This is an HTML version of an attachment to the Freedom of Information request 'Information Governance Risk Review Form'.

Information Governance Risk Review - New Item
Page 4 of 7
Instructions
Please answer the questions as accurately as possible. Your entries will not be saved until you press the “Submit” button and, once submitted, you will not be able to edit your answers. So please make sure you are able to answer most of the questions before you start.
Description
Name
Type of initiative
Select or type...

Title of the initiative
From what area does the initiative originate?
Select...

Date Submitted
06/03/2019
Initiative/Project Code/Short Name
Name of business owner of this initiative
Describe the primary business objectives of the initiative. (Please limit to a maximum of 255 characters, including spaces)

What users will be impacted by the initiative?
Select...
Please specify if Specific Team or Other is selected above
Date initiative is due to go live
Confidentiality
Confidentiality is a characteristic that applies to information. To protect and preserve the confidentiality of information means to ensure 
that it is not made available or disclosed to unauthorised entities. In this context, entities include both individuals and processes. Think 
about the information involved in your initiative. Further information and examples can be found 
here (http://documents.manchester.ac.uk/DocuInfo.aspx?DocID=15677).
Q1
Which of these statements best describes the initiative as you currently understand it?
Highly Restricted
Defined as information where a breach in confidentiality would cause:
Significant distress or financial loss to individuals;
Significant fines and enforcement action by the Information Commissioner's Office for data breaches;
Significant reputational damage;
Withdrawal of one or more significant research grants, contracts or donations;
Litigation against the University; and/or
Significant financial loss due to premature disclosure of Intellectual Property.
Information which is accessible by a tightly defined group of users, dealing with issues they are exclusively authorised to handle.
Examples - health related information regarding staff, students or research participants; research related to key industrial fields at particular risk of being targeted; legal advice and other papers related to legal action; reserved committee papers
https://org.manchester.ac.uk/sites/IGO/igrr/Lists/isrr/Item/newifs.aspx?List=5d5b355c... 06/03/2019

Restricted
Defined as information that, whilst not categorised as Highly Restricted, could result in harm or distress to individuals or the University if there were a breach in confidentiality.
Accessible by legitimate groups of University users.
Examples - routine records related to staff or students; routine financial information; teaching materials; question papers
Unrestricted
Little or no adverse effect on individuals or the University if there was a breach in confidentiality.
Information that is consciously placed in the public domain.
Freely accessible as required
Examples - press release, public marketing material, financial reports after declaration, and information already approved for publication on the internet.
Integrity
Integrity: to preserve the integrity of information means to protect the accuracy and completeness of information and the
methods that are used to process and manage it. Think about how important the accuracy and integrity of your information is to your 
business operation or initiative.
Q2
Which of these statements best describes the initiative as you currently understand it?
Critical
Any information that is indispensable or essential to maintain University operations 
and/or to maintain integrity of University assets, and/or to protect individuals - loss of, 
or inaccuracy in, this information could result in severe operational impact, or give rise 
to severe financial, regulatory or reputational consequences. Critical information will 
be subject to rigorous access controls and measures to ensure its continuing accuracy.
99-100% error-free information.
Important
Any information that is fundamental to maintain University operations and/or to 
maintain integrity of University assets, and/or to protect individuals. Like Critical 
integrity the information classified as Important will be subject to controls and 
measures to maintain accuracy, however the degree of control is likely to be less 
rigorous. The consequences of a loss of integrity will be less severe than is the case for 
Critical information.
90-98% error-free information.
Unimportant
Any information that is lacking in value to maintain University operations and/or to 
maintain integrity of University assets, and/or to protect individuals; although such 
information is susceptible to integrity breaches, a breach would not result in significant 
business consequences. Controls for access to modify these information sources may 
exist, but they would be limited and proportional to the inconvenience of any integrity breach.
<90% error-free information.
Availability
Availability: is a characteristic that applies to assets. An asset is available if it is accessible and usable when needed by an authorised entity. 
In the context of this assessment, assets include things like information, systems, facilities, networks, and computers. All of these assets 
must be available to authorised entities when they need to access or use them.
Q3
Which of these statements best describes the initiative as you currently understand it?
Critical
Describes information assets where availability (and the expectation of availability) is 
imperative to the operation of the University. Any failure of availability would result in 
a severely impaired ability to make management decisions, impact key control 
procedures and may result in a legal liability, loss of public confidence and costs 
arising from workarounds and restoration of service.
No interruption of access beyond 4 working hours.
Important
Information assets where routine availability is embedded in the normal operation of 
the University. Loss of availability would result in a degraded ability to make 
management decisions and operate normal control procedures, but if restored within 
appropriate limits would be unlikely to result in legal liability, loss of public confidence, 
or costs arising from workarounds and restoration of service.
No interruption of access beyond 8 service hours.
Unimportant
Information assets where loss of availability would result in a degraded ability to 
undertake some aspect of University operations. Unlikely to impact upon the ability to 
make management decisions or operate control procedures. Loss of availability would 
result in inconvenience for the impacted business area, but would not lead to legal 
liability and is unlikely to result in a loss of public confidence. Costs of 
workaround/restoration are likely to be low, but proportional to the asset nature.
Interruption of access may extend beyond 10 working days or be in the next planned 
release for approval.

Processing personal data
This section of the IGRR is used to determine if your initiative requires a Data Protection Impact Assessment.
Q4
Which of these statements best describes the initiative as you currently understand it?
Sensitive Personal Data
This type of initiative will create/handle/process/access/transport/transmit/host/view 
any of the following personal data:
race or ethnic origin;
political opinions;
religious or philosophical beliefs;
trade union membership;
genetic data;
biometric data (where used for identification purposes);
health; 
sex life or sexual orientation; or
criminal convictions and offences
Or involves processing personal data which might:
involve any systematic evaluation of individuals, including profiling, in ways 
that can have a significant impact on them e.g. decisions about an 
individual’s access to a product, service, opportunity or benefit;
give rise to identity theft, fraud or financial loss to the data subject e.g. 
processing financial information e.g. salary, National Insurance Number, 
bank account details, tax, benefit or pensions records, debt information;
involve using new technology that might be perceived as being privacy 
intrusive e.g. the use of video or voice recording, biometrics, facial 
recognition;
require you to contact individuals in a way that they may find intrusive e.g. 
marketing;
involve the use of new technologies, or the novel application of existing 
technologies (including artificial intelligence) in a way which uses identifiable 
information or would impact individuals;
involve combining, comparing or matching personal data obtained from 
multiple sources;
involve personal data that has not been obtained direct from the data 
subject;
involve tracking an individual’s geolocation or behaviour, including but not 
limited to the online environment; or
target children (under 16) or other vulnerable individuals.
Personal data
Personal data means data which relate to a living individual who can be identified:
From those data, or 
From those data and other information which is in the possession of, or is 
likely to come into the possession of, the data controller
No Personal data
This type of initiative may use a variety of data types (or sources), but none of the data 
handled could be used to identify an individual.
Q5
Approximately how many individuals' records will it involve?
0

Regulatory Requirements
This section of the IGRR is used to determine whether an initiative needs to meet external regulatory requirements.
Q6
Required to comply with Cyber Essentials?

Q7
Required to comply with PCI DSS?

Q8
Required to comply with the NHS Data Security and Protection Toolkit (previously "IG Toolkit")?


Q9
Are there any other external regulatory requirements or standards which the initiative needs to comply with other than data protection laws?

If yes, please state (list all that apply)
3rd Parties
This section of the IGRR will determine the need to consider risks associated with third parties involved with your initiative.
Q10
Does the initiative involve a third party?

Q11
Does the University have an existing contract with this third party?

Q12
Does the initiative require an update to an existing contract?

Hosting
This section of the IGRR is used to determine where the data captured by your initiative will be hosted (stored).
Q13
Does the initiative involve the hosting of information in the University of Manchester datacentre?

Q14
Does the initiative involve the hosting of information on University of Manchester-owned premises but not in the data centre?

Q15
Does the initiative involve the hosting of information by a third party service provider?

Q16
Does the initiative involve accessing information outside the European Economic Area?

Automation and Control Systems
This section of the IGRR will determine the need to consider risks associated with control systems involved with your initiative, for example 
industrial control systems, process control systems, instrumentation, automation, telemetry, and SCADA (supervisory control and data 
acquisition). Examples of Control Systems at the University are Medical Devices, National Instruments Laboratory, Jodrell Bank etc.
Q17
Does the initiative impact on University control systems?

Once you have finished checking and editing your answers, please click the Submit button to the right. 
Once submitted, you will not be able to amend your answers.