Data management strategy

We aim to enable data planning and governance to effectively manage university data as an asset, ensuring that data is collected, created and processed in a compliant manner that is also in the best interests of the wider University.


  1. The University acquires, creates and retains data in a variety of digital and non-digital formats. It also holds personal data and special category (sensitive) data about data subjects, including patients, so must comply with the provisions of current data protection legislation.
  2. It recognises that there needs to be a balance between its:
    1. Public accountability and transparency in its governance
    2. Compliance with regulatory obligations including data protection legislation
    3. Need to protect both the personal and commercially sensitive confidential information it holds.
  3. The University has implemented a data management strategy to ensure that data is collected, created and processed in a compliant manner in the best interests of the wider University, supports its organisational strategy and informs the design and development of its technical architecture and business processes.

Strategic aims

This strategy is underpinned by the following eight guiding principles:

Data, in all forms, is recognised as a university asset

Data is managed as a corporately owned asset with clear governance processes to control its processing and retention.

Data is held in compliance with the University’s regulatory obligations including data protection legislation

Data is kept secure and personal data must only be processed under appropriate, usually limited, conditions in compliance with data protection legislation. Data subjects are able to exercise rights in respect of their own personal data.

Confidence in the reliability and quality of the data is maintained throughout its lifecycle

The University holds timely, accurate and reliable data in order to manage activities and meet internal and external requirements to enable it to demonstrate accountability through accurate reporting.

Data will be governed appropriately throughout its lifecycle in relation to its purpose

Data is assigned to a designated information asset owner (IAO). It must be kept secure and personal data must only be processed under appropriate, usually limited, conditions in compliance with data protection legislation.

All data should be identifiable

Data is identified, findable and managed in a structured manner and labelled and recorded in a consistent and logical fashion.

All data processing changes are subject to control

Implementing and codifying the measures to be taken when making changes to the processing of data is vital to ensuring that the significant remedial work required to establish the right conditions for success does not have to be repeated in the future. Change control is a vital component of effective data management.

All data will be ultimately governed by the Executive Board with guidance from the designated overseeing committee

Governance structures for data are now in place with an appropriate designated overseeing committee.

The level of rigour is proportionate to the risk

The University’s Information Assurance Strategy will inform data requirements. This Data Management Strategy will ensure that the data collection, processing and sharing meets the needs of the University and effectively supports its mission.


  • University data, is managed as an increasingly important corporate asset and potential source of competitive advantage and is better protected and exploited
  • There exists a benefit to or link through the use of data and the achievement of the University’s goals and strategy
  • There is an understanding of data usage, flows against purposes and the data lifecycle is managed
  • Accurate management data is provided to enable effective University’s decision making
  • The IT Data Security Strategy is embedded.

  • The University is compliant with all current and emerging information compliance rules including the data protection legislation
  • Categories of access to data are defined on a least privileged/need to know basis
  • Data rights are able to be successfully fulfilled
  • Breaches are dealt with in an effective and timely fashion to ensure regulatory obligations are met.

  • The University is compliant with the Data Protection Legislation in that the personal data it holds is accurate and that inaccurate data is rectified or erased without delay
  • Accurate external returns are submitted to ensure maximization of funding opportunities.

  • A community of clearly defined data management roles has been established and are maintained
  • The community of appropriately trained and supported IAOs ensure that enterprise data and other strategically important data held locally is managed for strategic, not local purposes
  • The role and responsibilities of the IAOs are defined
  • Data will be managed appropriately
  • Records, and the data in them, can be efficiently retrieved by those with a legitimate right of access for as long as the records are held by the University
  • Guidance for IAOs on how to manage the data within their areas has been developed
  • Appropriate resourcing, training and organisational conditions are in place to ensure that they can operate effectively
  • Gaps in current resource and necessary university support to address them have been identified.

  • Data held within university systems and other networked locations has been identified and highlighted where personal data is stored
  • Data that the University holds and its use is automatically identified and discoverable
  • There is an understanding of data usage, flows against purposes and the data lifecycle is managed
  • Interfaces, data flows, data modelling of systems and architecture support identification and management of data
  • Data will be classified according to the data risk categories
  • The management of data retention and governance is automated where appropriate
  • Data is disposed of/archived appropriately.

  • The University’s plans for the development of its technical architecture is driven by the Information Assurance and IT Data Security strategies and any changes will be properly controlled to reduce data compliance risk
  • The application of information governance procedures are regularly monitored against agreed indicators and action taken to improve standards as necessary
  • Changes to the processing of personal data will follow the Data Protection Impact Assessment process.

  • The designated overseeing committee will oversee the design and implementation of the overarching Information Assurance Strategy, this strategy, IT Data Security Strategy and any subsequent data management.

  • Data risk categories are clearly defined
  • Data is automatically and appropriately classified, tagged and protected according to its risk category
  • Data protection risks are managed appropriately.

Data Management Strategy

(390.7 KB .PDF)