I.T.
- Use of Computing and Communication Facilities Policy
- Information Security Policy
- Deployment of Custom Applications and Projects on the University's Corporate Webserver Guidelines
- Master Data Management Policy
- Data Classification and Usage Procedure
- Data Storage Procedure
- Web Management and Publishing Policy
- Web Management and Publishing Procedure
- Forms
- Printable PDF Version
Document Currently Under Review
Current Status: Under Review - With Editor 16 September 2019
This procedure supports and mandates the implementation of the Master Data Management Policy. It expands on the principles outlined in the policy as they relate to data management and provides guidance on the implementation and practical application of data storage solutions.
This procedure applies to all digital and digitised data produced, stored and/or utilised by members of the University’s community.
While partner provider organisations are supported through the use of specific University information technology systems, this procedure does not apply to electronic data created, managed or stored by these organisations.
- Federation University Australia Act 2010
- Information Privacy Act 2000 (Victoria)
- Electronic Transactions Act 2000 (Victoria)
- Public Record Act 1973 (Victoria)
- Australian Copyright Act of 1968
- Evidence Act 1958 (Victoria)
- Australian Code for the Responsible Conduct of Research (2007)
- OECD Principles and Guidelines for Access to Research Data from Public Funding (2007)
- Australian Qualifications Framework (AQF) Second Edition January 2013
- Australian Skills Quality Authority (ASQA)
- Higher Education Standards Framework (Threshold Standards) 2011
- Tertiary Education Quality and Standards Agency (TEQSA)
- Higher Education and Skills Group (HESG)
- 2014 – 2016 VET Funding Contract
A complete list of definitions relevant to this procedure is contained within the Master Data Management Policy.
A further list of definitions specifically relevant to this procedure is included below:
Term | Definition |
---|---|
Cloud computing |
The delivery of on-demand computing resources over the internet with four options in terms of access and security: Private cloud – services and infrastructure maintained and managed by self or a third party which reduces potential security and control risks particularly in relation to sensitive data requirements eg data and applications are a core part of your business Community cloud – several organisations with similar security considerations share access to a private cloud eg a group of franchises who have their own private clouds which are hosted remotely in a private environment Public cloud – services are stored off-site, managed by an external organisation such as Google or Microsoft and accessed over the internet which offers the greatest level of flexibility and cost saving but more vulnerable than private clouds Hybrid cloud – takes advantage of both public and private cloud services and gain benefits by spreading options across different cloud models eg use public cloud for emails to save on large storage costs while keeping highly sensitive data safe and secure behind the firewall in a private cloud |
Cloud-based applications | Software as a service (SaaS), run on cloud computers that are owned and operated by others and connect to users’ computers via the internet and a web browser |
Cloud-based environment | Platform as a service (PaaS) provides everything required to support the complete lifecycle of building and delivering web-based (cloud) applications, without the cost and complexity of buying and managing the underlying hardware, software, provisioning and hosting |
Information Security Classification |
Process whereby the creator (user) assesses the sensitivity and importance of the information and assigns a classification to the data/information so that it can be managed or stored appropriately eg Public – information that is publically available and unlikely to impact on the reputation of the University, other organisation or individual eg academic calendar, course outlines General Internal – University information that is not generally made publically available and release of such information may cause minor impact on the reputation of the University, other organisation or individual eg academic lecture notes Protected – confidential University information with limited access with unauthorised disclosure, modification. Data that is released which could cause reputational harm or embarrassment to the University eg budget data, academic records, student grades, planning or purchasing documents Restricted – strictly confidential or sensitive University information restricted to individuals who are explicitly granted access with unauthorised disclosure, modification or destruction most likely to cause serious harm to the University, other organisation or individual, compromise Australia’s national security, national interests, economy, stability, integrity or damage international relations or defence eg research requiring ethics clearances, information relating to allegations of fraud |
On Premise Storage | Refers to locations inside the University network which is controlled and managed by University Information Technology Services (ITS) staff and remains within the University network and security infrastructure |
ACTIVITY | RESPONSIBILITY | STEPS | |
---|---|---|---|
A. | Protecting data | ITS |
|
B. | Undertaking a risk assessment for prospective data storage | ITS |
|
ACTIVITY | RESPONSIBILITY | STEPS | |
---|---|---|---|
A. | Storing Protected or Restricted data | Data owner |
|
ACTIVITY | RESPONSIBILITY | STEPS | |
---|---|---|---|
A. | Checking data classification | Data owner |
|
B. | Determining suitability of cloud storage | Data owner |
|
- Master Data Management Policy
- Data Classification and Usage Procedure
- Research Data Management Policy
- Research Data Management Procedure (in draft)
- Data Backup and Recovery Procedure
- Records Management Policy
- Records Management Procedure
Forms
- Appendix 1 Cloud Applications (DOCX 12.8kb)
- Appendix 2 Data Storage Risk Matrix (DOCX 37.1kb)
- Appendix 3 Data Requirements Checklist (DOCX 2587.9kb)
- Appendix 4 Risk Assessment Template (DOCX 2589.5kb)
- Deputy Vice-Chancellor, Student Support and Services is responsible for monitoring the implementation, outcomes and scheduled review of this procedure
- Executive Director, Information Technology and Business Solutions is responsible for maintaining the content of this procedure as delegated by the Deputy Vice-Chancellor, Student Support and Services
- Manager, Business Partnerships and Service Governance is responsible for the administration support for the maintenance of this policy as directed by the Executive Director, Information Technology and Business Solutions
The Data Storage Procedure will be communicated throughout the University community in the form of:
- an Announcement Notice via FedNews and on the FedUni Policy Central’s Policy Library ‘Recently Approved Documents’ page to alert the University-wide community of the approved Procedure;
- distribution of e-mails to Head of School / Head of Department / University staff; and/or
- notification to Organisational Units, Schools, Directorates and other relevant parties
- Training/Information Sessions
The Data Storage Procedure will be implemented throughout the University via:
- an Announcement Notice via FedNews and on the FedUni Policy Central’s Policy Library ‘Recently Approved Documents’ page to alert the University-wide community of the approved Procedure;
- Staff induction sessions
- Training sessions, if required
Document Title | Location | Responsible Officer | Minimum Retention Period |
---|---|---|---|
Completed Risk Assessments | The University’s approved records management system | Information Technology Services | 7 years after administrative use has concluded |
Agreements with Cloud Service Provider | The University’s approved records management system | ITS / Legal | 7 years after expiry of agreement |