Understand IG roles and responsibilities

Senior Information Risk Owner (SIRO), Information Asset Owner (IAO), and Information Asset Administrator (IAA) are all terms you may come across when working with the public sector, especially when demonstrating compliance with Health and Social Care requirements. Below is an outline of the roles and how they may translate when working with health and social care information.

There are a huge number of roles within NHS organisations that do not translate outside the health and social care sector. While some roles are irrelevant to Higher Education, some need to be adapted to the University and research context in order to work in partnership with the national data custodians and health service organisations.

This guidance is designed in line with the requirements to submit and maintain an NHS Data Security and Protection Toolkit for the purposes of processing confidential personal information for research purposes.

At a glance

 Know who owns risk in your unit

 Know who is responsible for information security and governance

 Understand how your research project is governed

 Work with your unit head or IG lead to assign roles as required


Senior Information Risk Owner

In Health and Social Care, SIROs have responsibility for understanding how the strategic business goals of the organisation may be impacted by any information risks, and for taking steps to mitigate them. This role is assigned to the head of unit as per University policy. In research projects, especially those working across themes and units, the role needs to be undertaken by a similarly senior member of staff with oversight. Should there be a need to do so at a project level, the project sponsor or Chief Investigator can undertake this role, as long as they are aware of their need to feed into the University’s governance structure. This role can be undertaken by the same person who takes on the Caldicott function (if applicable) for a Data Security and Protection Toolkit (DSPT) application at the research group level, but this should not be the case if the roles are being assigned at the unit level as per NHS guidance.

NHS Classification:

Leaders and Board Members role

  • Information risk and incident management framework within the unit
  • Information risk policy
  • Annual information risk review
  • Providing a focal point for communicating information risk policy and issues across the unit
  • Following up with identified information risks 
  • Fostering and leading an appropriate (security) culture 
  • Ensuring incident reporting process is in place, and process for Serious Incidents requiring investigations (SIRI)
  • Privacy Impact Assessment for new projects
  • Advising Chief Executive or senior management about information risk
  • Documentation and application of risk management methods
  • Providing guidance to information asset owners
  • Identifying Information Asset Owners for all assets, and ensuring they understand responsibilities
  • Oversight of and prioritisation of Information Governance activities
  • Sign off data flows
  • Own information risk policies and processes
  • Sign off on training needs analysis
  • Sign off on audit findings 
  • Sign off appropriate policies
  • Sign off process review findings from IG lead
  • Review information risk and assign owners to actions
  • Acknowledge or recognise the use of University information security and data protection policies for managing NHS Digital data
  • Signing off asset registers holding NHS Digital data
  • Understanding the baseline compliance status for your unit or research group
  • Understanding the incident management processes for the University as a whole (which has a 4 working hour window to report incidents, as opposed to CareCERT)
  • NHS Awareness module level 3
  • Or University awareness module and 
    • Awareness of the 10 National Data Guardian’s Standards
    • Awareness of Common Law Duty of Confidentiality 
    • Awareness of issues with processing Patient Confidential information within health and social care

Caldicott Guardian

A Caldicott Guardian is a senior person within a health or social care organisation who makes sure that the personal information about those who use its services is used legally, ethically and appropriately, and that confidentiality is maintained. While this is largely irrelevant to HE institutions, one may need to take on the role of Caldicott Guardian within certain contexts, for instance with regard to the governance of research databases holding identifiable participant information. Acting as the 'conscience' of an organisation, the Guardian actively supports work to enable information sharing where it is appropriate to share and advises on options for lawful and ethical processing of information. The role works with the senior management and the research community to promote and champion confidentiality and privacy-related issues with information sharing. The role has to be undertaken by an existing member of the senior management team, or a senior health or social care professional, or by the individual responsible for promoting clinical governance (or similar functions). In projects sponsored by CTRG, the Caldicott Guardian for Oxford University Hospitals (OUH) can sign this off. However, in projects that do not involve the use of NHS R&D and are not sponsored by CTRG, it would need to be undertaken by a senior member of staff with an understanding of processing patient data, and may be an existing member of staff who champions data privacy within the division, department or unit.

NHS Classification: 

Leaders and Board Members role

  • Ensuring compliance with the principles contained within the Confidentiality: NHS Code of Practice and that staff are made aware of individual responsibilities through policy, procedure and training
  • Providing routine reports to the senior management on confidentiality and data protection issues
  • Identifying and addressing any barriers for sharing for care
  • Ensuring that the confidentiality and data protection work programme is successfully co-ordinated and implemented

  • Contributing to standard one of the Data Security and Protection Toolkit, contributing to the annual assessment

  • Understanding the provided safe data sharing and collaboration systems available to University staff
  • NHS Awareness Module Level 2
  • Or University Awareness Module and
    • Awareness of issues with processing Patient Confidential information within health and social care
    • Awareness of Common Law Duty of Confidentiality 
    • Understanding of the 10 Caldicott Principles
    • Awareness of the 10 National Data Guardian’s Standards

Information Governance Lead

The role of an IG lead is, above all, that of a security-oriented officer. In an NHS organisation, this role is often occupied by the same individual who takes on a Data Protection Officer role. However, the University has recommended that, at the unit level, this be assigned to an individual acting in the capacity of Information Security (or Governance) officer, or similar. The Information Security team can provide the appropriate guidance and steer as required in undertaking this role. At a research group level this can often be a statistician or the PI, although understanding the unit-level and University-level governance and procedures, and contributing to them, is important.


NHS Classification:

Specialist role

  • Ensuring effective management, accountability, compliance and assurance for all aspects of IG 
  • Working with the SIRO and IAO as needed to understand, and escalate information security risks to the University
  • Checking that SIRO ownership is in place within the department, and getting in touch with IST if you need support in identifying the relevant member within the unit 
  • Maintaining the comprehensive and appropriate documentation that demonstrates commitment to and ownership of IG responsibilities 
  • Ensuring that there is top level awareness and support for IG resourcing and implementation of improvements 
  • Promoting the usage of appropriate IG policies 
  • Co-ordinating the activities of staff given IG responsibilities and progress initiatives; Data Security and Protection Toolkit key roles 
  • Ensuring that the annual (toolkit and baseline) assessment and improvement plans are prepared for approval by the senior level of management 
  • Ensuring that the approach to information handling is communicated to all staff and made available to the public 
  • Liaising with other committees, working groups and programme boards in order to promote and integrate IG standards 
  • Monitoring information handling activities to ensure compliance with law and guidance 
  • Providing a focal point for the resolution and/or discussion of IG issues 
  • Ensuring that information staff processing NHS Digital information understand the need to support the safe sharing of personal confidential data for direct care, as well as the need to protect an individual's confidentiality 
  • Ensuring that the training provided from the Information Security team is made available to all staff and completed as necessary to support their duties 
  • Ensuring annual assessments using the DSPT and audits of DSPT policies and arrangements are carried out, documented and reported, in line with the requirements of the Data Sharing Framework Contract 
  • Ensuring that all Information Asset Registers holding NHS Digital information are signed off by the SIRO
  • Ensuring that all Information Asset Registers holding NHS Digital information have been completed in full, including AV versions used on endpoints processing NHS Digital information, if not using Sophos Central
  • Ensuring you receive AV alerts on systems processing NHS Digital information 
  • Ensuring Sophos alerts are received on systems processing NHS Digital information
  • Ensuring that any third parties processing NHS Digital data are recorded in the asset register
  • Ensuring that said third parties have had appropriate due diligence undertaken, with support from Information Security team if required
  • Ensuring all data disposal contracts are reviewed
  • Working with InfoSec to review/complete due diligence on all data disposal companies
  • Ensuring that the IG and security training is in place as part of the induction, and starters, movers, leavers, processes for the unit
  • Annually reviewing processes around DSPT and NHS Digital data processing activities and submitting this to SIRO
  • Completing the software audit and having it signed off by the SIRO (via asset register)
  • Arranging quarterly vulnerability scanning with OxCERT (oxcert@infosec.ox.ac.uk)
  • Online Awareness Module or
  • NHS Data Security and Awareness Level 1 training
  • Information Governance and security briefing with Information Security team

Information Asset Owner

Information Asset Owners are, exactly as the term implies, members of the unit (or research group) who have accountability for information assets. The assets, as referred to here, could be people, processes or technology that process information. The NHS recommends that these be individuals with the required seniority and authority to oversee the controls on the information assets and how they’re used. At a unit level this may be senior members of staff with ownership of clusters of equipment, or who own processes, or approve usage of information assets in particular capacities. In a research group capacity this would be the Principal Investigator, or the recipient of the research grant, for instance.

NHS Classification:

Leaders and Board Members role, or Specialist role

  • Maintaining an understanding of the owned assets and how they are used
  • Approving information transfers in line with data minimisation principles
  • Approving use of portable or removable media
  • Approving destruction processes
  • Understanding and addressing risks to the asset and providing assurance to the SIRO
    • Seeking advice from IG experts
    • Conducting Privacy Impact Assessments (PIAs) as required with input from Privacy Champion for division
    • Undertaking regular risk assessments as required
    • Escalating risks to SIRO or the Information Security team
    • Providing annual written assessment to SIRO
  • Online Awareness Module or
  • NHS Data Security and Awareness Level 1 training
  • Understanding of relevant policies and procedures within the unit

Information Asset Administrator

The role of Information Asset Administrator is less clearly defined, in that it is often only required in large and complex landscapes. In smaller cohorts, the IAO may also undertake the role and responsibilities of an IAA. In a unit this may be the Systems or Asset Administrator, where they have sufficient seniority and authority to carry out compliance activities on the asset users. In a research group this may be undertaken by a Senior Researcher, the Statistician or a Systems Administrator.

NHS Classification:

Leaders and Board Members role, or Specialist role

  • Ensuring that the policies and procedures are followed
  • Undertaking regular compliance checks in place of IG lead if required
  • NHS Online Awareness Module or
  • NHS Data Security and Awareness Level 1 training
  • Understanding of relevant policies and procedures within the unit

Information Governance-as-a-Service (delivered by the Information Security team)

Information Governance Office-as-a-Service, a service delivered by 1 FTE of the Information Security team, has developed a number of tools and guidance materials, and established processes and partnerships, both internal and external, to enable the University to manage information security risk amidst the changing regulatory and security landscape. As part of this stream of work, you will be able to request support for information governance and security aspects of research data and/or grant applications, ask for more information or request security reviews via grc@infosec.ox.ac.uk.

  • Developing and maintaining the currency of comprehensive and appropriate documentation that demonstrates commitment to and ownership of IG responsibilities
  • Providing direction in formulating, establishing and promoting IG policies
  • Ensuring that the DPO is aware of the toolkit requirements
  • Ensuring that information governance staff understand the need to support the safe sharing of personal confidential data for direct care, as well as the need to protect individuals’ confidentiality 
  • Ensuring that appropriate training is made available to all staff and completed as necessary to support their duties 

IGO is delivered by members of the Information Security team who have the following training.

  • Levels 1, 2, and 3 of the NHS Data Security and Awareness Module 
  • Online Awareness Module
  • MRC's GDPR Train the Trainers course
  • Information Security course (such as CISMP)

Data Privacy and Data Protection Officer

The University of Oxford is the Data Controller for all processing activities. However, while policy is set at University level, the responsibility for implementation is at HoD level.  

There is a single Data Protection Officer (DPO) for the University, and a single registration with the Information Commissioner's Office (ICO). It is University policy for all Data Breaches, Subject Access Requests and Freedom of Information Requests to be reported immediately to the Information Compliance team, where they will be handled centrally.

Information about the DPO’s responsibilities as defined on the Information Commissioner's Office website



  • Ensuring that the requirements for DSPT are understood
  • Providing and maintaining the policies relating to data privacy and data protection 
  • Providing evidence as required for the DSPT assertions