View Current

Data Governance and Management Policy

This is the current version of this document. You can provide feedback on this document to the document author - refer to the Status and Details on the document's navigation bar.

Section 1 - Purpose

(1) The University of Wollongong (the University) recognises the importance of data as a strategic asset and is committed to building a data culture to effectively govern and manage it in support of organisational, student, and research outcomes.

(2) The purpose of this Policy is to:

  1. establish a framework for governing the University’s data, ensuring a consistent approach to data management;
  2. define the key roles and responsibilities for governance and management of University data;
  3. define the principles for managing and protecting University data throughout its lifecycle.
Top of Page

Section 2 - Application and Scope 

(3) This Policy supports and should be read in conjunction with:

  1. Information Security Policy - to outline how the University protects its data against cyber security threats.
  2. Data Breach Policy – to outline the strategies to effectively respond to a data breach, reduce possible harm to individuals and organisations, and prevent future breaches.
  3. IT Acceptable Use Policy – to outline how to appropriately use IT facilities that allow storage of and access to the University’s data.
  4. Privacy Policy – to outline how the University handles and safeguards personal information.
  5. Purchasing and Procurement Policy – to manage responsibilities for data management during procurement activities.
  6. Records Management Policy – to outline responsibilities and compliance controls regarding managing University records.
  7. Research Data Management Policy – to manage research data.
  8. Enterprise Risk Management Policy and Enterprise Risk Management Procedures – to apply risk management practices to data.

(4) This Policy is implemented through the combination of these policies, the Data Classification and Handling Procedure, the Data Quality Management Procedure, and the supporting data literacy and culture programs.

(5) This Policy applies to University staff and affiliates.

(6) This Policy applies to University data except for research data as defined in the Research Data Management Policy.

Top of Page

Section 3 - Principles

(7) Data management at the University is guided by the following INSIGHT principles:

  1. Informs Strategy – data is a valuable, strategic, institutional asset that informs decision making;
  2. Nimble – data is adaptable, reusable, and easy to find across the organisation;
  3. Secure – data is protected, managed, authorised, and accessed via secure methods;
  4. Integrated – data is standardised and interoperable for use across systems and processes;
  5. Governed – data governance roles, responsibilities, and processes are well defined and provides transparency to the way we work;  
  6. High Quality – data quality is fit for purpose and understood across its lifecycle; and
  7. Timely – data enables sound decision making based on timely access.
Top of Page

Section 4 - Data Governance

(8) University data must have Data Custodians responsible and accountable for data management.

(9) Data Custodian roles are defined as follows:

  1. Data Executives are members of the Senior Executive Group with university level strategic planning and decision-making authority for data within their respective portfolios. The Data Executive for faculty data is the Vice-Chancellor and President.
  2. Data Guardians are members of senior leadership, usually a divisional director, faculty executive manager, or similar level, responsible for making strategic and tactical decisions about data within their divisions or faculties.
  3. Data Stewards act on behalf of Data Guardians and are responsible for the policy implementation and day-to-day data management activities in areas within their assigned responsibility. Data stewards are appointed by Data Guardians.
Top of Page

Section 5 - Data Management

(10)  Data management means that University data is managed throughout its lifecycle from collection to disposal. This means that data:

  1. is only collected, used, and accessed ethically and in accordance with the University’s obligations to support and facilitate the effective implementation of university functions;
  2. is appropriately assessed when undertaking new projects, initiatives, or systems to identify and mitigate data management risks by utilising tools such as a Privacy Impact Assessment and the Records Impact Assessment;
  3. is associated with a designated source of truth and not duplicated across the organisation;
  4. is stored only within University approved applications and storage;
  5. is classified, labelled, handled, protected, and stored in accordance with the Data Classification and Handling Procedure and other associated policies;
  6. sharing and transferring of data to external parties must be accompanied by a Data Sharing Agreement, non-disclosure agreement, contract, or equivalent agreement and be approved by the Data Guardian;
  7. received from an external party must be managed in accordance with the relevant legislative or contractual obligations, UOW policies, or other restrictions imposed by the sender for the relevant jurisdiction;
  8. must have quality assessed, monitored, and remediated in accordance with the Data Quality Management Procedure;
  9. should be disposed of after meeting the mandated retention period and when the business purpose has been met. Disposal must be in accordance with the Records Management Policy.

(11) University data is to be documented in the Data Asset Register(DAR), grouped into data assets, and linked to the Enterprise Data Model with an associated business glossary.

(12) The Data Asset Register will identify the University’s High-Risk and/or High-Value (HR/HV) data assets, determined by a Critical Process Impact Analysis as outlined in the Business Continuity Management Policy, so that appropriate security and governance measures can be implemented to protect them effectively.

Top of Page

Section 6 -  Roles and Responsibilities 

Data Custodians Responsibilities

(13) Data Executives are responsible for:

  1. providing high level strategic support and guidance for data governance and management within their portfolio;
  2. appointing Data Guardians within their portfolio if there is a need to assign this role to anyone other than a divisional director, Faculty Executive Manager, or Executive Dean;
  3. defining the single source of truth for the data under their custodianship; and
  4. resolving escalated disputes over ownership, access, quality, and the classification of data.

(14) Data Guardians are responsible for overall data management within their division or faculty, including but not limited to:

  1. ensuring that all legal, regulatory, and policy requirements are met in relation to data;
  2. appointing Data Stewards;
  3. approving data access and sharing within the University;
  4. approving external access and sharing of data in alignment with other responsible organisational units where required;
  5. addressing data quality issues in accordance with the Data Quality Management Procedure;
  6. ensuring that data is not retained for longer than required;
  7. managing data management related risks in line with the University risk management framework;
  8. ensuring that staff within their units are aware of data handling and information compliance requirements; and
  9. escalating data management issues to the Data Executive.

(15) Data Stewards are responsible for performing data management tasks as directed by the Data Guardian, including but not limited to:

  1. creating and implementing business processes to manage data locally;
  2. acting as subject matter experts for the University community;
  3. building and promoting data culture initiatives;
  4. understanding end-to-end data flows and identifying dependencies;
  5. providing business terms and definitions; and
  6. escalating data management issues to the Data Guardian.

Divisional Responsibilities

(16) The Vice-President Operations is accountable for the overall planning and implementation of the University’s data governance and management framework.

(17) The Data and Analytics Division are responsible for:

  1. developing University-wide procedures to support the implementation of this Policy;
  2. coordinating and engaging with other divisions that are responsible for the implementation of the supporting policies that impact the implementation of this Policy;
  3. building and implementing data literacy and culture programs;
  4. maintaining and publishing the Enterprise Data Model that is used as the foundation for assigning data governance responsibilities across the University;
  5. provisioning and publishing the University’s Data Asset Register;
  6. identifying, onboarding, training, supporting, and engaging Data Custodians in the implementation of this Policy;
  7. providing training and resources to ensure staff understand their data management responsibilities;
  8. maintaining and publishing the current list of Data Custodians; and
  9. managing the list of all current exceptions to this Policy.

(18) The Information Compliance Unit are responsible for maintaining the High-Risk and/or High-Value evaluations for University Data (excluding UOW College or UOW Pulse) within the University’s Data Asset Register.

(19) Information Management and Technology Services Division are responsible for:

  1. ensuring the University’s IT infrastructure and services operate in line with this Policy and all the supporting policies;
  2. maintaining and publishing an up-to-date list of all University systems and their respective owners; and
  3. ensuring that University systems can support data handling recommendations outlined in the Data Classification and Handling Procedure.

All Staff

(20) All staff are responsible for:

  1. classifying University data and labelling and handling it according to the requirements of its classification;
  2. ensuring security, privacy, and recordkeeping requirements are maintained whenever data is accessed, stored, or transmitted;
  3. completing data related training provided by the University in a timely manner;
  4. making reasonable effort to understand data and ensure its suitability for the intended use;
  5. reporting any data quality issues in accordance with the Data Quality Management Procedure;
  6. obtaining approval from the relevant Data Guardian for internal or external sharing and use of data; and
  7. prompt reporting of identified or suspected data breaches in alignment with the Data Breach Policy.
Top of Page

Section 7 - Definitions

Word/Term Definition (with examples if required)
Affiliates
Includes people holding University of Wollongong Honorary Awards as conferred by the University Council, including the awards of Emeritus Professor, Honorary Doctor and University Fellow; people appointed in accordance with the University’s Appointment of Visiting and Honorary Academics Policy; and people engaged by the University as agency staff, contractors, volunteers and work experience students.
(University) Data
All information created, received, stored, or managed by the university in any format and required for the University to perform its functions.
Enterprise Data Model (EDM)
A structured, high-level representation of university data, organised into domains and subdomains, designed to assign data governance responsibilities.
Data Asset Register (DAR)
A structured, logical grouping of key University data assets, mapped to the Enterprise Data Model, detailing their ownership, classification, and other attributes to support effective data governance, management, and compliance.
Data Custodian
An overarching term encompassing roles of Data Executive, Data Guardian, and Data Steward.
Data Governance
A collection of policies, practices, and data ownership to ensure data’s quality, adherence to regulatory and corporate requirements, and overall efficient management.
Data Management
Operational execution of the policies and practices defined by data governance. It involves the technical and administrative processes to acquire, store, protect, and use data throughout its lifecycle.
Staff
All people employed by the University including conjoint appointments, whether on continuing, permanent, fixed term, casual or cadet or traineeship basis.
University
University of Wollongong (UOW), UOW Pulse, and UOW College Australia.