Defining the University’s approach to vetting of employees and their continued information security responsibilities.
This control procedure defines the University’s approach to vetting of employees and their continued information security responsibilities, and directly supports the following policy statement from the Information Security Policy:
The university’s security policies and expectations for acceptable use will be communicated to all users to ensure that they understand their responsibilities. Information security education and training will be made available to all staff, and poor and inappropriate behaviour will be addressed.
Where practical, security responsibilities will be included in role descriptions, person specifications and personal development plans.
This procedure is intended to be read and understood by all employees and contractors. It is of particular relevance to HR staff and recruiting managers.
Employees, contractors and third party users must understand their responsibilities in respect of University information, and checks should be conducted to ensure they are suitable for the roles they are considered for, prior to being granted any access to University systems or information.
Background verification checks on all candidates for employment, contractors, and third party users should be carried out by Human Resources. Checks will be proportionate to the business requirements, the classification of the information to be accessed, and any perceived risks.
The process for conducting verification checks and subsequent offers of employment is documented in the University’s Recruitment and Selection Policy.
Candidate data that is collected as part of the University’s recruitment process will be handled in accordance with HR policies and procedures.
Occasionally a third party will request additional screening of a University employee in order to grant access to information, for example where a research project is using HMG information. Such requests will be considered on a case-by-case basis by the Legal and HR teams.
As part of their contractual obligation, users must agree to and sign their offer letter and contractual terms and conditions. Employment contracts will state employee obligations and responsibilities for complying with University policies and procedures including those associated with information security.
Employee contracts contain a confidentiality statement outlining that as part of the offer of employment, individuals understand the confidential nature of the information they access, that they will not use the information for unauthorised purposes and that they will return or destroy any information or assets when their employment terminates.
Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.
Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Security Board.
This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.
A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board.