An Introduction to Information Governance

[1.0] An Introduction to Information Governance

Information Governance is a large and complex area of law which is receiving ever increasing attention from politicians, the media, and the public. Therefore, it is more important than ever before to ensure your education establishment understands its statutory information governance obligations.

In information governance terms, schools are separate legal entities, and not part of the local authority. Responsibility for compliance with information governance legislation rests with each school's governing body. It is therefore vital that all staff and governors understand their responsibilities.

The main pieces of legislation that determine these obligations and responsibilities are:

  • Data Protection Act 1998 (DPA)
  • Freedom of Information Act 2000 (FOIA)
  • Environmental Information Regulations 2004 (EIR)
  • Education (Public Information) (England) Regulations 2005 (Education Regs)
  • Privacy and Electronic Communications Regulations 2003 (PECR)
  • NEW General Data Protection Regulation 2015 (GDPR)*

*In May 2018 the United Kingdom will adopt the new General Data Protection Regulation (GDPR) from the European Union. This regulation will replace the Data Protection Act 1998. Whilst the regulation will not be enforced until 2018, all organisations need to be aware of the changes that will be required. Many elements of the GDPR are already suggested as best practice, but some changes will mean your policies and procedures need to be adapted. Where possible this guide has already been written to comply with the GDPR, and Veritau’s information governance team will ensure that these changes are communicated to your school as and when appropriate. As well as the Veritau briefing note in Useful Downloads below, you can find more guidance on the ICO’s webpage.

[1.1] Roles and Responsibilities

Regulator: The Information Commissioner's Office (ICO) is the UK's independent public authority responsible for data protection. It upholds information rights, promotes good practice, rules on complaints, provides information to individuals and organisations, and takes appropriate action when the law is broken.

The Information Commissioner has published a video, "ICO information rights video for schools", which is aimed primarily at head teachers, deputy head teachers, school business managers and school governors. It discusses data protection and freedom of information, information governance policies, subject access requests, information sharing, websites, photographs, CCTV, training, publication schemes, and responding to an FOI request.

The ‘Data protection for the Education Sector’ webinar looks at best practice when it comes to collecting and using the personal information of pupils and staff within educational establishments. It also discusses the ICO’s role and powers if problems with sensitive data occur.

It also looks at the GDPR and discusses the likely impact on schools and how the ICO will help institutions meet the new required standards.

IMPORTANT: Your school must ensure that it is registered as a data controller with the ICO. Registration includes stating what data you process and who the accountable officers in your organisation are. You must register annually, and this incurs a cost of £35 each year. This is known as notification.

SIRO: It is the responsibility of schools to appoint a Senior Information Risk Owner (SIRO). This should be a senior member of staff who acts as a champion for managing information risks, ensures that the school's policies and procedures are effective and comply with legislation, and promotes good practice in school. Usually the head teacher would be the most appropriate SIRO, but this is not obligatory. However, the SIRO must possess the senior authority to make decisions and to be accountable for all the information risks that a school retains.

SPOC: Each educational establishment should have a dedicated member of staff to be a Specific Point of Contact (SPOC). This person should be responsible for processing information requests, ensuring compliance with retention schedules, and maintaining privacy notices. Usually the business manager or an office administrator would be most suitable for this position. The SPOC should directly report to the SIRO.

IGT: Veritau’s Information Governance Team (IGT) are able to provide advice and assistance to the SIRO or SPOC as part of the school’s audit contract. Any additional work, such as processing data protection requests, may be chargeable. The IGT can be contacted by emailing or by phoning 01609 53 2526 or 01609 53 6656.

Schools ICT: Schools ICT provide technical advice on a wide range of ICT issues. They can be contacted via

[1.2] Information Governance Policies

As individual education providers are ‘data controllers’ in their own right then they will need to have in place their own information governance policy. This policy should cover each section of this guide and should assign information governance responsibilities to certain positions within the school. The SIRO should issue this policy and the governing body should approve the policy. The policy will then become a public document and good practice suggests it should be published on your school’s website.

There are two documents, under Useful Downloads, which have been created to assist you with writing, updating, and maintaining your school’s information governance policy. The first is a model policy which you may use and adapt to create your own policy. The second document is a checklist to ensure that you have covered all areas of information governance – both in your policy and in your current procedures.

Useful Downloads

  • Briefing Note: General Data Protection Regulation 2016
  • Model DP Policy for Schools
  • Health Checklist