I.T.

Data Storage Procedure

Policy code: IM1981
Policy owner: Executive Director, Information Technology and Business Solutions
Approval authority: Chief Operating Officer and Chief Financial Officer
Approval date: 31 August 2016
Next review date: 11 November 2023

Purpose
Scope
Legislative Context
Definitions
Actions
1. Determining data storage compliance requirements
2. Providing data storage options
3. Accessing on-premise storage
4. Using cloud storage services
Supporting Documents
Responsibility
Promulgation
Implementation
Records Management

Purpose

This procedure supports and mandates the implementation of the Master Data Management Policy and Research Data Management Policy. It expands on the principles outlined in the policies as they relate to data management and provides guidance on the implementation and practical application of data storage solutions.

Scope

This procedure applies to all digital and digitised data produced, stored and/or utilised by members of the University’s community.

While partner provider organisations are supported through the use of specific University information technology systems, this procedure does not apply to electronic data created, managed or stored by these organisations.

Legislative Context

  • Federation University Australia Act 2010
  • Information Privacy Act 2000 (Victoria)
  • Electronic Transactions Act 2000 (Victoria)
  • Public Record Act 1973 (Victoria)
  • Privacy and Data Protection Act 2014
  • Australian Copyright Act of 1968
  • Evidence Act 1958 (Victoria)
  • Australian Code for the Responsible Conduct of Research (2007)
  • OECD Principles and Guidelines for Access to Research Data from Public Funding (2007)
  • Australian Skills Quality Authority (ASQA)
  • Higher Education Standards Framework (Threshold Standards) 2011
  • Tertiary Education Quality and Standards Agency (TEQSA)

Definitions

A complete list of definitions relevant to this procedure is contained within the Master Data Management Policy.

A further list of definitions specifically relevant to this procedure is included below:

Term Definition
Cloud computing

The delivery of on-demand computing resources over the internet with four options in terms of access and security:

Private cloud – services and infrastructure maintained and managed by self or a third party which reduces potential security and control risks particularly in relation to sensitive data requirements e.g. data and applications are a core part of your business

Community cloud – several organisations with similar security considerations share access to a private cloud e.g. a group of franchises who have their own private clouds which are hosted remotely in a private environment

Public cloud – services are stored off-site, managed by an external organisation such as Google or Microsoft and accessed over the internet which offers the greatest level of flexibility and cost saving but more vulnerable than private clouds

Hybrid cloud – takes advantage of both public and private cloud services and gain benefits by spreading options across different cloud models e.g. use public cloud for emails to save on large storage costs while keeping highly sensitive data safe and secure behind the firewall in a private cloud
Cloud-based applications Software as a Service (SaaS), run on cloud computers that are owned and operated by others and connect to users’ computers via the internet and a web browser
Cloud-based environment Platform as a service (PaaS) provides everything required to support the complete lifecycle of building and delivering web-based (cloud) applications, without the cost and complexity of buying and managing the underlying hardware, software, provisioning and hosting
Information Security Classification

An Information Security Classification is assigned to a set of information after the creator (user) assesses the sensitivity and importance of the information. This classification determines the appropriate methods of storage and management for the information. Information Security Classifications include:

Public – information that is publicly available and unlikely to impact on the reputation of the University, other organisation or individual e.g. academic calendar, course outlines

General Internal – University information that is not generally made publicly available and release of such information may cause minor impact on the reputation of the University, other organisation or individual e.g. academic lecture notes

Protected – confidential University information with limited access with unauthorised disclosure, modification. Data that is released which could cause reputational harm or embarrassment to the University e.g. budget data, academic records, student grades, planning or purchasing documents

Restricted – strictly confidential or sensitive University information restricted to individuals who are explicitly granted access with unauthorised disclosure, modification or destruction most likely to cause serious harm to the University, other organisation or individual, compromise Australia’s national security, national interests, economy, stability, integrity or damage international relations or defence e.g. research requiring ethics clearances, information relating to allegations of fraud
Metadata Describes information about data, such that data can be discovered, understood, re-used and integrated with other data; information described in a metadata record includes where and when the data was collected, created, organised, transmitted (where applicable) and last updated and who is responsible, allowing correct attribution to the creators of the work
On-premise Storage Refers to locations inside the University network which is controlled and managed by University Information Technology Services (ITS) staff and remains within the University network and security infrastructure

Actions

1. Determining data storage compliance requirements

  ACTIVITY RESPONSIBILITY STEPS
A. Checking data classification Data Steward
  1. Apply data classification scheme to determine if the data can be stored on University sanctioned cloud storage services – if not, refer Action 2: Accessing on-premise Storage
B. Determine compliance requirements Data Steward
  1. In context of the data to be stored refer to the Legislative Context to determine the compliance requirements that apply.
  2. Compare compliance requirements against provided data storage options compliance certifications.
C. Determining suitability of cloud storage Data Steward
  1. Refer Appendix 1: Cloud Applications
  2. Staffing and financial data is may be stored in university sanctioned cloud services.

2. Providing data storage options

  ACTIVITY RESPONSIBILITY STEPS
A. Protecting data ITS
  1. Provide  options for the storage of digital data, including those housed On premise and in the cloud including approved corporate business systems, network drives and approved cloud-based applications
    • Business information systems Use business information systems to store data that relates to a specific business function (i.e. student data should be stored in the Student Management System)
    • SharePoint may be used to store other types of data – refer Data Classification and Usage Procedure
    • Cloud storage solutions deployed for the storage of University data must comply with all legislative requirements; may not be appropriate for all applications and classifications of data – the service must be fit for purpose and used appropriately – refer Appendix 1: Cloud Applications
B. Undertaking a risk assessment for prospective data storage ITS
  1. Utilise the Data Requirements Checklist in Appendix 3 to ensure the cloud solution meets the legislative requirements of the Public Records Act 1973 (Victoria) and associated mandatory standards issued by PROV
  2. Utilise the Risk Matrix in Appendix 2 to identify risks in the proposed cloud environment
  3. Complete a Risk Assessment utilising the template in Appendix 4

3. Accessing on-premise storage

  ACTIVITY RESPONSIBILITY STEPS
A. Storing Protected or Restricted data Data Steward
  1. Use of on-premise storage for any data classified as Protected or Restricted – Refer Data Classification and Usage Procedure, , may only be done by way of a University sanctioned business information system. NOTE: On-premise can be used to store data of any type, but the preference will be to store public data in University sanctioned cloud storage services – Refer Action 1
  2. Input information into relevant on-premise business information system or storage location
  3. Save with suitable data classification tags
  4. Complete all metadata fields

4. Using cloud storage services

  ACTIVITY RESPONSIBILITY STEPS
A. Accessing cloud storage services Data Steward
  1. Determine suitable storage location. Refer Appendix 1: Cloud Applications
  2. Save with suitable data classification tags
  3. Complete all metadata fields

Supporting Documents

Forms

Responsibility

  • Chief Operating Officer, Chief Operating Office is responsible for monitoring the implementation, outcomes and scheduled review of this procedure.
  • Director, Information Technology Services is responsible for maintaining the content of this procedure as delegated by the Chief Operating Officer, Chief Operating Office.
  • Manager, Enterprise Data is responsible for the administration support for the maintenance of this policy as directed by the Director, Information Technology Services.

Promulgation

The Data Storage Procedure will be communicated throughout the University community in the form of:

  1. an Announcement Notice via FedNews and on the FedUni Policy Central’s Policy Library ‘Recently Approved Documents’ page to alert the University-wide community of the approved Procedure;
  2. distribution of e-mails to Head of School / Head of Department / University staff; and/or
  3. notification to Organisational Units, Schools, Directorates and other relevant parties
  4. Training/Information Sessions

Implementation

The Data Storage Procedure will be implemented throughout the University via:

  1. an Announcement Notice via FedNews and on the FedUni Policy Central’s Policy Library ‘Recently Approved Documents’ page to alert the University-wide community of the approved Procedure;
  2. Staff induction sessions
  3. Training sessions, if required

Records Management

Document Title Location Responsible Officer Minimum Retention Period
Completed Risk Assessments The University’s approved records management system Information Technology Services 7 years after administrative use has concluded
Agreements with Cloud Service Provider The University’s approved records management system ITS / Legal 7 years after expiry of agreement
PrevPrev  UpUp  NextNext
Data Classification and Usage Procedure 
 Web Management and Publishing Policy


Approval Authority: Chief Operating Officer and Chief Financial Officer Original Issue 31/08/2016
Policy Sponsor: Executive Director, Information Technology and Business Solutions Current Version: 11/11/2020
CRICOS Provider Number 00103D Review Date: 11/11/2023
TEQSA Provider ID: PRV12151 Provider Category: Australian University
RTO Code 4909 Policy Code IM1981