Data Classification and Usage Procedure

Policy Code: IM1974

Purpose

Federation University Australia recognises that its corporate data is an important strategic asset. This procedure supports and mandates the implementation of the Master Data Management Policy. It expands on the principles outlined in the policy and provides direction and guidance on assessing the sensitivity and importance of its corporate data and usage.

All University data created must be allocated a classification so that it is managed, used and secured in a manner appropriate to its importance and sensitivity.

Scope

This procedure applies to all digital and digitised data produced, stored and/or utilised by members of the University’s community. While partner provider organisations are supported through the use of specific University information technology systems, this procedure does not apply to other non-University electronic data created, managed or stored by these organisations.

Legislative Context

  • Federation University Australia Act 2010
  • Information Privacy Act 2000 (Victoria)
  • Electronic Transactions Act 2000 (Victoria)
  • Public Record Act 1973 (Victoria)
  • Australian Copyright Act of 1968
  • Evidence Act 1958 (Victoria)
  • Australian Code for the Responsible Conduct of Research (2007)
  • OECD Principles and Guidelines for Access to Research Data from Public Funding (2007)
  • Australian Qualifications Framework (AQF) Second Edition January 2013
  • Australian Skills Quality Authority (ASQA)
  • Higher Education Standards Framework (Threshold Standards) 2011
  • Tertiary Education Quality and Standards Agency (TEQSA)
  • Higher Education and Skills Group (HESG)
    • 2014 – 2016 VET Funding Contract

Definitions

A complete list of definitions relevant to this procedure is contained within the Master Data Management Policy.

A further list of definitions specifically relevant to this procedure is included below:

  • Data classification: A scheme comprising four levels: Public, General Internal, Protected and Restricted. The creator of University data is required to assess the importance and sensitivity of the data and assign a label to that data so that it can be managed and stored with the appropriate consideration
  • Data owner: Entity that can authorise or deny access to certain data and is responsible for its accuracy, integrity and timeliness
  • Data user: Controls the collection, classification, processing, use or storage of specific data following specified protocols
  • General Internal Data: University data that is not generally made publicly available and release of such information may cause minor impact on the reputation of the University, other organisation or individual eg academic lecture notes
  • Information assets: Definable pieces of information in any form, recorded or stored on any media that is recognised as valuable to the University
  • Personal use: All non-work or study related use including internet usage and private emails
  • Protected Data: Confidential University data with limited access with unauthorised disclosure, modification; data that includes personally identifiable information, is commercially sensitive eg salary information, contracts, medical/health records etc and if released could cause reputational harm or embarrassment to the University eg budget data, academic records, student grades, planning or purchasing documents
  • Public Data: Data created with the intention of being in the public domain, that is publicly available and unlikely to impact on the reputation of the University, other organisation or individual eg academic calendar, course outlines
  • Restricted Data: Strictly confidential or sensitive University information eg budget data, academic records, student grades, planning or purchasing documents, restricted to individuals who are explicitly granted access with unauthorised disclosure, modification or destruction and if released is most likely to cause reputational harm or embarrassment to the University, other organisation or individual, compromise Australia’s national security, national interests, economy, stability, integrity or damage international relations or defence eg research requiring ethics clearances, information relating to allegations of fraud

Actions

1. Ensuring all University data is classified

A. Protecting data assets (Responsibility: Data owner)
  1. Classify all data created commensurate with its sensitivity and value to ensure appropriate protection throughout its lifecycle eg creation/modification/destruction
  2. Ensure data is used only for the purposes as determined by its classification, relevant University policies, procedures and/or applicable legislation

2. Assigning data classification

A. Identifying the appropriate data classification (Responsibility: Data owner)
  1. Utilise Appendix 1 - Data Classification Scheme to determine the correct data classification
  2. Assign correct data classification on saving or completing the document or work
  3. Ensure all required metadata fields are completed
B. Reclassifying data (Responsibility: Data users)
  1. Ensure that the correct data classification is used for data created
  2. Ensure that any required re-classification of data follows the correct Data Classification Scheme
    • NOTE: This step is important when dealing with data that falls into the Protected or Restricted classification
  3. Ensure all required metadata fields are completed
C. Classifying data from another source (Responsibility: Data users)
  1. Ensure that data received from another source is classified to correctly match the University’s requirements
    • NOTE: In some instances, the data may have an existing classification from its place of origin
  2. Ensure all required metadata fields are completed

3. Allocating responsibilities

A. Ensuring correct access (Responsibility: Data owner)
  1. Refer to Appendix 2 - Responsibilities Table and allocate access classification
B. Storing data (Responsibility: Data owner)
  1. Follow Actions within the University’s Data Storage Procedure
C. Disposing of data (Responsibility: Data owner)
  1. Ensure all required approvals are obtained prior to undertaking any data disposal
  2. Follow all data disposal requirements detailed within the University’s Records Management Procedure and consistent with ethics requirements for research data

4. Changing or downgrading classifications

A. Reclassifying data (Responsibility: Data owner)
  1. Downgrade when protection is no longer necessary/needed at the original level
  2. Review when the data becomes inactive or no longer in regular use
  3. Refer to Appendix 2 - Responsibilities Table and determine new classification to reflect changes in the data’s criticality, confidentiality or sensitivity
  4. Obtain approval from Privacy Officer to change, downgrade or dispose of data with Protected or Restricted classification
  5. Follow correct records management disposal process when disposing of any electronic data – refer Records Management Procedure

5. Disclosing, transmitting and/or exchanging data

A. Approving data dispersal (Responsibility: Data owner)
  1. Distribute, transmit and/or exchange data if/as required for a valid business need
  2. Contact ITS and complete a Functional Design Document (FDD)
  3. Follow FDD workflow approval process to transfer data between systems
  4. Provide written approval for protected or restricted information to be transferred or processed on any third party systems

6. Using data

A. Ensuring data usage is appropriate (Responsibility: Data owner)
  1. Access and use data in accordance with the Data Classification Scheme and Level of Impact table
  2. Ensure any data exchange is carried out with appropriate approvals – refer Information Privacy Procedure
  3. Access the appropriate University’s data storage option:
    • Business Systems: The University’s business systems store data that relates to a specific business function (ie student data is stored in the Student Management System)
    • Network drives: Access/store other types of data, excluding data that is classified as protected or restricted
    • Cloud: Any data stored/accessed must comply with all legislative requirements and be fit for purpose eg classified as public

Responsibility

  • Deputy Vice-Chancellor, Student Support and Services is responsible for monitoring the implementation, outcomes and scheduled review of this procedure
  • Executive Director, Information Technology and Business Solutions is responsible for maintaining the content of this procedure as delegated by the Deputy Vice-Chancellor, Student Support and Services
  • Manager, Business Partnerships and Service Governance is responsible for the administration support for the maintenance of this policy as directed by the Executive Director, Information Technology and Business Solutions

Promulgation

The Data Classification and Usage Procedure will be communicated throughout the University community in the form of:

  1. an Announcement Notice via FedNews and on the FedUni Policy Central’s Policy Library ‘Recently Approved Documents’ page to alert the University-wide community of the approved Procedure;
  2. distribution of e-mails to Head of School / Head of Department / University staff; and/or
  3. notification to Organisational Units, Faculties, Directorates and other relevant parties
  4. training / information sessions

Implementation

The Data Classification and Usage Procedure will be implemented throughout the University via:

  1. an Announcement Notice via FedNews and on the FedUni Policy Central’s Policy Library ‘Recently Approved Documents’ page to alert the University-wide community of the approved Procedure;
  2. Staff induction sessions
  3. Training sessions, if required

Records Management

Functional Design Document
  • Location: The University’s approved records management system
  • Responsible Officer: Information Technology Services
  • Minimum Retention Period: 7 years after administrative use has concluded

Information Model (identifies relationships between major data entities and systems of record) [section 3.2 page 35]
  • Location: The University’s approved records management system
  • Responsible Officer: Information Technology Services
  • Minimum Retention Period: 7 years after administrative use has concluded

Migration plans and quality assurance checks for migrated data
  • Location: The University’s approved records management system
  • Responsible Officer: Information Technology Services
  • Minimum Retention Period: 1 year after migration has been completed

System testing strategies, result forms and test reports
  • Location: The University’s approved records management system
  • Responsible Officer: Information Technology Services
  • Minimum Retention Period: 7 years after administrative use has concluded

Appendix 1

Data Classification Scheme

Public
  • Examples: Newsletter, education material created for public use, course schedule, course catalogue, campus brochure, campus map, annual report
  • Potential Impact (refer Level of Impact Table): Negligible adverse impact to the University if disclosed

General Internal
  • Examples: Academic lecture notes
  • Potential Impact (refer Level of Impact Table): May cause minor impact on the reputation of the University, other organisation or individual

Protected
  • Examples: Intellectual property, commercially sensitive research, personally identifiable sensitive information, credit/debit card details, disciplinary information, salary information, examination papers, binding contracts, HR personal evaluations, medical / health records
  • Examples: Budget and financial data, de-identified clinical research information, audit reports, student academic records, student grades, strategy and planning documents, purchasing data
  • Potential Impact (refer Level of Impact Table): Would cause exceptional damage to the University, staff or students if disclosed. These records manage University functions or business activities where greater restrictions are required to protect the rights and interests of both the University and individuals, or to limit the University’s liabilities

Restricted
  • Examples: Confidential out-of-court settlements, records affecting national security, protected disclosures, security vulnerabilities
  • Potential Impact (refer Level of Impact Table): Could cause physical harm to individuals or impact the University’s existence if disclosed. These records manage University functions or business activities where wider dissemination would expose the University or individuals to significant risks or liabilities

Level of Impact Table

The goal of data security is to protect the confidentiality, integrity and availability of data assets. Data Classification reflects the level of impact to the University if confidentiality, integrity or availability of data is compromised:

Potential impact by security objective:

Confidentiality: Preserving authorised restrictions on data access and disclosure, including the means for protecting personal privacy and proprietary information
  • LOW: The unauthorised disclosure of data could be expected to have a limited adverse effect on the University’s operations, assets or individuals
  • MODERATE: The unauthorised disclosure of data could be expected to have a serious adverse effect on the University operations, assets or individuals
  • HIGH: The unauthorised disclosure of data could be expected to have a severe or catastrophic adverse effect on the University operations, assets or individuals

Integrity: Guarding against improper data modification or destruction and includes ensuring data non-repudiation and authenticity
  • LOW: The unauthorised disclosure of data could be expected to have a limited adverse effect on the University’s operations, assets or individuals
  • MODERATE: The unauthorised disclosure of data could be expected to have a serious adverse effect on the University operations, assets or individuals
  • HIGH: The unauthorised disclosure of data could be expected to have a severe or catastrophic adverse effect on the University operations, assets or individuals

Availability: Ensuring timely and reliable access to and use of data
  • LOW: The disruption of access to or use of data or a data system could be expected to have a limited adverse effect on the University’s operations, assets or individuals
  • MODERATE: The disruption of access to or use of data or a data system could be expected to have a serious adverse effect on the University operations, assets or individuals
  • HIGH: The disruption of access to or use of data or a data system could be expected to have a severe or catastrophic adverse effect on the University operations, assets or individuals

Appendix 2

Responsibilities Table

Public
  • Access: Records are accessible by external parties from any location
  • Storage: Storage must be as per Data Storage Procedure
  • Disposal: Disposal must be as per Records Management Procedure

General Internal
  • Access: Information is classified as General Internal by default unless reclassified by the creator; access to General Internal records and files is limited to University staff or other authorised personnel
  • Storage: Storage must be as per Data Storage Procedure
  • Disposal: Disposal must be as per Records Management Procedure

Protected
  • Access: Access to records and files requires authentication and password protection. Records accessible by only a limited number of authorised people. Records and portable storage devices should be stored in a secured (locked) location
  • Storage: Storage must be as per Data Storage Procedure
  • Disposal: Disposal must be as per Records Management Procedure

Restricted
  • Access: Access to records and files requires authentication and password protection. Record and file access must be protected and accessible by only top level management within the University. Devices and records must be stored in a secured (locked) location
  • Storage: Storage must be as per Data Storage Procedure. If data is to be moved, it must be encrypted
  • Disposal: Disposal must be as per Records Management Procedure