Document Currently Under Review
Current Status: Under Review - With Editor 16 September 2019
Federation University Australia recognises that its corporate data is an important strategic asset. This procedure supports and mandates the implementation of the Master Data Management Policy. It expands on the principles outlined in the policy and provides direction and guidance on assessing the sensitivity and importance of its corporate data and usage.
All University data created must be allocated a classification so that it is managed, used and secured in a manner appropriate to its importance and sensitivity.
This procedure applies to all digital and digitised data produced, stored and/or utilised by members of the University’s community. While partner provider organisations are supported through the use of specific University information technology systems, this procedure does not apply to other non-University electronic data created, managed or stored by these organisations.
- Federation University Australia Act 2010
- Information Privacy Act 2000 (Victoria)
- Electronic Transactions Act 2000 (Victoria)
- Public Record Act 1973 (Victoria)
- Australian Copyright Act of 1968
- Evidence Act 1958 (Victoria)
- Australian Code for the Responsible Conduct of Research (2007)
- OECD Principles and Guidelines for Access to Research Data from Public Funding (2007)
- Australian Qualifications Framework (AQF) Second Edition January 2013
- Australian Skills Quality Authority (ASQA)
- Higher Education Standards Framework (Threshold Standards) 2011
- Tertiary Education Quality and Standards Agency (TEQSA)
- Higher Education and Skills Group (HESG)
- 2014 – 2016 VET Funding Contract
A complete list of definitions relevant to this procedure is contained within the Master Data Management Policy.
A further list of definitions specifically relevant to this procedure is included below:
Term | Definition |
---|---|
Data classification | A scheme comprising four levels: Public, General Internal, Protected or Restricted. The creator of University data is required to assess the importance and sensitivity of the data and assign a label to that data so that it can be managed and stored with the appropriate consideration |
Data owner | Entity that can authorise or deny access to certain data and is responsible for its accuracy, integrity and timeliness |
Data user | Controls the collection, classification, processing, use or storage of specific data following specified protocols |
General Internal Data | University data that is not generally made publicly available and release of such information may cause minor impact on the reputation of the University, other organisation or individual eg academic lecture notes |
Information assets | Definable pieces of information in any form, recorded or stored on any media that is recognised as valuable to the University |
Personal use | All non-work or study related use including internet usage and private emails |
Protected Data | Confidential University data with limited access with unauthorised disclosure, modification; data that includes personally identifiable information, is commercially sensitive eg salary information, contracts, medical/health records etc and if released could cause reputational harm or embarrassment to the University eg budget data, academic records, student grades, planning or purchasing documents |
Public Data | Data created with the intention of being in the public domain, that is publicly available and unlikely to impact on the reputation of the University, other organisation or individual eg academic calendar, course outlines |
Restricted Data | Strictly confidential or sensitive University information eg budget data, academic records, student grades, planning or purchasing documents, restricted to individuals who are explicitly granted access with unauthorised disclosure, modification or destruction and if released is most likely to cause reputational harm or embarrassment to the University, other organisation or individual, compromise Australia’s national security, national interests, economy, stability, integrity or damage international relations or defence eg research requiring ethics clearances, information relating to allegations of fraud |
ACTIVITY | RESPONSIBILITY | STEPS |
---|---|---|
A. Protecting data assets | Data owner | |

ACTIVITY | RESPONSIBILITY | STEPS |
---|---|---|
A. Identifying the appropriate data classification | Data owner | |
B. Reclassifying data | Data users | |
C. Classifying data from another source | Data users | |

ACTIVITY | RESPONSIBILITY | STEPS |
---|---|---|
A. Ensuring correct access | Data owner | |
B. Storing data | Data owner | |
C. Disposing of data | Data owner | |

ACTIVITY | RESPONSIBILITY | STEPS |
---|---|---|
A. Reclassifying data | Data owner | |

ACTIVITY | RESPONSIBILITY | STEPS |
---|---|---|
A. Approving data dispersal | Data owner | |

ACTIVITY | RESPONSIBILITY | STEPS |
---|---|---|
A. Ensuring data usage is appropriate | Data owner | |

- Master Data Management Policy
- Data Storage Procedure
- Research Data Management Policy
- Research Data Management Procedure (in draft)
- Data Backup and Recovery Procedure
- Records Management Policy
- Records Management Procedure
- Information Privacy Policy
- Information Privacy Procedure
- Deputy Vice-Chancellor, Student Support and Services is responsible for monitoring the implementation, outcomes and scheduled review of this procedure
- Executive Director, Information Technology and Business Solutions is responsible for maintaining the content of this procedure as delegated by the Deputy Vice-Chancellor, Student Support and Services
- Manager, Business Partnerships and Service Governance is responsible for the administration support for the maintenance of this policy as directed by the Executive Director, Information Technology and Business Solutions
The Data Classification and Usage Procedure will be communicated throughout the University community in the form of:
- an Announcement Notice via FedNews and on the FedUni Policy Central’s Policy Library ‘Recently Approved Documents’ page to alert the University-wide community of the approved Procedure;
- distribution of e-mails to Head of School / Head of Department / University staff; and/or
- notification to Organisational Units, Schools, Directorates and other relevant parties
- training / information sessions
The Data Classification and Usage Procedure will be implemented throughout the University via:
- an Announcement Notice via FedNews and on the FedUni Policy Central’s Policy Library ‘Recently Approved Documents’ page to alert the University-wide community of the approved Procedure;
- Staff induction sessions
- Training sessions, if required
Document Title | Location | Responsible Officer | Minimum Retention Period |
---|---|---|---|
Functional Design Document | The University’s approved records management system | Information Technology Services | 7 years after administrative use has concluded |
Information Model (identifies relationships between major data entities and systems of record) [section 3.2 page 35] | The University’s approved records management system | Information Technology Services | 7 years after administrative use has concluded |
Migration plans and quality assurance checks for migrated data | The University’s approved records management system | Information Technology Services | 1 year after migration has been completed |
System testing strategies, result forms and test reports | The University’s approved records management system | Information Technology Services | 7 years after administrative use has concluded |
Classification | Examples | Potential Impact (refer Level of Impact Table) |
---|---|---|
Public | Newsletter, education material created for public use, course schedule, course catalogue, campus brochure, campus map, annual report | Negligible adverse impact to the University if disclosed |
General Internal | Academic lecture notes | May cause minor impact on the reputation of the University, other organisation or individual |
Protected | Intellectual property, commercially sensitive research, personally identifiable sensitive information, credit/debit card details, disciplinary information, salary information, examination papers, binding contracts, HR personal evaluations, medical / health records, budget and financial data, de-identified clinical research information, audit reports, student academic records, student grades, strategy and planning documents, purchasing data | Would cause exceptional damage to the University, staff or students if disclosed. These records manage University functions or business activities where greater restrictions are required to protect the rights and interests of both the University and individuals, or to limit the University’s liabilities |
Restricted | Confidential out-of-court settlements, records affecting national security, protected disclosures, security vulnerabilities | Could cause physical harm to individuals or impact the University’s existence if disclosed. These records manage University functions or business activities where wider dissemination would expose the University or individuals to significant risks or liabilities |
The goal of data security is to protect the confidentiality, integrity and availability of data assets. Data Classification reflects the level of impact to the University if confidentiality, integrity or availability of data is compromised:
Security objective | Potential Impact: LOW | Potential Impact: MODERATE | Potential Impact: HIGH |
---|---|---|---|
Confidentiality: Preserving authorised restrictions on data access and disclosure, including the means for protecting personal privacy and proprietary information | The unauthorised disclosure of data could be expected to have a limited adverse effect on the University’s operations, assets or individuals | The unauthorised disclosure of data could be expected to have a serious adverse effect on the University’s operations, assets or individuals | The unauthorised disclosure of data could be expected to have a severe or catastrophic adverse effect on the University’s operations, assets or individuals |
Integrity: Guarding against improper data modification or destruction and includes ensuring data non-repudiation and authenticity | The unauthorised disclosure of data could be expected to have a limited adverse effect on the University’s operations, assets or individuals | The unauthorised disclosure of data could be expected to have a serious adverse effect on the University’s operations, assets or individuals | The unauthorised disclosure of data could be expected to have a severe or catastrophic adverse effect on the University’s operations, assets or individuals |
Availability: Ensuring timely and reliable access to and use of data | The disruption of access to or use of data or a data system could be expected to have a limited adverse effect on the University’s operations, assets or individuals | The disruption of access to or use of data or a data system could be expected to have a serious adverse effect on the University’s operations, assets or individuals | The disruption of access to or use of data or a data system could be expected to have a severe or catastrophic adverse effect on the University’s operations, assets or individuals |
Classification | Access | Storage | Disposal |
---|---|---|---|
Public | Records are accessible by external parties from any location | Storage must be as per Data Storage Procedure | Disposal must be as per Records Management Procedure |
General Internal | Information is classified as General Internal by default unless reclassified by the creator; access to General Internal records and files is limited to University staff or other authorised personnel | Storage must be as per Data Storage Procedure | Disposal must be as per Records Management Procedure |
Protected | Access to records and files requires authentication and password protection. Records accessible by only a limited number of authorised people. Records and portable storage devices should be stored in a secured (locked) location | Storage must be as per Data Storage Procedure | Disposal must be as per Records Management Procedure |
Restricted | Access to records and files requires authentication and password protection. Record and file access must be protected and accessible by only top level management within the University. Devices and records must be stored in a secured (locked) location | Storage must be as per Data Storage Procedure. If data is to be moved, it must be encrypted | Disposal must be as per Records Management Procedure |