I.T.
- Use of Computing and Communication Facilities Policy
- Information Security Policy
- Master Data Management Policy
- Data Classification and Usage Procedure
- Data Storage Procedure
- Web Management and Publishing Policy
- Web Management and Publishing Procedure
- Forms
- Printable PDF Version
This procedure supports and mandates the implementation of the Master Data Management Policy and Research Data Management Policy. It expands on the principles outlined in the policies as they relate to data management and provides guidance on the implementation and practical application of data storage solutions.
This procedure applies to all digital and digitised data produced, stored and/or utilised by members of the University’s community.
While partner provider organisations are supported through the use of specific University information technology systems, this procedure does not apply to electronic data created, managed or stored by these organisations.
- Federation University Australia Act 2010
- Information Privacy Act 2000 (Victoria)
- Electronic Transactions Act 2000 (Victoria)
- Public Record Act 1973 (Victoria)
- Privacy and Data Protection Act 2014
- Australian Copyright Act of 1968
- Evidence Act 1958 (Victoria)
- Australian Code for the Responsible Conduct of Research (2007)
- OECD Principles and Guidelines for Access to Research Data from Public Funding (2007)
- Australian Skills Quality Authority (ASQA)
- Higher Education Standards Framework (Threshold Standards) 2011
- Tertiary Education Quality and Standards Agency (TEQSA)
A complete list of definitions relevant to this procedure is contained within the Master Data Management Policy.
A further list of definitions specifically relevant to this procedure is included below:
Term | Definition |
---|---|
Cloud computing |
The delivery of on-demand computing resources over the internet with four options in terms of access and security: Private cloud – services and infrastructure maintained and managed by self or a third party which reduces potential security and control risks particularly in relation to sensitive data requirements e.g. data and applications are a core part of your business Community cloud – several organisations with similar security considerations share access to a private cloud e.g. a group of franchises who have their own private clouds which are hosted remotely in a private environment Public cloud – services are stored off-site, managed by an external organisation such as Google or Microsoft and accessed over the internet which offers the greatest level of flexibility and cost saving but more vulnerable than private clouds Hybrid cloud – takes advantage of both public and private cloud services and gain benefits by spreading options across different cloud models e.g. use public cloud for emails to save on large storage costs while keeping highly sensitive data safe and secure behind the firewall in a private cloud |
Cloud-based applications | Software as a Service (SaaS), run on cloud computers that are owned and operated by others and connect to users’ computers via the internet and a web browser |
Cloud-based environment | Platform as a service (PaaS) provides everything required to support the complete lifecycle of building and delivering web-based (cloud) applications, without the cost and complexity of buying and managing the underlying hardware, software, provisioning and hosting |
Information Security Classification |
An Information Security Classification is assigned to a set of information after the creator (user) assesses the sensitivity and importance of the information. This classification determines the appropriate methods of storage and management for the information. Information Security Classifications include: Public – information that is publicly available and unlikely to impact on the reputation of the University, other organisation or individual e.g. academic calendar, course outlines General Internal – University information that is not generally made publicly available and release of such information may cause minor impact on the reputation of the University, other organisation or individual e.g. academic lecture notes Protected – confidential University information with limited access with unauthorised disclosure, modification. Data that is released which could cause reputational harm or embarrassment to the University e.g. budget data, academic records, student grades, planning or purchasing documents Restricted – strictly confidential or sensitive University information restricted to individuals who are explicitly granted access with unauthorised disclosure, modification or destruction most likely to cause serious harm to the University, other organisation or individual, compromise Australia’s national security, national interests, economy, stability, integrity or damage international relations or defence e.g. research requiring ethics clearances, information relating to allegations of fraud |
Metadata | Describes information about data, such that data can be discovered, understood, re-used and integrated with other data; information described in a metadata record includes where and when the data was collected, created, organised, transmitted (where applicable) and last updated and who is responsible, allowing correct attribution to the creators of the work |
On-premise Storage | Refers to locations inside the University network which is controlled and managed by University Information Technology Services (ITS) staff and remains within the University network and security infrastructure |
ACTIVITY | RESPONSIBILITY | STEPS | |
---|---|---|---|
A. | Checking data classification | Data Steward |
|
B. | Determine compliance requirements | Data Steward |
|
C. | Determining suitability of cloud storage | Data Steward |
|
ACTIVITY | RESPONSIBILITY | STEPS | |
---|---|---|---|
A. | Protecting data | ITS |
|
B. | Undertaking a risk assessment for prospective data storage | ITS |
|
ACTIVITY | RESPONSIBILITY | STEPS | |
---|---|---|---|
A. | Storing Protected or Restricted data | Data Steward |
|
- Master Data Management Policy
- Data Classification and Usage Procedure
- Research Data Management Policy
- Research Data Management Procedure
- Data Backup and Recovery Procedure
- Records Management Policy
- Records Management Procedure
- Information Privacy Policy
- Information Privacy Procedure
- Information Security Policy
Forms
- Appendix 1 Cloud Applications (DOCX 21.5kb)
- Appendix 2 Data Storage Risk Matrix (DOCX 46.1kb)
- Appendix 3 Data Requirements Checklist (DOCX 2587.9kb)
- Appendix 4 Risk Assessment Template (DOCX 2589.5kb)
- Chief Operating Officer, Chief Operating Office is responsible for monitoring the implementation, outcomes and scheduled review of this procedure.
- Director, Information Technology Services is responsible for maintaining the content of this procedure as delegated by the Chief Operating Officer, Chief Operating Office.
- Manager, Enterprise Data is responsible for the administration support for the maintenance of this policy as directed by the Director, Information Technology Services.
The Data Storage Procedure will be communicated throughout the University community in the form of:
- an Announcement Notice via FedNews and on the FedUni Policy Central’s Policy Library ‘Recently Approved Documents’ page to alert the University-wide community of the approved Procedure;
- distribution of e-mails to Head of School / Head of Department / University staff; and/or
- notification to Organisational Units, Schools, Directorates and other relevant parties
- Training/Information Sessions
The Data Storage Procedure will be implemented throughout the University via:
- an Announcement Notice via FedNews and on the FedUni Policy Central’s Policy Library ‘Recently Approved Documents’ page to alert the University-wide community of the approved Procedure;
- Staff induction sessions
- Training sessions, if required
Document Title | Location | Responsible Officer | Minimum Retention Period |
---|---|---|---|
Completed Risk Assessments | The University’s approved records management system | Information Technology Services | 7 years after administrative use has concluded |
Agreements with Cloud Service Provider | The University’s approved records management system | ITS / Legal | 7 years after expiry of agreement |