View Current

Data Governance Procedure

This is the current version of this document. You can provide feedback on this document to the document author - refer to the Status and Details on the document's navigation bar.

Section 1 - Introduction/Background

(1) Data is a key strategic and operational asset of the University and the appropriate governance of the availability, usability, integrity and security of data is critical to the University’s operations.

(2) This Procedure should be read in conjunction with the IT Acceptable Use Policy, the Data Quality Management Procedure and the Data Handling Guidelines.

Top of Page

Section 2 - Purpose/Scope

(3) The purpose of this Procedure is to:

  1. define the roles and responsibilities for the governance, protection, quality and overall management of data stored by the University;
  2. set the standards for classifying data stored by the University based on its level of sensitivity and value; and
  3. establish principles for creating and maintaining high quality data.

(4) This Procedure applies primarily to Data Executives, Data Guardians, Data Stewards and the Data and Analytics Division.

(5) Sections 3 and 7, and clause 27 apply to all Staff.

(6) This Procedure applies to all data stored by the University, with the exception of data referred to in clause 7.

(7) This Procedure does not apply to:

  1. Research data defined in the Research Data Management Policy with the exception of Section 6 Data Security Classification; and
  2. data of University controlled entities.

(8) The handling of data expressed in this procedure is also underpinned by the University’s Data Handling Guidelines, IT Acceptable Use Policy, Privacy Policy, Cyber Security Policy, Records Management Policy and other relevant policies.

Top of Page

Section 3 - Data Principles

(9) Collection, access authorisation, and use of data must be underpinned by a relevant business need.

(10) High quality data enables informed decision-making and accurate reporting. The University is committed to the continuous improvement of data quality.

(11) The collection and management of personal information is to be handled in accordance with the Privacy Policy which facilitates the University’s compliance with current legislative requirements.

(12) Data stored in University records must be retained and disposed of in an appropriate manner in accordance with the Records Management Policy.

Top of Page

Section 4 - Data Governance and Ownership

(13) All data assets must have an assigned Data Executive, Data Guardian and Data Steward to ensure clear lines of responsibility and accountability. Data governance roles are defined in the table below.

Role Definition
Data Executive Data Executives are members of the Senior Executive Group with strategic planning and decision-making authority for the University’s data.
Data Guardian Data Guardians are senior leadership with high-level knowledge, expertise and tactical decision making in data within their responsibility.
Data Steward Data Stewards are Staff responsible for data quality, implementation and enforcement of data management within their organisational unit(s).
Data Specialist Data Specialists are business and technical subject matter experts. They are typically Business or Information Technology specialists who provide ongoing technical support as a part of their day-to-day role

Figure 1 – Hierarchy of Data Governance Roles and Responsibilities

(14) Data governance roles are assigned based on the University Enterprise Data Model managed by the Data and Analytics Division, which separates all University data into information domains and subdomains.

Top of Page

Section 5 - Data Quality

(15) Data quality requirements must be defined by a Data Guardian, and required data quality monitoring mechanisms put in place.

(16) The Data Quality Management Procedure describes the main dimensions used to measure and monitor data quality.

(17) Data quality issues must be managed as prescribed in the Data Quality Management Procedure.

Top of Page

Section 6 - Data Security Classification

(18) The security classification is based on the likely impact on an individual and/or the University’s activities, objectives and reputation resulting from compromise of the data confidentiality.

(19) To ensure appropriate handling and protection, University data assets are to be assigned one of the following security classifications.

Classification Description Example Data Types
Restricted
(Considered to be sensitive)
Data that if breached due to accidental, negligent or malicious activity would have a high adverse impact on an individual and/or the University’s activities, objectives, reputation. Sensitive personal information (detailed in Definitions)
Personal information of children and young persons
Credit card information.
Research data containing identifiable personal or medical data.
Research data classified by Ethics Committees as Highly Restricted.
Research data containing Indigenous cultural significance that is considered “secret or sacred” (e.g. images or names of deceased people, women’s and men’s business), or data that may cause harm to Indigenous communities.
Commercially protected research data.
Protected
(Considered to be sensitive)
Data that if breached due to accidental, negligent or malicious activity would have a moderate adverse impact on an individual and/or the University’s activities, objectives, reputation. Personal information (such as student and staff data)
Assessment and exam data
Organisational confidential and financial data.
Geospatial coordinates that can be used for the purposes of identification
Research data sets shared under contractual obligation.
Controlled
(Default classification)
Data that if breached due to accidental, negligent or malicious activity would have a low adverse impact on an individual and/or the University’s activities, objectives, reputation. Operational data, information, records and communications that do not contain Protected or Restricted data.
Unpublished non-sensitive, non-identifiable research data
Sensitive research data that has been de-identified and cannot be reasonably re-identified.
Public Data that if breached owing to accidental or malicious activity would have an insignificant impact on the University’s activities and/or objectives. Public web content.
 
Published Research data.

(20) To ensure immediate protection of higher risk data, the ongoing priority for Data Guardians is to identify and classify data assets that should have classification of Restricted.

(21) The default security classification for newly created data assets must be Controlled unless there is a specific need to protect the confidentiality of the information. For detailed information on data asset creation refer to the Data Handling Guidelines.

Top of Page

Section 7 - Data Handling and Protection

(22) The Data Handling Guidelines provide best practice guidance on how to protect and handle data based on security classification of its data assets.

(23) Electronically stored data must be protected by appropriate safeguards and/or physical access controls that restrict access to the authorised user(s).

(24) Controlled, protected or restricted data must not be stored on external portable storage (CDs, DVDs, USB/Flash Drives, etc.), personal devices, personal cloud storage or personal email accounts.

(25) Restricted data must not be stored on University managed devices and should be stored on University managed file servers (Such as H: or S: drives) or with the IMTS approved external services providers.

(26) Higher level data assets containing lower level data assets that have different security classification levels must be handled and protected according to the highest security classification assigned to any data asset within.

Top of Page

Section 8 - Roles and Responsibilities

All Staff

(27) All Staff  are responsible for:

  1. complying with this procedure, together with the Data Quality Management Procedure and Data Handling Guidelines;
  2. adhering to the principles laid out in Sections 3 and 7 of this Procedure;
  3. handling data based on its security classification level; and
  4. raising data quality issues in accordance with the Data Quality Management Procedure.

Chief Operating Officer and Vice-President Operations

(28) The Chief Operating Officer and Vice-President Operations is responsible for appointing Data Guardians on recommendation of the relevant Data Executive.

Data Executive

(29) Data Executives are responsible for:

  1. overseeing the continuous improvement of the University's data management, integration and use;
  2. recommending to the Chief Operating Officer and Vice-President Operations the appointment of Data Guardians within their respective portfolio; and
  3. resolving disputes over ownership, access, quality and the classification of data.

Data Guardian

(30) Data Guardians are responsible for the overall implementation and enforcement of data management, quality, privacy and security within their assigned domain, including but not limited to:

  1. ensuring that all legal, regulatory, and policy requirements are met in relation to data within their assigned domain;
  2. assigning appropriate security classification levels to data assets;
  3. ensuring that all data assets have a Data Steward(s) assigned;
  4. approving data access requests or establishing an approval model for role-based access to data;
  5. approving the release of University data to be used or shared outside the University;
  6. maintaining acceptable levels of data quality as well as identifying data critical to business operations to be constantly monitored for quality; and
  7. escalating data governance issues to the appropriate Data Executive.

Data Steward

(31) Data Stewards are responsible for performing data management, quality, privacy and security tasks as directed by the Data Guardian, as well as:

  1. creating and enforcing processes and procedures for implementation;
  2. acting as subject matter experts for the University community for data within their stewardship;
  3. understanding end-to-end data flows and identifying data dependencies to support enterprise reporting and downstream data consumption;
  4. developing and approving business terms and definitions;
  5. proactively communicating planned changes for data held in systems within their assigned domain;
  6. developing data sharing agreements with other business units;
  7. recommending appropriate data security classifications to the Data Guardian; and
  8. escalating data governance issues to Data Guardian.

(32) The Data and Analytics Division is responsible for:

  1. recording and maintaining the list of the current agreed Data Executives, Data Guardians, Data Stewards and Data Specialists;
  2. locating and assigning Data Specialists;
  3. recording and maintaining the security classification for data assets;
  4. providing guidance for Data Executives, Data Guardians, Data Stewards on the implementation of their duties and responsibilities.
Top of Page

Section 9 - Definitions

Word/Term Definition
(Data) Access The ability to interact with data in one or more ways, such as the ability to read, copy, query, retrieve, update or delete data.
Data Stored facts and statistics collected for reference, analysis or other purposes as required by University business.
Examples of data are provided at Section 6 Data Security Classification.
Data Asset A structure for grouping data used mainly for practical data management purposes such as access, data security classification, etc.
Suggested examples include database column (field), database table, entity, REST API endpoint, source system, etc.
Data Governance The specification of decision rights and an accountability framework to ensure the appropriate behaviour in the valuation, creation, consumption and control of data.
Data quality An assessment of data’s fitness to serve its purpose in a given context.
Personal Information Information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion
Sensitive Personal Information A subset of personal information, defined as:
  1. information or an opinion (that is also personal information) about an individual’s:
    racial or ethnic origin
    political opinions
    membership of a political association
    religious beliefs or affiliations
    philosophical beliefs
    membership of a professional or trade association
    membership of a trade union
    sexual orientation or practices, or
    criminal record
  2. health information about an individual
  3. genetic information (that is not otherwise health information)
  4. biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or
  5. biometric templates
Staff All people employed by the University including conjoint appointments, whether on continuing, permanent, fixed term, casual or cadet or traineeship basis.
University University of Wollongong.