Information Management - Policy


1.0   Purpose and Scope

The University of Queensland (UQ) values information as a core strategic asset and will govern and manage it accordingly throughout its lifecycle. Effective information management ensures that the right information is available to the right person, in the right format and medium, at the right time. Information that enables UQ to perform its core functions is considered an asset.

This policy outlines expectations and requirements for the governance and management of information at UQ and is intended to enable UQ to:

  • improve the integration and accuracy of its information,
  • increase the impact of its research and scholarship,
  • improve its compliance and reduce risks associated with potential loss or misuse of information,
  • make better use of information in its decision-making processes,
  • provide a strong foundation for systematically managing its information assets, ensuring that information of strategic importance and high value is prioritised, and
  • obtain valuable knowledge through the increased discoverability and accessibility of its information.

1.1   Scope

The scope of the Information Management Policy includes the governance and management of UQ’s structured and unstructured information and data (physical, electronic or hybrid) that is collected and managed by UQ to perform its business functions and deliver its services.

This policy applies to consumers of UQ information and communications technology (ICT) resources and anyone creating or accessing UQ’s information assets, including but not limited to:

  • Students
  • Staff
  • Contractors and consultants
  • Visitors
  • Affiliates and third parties.

Consumers that are connected to UQ networks, systems or services must comply with this policy, irrespective of location or device ownership (e.g. consumers with personally-owned computers). Exceptions to this policy must be approved by the Chief Information Officer.

2.0   Principles and Key Requirements

Robust and effective information management at UQ:

  • provides for the creation, use and sharing of information in compliance with legislative requirements and mandatory standards,
  • helps to ensure that the right information is available to the right person, in the right format, at the right time, and
  • is fundamental to UQ’s functions and operations.

The principles and requirements in this policy are related and intended to be applied by consumers as a whole where possible.

2.1   Information is treated as an asset

Information management supports evidence of UQ decisions and activities, enables accountability and transparency, mitigates risk, and allows the University to operate. To achieve this, UQ ICT consumers must apply the following measures to their information management practices:

  • Clearly identify and classify all UQ information assets and allocate each one an Information Steward.
  • Maintain adequate information and records (as outlined in the Information Management Procedure) and capture this information in digital or physical management systems capable of meeting the requirements of this policy and its associated procedure.
  • Follow the Information Security Classification Procedure to classify all UQ information assets.
  • Manage information throughout the information lifecycle in accordance with the Information Governance and Management Framework.
  • Archive or preserve, and do not destroy, information with historic, permanent or long-term value.
  • Maintain information that is of high risk or high value in accordance with the Information Management Procedure; such information must not be destroyed without proper authorisation.
  • Assign appropriate custodian and stewardship roles and responsibilities to information assets.

Consumers should seek to ensure that digital information and records remain digital and are not converted to a physical format unless required (the 'born digital, stay digital' principle).

UQ will maintain facilities to enable efficient cataloguing, long term maintenance and discovery of information assets.

2.2   Information can be found and accessed

UQ facilitates the creation of large volumes of information. UQ consumers and members of the public should have access to relevant and appropriate UQ information where necessary. To achieve this:

  • Non-confidential information about UQ will be available to the public.
  • UQ will maintain procedures for responding to requests for information from the public.
  • UQ staff will have timely access to information required to undertake their official duties, as authorised in the Information Management Procedure.
  • UQ staff, students, contractors, consultants, visitors, affiliates and third parties who have access to UQ networks and services will not provide or share UQ records or information which are not in the public domain with unauthorised parties.

2.3   Information is suitable for all of its uses

The quality of information must support UQ’s strategic objectives of academic and research excellence. To achieve this, UQ ICT consumers should apply the following information management practices:

  • Administrative records should be created as soon as possible to document an event, decision or action.
  • The quality of information should be ensured at the point of collection and the information stored in a suitable location in an appropriate information management system. UQ will establish and maintain procedures for ensuring information quality.
  • Information recorded and captured should consider the primary purpose for which it is collected or created and its potential secondary uses. Information quality management should take into account potential future re-use of the information, which may not be known at the initial point of capture.

2.4   Information remains compliant

To strengthen its information and records management practices, UQ will:

  • Comply with records and information management requirements in laws, regulations, contracts and agreements applicable to its operations (refer to sections 6.2 and 6.3).
  • Adhere to best practices and standards where possible.
  • Establish and maintain records and information management guidelines and procedures.

Records cannot be destroyed until their retention period (as specified in the Retention and Disposal Schedules) has passed. In some instances, records must not be destroyed, even if the retention period has passed. This may occur when:

  • A Disposal Freeze is issued by Queensland State Archives,
  • The records are subject to legal processes such as discovery or subpoena,
  • The records are required for an internal or external investigation, or
  • The records are related to an application made under the Right to Information Act 2009.

This policy should be read in conjunction with other ICT policies and procedures and other UQ policies such as the Privacy Policy, as well as the Public Records Act 2002 (Qld) and the approved Records Retention and Disposal Schedules.

2.5   Information privacy, confidentiality and security are assured

To help protect UQ information and its consumers, UQ will:

  • Ensure all information is stored, accessed, managed and used in accordance with its information security classification.
  • Safeguard personal and sensitive information and maintain controls for the security of information as documented in the Cyber Security Policy.
  • Establish and maintain procedures for the secure and appropriate sharing of confidential information.
  • Preserve and maintain records to meet administrative, legal, fiscal and archival requirements and in accordance with at least the minimum requirements of the approved retention and disposal schedules.

3.0   Roles, Responsibilities and Accountabilities

Information management is the responsibility of all UQ consumers. Specifically, each information domain (e.g. Learning & Teaching, Research Management, or Human Resources) must have a designated Information Custodian, one or more Information Stewards, and one or more Information Service Providers. The Custodian and Steward roles will usually relate to the organisational hierarchy associated with the business functions primarily responsible for managing the domain’s data. These roles are explained in more detail in the Information Governance and Management Framework.

4.0   Monitoring, Review and Assurance

The CIO will ensure periodic review and monitoring of information management (including classification) is conducted to determine how well information management supports UQ’s business and strategic goals, and for its compliance with legislation. Results of this monitoring will be reported to the Information Technology Governance Committee (ITGC).

UQ’s Information Technology Governance Committee will review all ICT policies (three yearly) and procedures (annually) and ensure appropriate consultation is undertaken.

5.0   Recording and Reporting

UQ will meet its data retention obligations under the Telecommunications (Interception and Access) Act 1979 (Cth.), recognising that UQ will rely on the 'immediate circle' exclusion for any relevant services provided only to persons who are 'inherently connected to the functions of the University'.

6.0   Appendix

6.1   Definitions

Data - There is a subtle difference between data and information. Raw data is a term used to describe data in its most basic digital format. Data consists of raw, individual facts that need to be processed. When data is processed, combined with other data, organised, structured or presented in a given context, it is referred to as information.

Information – Includes, but is not limited to, physical (e.g. paper records) or digital files (e.g. email, voicemail, meeting minutes, video and audio recordings) in any format (e.g. PDF, .wav, .docx, or .jpeg) and data recorded by University applications (often in a database of some form).

Information Management - is a collection of capabilities delivered through people, processes and technology to ensure the confidentiality, integrity, availability, quality and security of UQ's information assets throughout their life cycle.

Information Governance - is a collection of practices and processes, which provides a formal framework to apply control through defined roles and responsibilities for the management of information and data assets throughout their information lifecycle.

Information Asset - A body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

Information domain – A broad category or theme under which University information can be identified and managed. UQ uses the Topics and Entities outlined in the CAUDIT Higher Education Data Reference Model, in the context of business capabilities and organisation structures, as a guide to determine appropriate information domains.

Information Standards - Define and promote best practice in the acquisition, development, management, support and use of information systems and technology infrastructure which support the business processes and service delivery of Queensland public authorities.

Structured data - Data that resides in a consistent field structure and includes data in formats such as relational databases and spreadsheets. This data is often generated during business transactions and is stored in a business information system, e.g. student data, financial data, research data.

Unstructured data - Data that does not have a pre-defined data model or a consistent field structure that is easily readable by machines, and includes formats such as audio, video and unstructured text. Unstructured data may have structured elements, e.g. the metadata associated with an email or an XML document.

Record - Information in any format that has been generated or received by UQ in the course of its activities, and which must be retained by UQ as evidence of its actions and decisions. A record can consist of one or more pieces of information that together form a record or context of the activity, action or event.

Retention and Disposal Schedules – Legally binding documents that have been authorised by Queensland State Archives, the authority on records governance for public entities such as UQ. They define the status, minimum retention periods and consequent disposal actions authorised for specific classes of records.

6.2   Related UQ Policies and Procedures

6.3   Related legislation

The University is required under the Queensland Government’s Information asset custodianship policy (IS44) to identify and register information assets and assign roles and responsibilities to information assets, to protect information in accordance with the Information security (IS18) information standard, to make full and accurate records in accordance with the Recordkeeping policy (IS40), and to lawfully dispose of records in accordance with the Retention and disposal of public records policy (IS31).

A full list of obligations can be found in the Information Governance and Management Framework.

Custodians
Chief Information Officer Mr Rob Moffatt

Procedures

Destruction of Records - Procedure


1.0   Purpose and Scope

The purpose of this procedure is to support effective management of records at The University of Queensland (UQ) by enabling the destruction of University records that satisfy certain conditions.

A University record can be an object in any format that displays recorded information showing evidence of the University’s decisions and actions whilst performing its various operations. Records can be “born digital”, e.g. email, electronic document, image, video, audio recording. They can also be “physical source records”, which means that they have a physical presence such as paper, folder, photograph, microform, USB drive, Compact Disc, etc. A digital copy of a physical source record can, in some cases, be transitioned to a Digitised Electronic Record (an electronic format produced through scanning or other technologies).

This procedure covers all records of the University of Queensland and describes the appropriate destruction criteria and procedures for their destruction including the approved process for transitioning physical source records to a Digitised Electronic Record.

This procedure applies to consumers of UQ information and communications technology (ICT) resources and anyone creating or accessing UQ’s information assets.

Consumers that are connected to UQ networks, systems or services must comply with this procedure, irrespective of location or device ownership (e.g. consumers with personally-owned computers).

Exceptions to this procedure must be approved by the Chief Information Officer.

2.0   Processes and Key Controls

The processes and key controls for determining the eligibility of records for destruction apply to both physical and digital records.

The University is subject to the Queensland Government’s:

Other key controls include the retention and disposal schedules authorised by Queensland State Archives:

The key points of action from these controls are illustrated below:

3.0   Key Requirements

3.1   Testing eligibility

All records regardless of format must be managed in accordance with the minimum legal retention requirements stated in the authorised retention and disposal schedules listed in section 2.0.

Only records that are classified as “temporary” and “expired” (past their legal minimum retention expiry date) will be eligible for destruction.

3.1.1   Exceptions

It is important to recognise that certain types of records are not eligible for consideration for destruction.

The following summarises the types of records that cannot be destroyed under any circumstances:

  1. Permanent records
  • Records described as having permanent retention value under a current retention and disposal schedule cannot be destroyed, even after digitisation.

  2. Records of intrinsic value

  These are significant physical source records to which any or all of the following qualities or characteristics apply:

  • Cannot be captured through digitisation.
  • Are of historical significance and of enduring value in their physical format.
  • Are classified as permanent retention in the authorised retention and disposal schedules that apply to UQ.
  • Are the surviving records of a significant event/disaster/incident which resulted in the destruction of records, with special qualities and characteristics that could be lost or diminished if the original source record is digitised, converted or migrated into another medium.
  • Provide explicit evidence specific to UQ in their current format.

  3. Information under Right to Information (RTI) or Information Privacy legislation requests

  • Records that are and/or have been requested as part of an application under Right to Information or Information Privacy legislation are not to be destroyed. Consultation with the UQ Right to Information team and/or the Records Management & Advisory Services (RMAS) team is required. Further information can be found within the General Retention and Disposal Schedule (GRDS).

  4. Records required for legal purposes

  • It is a breach of the Criminal Code Act 1899 to destroy records that are, or could reasonably be expected to be, required for a legal matter, whether current or anticipated at the time of destruction.
  • The lead agency for Government recordkeeping, Queensland State Archives, can impose a records disposal freeze. Under a disposal freeze, it is unlawful to destroy physical or electronic records outlined in the freeze directive.

3.1.2   Physical source records after digitisation

Physical source records that have been digitised only qualify for early destruction if the original is classified as of temporary value, and if the digitised version is held for the required retention period for that class of records.

Digitisation must follow a documented and auditable process that includes quality assurance measures. These include:

  • Scan or convert the physical source record to create an electronic copy in an approved digital format (e.g. .pdf, .jpg, .mp3, .mp4),
  • Confirm that the digital record is clearly legible and/or audible and fit-for-purpose,
  • Store the digital copy of the record in an approved record keeping system that includes the appropriate metadata (the RMAS team provides organisational units with advice on record keeping metadata requirements),
  • Store the original physical copy after digitisation in an ordered and secure state until a compliant digital record has been obtained, and
  • Follow the process outlined in sections 3.2, 3.3 and 3.4 until approval of their final destruction.

3.2   Assessing records

Organisational units need to determine and document records that are eligible for destruction.

To assist with determining the eligibility of University records for destruction a ‘Criteria Matrix’ resource is appended (refer to 7.1).

The ‘Criteria Matrix’ summarises the conditions referenced in the approved retention and disposal schedules to:

  • determine whether the records are categorised as temporary records, and to
  • understand the retention trigger conditions in order to calculate and confirm that the minimum retention requirements have been served.

RMAS provides advice and support to organisational units to assist with the correct translation of the requirements stated in the approved retention and disposal schedules.

3.3   Create evidence of destruction process

Regardless of the format of the time-expired records, it is mandatory under legislation to keep a record (log) of destruction activities.

  • Organisational units must document the records eligible for destruction and receive local organisational unit endorsement and delegated manager approval prior to carrying out destruction. Liaison with the RMAS team is also required and templates to assist are available in Section 7.2.
  • The destruction logs and their associated approvals, must always be kept and captured within UQ’s enterprise document and records management system, that is Micro Focus Content Manager (also known as TRIM).

3.4   Destruction of Records

3.4.1   Carrying out the destruction of physical source records

The destruction of physical source records must be carried out using a secure process unless the record had a security classification approved as ‘public’.

The RMAS team provides advice to organisational units on preferred confidential destruction services. These include:

  • For small volumes of paper records, local shredding equipment can be used.
  • For sizeable volumes of paper records, or records on small portable recording devices such as USB drives or compact discs, there are third-party providers for:
    • Medium volumes – supply and removal of in-office confidential destruction bins, and
    • Large volumes – an on-site mobile destruction service or an off-site destruction plant.

3.4.2   Destruction of digital records

As is the case for physical source records (refer to 3.4.1), the destruction of digital records must also be carried out using a documented, authorised and secure process. Organisational units can contact RMAS if they require assistance.

3.5   Documenting the Destruction of Records

3.5.1   University's Enterprise Document and Records Management System

The University’s enterprise document and records management system (Micro Focus Content Manager also known as TRIM) is designed with functionality that supports compliant destruction practices. It caters for the capture of electronic records, it facilitates the registration of the existence of physical records, and captures audit trails associated with records. The features include:

  • Inbuilt functionality to facilitate the application of the legal retention requirements, their assessment for eligibility and to enact secure destruction after approval.
  • When a physical record has been registered into ‘Micro Focus Content Manager’, the destruction also involves the process described in 3.4 above, as well as the digital destruction process within this database.
  • The system automatically retains evidence via metadata of destruction activities, plus audit trails and these histories are permanently captured.
  • Only authorised RMAS staff are able to activate final destruction functionality.

3.5.2   Other electronic systems of records

The University has many other systems of records. However, the destruction of records captured within these systems is not straight-forward.

Prior to destroying digital records that are not within Micro Focus Content Manager, UQ consumers are required to consult with the RMAS team for advice.

4.0   Roles, Responsibilities and Accountabilities

The roles and responsibilities outlined below are in addition to those defined in the Information Management Policy.

4.1   Vice-Chancellor and President

The Vice-Chancellor and President is responsible for ensuring that UQ complies with the Public Records Act 2002 (QLD), including the principles and standards established by the Queensland State Archives.

Responsibilities within this Act may be delegated, and authority is given to the Manager of Records Management for endorsement and approval of the final destruction activities of University records.

4.2   Chief Information Officer

The Chief Information Officer is responsible for:

  • Ensuring this procedure is reviewed every three years,
  • Ensuring RMAS is resourced to support this procedure.

4.3   Information Domain Custodian

Information Domain Custodians (Information Custodian) are responsible for ensuring that records under their domain are destroyed in accordance with this procedure.

This includes:

  • The delegation of responsibilities to Information Stewards as per section 4.4,
  • Assurance that measures are in place to support compliance, and
  • Record keeping compliance as defined in this procedure.

4.4   Information Stewards

Information Stewards are responsible for:

  • Providing assurance of the quality of digitised physical records,
  • Keeping destruction logs that includes destruction approvals,
  • Engaging with RMAS for:
    • Interpreting the retention requirements listed in the Queensland State Archives’ authorised retention and disposal schedules that apply to UQ.
    • Digitisation and metadata advice.
    • Records within University systems of records.

4.5   Manager of Records Management

  • The Manager of Records Management is responsible for authorising the destruction of UQ records as the delegate of the Vice-Chancellor and President.

4.6   Records Management and Advisory Services (RMAS)

RMAS staff are responsible for:

  • Supporting the destruction of UQ records under the supervision of the Manager of Records Management,
  • Assisting UQ Consumers with the processes documented in this procedure,
  • Advising UQ Consumers on best practices relating to Records Management,
  • Communicating to Information Stewards when a disposal freeze is issued or changes are made to the retention and disposal schedules,
  • Maintaining the disposal log and authorisation within an approved record keeping system as per 3.3,
  • Providing records management training programs to staff.

4.7   Managers and Supervisors

UQ managers and supervisors are responsible for ensuring their staff are disposing of records in accordance with this procedure.

4.8   UQ consumers

All UQ Consumers are responsible for complying with this procedure, ensuring records are kept for as long as they are legally required.

5.0   Monitoring, Review and Assurance

The Chief Information Officer (CIO) will ensure this procedure is reviewed every three years.

Information Stewards will ensure that documented quality assurance processes are in place to confirm legibility, audibility, readability and completeness prior to the destruction of physical records or digital records.

Areas under the responsibility of the Information Stewards will be subject to quality assurance checks and record keeping compliance audits. These checks and audits will be carried out in partnership with the authorised officer delegated by the Information Steward and the authorised Records Management and Advisory Services’ delegate.

6.0   Recording and Reporting

An annual status report summarising records destruction activities will be provided to the Information Technology Governance Committee (ITGC) by the Manager, Records Management and Advisory Services.

7.0   Appendix

7.1   Criteria Matrix

The following criteria can be used for assessing the eligibility of records for destruction:

For further guidance on:

  1. what information can be a “record”, see the advice provided by the lead agency for Queensland Government record keeping, Queensland State Archives: https://www.forgov.qld.gov.au/keep-and-manage-specific-records and https://www.forgov.qld.gov.au/decide-what-capture-and-how
  2. preferred digital record formats: https://www.forgov.qld.gov.au/digital-record-formats

For specific UQ advice contact Records Management and Advisory Services via UQCentralRecords@uq.edu.au

7.2   Resources

Source latest version from:  https://www.forgov.qld.gov.au/search-retention-and-disposal-schedule

  • PROCESS MAP – Destruction of Physical Paper Records (PPL Guideline Section)
  • TEMPLATE - Worksheet – Destruction Log and Approvals (PPL Form Section)

7.3   Related policies

7.4   Related legislation

  • Public Records Act 2002
  • Criminal Code Act 1899 (s.129)
  • Evidence Act 1995 (Cth)
  • Information Privacy Act 2009

8.0   Appendix - Definitions

Born Digital Records – Original records that have been initiated, created, transmitted/received within a digital environment. (e.g. email; email attachment)

Information Asset - A body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

Information Domain – a broad category or theme under which University information can be identified and managed. UQ uses the topics and entities outlined in the CAUDIT Higher Education Data Reference Model, in the context of business capabilities and organisation structures, as a guide to determine appropriate information domains.

Information Stewards - are responsible for the quality, integrity and use of an information asset on a day-to-day basis. An Information Steward may manage multiple information assets. The stewards are responsible for applying relevant policies, procedures and rules, including safeguarding the information from unauthorised access and abuse.

Information Domain Custodian (Information Custodian) - is responsible for defining and implementing safeguards to ensure the protection of information. This must be done in accordance with the relevant policies and procedures.

Physical Source Records - A physical source record has a material presence and consumes workplace space (e.g. paper, microfilm, compact disk, VHS tapes, etc).

Source records – Documents, records or files (either paper or electronic) that remain after they have been copied, converted or migrated from one format or system to another.

Digitisation – In the context of this procedure, digitisation refers to the process undertaken to scan paper source records to produce an accurate digital representation of the document in a pdf format.

Retention and Disposal Schedules – Legally binding documents that govern decisions about retention and disposal of records. These official documents, all to be read in-conjunction with each other, have been authorised by Queensland State Archives, the authority on record keeping governance for public entities such as UQ. The schedules provide descriptions and other contextual information around specific classes of records and state the legal minimum retention obligations based on the status of the class of record e.g. Temporary – dispose after 7 years from last action; Permanent – Retain permanently by the University.

Disposal vs Destruction – In this document disposal and destruction are used interchangeably. However, destruction is the more correct term when we refer to undertaking the irreversible action of destroying the records to make them irretrievable. Disposal can refer to actions where the records change ownership, such as the transfer of records to another entity outside of UQ e.g. Queensland State Archives, and the records remain intact and retrievable at their new location.

Metadata - Metadata is descriptive information about a record that typically includes the author, title of the record, creation date and changes along with disposal information. Record metadata enables disposal authentication.

RMAS - Records Management & Advisory Services is located within Information Technology Services (ITS) and is responsible for the strategic management of the University's recordkeeping systems and records of enduring value, for developing policies and for providing advice.

Custodians
Chief Information Officer Mr Rob Moffatt

Procedures

Access to UQ Documents - Procedures


1.0   Purpose and Scope

This procedure sets out the process for accessing documents held by The University of Queensland (UQ or the University).

Under the Right to Information Act 2009 (the RTI Act) and the Information Privacy Act 2009 (the IP Act), the community has a right to have access to information held by State Government departments and local and public authorities (including Queensland public universities), subject to limited exceptions, with a view to achieving more open, accountable and responsible government.

This procedure applies to all UQ staff (including any person employed or engaged by UQ in a permanent, contractual or voluntary arrangement) and applicants seeking to access University-held documents (including students, staff and third-party representatives).

This procedure does not apply to:

2.0   Process and Key Controls

As a Queensland public university, UQ is required to comply with legislative obligations under the RTI and IP Acts.

In accordance with its legislative obligations, UQ makes information available proactively, through:

Applicants seeking access to University-held information not publicly available must apply through a formal application under the RTI or IP Act.

3.0   Key Requirements

3.1   Administrative access schemes

UQ operates a number of administrative access schemes to facilitate access by UQ students and staff to their own personal information.

These schemes allow UQ students and staff to access a copy of their student or staff file, or their referee reports, except where the University considers the information to be confidential or otherwise exempt under the RTI or IP Act.

These administrative access schemes apply only to current students and staff, and their third-party representatives. Former students or staff seeking access to their personal information, or current students and staff seeking access to personal information not covered by the University’s administrative access schemes, must apply via a formal access application.

Patients of University clinics who are seeking access to their clinical files should contact the relevant clinic directly.

The UQ Right to Information and Privacy Coordinator is responsible for processing applications made under the University’s administrative access schemes, and applications will normally be processed within 20 business days. Applicants dissatisfied with the information provided to them under any of these schemes may make a formal access application (refer to section 3.2 of this procedure).

3.1.1   Access to student and staff files

Current students and staff can access a copy of their student or staff file. To apply for access to their file, students and staff must:

  • lodge a written request to the UQ Right to Information and Privacy Office via rtip@uq.edu.au;
  • include a copy of their current student or staff ID card; and
  • provide sufficient information regarding the documents required.

What can be applied for under this scheme:

  • Routine study or employment-related documents and information, as contained in the applicant’s student or staff file.

What can’t be applied for under this scheme:

  • Official UQ academic transcripts and testamurs (refer to the Degree certificates, transcripts and documents webpage for more information on ordering these).
  • Documents and information relating to complaints, appeals and/or misconduct matters (application for these must be made via a formal access application).

Where documents applied for under this scheme contain information considered to be confidential or otherwise exempt under the RTI or IP Act, such information will be redacted from the documents before release.

3.1.2   Access to referee reports (academic staff levels A-D)

Current academic staff who have applied for confirmation of continuing appointment or promotion (excluding professorial confirmation and promotion) may apply for access to their referee reports.

To apply for access to referee reports, staff members must:

  • lodge a written request to the UQ Right to Information and Privacy Office via rtip@uq.edu.au;
  • include a copy of their current staff ID card; and
  • provide sufficient information regarding which referee reports are required.

Access under this scheme will only be granted where the referee has consented to the release of the report to the staff member. Where the University does not hold the relevant consents, application for these reports must be made via a formal access application.

3.1.3   Access to information by third parties

Third parties, typically solicitors and insurers, may apply for access to the personal information of their client (or the claimant, where applicable).

To apply for access to the information, third parties must:

  • lodge a written request to the UQ Right to Information and Privacy Office via rtip@uq.edu.au;
  • include a signed written authorisation from the individual to whose personal information access is sought; and
  • provide sufficient information regarding the information to which access is sought.

The requested information must be within the scope of the relevant authorisation.


The scope of information accessible under this scheme is the same as for access to student and staff files outlined under section 3.1.1 of this procedure (but also extends to patients of UQ Health and Rehabilitation Clinics). Where access is sought to information and/or documents that are outside of the provisions of this scheme, a formal access application may be made.

3.2   Formal access applications

A formal access application for University-held documents under the RTI and IP Acts can be made if access to the information is not available through UQ’s publication scheme or administrative access schemes.

3.2.1   Under which Act should documents be applied for?

Applications made under the RTI Act are appropriate for:

  • Documents of the University not containing the applicant’s personal information.
  • Documents of the University where some (but not all) of the documents contain the applicant’s personal information.

Applications made under the IP Act are appropriate for documents of the University that contain the applicant’s personal information.

3.2.2   Valid applications

A formal access application under the RTI or IP Act must:

  • be made in writing to the UQ Right to Information and Privacy Office (preferably via rtip@uq.edu.au) on the approved application form;
  • contain sufficient information to enable the relevant documents to be identified; and
  • state a contact address to which correspondence can be sent.

In addition to the above:

  • Applications made under the RTI Act must be accompanied by payment of the application fee as set out in the Right to Information Regulation 2009.
  • If the application is for documents where some or all of the documents contain the applicant’s personal information, the application must also be accompanied by evidence of the applicant’s identity, as set out in the Information Privacy Regulation 2009.
  • Where an agent is making application on behalf of an applicant, and the application is for documents where some or all of the documents contain the applicant’s personal information, the application must also be accompanied by:
    • evidence of the agent’s identity, as set out in the Information Privacy Regulation 2009; and
    • evidence of the agent’s authority to act on the applicant’s behalf.

There is no application fee for applications made under the IP Act.

3.2.3   Processing RTI and IP applications

RTI and IP applications will be processed in accordance with the provisions of the RTI and IP Acts.

3.3   Review of decisions

The RTI and IP Acts provide that an applicant who is dissatisfied with certain decisions made in relation to their application may apply to the University for internal review, and/or may apply to the Office of the Information Commissioner for external review. Applications for review must be made within 20 business days of the decision. 

Applications for internal review must be made in writing to the UQ Right to Information and Privacy Office (preferably via rtip@uq.edu.au).

Applications for external review must be made in writing to the Office of the Information Commissioner.

4.0   Roles, Responsibilities and Accountabilities

4.1   UQ Right to Information and Privacy Office

The UQ Right to Information and Privacy Office is responsible for administering UQ’s administrative access schemes and its obligations under the RTI and IP Acts.

The functions of the UQ Right to Information and Privacy Office include:

  • processing applications made to UQ under its administrative access schemes;
  • dealing with applications made to UQ under the RTI and IP Acts, in accordance with the delegation from the Vice-Chancellor and President; and
  • advising UQ staff on right to information and privacy-related matters.

4.2   Decision-makers

As the University's principal officer, the Vice-Chancellor has powers and responsibilities under the RTI and IP Acts. This includes the responsibility to deal with access applications. The Vice-Chancellor may delegate this responsibility, generally or in a particular case, to another officer of the University.

The Vice-Chancellor has made the following delegations:

  • The responsibility for processing any access application made to the University under the RTI or IP Act to –
    • the UQ Right to Information and Privacy Coordinator
    • the Manager, Enterprise Governance.
  • The responsibility to deal with any application to the University for internal review made under the RTI or IP Act to –
    • the Chief Operating Officer.

5.0   Monitoring, Review and Assurance

The UQ Right to Information and Privacy Office is responsible for:

  • monitoring UQ’s compliance with its obligations under the RTI and IP Acts;
  • reviewing this procedure as required to ensure –
    • its currency and accuracy; and
    • that UQ’s processes comply with requirements under relevant legislation; and
  • providing sufficient training opportunities and awareness-raising materials to enable UQ staff to meet their obligations under this procedure.

6.0   Recording and Reporting

The UQ Right to Information and Privacy Office is responsible for:

  • recording all requests for information made under this procedure; and 
  • providing management with an Annual Report on UQ’s compliance with the RTI and IP Acts.

The UQ Right to Information and Privacy Office also reports annually to the Department of Justice and Attorney-General in relation to the operation of the RTI and IP Acts by the University.

7.0   Appendix 

7.1   Definitions

Document - for the purposes of the RTI and IP Acts, the term document is very broad and includes:

  • any paper or other material on which there is writing; and
  • any paper or other material on which there are marks, figures, symbols or perforations having a meaning for a person qualified to interpret them; and
  • any disc, tape or other article or any material from which sounds, images, writings or messages are capable of being produced or reproduced (with or without the aid of another article or device).

Document in the possession or control of the University - a document will be considered to be in the possession or control of the University if it:

  • was created in, or received by the University;
  • is a document which the University is entitled to access; or
  • is a document in the possession or under the control of an officer of the University in that officer’s official capacity.

Independent organisations - independent organisations include residential colleges (other than UQ Gatton Halls of Residence), staff and student unions and the sports associations.

Personal information - any information about an identified or identifiable individual. In the University context, examples of personal information include:

  • home address, home telephone number, date of birth, marital status, next of kin;
  • salaries and wages of University staff;
  • all information concerning students, their enrolment, academic performance and their personal welfare (such as medical matters) and records of an individual student’s library borrowings;
  • information concerning persons who apply to the University for appointment or admission;
  • information collected from or concerning human research subjects; and
  • photographs and CCTV footage of individuals.
Custodians
Chief Information Officer Mr Rob Moffatt

Procedures

Information Security Classification - Procedure


1.0   Purpose and Scope

This procedure outlines information security classification requirements for information, both digital and/or physical, at The University of Queensland (UQ) and should be read in conjunction with the Information Management Policy and the Information Governance and Management Framework. This procedure applies to:

  • All data or information that is created, collected, stored or processed by UQ, in electronic or physical formats.
  • All UQ staff and those contracted by UQ who are authorised to access UQ information.

The objectives of this procedure are to:

  • Provide for a consistent approach to the management of UQ information in all formats, including electronic and physical records.
  • Provide guidance for evaluating UQ information and applying the appropriate security classification.
  • Ensure UQ information security classifications are informed by confidentiality, integrity and availability requirements.
  • Protect and manage UQ information in accordance with relevant UQ policies and regulatory requirements.

2.0   Process and Key Controls

  1. Information Creators (as defined in the Information Governance and Management Framework) that create UQ information or receive information from an external third party must apply a security classification to the information (as specified in section 3.1 of this procedure).
  2. Information Stewards (as defined in the Information Governance and Management Framework) must ensure an appropriate information security classification has been assigned to the information within the respective data (sub) domain.
  3. Where UQ information is shared with external parties, there is an expectation that the third party will apply equivalent controls as per its information security classification.
  4. UQ information that is classified SENSITIVE and PROTECTED must not be stored using:
    • Non-UQ accounts on external storage services (e.g. Dropbox, Google Drive, Trello).
    • USB drives, CDs or DVDs.
    • Unsecure physical storage (e.g. paper records left on desks).
    • Local hard drives.

3.0   Key Requirements

3.1   Information Security Classifications

Information Creators are responsible for applying information security classifications to UQ information, taking into account the confidentiality, integrity and availability requirements of that information:

  • Information Confidentiality – Ensure the information is only accessible to authorised UQ consumers. Consider the risks associated with unauthorised or inappropriate disclosure of the information.
  • Information Integrity – Ensure the quality, completeness and accuracy of the information. Consider the risks associated with changes to the information.
  • Information Availability – Ensure the information is available in the right format when it is needed. Consider the risks associated with information not being available or accessible.

Image 1 – Determining an Information Security Classification

3.1.1   OFFICIAL - PUBLIC

UQ information that is publicly available. OFFICIAL – PUBLIC information is stored and managed by UQ to ensure information integrity.

Examples of OFFICIAL – PUBLIC information include:

  • The UQ Strategy.
  • Published course outlines.
  • Academic calendar.

3.1.2   OFFICIAL - INTERNAL (Default)

UQ information that is not publicly available but unlikely to cause harm to UQ, another organisation or an individual if released publicly.

Examples of OFFICIAL – INTERNAL information include:

  • Personal details of staff members or students (e.g. employee number or position title), excluding details with a high risk of being used for identity theft, or medical or other details likely to cause serious harm to individuals.
  • Internal correspondence (e.g. work-related emails between staff members about the allocation of work task).

3.1.3   SENSITIVE

UQ information that is not publicly available and could reasonably be expected to cause harm to UQ, another organisation or an individual if publicly released. Access to sensitive information is limited to authorised UQ consumers as outlined in section 3.4 (Access to UQ Information). Information with a SENSITIVE security classification should be labelled appropriately.

Sensitive information must be stored with security mechanisms in place to prevent unauthorised access. For example, digital records should be stored in locations that require authentication (username and password) and enforce role-based access controls, and physical records should be stored in locked cabinets or drawers.

Equivalent access restrictions (e.g. username and password protection of the shared location or file) should be applied when transmitting sensitive information electronically.

Examples of SENSITIVE information include:

  • Business documents such as budgets, business cases and project plans.
  • Raw research data, excluding personal or medical data.
  • Personal details of staff or students with a high risk of being used for identity theft (e.g. Tax File Numbers, passport details, bank account details), or medical or other details likely to cause harm to individuals.
  • Unpublished research that may be used by UQ for commercial purposes.

3.1.4   PROTECTED

UQ information that is not publicly available and must be kept confidential. The unauthorised disclosure, modification or destruction of protected information could reasonably be expected to cause serious harm to UQ, another organisation or an individual.

Protected information must be:

  • Labelled with a ‘PROTECTED’ marking in capital letters (for printed information this should be placed at the top and bottom of each page, approximately 5mm (or 20pt) height).
  • Protected against unauthorised access (both physically and digitally), ensuring its confidentiality, integrity and availability are protected.

Examples of PROTECTED information include:

  • Security tokens and credentials used for access control and encryption.
  • Commercially valuable intellectual property.
  • Highly sensitive communications between UQ and government agencies.
  • Legal documents relating to highly sensitive litigation cases.

Compilations of information which are individually classified as OFFICIAL – INTERNAL or SENSITIVE may collectively be classed as PROTECTED.

3.1.5   National Security Information (NSI)

Anyone handling national security information, classified material or systems considered to have confidentiality requirements above PROTECTED should refer to the Australian Government Protective Security Policy Framework (PSPF) and contact the Security and Counter-Terrorism Group in the Queensland Police Service. Telephone 07 3364 4549 or email counter.terrorism@police.qld.gov.au.

The source of most NSI is the federal government and the Information Creator will be aware of the classification.

3.1.6   Information Security Classification Matrix

The information security classification matrix (section 8.1) helps Information Creators and other Information Management roles determine security classifications and minimum handling requirements.

3.2   Information Reclassification

Information may be reclassified if its confidentiality changes, or if the information was incorrectly classified. Any protective marking must be amended to indicate the new classification.

3.3   Information Assets Held by UQ

The Information Asset Register contains all information domains and the relevant security classification. The default classification may be overridden for sub-elements of the assets recorded in the register. Information systems processing or storing information assets will have security controls according to the security classification and business criticality of the asset.

3.4   Access to UQ Information

UQ encourages the sharing of information assets in pursuit of organisational objectives. UQ staff and students are provided with access to UQ information in order to carry out their activities.

 UQ consumers’ access to UQ information is determined by the Information Service Provider as advised by Information Custodians or Stewards and based on the information’s security classification. Where there are confidentiality or legislative constraints, access to information is restricted accordingly.

Classification: OFFICIAL – PUBLIC
Access procedure: Information Service Providers will grant access to this information.

Classification: OFFICIAL – INTERNAL (Default)
Access procedure: Information Service Providers will grant access to this information in accordance with processes for the information domain (as determined by the Information Steward and Custodian(s)). Where processes for this information have not been defined by the Information Steward or Custodian(s), the Information Service Provider will limit access to UQ staff by default. Information that has not been given a security classification will be considered OFFICIAL – INTERNAL by default.

Classification: SENSITIVE
Access procedure: Information Service Providers will grant access to this information in accordance with processes for the information domain (as determined by the Information Steward and Custodian(s)). The Information Service Provider will inform the Information Steward when access has been granted.

Classification: PROTECTED
Access procedure: Information Service Providers will only grant access to this information where authorisation has been provided by the Information Steward of the domain.

4.0   Roles, Responsibilities and Accountabilities

4.1   Information Creators

UQ Information Creators who capture or create information are responsible for:

  • Classifying the information in accordance with this procedure and any rules or procedures specified by the Information Domain Custodian.
  • Ensuring that the information is appropriately labelled with a protective marking (if necessary).
  • Managing and storing the information in line with its security classification.

See ‘Appendix 8.1 – Information Security Classification Matrix’, which summarises the classifications for Information Creators based upon the content of section 3.1.

4.2   Other Information Management Roles

The roles and responsibilities of Information Service Providers, Information Stewards and Information Custodians are detailed in the Information Governance and Management Framework.

4.3   Information Consumer

UQ Information Consumers are responsible for using the data and information they require in the manner defined in the Information Governance and Management Framework.

5.0   Monitoring, Review and Assurance

The Chief Information Officer (CIO) will ensure periodic review and monitoring of information management (including classification) is conducted to determine how well information management supports UQ’s business and strategic goals, and for its compliance with legislation.

6.0   Recording and Reporting

UQ’s Information Asset Register will be used to record:

  • Information Custodians, Stewards and security classifications for each UQ information domain.
  • Information security classifications of UQ Information Assets (as a minimum, UQ Information Assets will be assigned a classification based on the highest classification rating of the information held).

The Information Technology Services Division will provide the Information Technology Governance Committee with regular reports on the Information Asset Register.

7.0   Transitional Arrangements

The UQ Enterprise Data Governance Program is developing operational models, training and detailed data handling guidelines to support this procedure. Please consult the Enterprise Data Governance Program for further information and guidance related to this procedure.

8.0   Appendix

8.1   Information Security Classification Matrix

The matrix below summarises classifications described in section 3.1 to enable an easy lookup for Information Creators and other Information Management roles to help determine classifications and minimum handling requirements:

8.2   Definitions

Information – Includes, but is not limited to, physical (e.g. paper records) or digital files (e.g. email, voicemail, meeting minutes, video and audio recordings) in any format (e.g. PDF, .wav, .docx, or .jpeg) and data recorded by UQ applications (often in a database of some form).

Information Asset – A body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

Information domain – A broad category or theme under which UQ information can be identified and managed. UQ uses the Topics and Entities outlined in the CAUDIT Higher Education Data Reference Model, in the context of business capabilities and organisation structures, as a guide to determine appropriate information domains.

Information Standards – Define and promote best practice in the acquisition, development, management, support and use of information systems and technology infrastructure which support the business processes and service delivery of Queensland public authorities.

Record – Information in any format that has been generated or received by UQ in the course of its activities, and which must be retained by UQ as evidence of its actions and decisions. A record can consist of one or more pieces of information that together form a record or context of the activity, action or event.

8.3   Related Policies and Procedures

Information Management Policy

Information Governance and Management Framework

Cyber Security Incident Management Procedure

Cyber Security Policy

Privacy Policy

Research Data Management Policy

Destruction of Records Procedure

8.4   Reference material

Queensland Government Information Security Policy (IS18:2018)

Queensland Government Information Security Classification Framework

Queensland Government Records Governance Policy

University Sector Retention and Disposal Schedule

General Retention and Disposal Schedule (GRDS)

Custodians
Chief Information Officer Mr Rob Moffatt

Forms


Destruction Log and Approvals - Form

Description: Request for approval for the destruction of eligible, legally time-expired records.

Custodians
Chief Information Officer Mr Rob Moffatt
Destruction of Physical Paper Records - Process Map Guideline

Description: Process map for the destruction of physical paper records.

PLEASE NOTE: For full details on records disposal obligations please refer to the Destruction of Records - Procedure.

Custodians
Chief Information Officer Mr Rob Moffatt