Data Handling Guidelines

This is the current version of this document.

Section 1 - Introduction/Background

(1) These Guidelines provide recommendations to support the practical implementation of the IT Acceptable Use Policy and Data Governance Procedure.

(2) These Guidelines should be read in conjunction with the IT Acceptable Use Policy, the Data Governance Procedure and the Data Quality Management Procedure.

Section 2 - Scope/Purpose

(3) The purpose of these Guidelines is to provide guidance on how to protect and handle data during its creation, access, storage, transmission, integration and disposal based on its security classification.

(4) These Guidelines apply primarily to Data Guardians, Data Stewards, Information Management and Technology Services and the Data and Analytics Division.

(5) Sections 5 and 6 of these Guidelines apply to all Staff.

(6) These Guidelines apply to all data stored by the University, with the exception of data referred to in clause 7.

(7) These Guidelines do not apply to:

  1. research data defined in the Research Data Management Policy; and
  2. data of University Controlled Entities.

Section 3 - Data Asset Creation

(8) All data assets must be assigned an appropriate Data Guardian on creation, in accordance with the Data Governance Procedure.

(9) Any business process specific to regulatory or legislative requirements for data asset creation should be considered and implemented.

(10) Staff creating restricted data assets are strongly recommended to undertake Privacy and IT Security training.

(11) Staff creating restricted data assets are recommended to produce a data management plan; the template and storage for the document are provided by the Data and Analytics Division.

Section 4 - Data Access

(12) For all data except Public, access is based on a relevant business need, and is at the discretion of Data Guardians or their delegates.

(13) The recommended authentication requirements are:

  1. for access to controlled data, users are to authenticate using at least single-factor authentication;
  2. for access to protected data, users are to authenticate using at least single-factor authentication. Privileged Users are to authenticate using multi-factor authentication methods when communicating with the system over a public network;
  3. for access to restricted data, users are to authenticate using multi-factor authentication methods.

(14) Automated monitoring of access logs for security anomalies is recommended.

Section 5 - Data Storage

(15) In accordance with the Data Governance Procedure, external portable storage (CDs, DVDs, USB/Flash Drives, etc.), personal devices, personal cloud storage or personal email accounts must not be used to store Controlled, Protected or Restricted data.

(16) University managed devices, such as Desktops, Laptops, Tablets, Phones, etc., storing Controlled and Protected data are recommended to:

  1. use hard drive encryption;
  2. have endpoint security protection software;
  3. have an endpoint firewall enabled which restricts network access to services offered by that device;
  4. have appropriately maintained operating system patching applied; and
  5. use password protection.

(17) Storage of Protected Data on University managed devices is strongly discouraged, as it should be stored on University managed file servers (such as H: or S: drives) or with IMTS approved external service providers.

(18) In accordance with the Data Governance Procedure, Restricted Data must not be stored on University managed devices and should be stored on University managed file servers (such as H: or S: drives) or with IMTS approved external service providers.

(19) Replica environments (such as Test, Development, Staging Environments, etc.) should not contain Personal Information (unless required by an appropriate legitimate business need and approved by a Data Guardian), and should be appropriately masked, scrubbed or sanitized as prescribed within Section 8.

(20) In accordance with the IT Acceptable Use Policy, University data must not be stored or backed up with externally hosted services other than where provided through and approved by IMTS.

(21) Use of on-premises and cloud servers to store data is recommended to adhere to the following requirements:

  1. Controlled data:
    1. firewall rules, appropriate for either a backend or consolidated tier as per the University Data Centre Security Model;
    2. encryption is recommended for data at rest.
  2. Protected data:
    1. firewall rules, appropriate for either a backend green tier or consolidated green tier as per the University Data Centre Security Model;
    2. encryption is strongly recommended for data at rest.
  3. Restricted data:
    1. firewall rules, appropriate for a backend green tier as per the University Data Centre Security Model;
    2. encryption is strongly recommended for data at rest.

(22) Automated monitoring of storage logs for security anomalies is recommended.

Section 6 - Data Transmission

(23) For controlled data, encryption is recommended when transmitting through public networks.

(24) For protected data, encryption is strongly recommended when transmitting through public networks. Indirect transmission methods (such as email) should not be used. If the data platform or system is vendor managed/cloud hosted, then encryption keys should be managed by the University.

(25) For restricted data, encryption is strongly recommended when transmitting through the University network and public networks. Indirect transmission methods (such as email) are strongly advised against. If the data platform or system is vendor managed/cloud hosted, then encryption keys should be managed by the University.

(26) Automated monitoring of transmission logs for security anomalies is recommended.

Section 7 - Data Sovereignty

(27) Public data can be stored within any region.

(28) Controlled and Protected data should be stored within Australian Territories.

(29) Restricted data is strongly recommended to be stored within Australian Territories.

Section 8 - Data Integration

(30) Data should be masked, scrubbed or sanitized (de-identified) when it is moved from a system holding data with a higher security classification to a system holding data with a lower security classification.

(31) If clause 30 cannot be achieved then the system holding data with a lower security classification must be treated as a system holding data of the higher security classification, and appropriate controls for the higher security classification should be applied.

Section 9 - Data Disposal

(32) Data Guardians should refer to the Records Management Policy as well as relevant legislation (such as the State Records Act 1998) to determine when the disposal of data stored in records can or should take place.

Section 10 - Roles and Responsibilities

All Staff

(33) All staff are responsible for:

  1. appropriately storing data as prescribed in Section 5; and
  2. appropriately transmitting data as prescribed in Section 6.

Data Creator

(34) Data Creators are responsible for:

  1. creation of the data structure of a data asset;
  2. advising an appropriate Data Guardian, who will have responsibility for business processes related to the data asset created, that the data asset has been created; and
  3. ensuring data quality at the creation stage until it becomes a part of business processes in which it transitions to the responsibility of the Data Guardian.

Information Management and Technology Services

(35) Information Management and Technology Services teams are responsible for:

  1. ensuring appropriate logging for IMTS Managed Environments;
  2. monitoring of access, transmission, storage and audit logs of systems held within the IMTS Managed Environments for security anomalies;
  3. ensuring that data is appropriately masked, scrubbed or sanitized as prescribed within Sections 5 and 8;
  4. ensuring that data systems are compliant with the integration requirements prescribed within Section 8;
  5. implementing data storage requirements for University managed devices; and
  6. advising University Staff on the implementation of these guidelines.

Data Guardian

(36) Data Guardians are responsible for:

  1. authorising access to data;
  2. ensuring that data sovereignty requirements are implemented for data stored outside of IMTS Managed Environments;
  3. ensuring appropriate logging and review of access, transmission and audit logs of systems outside of the IMTS Managed Environment; and
  4. managing disposal of data stored in University records in accordance with the Records Management Policy.

Section 11 - Definitions

| Word/Term | Definition |
|---|---|
| Controlled Data | Data that if breached due to accidental, negligent or malicious activity would have a low adverse impact on an individual and/or the University’s activities, objectives and reputation. Suggested examples include business processes and procedures, operational records, internal communications which do not contain Protected or Restricted data. |
| Data Creator | Staff who create original data assets and their structure and/or model in the course of performing a duty or function for the University. |
| Data Executive | A member of the Senior Executive with strategic planning and decision-making authority for the University’s data. |
| Data Guardian | Senior leadership with high-level knowledge, expertise and tactical decision making in data within their responsibility. |
| Data Integration | The process of combining data from different sources into a single unified view, which provides meaningful and valuable information across systems. |
| Data Management Plan | A document which defines appropriate users/roles, usage and scope, and what mitigation strategies will be employed to assure the security of a particular data asset. |
| Data Sovereignty | The concept that data is stored and retained within the nation it is collected, as the data would be subject to legislative and/or regulatory requirements within that nation. |
| Data Specialist | A business and/or technical subject matter expert in relation to a data asset. They are typically Business or Information Technology specialists who provide ongoing technical support as a part of their day-to-day role. |
| Data Transmission | The process of transmitting data between two or more parties (such as devices, systems or users). |
| Privileged Users | A user that has more privileges than ordinary users of a system. Privileged users may be identified by their ability to view and modify data about other users, be able to install or remove software, change security controls, or modify system and/or application configurations. |
| Protected Data | Data that if breached due to accidental, negligent or malicious activity would have a moderate adverse impact on an individual and/or the University’s activities, objectives and reputation. Suggested examples include Personal Information such as student and staff data, assessment and exam data, organisational confidential and Financial data. |
| Public Data | Data that if breached owing to accidental or malicious activity would have an insignificant impact on the University’s activities and objectives. Suggested examples include web content, course handbook, published reports, staff directory. |
| Restricted Data | Data that if breached due to accidental, negligent or malicious activity would have a high adverse impact on an individual and/or the University’s activities, objectives and reputation. Suggested examples include data subject to regulatory control, Health Information, Sensitive Personal Information, Personal Information of Children and Young Persons. |

(37) All other definitions relating to data are detailed in the Data Governance Procedure.