The Information Technology Services procedural manuals detail the processes that have been developed using previous policies, procedures to provide clear advice to Federation University Staff regarding their responsibilities, actions and accountability in accordance with the Federation University Act, Statute, Regulations and Policies Procedures and Manuals.
It is an associated document within the Federation Governance document suite and must be used as a tool to assist all stakeholders to fulfil obligations in accordance with university mandates.
The purpose of this manual is to ensure that all members of the Federation community are informed, understand their requirements to perform key tasks and know where to access information as needed to adhere to mandated requirements and enhance their practice.
It is also intended to assist all staff in carrying out their functions and responsibilities with ease and completeness by providing clarity of expectation and responsibilities.
This manual will be revised annually by the owner and/or their nominated delegates to ensure currency of information.
Federation University Australia is committed to the appropriate storage of information in support of its teaching, administrative and support functions. The University acknowledges its obligation to ensure appropriate security of personal data in relation to all relevant legislation while providing approved data storage solutions to accommodate the varying needs of the University community. University data is recognised as a valuable asset and will be efficiently managed and availed through development of a best practice approach to data management.
This procedure mandates a range of associated University policies and procedures developed to ensure the integrity, authenticity, availability, access, confidentiality and security of data produced and/or utilised by the University through minimising duplication and fragmentation and introducing internal controls to mitigate identified risks.
Through its associated procedures the University will:
- define the roles, responsibilities and accountability for different data usage
- ensure best practice processes for effective data management including access, retrieval, reporting, managing and storing
- protect the University’s data against internal and external threats.
The University is also required to produce evidence of its activities to external regulators, internal auditors, accreditation and funding bodies. Adherence to this procedure will ensure the University is able to meet this requirement.
The University’s Research Data Management Policy and Research Data Management Procedure (in draft) governs responsibilities and processes for the ownership, storage, retention, accessibility for use and reuse and/or disposal of research data in accordance with the Australian Code for the Responsible Conduct of Research.
This procedure applies to all University data produced, collected, stored and/or utilised by members of the University’s community. It does not apply to data used for the purpose of academic research.
While partner provider organisations are supported through the use of specific University information technology systems, this procedure does not apply to non-University related data created, managed or stored by these organisations.
The following categories of people are permitted access to the computing and communication facilities:
- Federation University Australia Act 2010
- The Higher Education Support Act 2003
- The National Code of Practice for Registration Authorities and Providers of Education and Training to Overseas Students made under the Education Services for Overseas Students Act 2000 (ESOS)
- Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
- Information Privacy Act 2000 (Victoria)
- Electronic Transactions Act 2000 (Victoria)
- Public Record Act 1973 (Victoria)
- Australian Copyright Act of 1968
- Evidence Act 1958 (Victoria)
- Australian Code for the Responsible Conduct of Research (2007)
- OECD Principles and Guidelines for Access to Research Data from Public Funding (2007)
- Australian Qualifications Framework AQF Second Edition January 2013
- Australian Skills Quality Authority ASQA
- Higher Education Standards Framework (Threshold Standards) 2011
- Tertiary Education Quality and Standards Agency (TEQSA)
- Higher Education and Skills Group HESG
- 2014 – 2016 VET Funding Contract
| Term | Definition |
| Authorised person | An individual or group of people who have been authorised to use and/or store data on the University’s approved data storage system/s |
| Copyright | Intellectual property right that protects a body of work, not for ideas or information, but for the form in which they are expressed, from unauthorised use and is applied automatically when a work is created without the need to register or comply with formalities |
| Data | Data and records collected, created and/or maintained by the University including digital and non-digital information which can generally be assigned to one of the four data categories of public, general internal, protected or restricted |
| Data dictionary | Centralised repository of information about data such as meaning, relationships to other data, origin, usage and format |
| Data management | Defines the access rights, roles and responsibilities in relation to the management and protection of University data |
| Data integrity | Data accuracy and consistency over its entire lifecycle |
| Data owner | An individual or group of people accountable for specific data that is created, transmitted, used and stored on a system within the University |
| Data quality | Data currency, validity and relevance |
| School | Federation University Australia has a number of Academic Organisational Units |
| Intellectual property (IP)(including patents and trademarks) |
IP is the application of the mind to develop something new or original, existing in various forms – a new invention, brand, design or artistic creation A patent is a legally enforceable right that is granted for any device, substance, method or process that is new, inventive and useful A registered trade mark is a legally enforceable right that is granted for a letter, number, work, phrase, sound, smell, shape, logo, picture and/or aspect of packaging |
| Metadata | Describes information about data, such that data can be discovered, understood, re-used and integrated with other data; information described in a metadata record includes where and when the data was collected, created, organised, transmitted (where applicable) and last updated and who is responsible, allowing correct attribution to the creators of the work |
| Record | Any record that is created or received by the University in the transaction of its business functions or resulting from research activities and retained as evidence of that activity which can include, but is not limited to, hard copy documents, electronic or digital records including email and information maintained as part of a database or business information system |
| Scholarly works | Any article, book, musical composition, creative writing or like publication or any digital or electronic version of these works that contains material written by academic staff or student based on that person’s scholarship, learning or research but does not include work that is teaching material |
| Security | Safety of University data in relation to access control, authentication, effective incident detection, reporting and solution, physical and virtual security, change management and version control |
| University data | All data owned or licensed by the University |
| Users | Persons who use information resources and have responsibility for ensuring that such data is used properly in compliance with this procedure |
This procedure provides the following set of guiding principles to maximise the University’s data management capabilities to manage the needs of students, staff and other members of the University’s community who create, receive, store, access, transmit, use, or dispose of data as part of their relationship to the University noting that both the types of data and requirements will differ:
| Principle | Demonstrated By: |
| Any record generated as a result of University activities is an official record under the Public Records Act 1973 (Victoria) and must be created, captured, stored and effectively managed within the University’s approved data storage and records management systems |
|
| The University’s data classification scheme standardises records’ structures and descriptions by contextualising the records within functions and activities |
|
| The University protects the confidentiality of personal and health information it collects for both its own operations and the conduct of research |
|
| Ownership and rights associated with data created, collected and stored is clarified and managed appropriately |
|
| The legal context for the collection, management, storage and use of data is considered and addressed |
|
| Extensive metadata is built around the data to ensure quality information about its provenance, legal and technical framework, access rights, publication and disposal in line with relevant metadata standards |
|
| Long term storage, archiving and disposal requirements are identified and implemented |
|
| Data disaster recovery and activity continuity planning is in place |
|
Federation University Australia recognises that its corporate and research data are important strategic assets. This procedure supports and mandates the implementation of Section 2: Master Data Management and Research Data Management Procedure. It expands on the principles outlined in these policies and provides direction and guidance on assessing the sensitivity and importance of University data and it's usage.
All University data created must be allocated a classification so that it is managed, used and secured in a manner appropriate to its importance and sensitivity.
This procedure applies to all digital and digitised data produced, stored and/or utilised by members of the University’s community. While partner provider organisations are supported through the use of specific University information technology systems, this procedure does not apply to other non-University electronic data created, managed or stored by these organisations.
- Federation University Australia Act 2010
- Information Privacy Act 2000 (Victoria)
- Electronic Transactions Act 2000 (Victoria)
- Public Record Act 1973 (Victoria)
- Privacy and Data Protection Act 2014
- Australian Copyright Act of 1968
- Evidence Act 1958 (Victoria)
- Australian Code for the Responsible Conduct of Research (2007)
- OECD Principles and Guidelines for Access to Research Data from Public Funding (2007)
- Australian Skills Quality Authority ASQA
- Higher Education Standards Framework (Threshold Standards) 2011
- Tertiary Education Quality and Standards Agency (TEQSA)
A complete list of definitions relevant to this procedure is contained within Section 2: Master Data Management.
A further list of definitions specifically relevant to this procedure is included below:
| Term | Definition |
| Data classification |
A scheme comprising of four levels including Public, General Internal, Protected or Restricted The creator of University data is required to assess the importance and sensitivity of the data and assign a label to that data so that it can be managed and stored with the appropriate consideration |
| Data Steward | Entity that can authorise or deny access to certain data and is responsible for its accuracy, integrity and timeliness |
| Data user | Controls the collection, classification, processing, use or storage of specific data following specified protocols |
| General Internal Data | University data that is not generally made publicly available and release of such information may cause minor impact on the reputation of the University, other organisation or individual e.g. academic lecture notes |
| Information assets | Definable pieces of information in any form, recorded or stored on any media that is recognised as valuable to the University |
| Personal use | All non-work or study related use including internet usage and private emails |
| Metadata | Describes information about data, such that data can be discovered, understood, re-used and integrated with other data; information described in a metadata record includes where and when the data was collected, created, organised, transmitted (where applicable) and last updated and who is responsible, allowing correct attribution to the creators of the work |
| Protected Data | Confidential University data with limited access with unauthorised disclosure, modification; data that includes personally identifiable information, is commercially sensitive e.g. salary information, contracts, medical/health records etc and if released could cause reputational harm or embarrassment to the University e.g. budget data, academic records, student grades, planning or purchasing documents |
| Public Data | Data created with the intention of being in the public domain, that is publicly available and unlikely to impact on the reputation of the University, other organisation or individual e.g. academic calendar, unit outlines |
| Restricted Data | Strictly confidential or sensitive University information e.g. budget data, academic records, student grades, planning or purchasing documents, restricted to individuals who are explicitly granted access with unauthorised disclosure, modification or destruction and if released is most likely to cause reputational harm or embarrassment to the University, other organisation or individual, compromise Australia’s national security, national interests, economy, stability, integrity or damage international relations or defence e.g. research requiring ethics clearances, information relating to allegations of fraud |
| Activity | Responsibility | Steps | |
| A. | Protecting data assets | Data Steward |
|
| Activity | Responsibility | Steps | |
| A. | Identifying the appropriate data classification | Data Steward |
|
| B. | Reclassifying data | Data users |
|
| C. | Classifying data from another source | Data users |
|
| Activity | Responsibility | Steps | |
| A. | Ensuring correct access | Data Steward |
|
| B. | Storing data | Data Steward |
|
| C. | Disposing of data | Data Steward |
|
| Activity | Responsibility | Steps | |
| A. | Reclassifying data | Data Steward |
|
| Activity | Responsibility | Steps | |
| A. | Approving data dispersal | Data Steward |
|
| Activity | Responsibility | Steps | |
| A. | Ensuring data usage is appropriate | Data Steward |
|
| Document Title | Location | Responsible Officer | Minimum Retention Period |
| Functional Design Document | The University’s approved records management system | Information Technology Services | 7 years after administrative use has concluded |
| Information Model (identifies relationships between major data entities and systems of record) | The University’s approved records management system | Information Technology Services | 7 years after administrative use has concluded |
| Migration plans and quality assurance checks for migrated data | The University’s approved records management system | Information Technology Services | 1 year after migration has been completed |
| System testing strategies, result forms and test reports | The University’s approved records management system | Information Technology Services | 7 years after administrative use has concluded |
| Classification | Examples |
Potential Impact (refer Level of Impact Table) |
| Public | Newsletter, education material created for public use, unit schedule, unit catalogue, campus brochure, campus map, annual report, published journal article | Negligible adverse impact to the University if disclosed |
| General Internal | Academic lecture notes, unit content distributed via sanctioned learning management systems | May cause minor impact on the reputation of the University, other organisation or individual |
| Protected |
Intellectual property, commercially sensitive research, personally identifiable sensitive information, credit/debit card details, disciplinary information, salary information, examination papers, binding contracts, HR personal evaluations, medical / health records Budget and financial data, de-identified clinical research information, curated data from research projects, audit reports, student academic records, student grades, strategy and planning documents, purchasing data |
Would cause exceptional damage to the University, staff or students if disclosed These records manage University functions or business activities where greater restrictions are required to protect the rights and interests of both the University and individuals, or to limit the University’s liabilities |
| Restricted | Confidential out-of-court settlements, records affecting national security, protected disclosures, security vulnerabilities |
Could cause physical harm to individuals or impact the University’s existence if disclosed These records manage University functions or business activities where wider dissemination would expose the University or individuals to significant risks or liabilities |
The goal of data security is to protect the confidentiality, integrity and availability of data assets. Data Classification reflects the level of impact to the University if confidentiality, integrity or availability of data is compromised:
| Potential Impact | |||
| Security objective | LOW | MODERATE | HIGH |
|
Confidentiality Preserving authorised restrictions on data access and disclosure, including the means for protecting personal privacy and propriety information |
The unauthorised disclosure of data could be expected to have a limited adverse effect on the University’s operations, assets or individuals | The unauthorised disclosure of data could be expected to have a serious adverse effect on the University operations, assets or individuals | The unauthorised disclosure of data could be expected to have a severe or catastrophic adverse effect on the University operations, assets or individuals |
|
Integrity Guarding against improper data modification or destruction and includes ensuring data non-repudiation and authenticity |
The unauthorised disclosure of data could be expected to have a limited adverse effect on the University’s operations, assets or individuals | The unauthorised disclosure of data could be expected to have a serious adverse effect on the University operations, assets or individuals | The unauthorised disclosure of data could be expected to have a severe or catastrophic adverse effect on the University operations, assets or individuals |
|
Availability Ensuring timely and reliable access to and use of data |
The disruption of access to or use of data or a data system could be expected to have a limited adverse effect on the University’s operations, assets or individuals | The disruption of access to or use of data or a data system could be expected to have a serious adverse effect on the University operations, assets or individuals | The disruption of access to or use of data or a data system could be expected to have a severe or catastrophic adverse effect on the University operations, assets or individuals |
| Classification | Access | Storage | Disposal |
| Public | Records are accessible by external parties from any location | Storage must be as per Section 4: Data Storage | Disposal must be as per Records Management Procedure |
| General Internal | Information is classified as General Internal by default unless reclassified by the creator; access to General Internal records and files is limited to University staff or other authorised personnel | Storage must be as per Section 4: Data Storage | Disposal must be as per Records Management Procedure |
| Protected |
Access to records and files requires authentication and password protection. Records accessible by only a limited number of authorised people. Records and portable storage devices should be stored in a secured (locked) location |
Storage must be as per Section 4: Data Storage | Disposal must be as per Records Management Procedure |
| Restricted |
Access to records and files requires authentication and password protection Record and file access must be protected and accessible by only senior management within the University Devices and records must be stored in a secured (locked) location |
Storage must be as per Section 4: Data Storage If data is to be moved, it must be encrypted |
Disposal must be as per Records Management Procedure |
This procedure supports and mandates the implementation of Section 2: Master Data Management and Research Data Management Procedure. It expands on the principles outlined in the policies as they relate to data management and provides guidance on the implementation and practical application of data storage solutions.
This procedure applies to all digital and digitised data produced, stored and/or utilised by members of the University’s community.
While partner provider organisations are supported through the use of specific University information technology systems, this procedure does not apply to electronic data created, managed or stored by these organisations.
- Federation University Australia Act 2010
- Information Privacy Act 2000 (Victoria)
- Electronic Transactions Act 2000 (Victoria)
- Public Record Act 1973 (Victoria)
- Privacy and Data Protection Act 2014
- Australian Copyright Act of 1968
- Evidence Act 1958 (Victoria)
- Australian Code for the Responsible Conduct of Research (2007)
- OECD Principles and Guidelines for Access to Research Data from Public Funding (2007)
- Australian Skills Quality Authority ASQA
- Higher Education Standards Framework (Threshold Standards) 2011
- Tertiary Education Quality and Standards Agency (TEQSA)
A complete list of definitions relevant to this procedure is contained within Section 2: Master Data Management.
A further list of definitions specifically relevant to this procedure is included below:
| Term | Definition |
| Cloud computing |
The delivery of on-demand computing resources over the internet with four options in terms of access and security: Private cloud – services and infrastructure maintained and managed by self or a third party which reduces potential security and control risks particularly in relation to sensitive data requirements e.g. data and applications are a core part of your business Community cloud – several organisations with similar security considerations share access to a private cloud e.g. a group of franchises who have their own private clouds which are hosted remotely in a private environment Public cloud – services are stored off-site, managed by an external organisation such as Google or Microsoft and accessed over the internet which offers the greatest level of flexibility and cost saving but more vulnerable than private clouds Hybrid cloud – takes advantage of both public and private cloud services and gain benefits by spreading options across different cloud models e.g. use public cloud for emails to save on large storage costs while keeping highly sensitive data safe and secure behind the firewall in a private cloud |
| Cloud-based applications | Software as a Service (SaaS), run on cloud computers that are owned and operated by others and connect to users’ computers via the internet and a web browser |
| Cloud-based environment | Platform as a service (PaaS) provides everything required to support the complete lifecycle of building and delivering web-based (cloud) applications, without the cost and complexity of buying and managing the underlying hardware, software, provisioning and hosting |
| Information Security Classification |
An Information Security Classification is assigned to a set of information after the creator (user) assesses the sensitivity and importance of the information. This classification determines the appropriate methods of storage and management for the information. Information Security Classifications include: Public – information that is publicly available and unlikely to impact on the reputation of the University, other organisation or individual e.g. academic calendar, unit outlines General Internal – University information that is not generally made publicly available and release of such information may cause minor impact on the reputation of the University, other organisation or individual e.g. academic lecture notes Protected – confidential University information with limited access with unauthorised disclosure, modification. Data that is released which could cause reputational harm or embarrassment to the University e.g. budget data, academic records, student grades, planning or purchasing documents Restricted – strictly confidential or sensitive University information restricted to individuals who are explicitly granted access with unauthorised disclosure, modification or destruction most likely to cause serious harm to the University, other organisation or individual, compromise Australia’s national security, national interests, economy, stability, integrity or damage international relations or defence e.g. research requiring ethics clearances, information relating to allegations of fraud |
| Metadata | Describes information about data, such that data can be discovered, understood, re-used and integrated with other data; information described in a metadata record includes where and when the data was collected, created, organised, transmitted (where applicable) and last updated and who is responsible, allowing correct attribution to the creators of the work |
| On-premise Storage | Refers to locations inside the University network which is controlled and managed by University Information Technology Services ITS staff and remains within the University network and security infrastructure |
| Activity | Responsibility | Steps | |
| A. | Checking data classification | Data Steward |
|
| B. | Determine compliance requirements | Data Steward |
|
| C. | Determining suitability of cloud storage | Data Steward |
|
| Activity | Responsibility | Steps | |
| A. | Protecting data | ITS |
|
| B. | Undertaking a risk assessment for prospective data storage | ITS |
|
| Activity | Responsibility | Steps | |
| A. | Storing Protected or Restricted data | Data Steward |
|
- Chief Operating Officer, Chief Operating Office is responsible for monitoring the implementation, outcomes and scheduled review of this procedure.
- Director, Information Technology Services is responsible for maintaining the content of this procedure as delegated by the Chief Operating Officer, Chief Operating Office.
- Manager, Enterprise Data is responsible for the administration support for the maintenance of this procedure as directed by the Director, Information Technology Services.
| Document Title | Location | Responsible Officer | Minimum Retention Period |
| Completed Risk Assessments | The University’s approved records management system | Information Technology Services | 7 years after administrative use has concluded |
| Agreements with Cloud Service | The University’s approved records management system | ITS / Legal | 7 years after expiry of agreement |
Prev
Up
Next