The Information Asset Owner is accountable to the SIRO for ensuring risks associated with handling confidential information are properly managed.
The Owner is equivalent to the Data Owner as defined in the UCL Data Protection Policy. Within a study, this is typically the PI and must be a UCL employee, not an Honorary. The Owner must be in a position to mandate responsibilities within the team, such as training, and will be in a position to secure funds and resources to ensure information will be properly handled within the study. If the PI is not employed by UCL then a similarly senior UCL staff member closely involved with the project should be appointed as Owner. In research this will most often be the UCL grant holder.
Responsibilities of the Information Asset Owner
The Information Asset Owner must ensure:
- Their own Information Governance training is maintained
- A record is maintained of training for all team members, including the Owner
- Risks associated with data transfers have been assessed and additional security controls implemented where required
- The physical security of the team's work environment, or any changes to this, is assessed and, if necessary, improved
- Suitable standard operating procedures are documented and implemented
- Technical measures are in place to protect all personal data from unauthorised access
- Appropriate data processing contracts are in place where external parties are processing personal data on UCL's behalf
- All members of the research team handling personal data have suitable UCL contracts
- Contractual requirements, relating to data in use by the study, are met
- Suitable joiners, movers and leavers processes are in place
- Records are kept of all information assets that they are responsible for
- Incidents are reported promptly
- Data is securely destroyed when no longer needed
- There is a legal basis for holding personal data
- All onward sharing of data is legal
In addition, the Owner must ensure that all members of the study team understand their responsibilities. In particular, team members must receive Information Governance training before being given access to personal data.
Many Owners will want someone they employ to be responsible for the day-to-day operations of a project such as assigning access rights to data. This is possible by assigning an information asset administrator ('Administrator'). Administrator responsibilities are outlined here.