Data Handling Guidelines

Section 1 - Introduction/Background
(1) These Guidelines provide recommendations to support the practical implementation of the IT Acceptable Use Policy and Data Governance Procedure.
(2) These Guidelines should be read in conjunction with the IT Acceptable Use Policy, the Data Governance Procedure and the Data Quality Management Procedure.

Section 2 - Scope/Purpose
(3) The purpose of these Guidelines is to provide guidance on how to protect and handle data during its creation, access, storage, transmission, integration and disposal based on its security classification.
(4) These Guidelines apply primarily to Data Guardians, Data Stewards, Information Management and Technology Services and the Data and Analytics Division;
(5) Sections 5 and 6 of these Guidelines apply to all Staff;
(6) These guidelines apply to all data stored by the University, with the exception of data referred to in clause 7
(7) These guidelines do not apply to:

Section 3 - Data Asset Creation
(8) All data assets must be assigned an appropriate Data Guardian on creation, in accordance with the Data Governance Procedure.
(9) Any business process specific to regulatory or legislative requirements for data asset creation should be considered and implemented.
(10) Staff creating restricted data assets are strongly recommended to undertake Privacy and IT Security training.
(11) Staff creating restricted data assets are recommended to produce a data management plan with template and storage of the document provided by the Data and Analytics Division.

Section 4 - Data Access
(12) For all data except Public, access is based on a relevant business need, and is at the discretion of Data Guardians or their delegates.
(13) The recommended authentication requirements are:
(14) Automated monitoring of access logs for security anomalies is recommended.

Section 5 - Data Storage
(15) In accordance with Data Governance Procedure, external portable storage (CDs, DVDs, USB/Flash Drives, etc.), personal devices, personal cloud storage or personal email accounts must not store Controlled, Protected or Restricted data.
(16) University managed devices, such as Desktops, Laptops, Tablets, Phones, etc., storing Controlled and Protected data are recommended to:
(17) Storage of Protected Data on University managed devices is strongly discouraged as it should be stored on University managed file servers (Such as H: or S: drives) or with the IMTS approved external services providers.
(18) In accordance with Data Governance Procedure, Restricted Data must not be stored on University managed devices and should be stored on University managed file servers (Such as H: or S: drives) or with the IMTS approved external services providers.
(19) Replica environments (such as Test, Development, Staging Environments, etc.) should not contain Personal Information (unless required by an appropriate legitimate business need and approved by a Data Guardian), and should be appropriately masked, scrubbed or sanitized as prescribed within Section 8.
(20) In accordance with the IT Acceptable Use Policy, University data must not be stored or backed up with externally hosted services other than where provided through and approved by IMTS.
(21) Use of on-premises and cloud servers to store data is recommended to adhere to the following requirements:
(22) Automated monitoring of storage logs for security anomalies is recommended.

Section 6 - Data Transmission
(23) For controlled data, encryption is recommended when transmitting through public networks.
(24) For protected data, encryption is strongly recommended when transmitting through public networks. Indirect transmission methods (such as email) should not be used. If the data platform or system is vendor managed/cloud hosted, then encryption keys should be managed by the University.
(25) For restricted data, encryption is strongly recommended when transmitting through the University network and public networks. Indirect transmission methods (such as email) are strongly advised against. If the data platform or system is vendor managed/cloud hosted, then encryption keys should be managed by the University.
(26) Automated monitoring of transmission logs for security anomalies is recommended.

Section 7 - Data Sovereignty
(27) Public data can be stored within any region.
(28) Controlled and Protected data should be stored within Australian Territories.
(29) Restricted data is strongly recommended to be stored within Australian Territories.

Section 8 - Data Integration
(30) Data should be masked, scrubbed or sanitized (de-identified) when it is moved from a system holding data with a higher security classification to a system holding data with a lower security classification.
(31) If clause 30 cannot be achieved then the system holding data with a lower security classification data must be treated as a system holding data of the higher security classification, and appropriate controls for the higher security classification should be applied.

Section 9 - Data Disposal
(32) Data Guardians should refer to the Records Management Policy as well as relevant legislation (such as the State Records Act 1998) to determine when the disposal of data stored in records can or should take place.

Section 10 - Roles and Responsibilities
All Staff
(33) All staff are responsible for:
Data Creator
(34) Data Creators are responsible for:
Information Management and Technology Services
(35) Information Management and Technology Services teams are responsible for:
Data Guardian
(36) Data Guardians are responsible for:

Section 11 - Definitions
(37) All other definitions relating to data are detailed in the Data Governance Procedure.
Word/Term
Definition
Controlled Data
Data that if breached due to accidental, negligent or malicious activity would have a low adverse impact on an individual and/or the University’s activities, objectives and reputation.
Suggested examples include business processes and procedures, operational records, internal communications which do not contain Protected or Restricted data.
Data Creator
Staff who create original data assets and their structure and/or model in the course of performing a duty or function for the University.
Data Executive
A member of the Senior Executive with strategic planning and decision-making authority for the University’s data.
Data Guardian
Senior leadership with high-level knowledge, expertise and tactical decision making in data within their responsibility.
Data Integration
The process of combining data from different sources into a single unified view, which provides meaningful and valuable information across systems.
Data Management Plan
A document which defines appropriate users/roles, usage and scope, and what mitigation strategies will be employed to assure the security of a particular data asset.
Data Sovereignty
The concept that data is stored and retained within the nation it is collected, as the data would be subject to legislative and/or regulatory requirements within that nation.
Data Specialist
A business and/or technical subject matter expert in relation to a data asset. They are typically Business or Information Technology specialists who provide ongoing technical support as a part of their day-to-day role.
Data Transmission
The process of transmitting data between two or more parties (such as devices, systems or users).
Privileged Users
A user that has more privileges than ordinary users of a system. Privileged users may be identified by their ability to view and modify data about other users, be able to install or remove software, change security controls, or modify system and/or application configurations.
Protected Data
Data that if breached due to accidental, negligent or malicious activity would have a moderate adverse impact on an individual and/or the University’s activities, objectives and reputation.
Suggested examples include Personal Information such as student and staff data, assessment and exam data, organisational confidential and Financial data.
Public Data
Data that if breached owing to accidental or malicious activity would have an insignificant impact on the University’s activities and objectives.
Suggested examples include web content, course handbook, published reports, staff directory.
Restricted Data
Data that if breached due to accidental, negligent or malicious activity would have a high adverse impact on an individual and/or the University’s activities, objectives and reputation. Suggested examples include data subject to regulatory control, Health Information, Sensitive Personal Information, Personal Information of Children and Young Persons.
This is the current version of this document.