Information Risk Governance Committee

Find out more about Information Risk Governance Committee, including terms of reference, membership, meetings and minutes.

On this page you will find:

 

Overview

Reports toUniversity Management Committee
ChairProfessor Emma Morris
Secretary

Freya Markwell
f.markwell@ucl.ac.uk 

For agendas and minutes; apologies for absence

Meeting dates

Scheduled meeting dates: 2025-26

The copy deadlines quoted are the latest dates by which the final papers must be received by the secretary. Please use the templates for papers submission.

Meeting dateCopy deadline
Friday 7 November 2025, 12.30pm24 October
Friday 6 February 2026, 2.00pm23 January
Friday 24 April 2026, 3.15pm10 April
Wednesday 3 June 2026, 2.00pm20 May

Minutes

Open minutes from this committee will be published once available.
 

Terms of Reference

Subject to any particular direction that may from time to time be given by the University Management Committee (UMC), the Information Risk Governance Committee is charged by the UMC:

  1. To review, maintain, and promote compliance with information governance regulatory requirements in line with the Information Security Policy and its supporting documents and the Data Protection Policy and its supporting documents.
  2. To provide an appropriate information risk governance framework establishing clear lines of accountability, responsibility and authority for the management of all information and data assets generated, collected and held by UCL.
  3. To review and recommend to UMC for approval the Information Security Policy, Data Protection Policy and Freedom of Information Policy.
  4. To monitor the implementation of the Information Security Policy, Data Protection Policy and Freedom of Information Policy and regularly review the supporting documents governing the management, use, and storage of information and data, ensuring that UCL’s objectives and legal obligations are properly supported.
  5. To support UMC in developing and keeping under review the institutional risk appetite.
  6. To oversee effective management of key risks and to ensure that they are identified, assessed and managed in line with the UCL risk management framework and institutional risk appetite.
  7. To consider escalated exceptions which require UCL’s risk appetite to be exceeded, and escalations arising from policy exemption requests and make recommendations regarding high-risk data issues and security risks to the UMC for possible further action.
  8. To provide assurance to UMC that the arrangements to manage information and data protection risks are appropriate and effective; and to escalate to UMC any significant regulatory or compliance risks.
  9. To develop performance metrics and annually review the effectiveness of UCL’s information security and data protection strategies against agreed targets.
  10. To consider incident trends including personal data breaches affecting UCL information assets and the findings from incident reviews, audit reports and observations and propose priorities for further development.
  11. Provide governance over UCL’s Trusted Research Environment and other areas for which the Committee represents UCL’s leadership.
  12. To report cyber security and data protection risks to UMC and via the UMC to Audit Committee.
  13. To oversee the development and delivery of training and related activities aimed to promote awareness amongst staff and students of UCL’s information governance and data protection policies and strategies and encourage best practice.
  14. To advise the UMC on all matters of information governance, cybersecurity, data protection and information security.

  15. To refer matters to the UMC where they impact on the responsibility of other UMC committees or where the Chair considers the decision is of strategic importance.

     

Membership

Ex Officio members

Senior Information Risk Owner (SIRO) (Chair) - Professor Emma Morris

Chief Information Security Officer (CISO) - Paul Haywood

Chief Privacy Officer - Alex Potts

Head of Information Security Risk - Miriam Holderness

General Counsel - Natasha Lewis

Chief People Officer - Donna Dalrymple

Executive Director, Student and Registry Services & Registrar - Sarah Cowls

Chair, Security Working Group - Dr Paul Lamb

Chair of the Operational Management Group (OMG) - Gail Adams

Director, The Centre for Advanced Research Computing (ARC) - Dr James Hetherington 

Director, UCL Centre for Clinical Research in Infection and Sexual Health & Deputy SIRO - Professor Richard Gilson 

Nominated members

Vice-President and Vice Provost Offices

Director of Finance Business Partnering (PSVP) - Tom Turner

Chief Risk and Compliance Officer - Kash Bokhari

Executive Director, Research and Innovation Services - Claire Glen

Assistant Director of Security and Resilience - Chris Jones

Data Governance Manager, OVP (Strategy) - Alison Amatsah

Deans’ nominees

Professor of Global Politics and Cyber Security, Computer Science - Professor Madeline Carr

Other nominated members

Office of the President and Provost - Megan Gerrie

One representative of the UCL Students’ Union - Sarah Jilani, SU Education Officer

One representative of the UCLH/UCL Joint Research Office - Rajinder Sidhu

Secretary

Freya Markwell