everyone working for or on behalf of the school continuously manages information risk.

Information risk management is an essential element of information governance and is an integral part of good management practice. The intent is to embed information risk management in a very practical way into business processes and functions.



Information Assets

An information asset is a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information Assets (IA) have recognisable and manageable value, information lifecycle. By identifying IAs it is possible to quantify risk, mitigate and control risks and individuals who manage and control the asset and risks.

How to Identify an IA

  • Does the information have a value to the organisation? i.e.
    1. How useful is it? Will it cost money to reacquire?
    2. Would there be legal, reputational or financial repercussions if you couldn’t produce it on request?
    3. Would it have an effect on operational efficiency if you could not access it?
    4. Would there be consequences for not having it?
  • Is there a risk associated with the information? i.e.
    1. Is there a risk of losing it?
    2. A risk that it is not accurate?
    3. A risk that someone may tamper with it?
    4. A risk arising from inappropriate disclosure?
  • Does the class of information have a specific content? i.e.
    1. Do you understand what it is
    2. What it does?
    3. Does it include the context of the data?
  • Does the information have a manageable lifecycle? i.e.
    1. Are all the components created for a common purpose?
    2. Have the same retention date
    3. Be disposed of in the same way and according to the same rules?

Privacy Impact Assessments

Are a means of assessing risk when processing personal information. They should be conducted at the start of any project collecting personal digital data. There is a statutory need to conduct them where special category data or there is high risk data. Further information is included in the PIA template and procedure

Information Security

Information stored and processed by the council or by third parties working on behalf of the School. It should be recognised and managed as a valuable asset and subject to the same resource management processes as any other school resource. When data is created, stored, transmitted or communicated it must be protected from unauthorised access, use, modification or destruction.

Without adequate levels of protection, confidentiality, integrity and availability of information it is not possible to comply with obligations including legal, statutory and contractual requirements. Personal data should be encrypted or pseudonymised where possible.

All access to, and use of information should follow the information governance principles

Confidentiality Appropriate measures must be taken to ensure that information is accessible only to those authorised to have access.


Integrity The accuracy and completeness of information must be maintained and all changes affecting that information must be authorised, controlled, and validated.


Availability Information must be available to authorised individuals when required. In the event of a disaster or other events, information and the systems critical to the success of our organisation must be recoverable in accordance with plans.


Authentication All persons and systems seeking access to information or to our networked computer resources must first establish their identity to Flintshire County Councils satisfaction.


Access Control The privilege to view or modify information, computer programs, or the systems on which the information resides, must be restricted to only those whose job functions absolutely require it.



User access to information, and activity on the organisations computers, firewalls and networks must be recorded and maintained in compliance with all security, retention, relevant legislation and regulatory requirements.


It is the responsibility of each member of staff to adhere to the School’s Security Policies.


When is information classified?

Information Sharing

Information sharing is key to the Authority’s goal of delivering better, more efficient services that are coordinated around the needs of the individual. It is essential to enable early intervention and preventative work, for safeguarding and promoting welfare and for wider public protection. Information sharing is a vital element in improving outcomes for all.

Taking our responsibilities for handling information seriously

At the heart of Information Governance is training. This is so that staff can all understand how managing information affects their working lives and be fully aware of their responsibilities. A key responsibility concerns managing personal protected information. There have been many cases in the public sector of data breaches where staff have lost computers, memory sticks, emailed and faxed personal information to the wrong people. Policies and procedures can be put in place but training helps staff to understand what they are doing and how to implement them.



Governing Body

The Governing Body is the Data Controller and owns the policy, fulfils a monitoring role, manages complaints and reviews the policy as appropriate. The Data Protection Officer will provide advice and assistance in these functions.

Head Teacher (with Data Protection Officer)

Provide an annual update to the Governing Body

Data Protection Officer

To provide an independent overview of compliance issues. Provide advice and assistance when requested and advise and assist on complaints and the operation of the equipment.

All staff

Must complete Information Security & Data Protection Training every 12 months to ensure they are compliant in how they use and protect information in their work activities.

School Contact

Nicola Cooper


Information Commissioner’s Office

Wycliffe House

Water Lane






Golftyn CP school Data Protection Officer

GDBR Consultancy Ltd

David Bridge


Governing Body contact

Chair of Governors

Golftyn CP School

david@gdbr.co.uk www.gdbr.co.uk