(1) Data is a key strategic and operational asset of the University and the appropriate governance of the availability, usability, integrity and security of data is critical to the University’s operations.
(2) This Procedure should be read in conjunction with the IT Acceptable Use Policy, the Data Quality Management Procedure and the Data Handling Guidelines.
(3) The purpose of this Procedure is to:
(4) This Procedure applies primarily to Data Executives, Data Guardians, Data Stewards and the Data and Analytics Division.
(5) Sections 3 and 7, and clause 27 apply to all Staff.
(6) This Procedure applies to all data stored by the University, with the exception of data referred to in clause 7.
(7) This Procedure does not apply to:
(8) The handling of data expressed in this procedure is also underpinned by the University’s Data Handling Guidelines, IT Acceptable Use Policy, Privacy Policy, Cyber Security Policy, Records Management Policy and other relevant policies.
(9) Collection, access authorisation, and use of data must be underpinned by a relevant business need.
(10) High quality data enables informed decision-making and accurate reporting. The University is committed to the continuous improvement of data quality.
(11) The collection and management of personal information is to be handled in accordance with the Privacy Policy which facilitates the University’s compliance with current legislative requirements.
(12) Data stored in University records must be retained and disposed of in an appropriate manner in accordance with the Records Management Policy.
(13) All data assets must have an assigned Data Executive, Data Guardian and Data Steward to ensure clear lines of responsibility and accountability. Data governance roles are defined in the table below.
(14) Data governance roles are assigned based on the University Enterprise Data Model managed by the Data and Analytics Division, which separates all University data into information domains and subdomains.
(15) Data quality requirements must be defined by a Data Guardian, and required data quality monitoring mechanisms put in place.
(16) The Data Quality Management Procedure describes the main dimensions used to measure and monitor data quality.
(17) Data quality issues must be managed as prescribed in the Data Quality Management Procedure.
(18) The security classification is based on the likely impact on an individual and/or the University’s activities, objectives and reputation resulting from compromise of the data confidentiality.
(19) To ensure appropriate handling and protection, University data assets are to be assigned one of the following security classifications.
(20) To ensure immediate protection of higher risk data, the ongoing priority for Data Guardians is to identify and classify data assets that should have classification of Restricted.
(21) The default security classification for newly created data assets must be Controlled unless there is a specific need to protect the confidentiality of the information. For detailed information on data asset creation refer to the Data Handling Guidelines.
(22) The Data Handling Guidelines provide best practice guidance on how to protect and handle data based on security classification of its data assets.
(23) Electronically stored data must be protected by appropriate safeguards and/or physical access controls that restrict access to the authorised user(s).
(24) Controlled, protected or restricted data must not be stored on external portable storage (CDs, DVDs, USB/Flash Drives, etc.), personal devices, personal cloud storage or personal email accounts.
(25) Restricted data must not be stored on University managed devices and should be stored on University managed file servers (such as H: or S: drives) or with the IMTS approved external services providers.
(26) Higher level data assets containing lower level data assets that have different security classification levels must be handled and protected according to the highest security classification assigned to any data asset within.
(27) All Staff are responsible for:
(28) The Chief Operating Officer and Vice-President Operations is responsible for appointing Data Guardians on recommendation of the relevant Data Executive.
(29) Data Executives are responsible for:
(30) Data Guardians are responsible for the overall implementation and enforcement of data management, quality, privacy and security within their assigned domain, including but not limited to:
(31) Data Stewards are responsible for performing data management, quality, privacy and security tasks as directed by the Data Guardian, as well as:
(32) The Data and Analytics Division is responsible for:
Data Governance Procedure
Section 1 - Introduction/Background
Section 2 - Purpose/Scope
Section 3 - Data Principles
Section 4 - Data Governance and Ownership
Role: Data Executive
Definition: Data Executives are members of the Senior Executive Group with strategic planning and decision-making authority for the University’s data.
Role: Data Guardian
Definition: Data Guardians are senior leadership with high-level knowledge, expertise and tactical decision making in data within their responsibility.
Role: Data Steward
Definition: Data Stewards are Staff responsible for data quality, implementation and enforcement of data management within their organisational unit(s).
Role: Data Specialist
Definition: Data Specialists are business and technical subject matter experts. They are typically Business or Information Technology specialists who provide ongoing technical support as a part of their day-to-day role.
Figure 1 – Hierarchy of Data Governance Roles and Responsibilities
Section 5 - Data Quality
Section 6 - Data Security Classification
Classification: Restricted
Description: (Considered to be sensitive) Data that if breached due to accidental, negligent or malicious activity would have a high adverse impact on an individual and/or the University’s activities, objectives, reputation.
Example Data Types:
Sensitive personal information (detailed in Definitions)
Personal information of children and young persons
Credit card information.
Research data containing identifiable personal or medical data.
Research data classified by Ethics Committees as Highly Restricted.
Research data containing Indigenous cultural significance that is considered “secret or sacred” (e.g. images or names of deceased people, women’s and men’s business), or data that may cause harm to Indigenous communities.
Commercially protected research data.
Classification: Protected
Description: (Considered to be sensitive) Data that if breached due to accidental, negligent or malicious activity would have a moderate adverse impact on an individual and/or the University’s activities, objectives, reputation.
Example Data Types:
Personal information (such as student and staff data)
Assessment and exam data
Organisational confidential and financial data.
Geospatial coordinates that can be used for the purposes of identification
Research data sets shared under contractual obligation.
Classification: Controlled
Description: (Default classification) Data that if breached due to accidental, negligent or malicious activity would have a low adverse impact on an individual and/or the University’s activities, objectives, reputation.
Example Data Types:
Operational data, information, records and communications that do not contain Protected or Restricted data.
Unpublished non-sensitive, non-identifiable research data
Sensitive research data that has been de-identified and cannot be reasonably re-identified.
Classification: Public
Description: Data that if breached owing to accidental or malicious activity would have an insignificant impact on the University’s activities and/or objectives.
Example Data Types:
Public web content.
Published Research data.
Section 7 - Data Handling and Protection
Section 8 - Roles and Responsibilities
All Staff
Chief Operating Officer and Vice-President Operations
Data Executive
Data Guardian
Data Steward
Section 9 - Definitions
Word/Term: (Data) Access
Definition: The ability to interact with data in one or more ways, such as the ability to read, copy, query, retrieve, update or delete data.
Word/Term: Data
Definition: Stored facts and statistics collected for reference, analysis or other purposes as required by University business. Examples of data are provided at Section 6 Data Security Classification.
Word/Term: Data Asset
Definition: A structure for grouping data used mainly for practical data management purposes such as access, data security classification, etc. Suggested examples include database column (field), database table, entity, REST API endpoint, source system, etc.
Word/Term: Data Governance
Definition: The specification of decision rights and an accountability framework to ensure the appropriate behaviour in the valuation, creation, consumption and control of data.
Word/Term: Data quality
Definition: An assessment of data’s fitness to serve its purpose in a given context.
Word/Term: Personal Information
Definition: Information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
Word/Term: Sensitive Personal Information
Definition: A subset of personal information, defined as:
racial or ethnic origin
political opinions
membership of a political association
religious beliefs or affiliations
philosophical beliefs
membership of a professional or trade association
membership of a trade union
sexual orientation or practices, or
criminal record
Word/Term: Staff
Definition: All people employed by the University including conjoint appointments, whether on continuing, permanent, fixed term, casual or cadet or traineeship basis.
Word/Term: University
Definition: University of Wollongong.