Information Management - Policy

1.0   Purpose and Scope

The University of Queensland (UQ) values information as a core strategic asset and will govern and manage it accordingly throughout its lifecycle. Effective information management ensures that the right information is available to the right person, in the right format and medium, at the right time. Information that enables UQ to perform its core functions is considered an asset.

This policy outlines expectations and requirements for the governance and management of information at UQ and is intended to enable UQ to:

  • improve the integration and accuracy of its information,
  • increase the impact of its research and scholarship,
  • improve its compliance and reduce risks associated with potential loss or misuse of information,
  • make better use of information in its decision-making processes,
  • provide a strong foundation for systematically managing its information assets, ensuring that information of strategic importance and high value is prioritised, and
  • obtain valuable knowledge through the increased discoverability and accessibility of its information.

1.1   Scope

The scope of the Information Management Policy includes the governance and management of UQ’s structured and unstructured information and data (physical, electronic or hybrid) that is collected and managed by UQ to perform its business functions and deliver its services.

This policy applies to consumers of UQ information and communications technology (ICT) resources and anyone creating or accessing UQ’s information assets, including but not limited to:

  • Students
  • Staff
  • Contractors and consultants
  • Visitors
  • Affiliates and third parties.

Consumers that are connected to UQ networks, systems or services must comply with this policy, irrespective of location or device ownership (e.g. consumers with personally-owned computers). Exceptions to this policy must be approved by the Chief Information Officer.

2.0   Principles and Key Requirements

Robust and effective information management at UQ:

  • provides for the creation, use and sharing of information in compliance with legislative requirements and mandatory standards,
  • helps to ensure that the right information is available to the right person, in the right format, at the right time, and
  • is fundamental to UQ’s functions and operations.

The principles and requirements in this policy are related and intended to be applied by consumers as a whole where possible.

2.1   Information is treated as an asset

Information management provides evidence of UQ decisions and activities, enables accountability and transparency, mitigates risk, and allows the business to operate. To achieve this, UQ ICT consumers must apply the following measures to their information management practices:

  • All UQ information assets must be clearly identified and classified, and allocated an Information Steward.
  • Maintain adequate information and records (as outlined in the Information Management Procedure) and capture this information in digital or physical management systems capable of meeting the requirements of this policy and its associated procedure.
  • Follow the Information Security Classification Procedure to classify all UQ information assets.
  • Manage information throughout the information lifecycle in accordance with the Information Governance and Management Framework.
  • Information with historic, permanent or long-term value will be archived or preserved, and not destroyed.
  • Information that is of high risk or high value will be maintained in accordance with the Information Management Procedure and must not be destroyed without proper authorisation.
  • Appropriate custodian and stewardship roles and responsibilities are assigned to information assets.

Consumers should ensure that digital information and records remain digital and are not converted to a physical format unless required (the 'born digital, stay digital' principle).

UQ will maintain facilities to enable efficient cataloguing, long term maintenance and discovery of information assets.

2.2   Information can be found and accessed

UQ facilitates the creation of large volumes of information. UQ consumers and members of the public should have access to relevant and appropriate UQ information where necessary. To achieve this:

  • Non-confidential information about UQ will be available to the public.
  • UQ will maintain procedures for responding to requests for information from the public.
  • UQ staff will have timely access to information required to undertake their official duties, as authorised in the Information Management Procedure.
  • UQ staff, students, contractors, consultants, visitors, affiliates and third parties who have access to UQ networks and services will not provide or share UQ records or information which are not in the public domain with unauthorised parties.

2.3   Information is suitable for all of its uses

The quality of information must support UQ’s strategic objectives of academic and research excellence. To achieve this, UQ ICT consumers should apply the following information management practices:

  • Administrative records should be created as soon as possible to document an event, decision or action.
  • The quality of information should be ensured at the point of collection and the information stored in a suitable location in an appropriate information management system. UQ will establish and maintain procedures for ensuring information quality.
  • Information recorded and captured should consider the primary purpose for which it is collected or created and its potential secondary uses. Information quality management should take into account potential future re-use of the information, which may not be known at the initial point of capture.

2.4   Information remains compliant

To strengthen its information and records management practices, UQ will:

  • Comply with records and information management requirements in laws, regulations, contracts and agreements applicable to its operations (refer to sections 6.2 and 6.3).
  • Adhere to best practices and standards where possible.
  • Establish and maintain records and information management guidelines and procedures.

Records cannot be destroyed until their retention period (as specified in the Retention and Disposal Schedules) has passed. In some instances, records must not be destroyed, even if the retention period has passed. This may occur when:

  • A Disposal Freeze is issued by Queensland State Archives,
  • The records are subject to legal processes such as discovery or subpoena,
  • The records are required for an internal or external investigation, or
  • The records are related to an application made under the Right to Information Act 2009.

This policy should be read in conjunction with other ICT policies and procedures and with other UQ policies and instruments such as the Privacy Policy, the Public Records Act 2002 (Qld) and the approved Records Retention and Disposal Schedules.

2.5   Information privacy, confidentiality and security are assured

To help protect UQ information and its consumers, UQ will:

  • Ensure all information is stored, accessed, managed and used in accordance with its information security classification.
  • Safeguard personal and sensitive information and maintain controls for the security of information as documented in the Cyber Security Policy.
  • Establish and maintain procedures for the secure and appropriate sharing of confidential information.
  • Preserve and maintain records to meet administrative, legal, fiscal and archival requirements, and in accordance with at least the minimum requirements of the approved retention and disposal schedules.

3.0   Roles, Responsibilities and Accountabilities

Information management is the responsibility of all UQ consumers. Specifically, each information domain (e.g. Learning & Teaching, Research Management, or Human Resources) must have a designated Information Custodian, one or more Information Stewards, and one or more Information Service Providers. The Custodian and Steward roles will usually relate to the organisational hierarchy associated with the business functions primarily responsible for managing the domain’s data. These roles are explained in more detail in the Information Governance and Management Framework.

4.0   Monitoring, Review and Assurance

The CIO will ensure periodic review and monitoring of information management (including classification) is conducted to determine how well information management supports UQ’s business and strategic goals, and for its compliance with legislation. Results of this monitoring will be reported to the Information Technology Governance Committee (ITGC).

UQ’s Information Technology Governance Committee will review all ICT policies (three yearly) and procedures (annually) and ensure appropriate consultation is undertaken.

5.0   Recording and Reporting

UQ will meet its data retention obligations under the Telecommunications (Interception and Access) Act 1979 (Cth.), recognising that UQ will rely on the 'immediate circle' exclusion for any relevant services provided only to persons who are 'inherently connected to the functions of the University'.

6.0   Appendix

6.1   Definitions

Data - There is a subtle difference between data and information. Raw data is a term used to describe data in its most basic digital format. Data consists of raw, individual facts that need to be processed. When data is processed, combined with other data, organised, structured or presented in a given context, it is referred to as information.

Information – Includes, but is not limited to, physical (e.g. paper records) or digital files (e.g. email, voicemail, meeting minutes, video and audio recordings) in any format (e.g. PDF, .wav, .docx, or .jpeg) and data recorded by University applications (often in a database of some form).

Information Management - is a collection of capabilities delivered through people, processes and technology to ensure the confidentiality, integrity, availability, quality and security of our information assets throughout their life cycle.

Information Governance - is a collection of practices and processes, which provides a formal framework to apply control through defined roles and responsibilities for the management of information and data assets throughout their information lifecycle.

Information Asset - A body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

Information domain – A broad category or theme under which University information can be identified and managed. UQ uses the Topics and Entities outlined in the CAUDIT Higher Education Data Reference Model, in the context of business capabilities and organisation structures, as a guide to determine appropriate information domains.

Information Standards - Define and promote best practice in the acquisition, development, management, support and use of information systems and technology infrastructure which support the business processes and service delivery of Queensland public authorities.

Structured data - Data that resides in a consistent field structure and includes data in formats such as relational databases and spreadsheets. This data is often generated during business transactions and is stored in a business information system, e.g. student data, financial data, research data.

Unstructured data - Data that does not have a pre-defined data model or a consistent field structure that is easily readable by machines, and includes formats such as audio, video and unstructured text. Unstructured data may have structured elements, e.g. the metadata associated with an email or an XML document.

Record - Information in any format that has been generated or received by UQ in the course of its activities, and which must be retained by UQ as evidence of its actions and decisions. A record can consist of one or more pieces of information that together form a record or context of the activity, action or event.

Retention and Disposal Schedules – Legally binding documents that have been authorised by Queensland State Archives, the authority on records governance for public entities such as UQ. They define the status, minimum retention periods and consequent disposal actions authorised for specific classes of records.

6.2   Related UQ Policies and Procedures

6.3   Related legislation

The University is required under the Queensland Government’s Information asset custodianship policy (IS44) to identify and register information assets and assign roles and responsibilities to them, to protect information in accordance with the Information security (IS18) information standard, to make full and accurate records in accordance with the Recordkeeping policy (IS40), and to lawfully dispose of records in accordance with the Retention and disposal of public records policy (IS31).

A full list of obligations can be found in the Information Governance and Management Framework.

Custodians
Chief Information Officer Mr Rob Moffatt

Procedures

Access to UQ Documents - Procedures


1.0   Purpose and Scope

This procedure sets out the process for accessing documents held by The University of Queensland (UQ or the University).

Under the Right to Information Act 2009 (the RTI Act) and the Information Privacy Act 2009 (the IP Act), the community has a right of access to information held by State Government departments and local and public authorities (including Queensland public universities), subject to limited exceptions, with a view to achieving more open, accountable and responsible government.

This procedure applies to all UQ staff (including any person employed or engaged by UQ in a permanent, contractual or voluntary arrangement) and applicants seeking to access University-held documents (including students, staff and third-party representatives).

This procedure does not apply to:

2.0   Process and Key Controls

As a Queensland public university, UQ is required to comply with legislative obligations under the RTI and IP Acts.

In accordance with its legislative obligations, UQ makes information available proactively, through:

Applicants seeking access to University-held information not publicly available must apply through a formal application under the RTI or IP Act.

3.0   Key Requirements

3.1   Administrative access schemes

UQ operates a number of administrative access schemes to facilitate access by UQ students and staff to their own personal information.

These schemes allow UQ students and staff to access a copy of their student or staff file, or their referee reports, except where the University considers the information to be confidential or otherwise exempt under the RTI or IP Act.

These administrative access schemes apply only to current students and staff, and their third-party representatives. Former students or staff seeking access to their personal information, or current students and staff seeking access to personal information not covered by the University’s administrative access schemes, must apply via a formal access application.

Patients of University clinics who are seeking access to their clinical files should contact the relevant clinic directly.

The UQ Right to Information and Privacy Coordinator is responsible for processing applications made under the University’s administrative access schemes, and applications will normally be processed within 20 business days. Applicants dissatisfied with the information provided to them under any of these schemes may make a formal access application (refer to section 3.2 of this procedure).

3.1.1   Access to student and staff files

Current students and staff can access a copy of their student or staff file. To apply for access to their file, students and staff must:

  • lodge a written request to the UQ Right to Information and Privacy Office via rtip@uq.edu.au;
  • include a copy of their current student or staff ID card; and
  • provide sufficient information regarding the documents required.

What can be applied for under this scheme:

  • Routine study or employment-related documents and information, as contained in the applicant’s student or staff file.

What can’t be applied for under this scheme:

  • Official UQ academic transcripts and testamurs (refer to the Degree certificates, transcripts and documents webpage for more information on ordering these).
  • Documents and information relating to complaints, appeals and/or misconduct matters (application for these must be made via a formal access application).

Where documents applied for under this scheme contain information considered to be confidential or otherwise exempt under the RTI or IP Act, such information will be edited from the documents.

3.1.2   Access to referee reports (academic staff levels A-D)

Current academic staff who have applied for confirmation of continuing appointment or promotion (excluding professorial confirmation and promotion) may apply for access to their referee reports.

To apply for access to referee reports, staff members must:

  • lodge a written request to the UQ Right to Information and Privacy Office via rtip@uq.edu.au;
  • include a copy of their current staff ID card; and
  • provide sufficient information regarding which referee reports are required.

Access under this scheme will only be granted where the referee has consented to the release of the report to the staff member. Where the University does not hold the relevant consents, application for these reports must be made via a formal access application.

3.1.3   Access to information by third parties

Third parties, typically solicitors and insurers, may apply for access to the personal information of their client (or the claimant, where applicable).

To apply for access to the information, third parties must:

  • lodge a written request to the UQ Right to Information and Privacy Office via rtip@uq.edu.au;
  • include a signed written authorisation from the individual to whose personal information access is sought; and
  • provide sufficient information regarding the information to which access is sought.

The requested information must be within the scope of the relevant authorisation.

The scope of information accessible under this scheme is the same as for access to student and staff files outlined under section 3.1.1 of this procedure (but also extends to patients of UQ Health and Rehabilitation Clinics). Where access is sought to information and/or documents that are outside the provisions of this scheme, a formal access application may be made.

3.2   Formal access applications

A formal access application for University-held documents under the RTI and IP Acts can be made if access to the information is not available through UQ’s publication scheme or administrative access schemes.

3.2.1   Under which Act should documents be applied for?

Applications made under the RTI Act are appropriate for:

  • Documents of the University not containing the applicant’s personal information.
  • Documents of the University where some (but not all) of the documents contain the applicant’s personal information.

Applications made under the IP Act are appropriate for documents of the University that contain the applicant’s personal information.

3.2.2   Valid applications

A formal access application under the RTI or IP Act must:

  • be made in writing to the UQ Right to Information and Privacy Office (preferably via rtip@uq.edu.au) on the approved application form;
  • contain sufficient information to enable the relevant documents to be identified; and
  • state a contact address to which correspondence can be sent.

In addition to the above:

  • Applications made under the RTI Act must be accompanied by payment of the application fee as set out in the Right to Information Regulation 2009.
  • If the application is for documents where some or all of the documents contain the applicant’s personal information, the application must also be accompanied by evidence of the applicant’s identity, as set out in the Information Privacy Regulation 2009.
  • Where an agent is making application on behalf of an applicant, and the application is for documents where some or all of the documents contain the applicant’s personal information, the application must also be accompanied by:
    • evidence of the agent’s identity, as set out in the Information Privacy Regulation 2009; and
    • evidence of the agent’s authority to act on the applicant’s behalf.

There is no application fee for applications made under the IP Act.

3.2.3   Processing RTI and IP applications

RTI and IP applications will be processed in accordance with the provisions of the RTI and IP Acts.

3.3   Review of decisions

The RTI and IP Acts provide that an applicant who is dissatisfied with certain decisions made in relation to their application may apply to the University for internal review, and/or may apply to the Office of the Information Commissioner for external review. Applications for review must be made within 20 business days of the decision.

Applications for internal review must be made in writing to the UQ Right to Information and Privacy Office (preferably via rtip@uq.edu.au).

Applications for external review must be made in writing to the Office of the Information Commissioner.

4.0   Roles, Responsibilities and Accountabilities

4.1   UQ Right to Information and Privacy Office

The UQ Right to Information and Privacy Office is responsible for administering UQ’s administrative access schemes and its obligations under the RTI and IP Acts.

The functions of the UQ Right to Information and Privacy Office include:

  • processing applications made to UQ under its administrative access schemes;
  • dealing with applications made to UQ under the RTI and IP Acts, in accordance with the delegation from the Vice Chancellor and President; and
  • advising UQ staff on right to information and privacy-related matters.

4.2   Decision-makers

As the University's principal officer, the Vice-Chancellor has powers and responsibilities under the RTI and IP Acts. This includes the responsibility to deal with access applications. The Vice-Chancellor may delegate this responsibility, generally or in a particular case, to another officer of the University.

The Vice-Chancellor has made the following delegations:

  • The responsibility for processing any access application made to the University under the RTI or IP Act to –
    • the UQ Right to Information and Privacy Coordinator
    • the Manager, Enterprise Governance.
  • The responsibility to deal with any application to the University for internal review made under the RTI or IP Act to –
    • the Chief Operating Officer.

5.0   Monitoring, Review and Assurance

The UQ Right to Information and Privacy Office is responsible for:

  • monitoring UQ’s compliance with its obligations under the RTI and IP Acts;
  • reviewing this procedure as required to ensure –
    • its currency and accuracy; and
    • that UQ’s processes comply with requirements under relevant legislation; and
  • providing sufficient training opportunities and awareness-raising materials to enable UQ staff to meet their obligations under this procedure.

6.0   Recording and Reporting

The UQ Right to Information and Privacy Office is responsible for:

  • recording all requests for information made under this procedure; and
  • providing management with an Annual Report on UQ’s compliance with the RTI and IP Acts.

The UQ Right to Information and Privacy Office also reports annually to the Department of Justice and Attorney-General in relation to the operation of the RTI and IP Acts by the University.

7.0   Appendix

7.1   Definitions

Document - for the purposes of the RTI and IP Acts, the term 'document' is very broad and includes:

  • any paper or other material on which there is writing;
  • any paper or other material on which there are marks, figures, symbols or perforations having a meaning for a person qualified to interpret them; and
  • any disc, tape or other article or any material from which sounds, images, writings or messages are capable of being produced or reproduced (with or without the aid of another article or device).

Document in the possession or control of the University - a document will be considered to be in the possession or control of the University if it:

  • was created in, or received by the University;
  • is a document which the University is entitled to access; or
  • is a document in the possession or under the control of an officer of the University in that officer’s official capacity.

Independent organisations - independent organisations include residential colleges (other than UQ Gatton Halls of Residence), staff and student unions and the sports associations.

Personal information - any information about an identified or identifiable individual. In the University context, examples of personal information include:

  • home address, home telephone number, date of birth, marital status, next of kin;
  • salaries and wages of University staff;
  • all information concerning students, their enrolment, academic performance and their personal welfare (such as medical matters) and records of an individual student’s library borrowings;
  • information concerning persons who apply to the University for appointment or admission;
  • information collected from or concerning human research subjects; and
  • photographs and CCTV footage of individuals.

Custodians
Chief Information Officer Mr Rob Moffatt

Procedures

Destruction of Records - Procedure


1.0   Purpose and Scope

The purpose of this procedure is to support effective management of records at The University of Queensland (UQ) by enabling the destruction of University records that satisfy certain conditions.

A University record can be an object in any format that displays recorded information showing evidence of the University’s decisions and actions whilst performing its various operations. Records can be “born digital”, e.g. email, electronic documents, images, video and audio recordings. They can also be “physical source records”, which means that they have a physical presence such as paper, folders, photographs, microform, USB drives, compact discs, etc. A digital copy of a physical source record can, in some cases, become a Digitised Electronic Record (an electronic format produced through scanning or other technologies).

This procedure covers all records of the University of Queensland and describes the appropriate destruction criteria and procedures for their destruction including the approved process for transitioning physical source records to a Digitised Electronic Record.

This procedure applies to consumers of UQ information and communications technology (ICT) resources and anyone creating or accessing UQ’s information assets.

Consumers that are connected to UQ networks, systems or services must comply with this procedure, irrespective of location or device ownership (e.g. consumers with personally-owned computers).

Exceptions to this procedure must be approved by the Chief Information Officer.

2.0   Processes and Key Controls

The processes and key controls for determining the eligibility of records for destruction apply to both physical and digital records.

The University is subject to the Queensland Government’s:

Other key controls include the retention and disposal schedules authorised by Queensland State Archives:

The key points of action from these controls are illustrated below:

3.0   Key Requirements

3.1   Testing eligibility

All records regardless of format must be managed in accordance with the minimum legal retention requirements stated in the authorised retention and disposal schedules listed in section 2.0.

Only records that are classified as “temporary” and “expired” (past their legal minimum retention expiry date) will be eligible for destruction.

3.1.1   Exceptions

It is important to recognise that certain types of records are not eligible for consideration for destruction.

The following summarises the types of records that cannot be destroyed under any circumstances:

  1. Permanent records
     • Records described as having permanent retention value under a current retention and disposal schedule cannot be destroyed, even after digitisation.
  2. Records of intrinsic value
     These are significant physical source records where any or all of the following qualities or characteristics apply:
     • Cannot be captured through digitisation.
     • Are of historical significance and of enduring value in their physical format.
     • Are classified as permanent retention in the authorised retention and disposal schedules that apply to UQ.
     • Are the surviving records of a significant event/disaster/incident which resulted in the destruction of records, with special qualities and characteristics that could be lost or diminished if the original source record is digitised, converted or migrated into another medium.
     • Provide explicit evidence specific to UQ in their current format.
  3. Information under Right to Information (RTI) or Information Privacy legislation requests
     • Records that are and/or have been requested as part of an application under Right to Information or Information Privacy legislation are not to be destroyed. Consultation with the UQ Right to Information team and/or the Records Management & Advisory Services (RMAS) team is required. Further information can be found within the General Retention and Disposal Schedule (GRDS).
  4. Records required for legal purposes
     • It is a breach of the Criminal Code Act 1899 to destroy records that are, or could reasonably be expected to be, required for a legal matter, whether current or anticipated at the time of destruction.
     • The lead agency for Government recordkeeping, Queensland State Archives, can impose a records disposal freeze. Under a disposal freeze, it is unlawful to destroy physical or electronic records outlined in the freeze directive.

3.1.2   Physical source records after digitisation

Physical source records that have been digitised qualify for early destruction only if the original is classified as being of temporary value and the digitised version is held for the retention period required for that class of records.

Digitisation must follow a documented and auditable process that includes quality assurance measures. These include:

  • Scan or convert the physical source record to create an electronic copy in an approved digital format (e.g. .pdf, .jpg, .mp3, .mp4),
  • Confirm that the digital record is clearly legible and/or audible and fit for purpose,
  • Store the digital copy of the record in an approved recordkeeping system with the appropriate metadata. The RMAS team provides organisational units with advice on recordkeeping metadata requirements,
  • Store the original physical copy after digitisation in an ordered and secure state until a compliant digital record has been obtained, and
  • Follow the process outlined in sections 3.2, 3.3 and 3.4 until approval of their final destruction.

3.2   Assessing records

Organisational units need to determine and document records that are eligible for destruction.

To assist with determining the eligibility of University records for destruction a ‘Criteria Matrix’ resource is appended (refer to 7.1).

The ‘Criteria Matrix’ summarises the conditions referenced in the approved retention and disposal schedules to:

  • determine whether the records are categorised as temporary records, and to
  • understand the retention trigger conditions in order to calculate and confirm that the minimum retention requirements have been served.

RMAS provides advice and support to organisational units to assist with the correct translation of the requirements stated in the approved retention and disposal schedules.

3.3   Create evidence of destruction process

Regardless of the format of the time-expired records, legislation makes it mandatory to keep a record (log) of destruction activities.

  • Organisational units must document the records eligible for destruction and receive local organisational unit endorsement and delegated manager approval prior to carrying out destruction. Liaison with the RMAS team is also required, and templates to assist are available in Section 7.2.
  • The destruction logs and their associated approvals must always be kept and captured within UQ’s enterprise document and records management system, that is, Micro Focus Content Manager (also known as TRIM).

3.4   Destruction of Records

3.4.1   Carrying out the destruction of physical source records

The destruction of physical source records must be carried out using a secure process unless the record had a security classification approved as ‘public’.

The RMAS team provides advice to organisational units on preferred confidential destruction services. These include:

  • For small volumes of paper records, local shredding equipment can be used.
  • For sizeable volumes of paper records, or records on small portable recording devices such as USBs or compact disks, there are third-party providers for:
    • Medium volumes – supply and removal of in-office confidential destruction bins, and
    • Large volumes – through an on-site mobile destruction service or via an off-site destruction plant.

3.4.2   Destruction of digital records

As is the case for physical source records (refer to 3.4), the destruction of digital records must also be carried out using a documented, authorised and secure process. Organisational units can contact RMAS if they require assistance.

3.5   Documenting the Destruction of Records

3.5.1   University's Enterprise Document and Records Management System

The University’s enterprise document and records management system (Micro Focus Content Manager, also known as TRIM) is designed with functionality that supports compliant destruction practices. It captures electronic records, registers the existence of physical records, and captures audit trails associated with records. The features include:

  • Inbuilt functionality to facilitate the application of the legal retention requirements, the assessment of records for eligibility, and the enactment of secure destruction after approval.
  • When a physical record has been registered into ‘Micro Focus Content Manager’, its destruction involves both the process described in 3.4 above and the digital destruction process within this database.
  • The system automatically retains evidence of destruction activities in metadata and audit trails; these histories are permanently captured.
  • Only authorised RMAS staff are able to activate final destruction functionality.

3.5.2   Other electronic systems of records

The University has many other systems of records. However, the destruction of records captured within these systems is not straightforward.

Prior to destroying digital records that are not within Micro Focus Content Manager, UQ consumers are required to consult with the RMAS team for advice.

4.0   Roles, Responsibilities and Accountabilities

The roles and responsibilities outlined below are in addition to those defined in the Information Management Policy.

4.1   Vice-Chancellor and President

The Vice-Chancellor and President is responsible for ensuring that UQ complies with the Public Records Act 2002 (QLD), including the principles and standards established by the Queensland State Archives.

Responsibilities within this Act may be delegated, and authority is given to the Manager of Records Management for endorsement and approval of the final destruction activities of University records.

4.2   Chief Information Officer

The Chief Information Officer is responsible for:

  • Ensuring this procedure is reviewed every three years,
  • Ensuring RMAS is resourced to support this procedure.

4.3   Information Domain Custodian

Information Domain Custodians (Information Custodian) are responsible for ensuring that records under their domain are destroyed in accordance with this procedure.

This includes:

  • The delegation of responsibilities to Information Stewards as per section 4.4,
  • Assurance that measures are in place to support compliance, and
  • Record keeping compliance as defined in this procedure.

4.4   Information Stewards

Information Stewards are responsible for:

  • Providing assurance of the quality of digitised physical records,
  • Keeping destruction logs that include destruction approvals,
  • Engaging with RMAS for:
    • Interpreting the retention requirements listed in the Queensland State Archives’ authorised retention and disposal schedules that apply to UQ.
    • Digitisation and metadata advice.
    • Records within University systems of records.

4.5   Manager of Records Management

  • The Manager of Records Management is responsible for authorising the destruction of UQ records as the delegate of the Vice-Chancellor and President.

4.6   Records Management and Advisory Services (RMAS)

RMAS staff are responsible for:

  • Supporting the destruction of UQ records under the supervision of the Manager of Records Management,
  • Assisting UQ Consumers with the processes documented in this procedure,
  • Advising UQ Consumers on best practices relating to Records Management,
  • Communicating to Information Stewards when a disposal freeze is issued or changes are made to the retention and disposal schedules,
  • Maintaining the disposal log and authorisation within an approved record keeping system as per 3.3,
  • Providing records management training programs to staff.

4.7   Managers and Supervisors

UQ managers and supervisors are responsible for ensuring their staff are disposing of records in accordance with this procedure.

4.8   UQ consumers

All UQ Consumers are responsible for complying with this procedure, ensuring records are kept for as long as they are legally required.

5.0   Monitoring, Review and Assurance

The Chief Information Officer (CIO) will ensure this procedure is reviewed every three years.

Information Stewards will ensure that documented quality assurance processes are in place to satisfy legibility, audibility, readability and completeness prior to the destruction of physical records or digital records.

Areas under the responsibility of the Information Stewards will be subject to quality assurance checks and record keeping compliance audits. These checks and audits will be carried out in partnership with the authorised officer delegated by the Information Steward and the authorised Records Management and Advisory Services’ delegate.

6.0   Recording and Reporting

An annual status report summarising records destruction activities will be provided to the Information Technology Governance Committee (ITGC) by the Manager, Records Management and Advisory Services.

7.0   Appendix

7.1   Criteria Matrix

The following criteria can be used for assessing the eligibility of records for destruction:

For further guidance on:

  1) what information can be a “record”, go to the advice provided by the lead agency for Queensland Government record keeping, Queensland State Archives: https://www.forgov.qld.gov.au/recordkeeping and https://www.forgov.qld.gov.au/decide-what-capture-and-how
  2) preferred digital record formats: https://www.forgov.qld.gov.au/digital-record-formats

For specific UQ advice contact Records Management and Advisory Services via UQCentralRecords@uq.edu.au

7.2   Resources

Source latest version from:  https://www.forgov.qld.gov.au/search-retention-and-disposal-schedule

  • PROCESS MAP – Destruction of Physical Paper Records (PPL Guideline Section)
  • TEMPLATE - Worksheet – Destruction Log and Approvals (PPL Form Section)

7.3   Related policies

7.4   Related legislation

  • Public Records Act 2002
  • Criminal Code Act 1899 (s.129)
  • Evidence Act 1995 (Cth)
  • Information Privacy Act 2009

8.0   Appendix - Definitions

Born Digital Records – Original records that have been initiated, created, transmitted/received within a digital environment. (e.g. email; email attachment)

Information Asset - A body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

Information Domain – a broad category or theme under which University information can be identified and managed. UQ uses the topics and entities outlined in the CAUDIT Higher Education Data Reference Model, in the context of business capabilities and organisation structures, as a guide to determine appropriate information domains.

Information Stewards - are responsible for the quality, integrity and use of an information asset on a day-to-day basis. An Information Steward may manage multiple information assets. The stewards are responsible for applying relevant policies, procedures and rules, including safeguarding the information from unauthorised access and abuse.

Information Domain Custodian (Information Custodian) - is responsible for defining and implementing safeguards to ensure the protection of information. This must be done in accordance with the relevant policies and procedures.

Physical Source Records - A physical source record has a material presence and consumes workplace space (e.g. paper, microfilm, compact disk, VHS tapes, etc.).

Source records – Documents, records or files (either paper or electronic) that remain after they have been copied, converted or migrated from one format or system to another.

Digitisation – In the context of this procedure, digitisation refers to the process undertaken to scan paper source records to produce an accurate digital representation of the document in PDF format.

Retention and Disposal Schedules – Legally binding documents that govern decisions about retention and disposal of records. These official documents, all to be read in conjunction with each other, have been authorised by Queensland State Archives, the authority on record keeping governance for public entities such as UQ. The schedules provide descriptions and other contextual information around specific classes of records and state the legal minimum retention obligations based on the status of the class of record, e.g. Temporary – dispose after 7 years from last action; Permanent – retain permanently by the University.

Disposal vs Destruction – In this document disposal and destruction are used interchangeably. However, destruction is the more correct term when we refer to undertaking the irreversible action of destroying the records to make them irretrievable. Disposal can refer to actions where the records change ownership, such as the transfer of records to another entity outside of UQ e.g. Queensland State Archives, and the records remain intact and retrievable at their new location.

Metadata - Metadata is descriptive information about a record that typically includes the author, title of the record, creation date and changes along with disposal information. Record metadata enables disposal authentication.

RMAS - Records Management & Advisory Services is located within Information Technology Services (ITS) and is responsible for the strategic management of the University's recordkeeping systems and records of enduring value, for developing policies, and for providing advice.

Custodians
Chief Information Officer Mr Rob Moffatt

Procedures

Data Handling - Procedure


1.0 Purpose and Scope

This procedure outlines data handling requirements for all data (structured and unstructured), information and records in digital/electronic format at The University of Queensland (UQ) and should be read in conjunction with the Information Management Policy and the Information Governance and Management Framework.  This procedure applies to:

  • University employees
  • University students
  • Third parties engaged by, or collaborating with, UQ.

1.1 Exclusions

The procedure does not define requirements regarding any of the following:

  • Compliance with industry standards or legislation that the faculty, researcher or organisational area may be bound by. It is the responsibility of the Information Domain Custodian to ensure any specific industry requirements are identified and appropriate controls are implemented.
  • Requirements for handling information in physical format.
  • Business and exception processes.
  • Cross referencing and mapping to other data classification and handling standards (e.g. Australian Signals Directorate – Information Security Manual).

2.0 Process and Key Controls

This procedure defines how to protect and handle digital data and information to meet University priorities and requirements. This procedure should be read in conjunction with the below documents:

2.1 Information security classification levels

The UQ classification levels are described below, as defined in the Information Security Classification Procedure (6.40.01b2).

Classification Description
OFFICIAL - PUBLIC

Information that if breached owing to accidental or malicious activity would have an insignificant impact.

The information is authorised for public access; however, it may not be made available in the public domain.

OFFICIAL - INTERNAL

Information that if breached owing to accidental or malicious activity would be unlikely to cause harm to UQ, another organisation or an individual if released publicly.

The information has a restricted audience, and access must only be authorised based on academic, research or business need.

SENSITIVE

Information that if breached owing to accidental or malicious activity could reasonably be expected to cause harm to UQ, another organisation or an individual if released publicly.

The information has a restricted audience, and access must only be authorised based on strict academic, research or business need.

PROTECTED

Information that if breached owing to accidental or malicious activity could reasonably be expected to cause serious harm to UQ, another organisation or an individual if released publicly.

The information has a restricted audience, and access must only be authorised based on very strict academic, research or business need.

National Security Information

If you are handling national security information, classified material or systems that are considered to have confidentiality requirements above PROTECTED, you should refer to the Australian Government Protective Security Policy Framework (PSPF) and contact the Security and Counter-Terrorism Group within Queensland Police Service via phone (07 3364 4549) or email (counter.terrorism@police.qld.gov.au).

3.0 Key Requirements

The minimum controls listed in this section must be applied commensurate with the Information Security Classification through the information management lifecycle. The information management lifecycle at UQ includes the below phases. Note that in the diagram, the ‘plan and design’ phase is illustrated within the centre, as these considerations should be reviewed at every subsequent information lifecycle management stage.


  • plan and design
  • create, capture and classify
  • store and secure
  • manage and maintain
  • share and reuse
  • retain and archive
  • dispose and destroy.


3.1 Plan and Design

Classification Handling requirement
All
  • All data must be assigned an appropriate Information Domain, Information Domain Custodian and Information Steward as per the Information Governance and Management Framework.
  • For research data, a First-named Chief Investigator (also referred to as Lead Chief Investigator) and Head of School or Institute must be determined / assigned at the start of the project.
  • When planning organisational roles and responsibilities, considerations should be given to minimising the number and types of roles which require highly privileged access to classified data.
  • If production data is used for testing, then test systems need to be treated the same as production systems in terms of data controls and mitigations.
  • Systems should be designed and configured following the principle of “least privilege” – consumers should only be given access to the data required to execute their responsibilities.
  • Data retention and disposal requirements must be understood.
  • Data Sovereignty must be considered. Refer to 3.8 Data sovereignty.
SENSITIVE

A Privacy Impact Assessment (PIA) and Risk Assessment should be conducted for SENSITIVE data that include Personal Information. The PIA can be completed between the Information Steward and Information Service Provider.

PROTECTED
  • PIA and Risk Assessment must be conducted for PROTECTED data that include Personal Information. The PIA can be completed between the Information Steward and Information Service Provider.
  • All employees must complete training specific to dealing with PROTECTED data.

Links:

3.2 Create, Capture and Classify

Classification Handling requirement
All
  • Data quality at the time of creation is the primary responsibility of the Information Creator and must be compliant with the overarching policies and procedures.
  • The individual who created the data must be identified and recorded where possible.
  • Any business process specific to regulatory or legislative requirements for data creation must be considered and implemented.
  • Consideration should be given to the University’s moral and ethical obligations to educate and accurately inform the public.
  • Consideration should be given to whether the data could lead to reputational damage to the University or others (e.g. if breached).
  • Consideration should be given to the level of confidence and accuracy of data from a perspective of whether a data breach may lead to defamation.

Links:

3.3 Store and Secure

Classification Handling requirement
All
  • Systems should be designed and configured following the principle of “least privilege” – users and systems should only be given access to the data required to execute their responsibilities.
  • Account credentials should be centrally managed to reduce the number of systems handling credentials. Where possible, systems should use UQ Authenticate (Single Sign-On (SSO) is preferred, however Same Sign-On is acceptable).
  • Organisational policies and procedures relating to employee terminations, resignations or changes in responsibilities should carefully and thoroughly consider issues of data access control and retention. Account removal from systems, as well as management of role/group membership, should be automated.
  • Systems should enable and use exploit mitigation technology (i.e. ASLR, NX, stack canaries, and any other mitigations) recommended by hardware or OS software vendors.
  • Systems should use anti-virus software where possible, and regularly update definitions.
  • Systems should use Intrusion Detection Systems (IDS) and other techniques to detect exfiltration of data and unusual activity.
  • Systems should be designed to use network segmentation and default-deny firewalls to contain the impact of unauthorised access.
  • User authorisation for data access and modification should require multiple ‘factors’ (e.g. something you know, such as a password, and something you have, such as a device).
  • Password policies should be written to encourage the highest quality passwords possible, by following guidelines such as NIST Special Publication 800-63B. Users’ use of appropriate password managers and other aids which increase password quality should be encouraged.
  • Data should be backed up, using methods appropriate to its classification. Backups should be useable for the detection of unauthorised changes in the production copy as well as recovery from disasters (e.g. they should be append-only or use snapshots and offline storage).
  • Note: long term archival requirements are addressed under section 3.6 Retain and archive.
  • External providers storing data on UQ’s behalf should implement similar controls and mitigations to those required for storing it at UQ. 
OFFICIAL - PUBLIC
  • If deploying a system which supports encryption at rest, this functionality should be enabled and used.
    • Keys for encryption may be kept with the disks in the same system, but should not be stored on the disks (e.g. TPM is acceptable).
    • The procedure for key destruction/erasure should be known and tested, and reliably carried out at time of system disposal.
  • Access control for OFFICIAL – PUBLIC data is only required for modification or “write” operations. Public data may be read by anyone.
OFFICIAL - INTERNAL
  • Systems should support encryption at rest, and it should be enabled and used.
    • Keys for encryption may be kept with the disks in the same system, but should not be stored on the disks (e.g. TPM is acceptable).
    • The procedure for key destruction/erasure should be known and tested, reliably carried out at time of system disposal.
  • Systems must be kept in secure facilities with physical access control and mitigation such as alarms, surveillance and guard patrols.
  • Consider disabling features such as the ability to allow public access to data, for systems which support this (e.g. in AWS S3, disable public access at the bucket level).
  • Hardware purchased or used for storage should be tracked down to individual disks via the UQ asset management system where possible (with HDD serial numbers recorded where possible). Loss of hardware due to theft or misplacement should be detected quickly and reported to the appropriate person up the chain of command.
  • Regular review of access control policy (e.g. file system permissions, role/group membership) should be carried out by the Information Steward, looking for outdated or incorrect policy.
  • Local copies of data should not be made to portable devices. Data should remain on UQ managed endpoints.
  • Systems that support audit trail features, should have these enabled.
  • Detection and monitoring should be in place for phishing or credential compromise of users with data access.
  • External providers storing data on UQ’s behalf should be required either by contract or local law to inform UQ promptly if a breach is detected. Also refer to the Application Security Standard.
  • Systems should be designed to minimise the likelihood and impact of ‘horizontal movement’ between systems, or between system components. Suggested controls include firewalls, WAF, IDS, strict ACLs, etc. Designs involving a large internal trust domain (e.g. a trusted management VLAN) should be avoided.
SENSITIVE
  • Systems must support encryption at rest, and it must be enabled and used.
    • Keys for encryption should not be kept solely with the disks in the same system: at least part of the key should be stored outside the physical chassis.
    • The procedure for key destruction/erasure must be known and tested, reliably carried out at time of system disposal.
    • In some cases, physical security controls may be considered as the basis for an exemption from this requirement.
  • Systems must be kept in secure facilities with physical access control and mitigation such as alarms, surveillance and guard patrols. Surveillance should be monitored 24/7 and response to alarms should occur within a specified and agreed timeframe.
  • Must disable features such as the ability to allow public access to data, for systems which support this (e.g. in AWS S3, disable public access at the bucket level).
  • Hardware purchased or used for storage must be tracked down to individual disks via the UQ asset management system where possible (with HDD serial numbers recorded where possible). Loss of hardware due to theft or misplacement must be detected quickly and reported to the appropriate person up the chain of command.
  • Regular reviews of access control policy (e.g. file system permissions, role/group membership) must be carried out by the Information Steward, looking for outdated or incorrect policy.
  • Local copies of data must not be made to portable devices. Data must remain on UQ managed endpoints on the UQ secured networks.
  • Systems must support audit trail features, must have these enabled, and must be monitored for unusual activity. Audit trails should be stored separately in a tamper-proof fashion for a minimum retention period.
  • User authorisation for data access and modification must require multiple ‘factors’ (e.g. something you know, such as a password, and something you have, such as a device).
  • Detection and monitoring must be in place for phishing or credential compromise of users with data access.
  • External providers storing data on UQ’s behalf must be required either by contract or local law to inform UQ promptly if a breach is detected. Also refer to the Application Security Standard.
  • Procurement and tender processes must evaluate controls and mitigations implemented by external providers to ensure their equivalence to the minimum requirements set out in this procedure and relevant standards. Including these requirements in any formal contract should be strongly considered.
  • Systems must be designed to minimise the likelihood and impact of ‘horizontal movement’ between systems, or between system components.
  • System components which communicate over a network connection internally must treat that traffic as though it contains data at the same classification level as the highest stored within that system (and therefore must implement appropriate controls and mitigations for data transmission such as authentication, TLS, etc.). Suggested controls include firewalls, WAF, IDS, strict ACLs, etc. Designs involving a large internal trust domain (e.g. a trusted management VLAN) must be avoided.
  • The University should solicit legal advice on the obligations of data storage providers prior to signing contracts. Refer to the ICT Procurement Framework.
  • Systems must implement mechanisms to automatically detect and mitigate bulk exfiltration of data (e.g. rate limits, network traffic monitoring).
  • Regular penetration testing of systems must be carried out and all findings acted upon.
  • Regular reviews of vendor contracts to evaluate their ongoing compliance with this procedure and future versions of it must be carried out.
  • Systems must not place credentials or authorisation tokens in log files or audit records.
PROTECTED
  • Systems must support encryption at rest, and it must be enabled and used.
    • Keys for encryption must not be kept solely with the disks in the same system; at least part of the key must be stored outside the physical chassis.
    • The procedure for key destruction/erasure must be known and tested, and reliably carried out at time of system disposal.
    • In some cases, physical security controls may be considered as the basis for an exemption from this requirement.
  • Systems must be kept in secure facilities with physical access control and mitigation such as alarms, surveillance and guard patrols. Surveillance must be monitored 24/7 and response to alarms must occur within a specified and agreed timeframe.
  • Systems should make use of policy preventing lone malicious actions, such as an N-person rule for access and modification to PROTECTED data.
  • Must disable features such as the ability to allow public access to data, for systems which support this (e.g. in AWS S3, disable public access at the bucket level).
  • Hardware purchased or used for storage must be tracked down to individual disks via the UQ asset management system where possible (with HDD serial numbers recorded where possible). Loss of hardware due to theft or misplacement must be detected quickly and reported to the appropriate person up the chain of command.
  • Regular reviews of access control policy (e.g. file system permissions, role/group membership) must be carried out by the Information Steward, looking for outdated or incorrect policy.
  • Local copies of data must not be made to portable devices. Data must remain on UQ managed endpoints on the UQ secured networks.
  • Systems must support audit trail features, must have these enabled, and must be monitored for unusual activity. Audit trails must be stored separately in a tamper-proof fashion for a minimum retention period. Automated actions such as account suspension and limits should be taken in response to anomalous behaviour.
  • Detection and monitoring must be in place for phishing or credential compromise of users with data access.
  • User authorisation for data access and modification must require multiple ‘factors’ (e.g. something you know, such as a password, and something you have, such as a device). Device factors with strong anti-cloning and anti-tampering features are highly recommended (e.g. Common Criteria EAL4 or higher).
  • External providers storing data on UQ’s behalf must be required either by contract or local law to inform UQ promptly if a breach is detected. Also refer to the Application Security Standard.
  • Procurement and tender processes must evaluate controls and mitigations implemented by external providers to ensure their equivalence to the minimum requirements set out in this procedure and relevant standards. Including these requirements in any formal contract should be strongly considered.
  • Systems must be designed to minimise the likelihood and impact of ‘horizontal movement’ between systems, or between system components.
  • System components which communicate over a network connection internally must treat that traffic as though it contains data at the same classification level as the highest stored within that system (and therefore must implement appropriate controls and mitigations for data transmission such as authentication, TLS, etc.). Suggested controls include firewalls, WAF, IDS, strict ACLs, etc. Designs involving a large internal trust domain (e.g. a trusted management VLAN) must be avoided.
  • The University should solicit legal advice on the obligations of data storage providers prior to signing contracts. Refer to the ICT Procurement Framework.
  • Systems must implement mechanisms to automatically detect and mitigate bulk exfiltration of data (e.g. rate limits, network traffic monitoring).
  • Regular penetration testing of systems must be carried out and all findings acted upon.
  • Must carry out regular reviews of vendor contracts to evaluate their ongoing compliance with this procedure and future versions of it.
  • Systems must not place credentials or authorisation tokens in log files or audit records.

Links:

3.4 Manage and Maintain

Required review and response intervals by classification:

OFFICIAL - PUBLIC
  • Access control policy review: Not required
  • Pen testing of systems: Not required
  • Surveillance response time: Not required
  • Vendor contract review: Not required
  • Cabling and network device audit: Not required
  • Information Security Classification review: Required every 36 months

OFFICIAL - INTERNAL
  • Access control policy review: Required every 12 months
  • Pen testing of systems: Recommended every 36 months
  • Surveillance response time: Not required
  • Vendor contract review: Recommended every 36 months
  • Cabling and network device audit: Recommended every 36 months
  • Information Security Classification review: Required every 36 months

SENSITIVE
  • Access control policy review: Required every 6 months
  • Pen testing of systems: Required every 24 months
  • Surveillance response time: Recommended within 1 hour
  • Vendor contract review: Required every 36 months
  • Cabling and network device audit: Required every 36 months
  • Information Security Classification review: Required every 24 months

PROTECTED
  • Access control policy review: Required every 3 months
  • Pen testing of systems: Required every 24 months
  • Surveillance response time: Within 30 minutes
  • Vendor contract review: Required every 24 months
  • Cabling and network device audit: Required every 24 months
  • Information Security Classification review: Required every 12 months
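As an added illustration (not part of this procedure and not UQ tooling), the intervals from the Manage and Maintain table above encoded as a small Python checker that reports which reviews for a system of a given classification have lapsed or were never performed, and whether a measured surveillance alarm response meets the target. The system review dates and the check date below are constructed sample values.

```python
"""Review-schedule compliance check built from the section 3.4 table (added example)."""
from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Review cadence per classification: control -> (months, "Required" | "Recommended"),
# or None where the table says "Not required". Values are from the section 3.4 table.
REVIEW_CADENCE = {
    "OFFICIAL - PUBLIC": {
        "access_control_policy_review": None,
        "pen_test": None,
        "vendor_contract_review": None,
        "cabling_network_device_audit": None,
        "classification_review": (36, "Required"),
    },
    "OFFICIAL - INTERNAL": {
        "access_control_policy_review": (12, "Required"),
        "pen_test": (36, "Recommended"),
        "vendor_contract_review": (36, "Recommended"),
        "cabling_network_device_audit": (36, "Recommended"),
        "classification_review": (36, "Required"),
    },
    "SENSITIVE": {
        "access_control_policy_review": (6, "Required"),
        "pen_test": (24, "Required"),
        "vendor_contract_review": (36, "Required"),
        "cabling_network_device_audit": (36, "Required"),
        "classification_review": (24, "Required"),
    },
    "PROTECTED": {
        "access_control_policy_review": (3, "Required"),
        "pen_test": (24, "Required"),
        "vendor_contract_review": (24, "Required"),
        "cabling_network_device_audit": (24, "Required"),
        "classification_review": (12, "Required"),
    },
}

# Surveillance alarm response target in minutes: (minutes, level), or None if not required.
SURVEILLANCE_RESPONSE = {
    "OFFICIAL - PUBLIC": None,
    "OFFICIAL - INTERNAL": None,
    "SENSITIVE": (60, "Recommended"),
    "PROTECTED": (30, "Required"),
}


@dataclass(frozen=True)
class Finding:
    control: str
    level: str                    # "Required" or "Recommended"
    due: Optional[date]           # None when the control has never been performed
    days_overdue: Optional[int]   # None when the control has never been performed


def add_months(d: date, months: int) -> date:
    """Shift d forward by whole months, clamping the day to the length of the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, monthrange(year, month)[1])
    return date(year, month, day)


def overdue_reviews(classification: str, last_done: dict, today: date) -> list:
    """Return a Finding for every control whose cadence for this classification has lapsed.

    last_done maps control name -> date of the last completed review; a control that is
    absent has never been done and is reported with no due date.
    """
    findings = []
    for control, cadence in REVIEW_CADENCE[classification].items():
        if cadence is None:
            continue  # "Not required" at this classification
        months, level = cadence
        last = last_done.get(control)
        if last is None:
            findings.append(Finding(control, level, None, None))
            continue
        due = add_months(last, months)
        if due < today:
            findings.append(Finding(control, level, due, (today - due).days))
    return findings


def surveillance_response_ok(classification: str, measured_minutes: int) -> Optional[bool]:
    """True/False against the table's response-time target; None where no target applies."""
    target = SURVEILLANCE_RESPONSE[classification]
    if target is None:
        return None
    return measured_minutes <= target[0]


# Constructed sample: a PROTECTED system with a stale access-control review and no
# pen test on record, checked on 2024-06-01.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_LAST_DONE = {
    "access_control_policy_review": date(2024, 1, 15),
    "vendor_contract_review": date(2023, 3, 1),
    "cabling_network_device_audit": date(2024, 1, 31),
    "classification_review": date(2023, 9, 1),
}

if __name__ == "__main__":
    for f in overdue_reviews("PROTECTED", SAMPLE_LAST_DONE, SAMPLE_TODAY):
        if f.due is None:
            print(f"{f.level}: {f.control} has never been performed")
        else:
            print(f"{f.level}: {f.control} due {f.due}, {f.days_overdue} days overdue")
```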

3.5 Share and Reuse (transmission)

Classification Handling Requirement
OFFICIAL - PUBLIC
  • If data is subject to copyright, permission should be obtained from the copyright holder before transmission.
  • Data in transit should be protected by cryptographic security mechanisms which provide confidentiality and integrity, where systems support it and implementation cost is not prohibitive. TLS is recommended. 
OFFICIAL - INTERNAL
  • Data in transit should be protected by cryptographic security mechanisms which provide confidentiality and integrity. TLS is recommended. Mechanisms that support forward secrecy should be preferred.
  • Network devices should be located in secure areas, ideally with monitoring.
  • Regular inspections of key cabling runs and network devices looking for malicious changes or insertions should be carried out.
  • Wireless clients used to access data should use strict certificate checking for WPA-Enterprise (i.e. there should be mutual authentication), and regular scans for rogue access points should be carried out.
  • Data transferred in bulk via portable disks, devices and other media should be encrypted, with keys transferred separately.
  • Media used for bulk data transfer should be managed in accordance with best practice standards requiring prompt erasure after use.
  • Where available, dedicated systems should be used for the sharing and transmission of data, rather than ad-hoc methods (e.g. email, print outs).
  • Endpoint credentials used to secure communications should be managed in accordance with best practices for managing TLS certificates.
SENSITIVE
  • Data in transit must be protected by cryptographic security mechanisms which provide confidentiality and integrity. TLS is recommended. Forward secrecy must be enabled.
  • Network devices must be located in secure areas, with surveillance and an audit trail of physical access.
  • Regular inspections of key cabling runs and network devices looking for malicious changes or insertions must be carried out.
  • Wireless clients used to access data must use strict certificate checking for WPA-Enterprise (i.e. there should be mutual authentication), and regular scans for rogue access points must be carried out.
  • Data transferred in bulk via portable disks, devices and other media must be encrypted, with keys transferred separately.
  • Bulk transport of data should consider using secret sharing (e.g. N-out-of-M schemes) or cryptographic security protocols which split the data securely across multiple media.
  • Media used for bulk transfer must be managed in accordance with best practice standards requiring prompt erasure after use.
  • Where available, dedicated systems must be used for the sharing and transmission of data, rather than ad-hoc methods (e.g. email, print outs).
  • Endpoint credentials used to secure communications should be managed in accordance with best practices for managing TLS certificates.
  • Intermediary devices (e.g. network devices or printers) which handle SENSITIVE data should limit the use of features such as packet capture, traffic inspection, or print out recall, and where needed restrict the use of said features to the minimum possible number of employees. Disposal of such devices must be managed in accordance with a strict lifecycle procedure which includes erasure of all internal storage.
  • Do not print SENSITIVE data unless there is a genuine requirement to do so. If required, do not use printers that are located in low security areas or connected to general office networks. Printed documents must be disposed of securely in accordance with document disposal best practice.
  • Procurement and tender processes should evaluate controls and mitigations implemented by external providers to ensure their equivalence to the minimum requirements set out in this procedure. Including these requirements in any formal contract should be strongly considered. Regular reviews of vendor contracts must be carried out to evaluate their ongoing compliance with this procedure and future versions of it.
PROTECTED
  • Data in transit must be protected by cryptographic security mechanisms which provide confidentiality and integrity. TLS is recommended. Forward secrecy must be enabled.
  • Network devices must be located in secure areas, with surveillance and an audit trail of physical access.
  • Regular inspections of key cabling runs and network devices looking for malicious changes or insertions must be carried out.
  • Wireless clients used to access data must use strict certificate checking for WPA-Enterprise (i.e. there should be mutual authentication), and regular scans for rogue access points must be carried out.
  • Data transferred in bulk via portable disks, devices and other media must be encrypted, with keys transferred separately and not reused for subsequent transfers.
  • Bulk transport of data must consider using secret sharing (e.g. N-out-of-M schemes) or cryptographic security protocols which split the data securely across multiple media.
  • Media used for bulk transfer must be managed in accordance with best practice standards requiring prompt erasure after use.
  • Where available, dedicated systems must be used for the sharing and transmission of data, rather than ad-hoc methods (e.g. email, print outs).
  • Endpoint credentials used to secure communications should be managed in accordance with best practices for managing TLS certificates.
  • Intermediary devices (e.g. network devices or printers) which handle PROTECTED data must strictly limit the use of features such as packet capture, traffic inspection, or print out recall, and where needed restrict the use of said features to the minimum possible number of employees. Disposal of such devices must be managed in accordance with a strict lifecycle procedure which includes erasure of all internal storage.
  • Do not print PROTECTED data unless there is a genuine requirement to do so. If required, do not use printers that are located in low security areas or connected to general office networks. Printed documents must be disposed of securely in accordance with document disposal best practice.
  • Procurement and tender processes must evaluate controls and mitigations implemented by external providers to ensure their equivalence to the minimum requirements set out in this procedure. Including these requirements in any formal contract should be strongly considered. Regular reviews of vendor contracts must be carried out to evaluate their ongoing compliance with this procedure and future versions of it.

3.6 Retain and Archive

Classification Handling requirement
All
  • The Information Steward must approve the retention and archival of University data and records.
  • Digital archive storage solutions should follow controls as outlined under section 3.3 Store and Secure.
  • Data that is archived must be accessible, usable and readable, with due diligence taken to ensure archived data remains accessible and readable throughout the entire archiving period.

Links:

UQ Information Governance and Management Framework

3.7 Dispose and Destroy

Classification Handling requirement
All
  • Refer to the Destruction of Records Procedure.
  • Both the Information Domain Custodian and Information Steward must endorse the destruction of any University records. However, the final approval must be obtained from the UQ Records Manager, as per the Records Destruction Procedure.
  • The destruction process and approvals for data records need to be documented and captured in the Enterprise Document and Records Management System.

3.8 Data Sovereignty

The table below describes overseas data handling restrictions based on the data's information security classification.

  Jurisdiction (in the order of preference)
Classification Queensland Australia New Zealand European Union Switzerland Singapore United States of America United Kingdom Other
OFFICIAL-PUBLIC
OFFICIAL-INTERNAL
SENSITIVE
PROTECTED
 

 Permitted |  Permitted with caution* |  Permitted with caution for research only*  |  Not permitted

* Risk assessment must be undertaken

Note:

  • Data sovereignty restrictions also apply to offline data.
  • When considering data hosting outside the borders of Australia and New Zealand, it is highly recommended that UQ legal advice is obtained and, if required, a risk assessment is undertaken.
    • For PROTECTED data, a UQ legal opinion must be obtained and the Right to Information and Privacy Office must be involved.
    • For SENSITIVE data, advice should be sought from the Right to Information and Privacy Office.
    • Personal information may only be transferred outside of Australia (including the storage of personal information in cloud-based services on servers located outside of Australia) in accordance with section 33 of the Information Privacy Act 2009 and other relevant privacy laws.
  • When cloud services are utilised, consideration must be given to the cloud service provider's country of origin, regardless of the location in which the data is stored. In certain circumstances, the jurisdiction of the country in which the company is based may mean that the country is able to access the data.
  • If needed, special controls must be put in place to prevent the data from being stored in overseas jurisdictions, whether through contractual, procedural or technical means.
  • The risk assessment process must include consultation with representatives or delegates from the following areas (but is not limited to them):
    • Office of the Chief Information Officer
    • Right to Information and Privacy Office
    • Legal Services Division.

3.9 Exceptions

The controls and mitigations outlined in this procedure reflect the ideal state. Any controls and mitigations that cannot be implemented must be managed through an exception as outlined in the Cyber Security Exceptions – Procedure.

4.0 Roles, Responsibilities and Accountabilities

Roles and responsibilities as pertinent to this procedure are outlined in the subsections below, and further roles and responsibilities are detailed in the Information Governance and Management Framework.

4.1 Information Service Providers

Information Service Providers as defined in the Information Governance and Management Framework are responsible for ensuring systems comply with the controls outlined in this document and any other policies, procedures and standards.

4.2 Records Management and Advisory Services

Records Management and Advisory Services (RMAS) is responsible for the strategic management of the University’s recordkeeping systems, records of enduring value, developing policies and providing advice.

5.0 Recording and Reporting

UQ’s Information Asset Register, maintained by the Information Technology Services division, will be used to record:

  • Information Domain Custodians, Information Stewards and Information Security Classifications for each UQ Information Domain.
  • Information Security Classifications of UQ Information Assets (as a minimum, UQ Information Assets will be assigned a classification based on the highest classification rating of the information held).

UQ’s Records Register, maintained by the Information Technology Services division, will be used to record:

  • Collections of all University records.
  • Destruction approval of records.

The Information Technology Services Division will provide the Information Technology Governance Committee with regular reports on the Information Asset Register.

6.0 Transitional Arrangements

The UQ Enterprise Data Governance Program is developing data governance operational models and training to support this procedure. Please consult the Enterprise Data Governance Program for further information and guidance related to this procedure.

 

Custodians
Chief Information Officer Mr Rob Moffatt

Procedures

Information Security Classification - Procedure


1.0   Purpose and Scope

This procedure outlines information security classification requirements for information, both digital and/or physical, at The University of Queensland (UQ) and should be read in conjunction with the Information Management Policy and the Information Governance and Management Framework. This procedure applies to:

  • All data or information that is created, collected, stored or processed by UQ, in electronic or physical formats.
  • All University staff and individuals or groups authorised by UQ to access University information.

The objectives of this procedure are to:

  • Provide for a consistent approach to the management of UQ information in all formats, including electronic and physical records.
  • Provide guidance for evaluating UQ information and applying the appropriate security classification.
  • Ensure UQ information security classifications are informed by confidentiality, integrity and availability requirements.
  • Protect and manage UQ information in accordance with relevant UQ policies and regulatory requirements.

2.0   Process and Key Controls

  1. Information Creators (as defined in the Information Governance and Management Framework) that create UQ information or receive information from an external third party must apply an information security classification to the information (as specified in section 3.1 of this procedure).
  2. Information Stewards (as defined in the Information Governance and Management Framework) must ensure an appropriate information security classification has been assigned to the information that they are responsible for.
  3. Where UQ information is shared with external parties there is an expectation that the third party will apply equivalent controls as per its information security classification.
  4. UQ information that is classified SENSITIVE and PROTECTED must not be stored using:
    • Non-UQ accounts on external storage services (e.g. Dropbox, Google Drive, Trello).
    • USB drives, CDs or DVDs.
    • Unsecure physical storage (e.g. paper records left on desks).
    • Local hard drives.

3.0   Key Requirements

3.1   Information Security Classifications

Information Creators are responsible for applying information security classifications to UQ information, taking into account the need to maintain and ensure the confidentiality, integrity and availability requirements.

  • Information Confidentiality – Ensure the information is only accessible to authorised UQ consumers. Consider the risks associated with unauthorised or inappropriate disclosure of the information.
  • Information Integrity – Ensure the quality, completeness and accuracy of the information. Consider the risks associated with changes to the information.
  • Information Availability – Ensure the information is available in the right format when it is needed. Consider the risks associated with information not being available or accessible.

All information at the University must be assigned one of the classifications in the table below. If a collection of information contains elements with different security classifications, the collection should be classified and handled based on the highest (most secure) classification level of information within the collection.

Information Security Classification Description Example data types
OFFICIAL – PUBLIC

Information that if breached owing to accidental or malicious activity would have an insignificant impact.

The information is authorised for public access; however, it may not be made available in the public domain.

  • University strategy
  • Published course outline
  • Academic calendar
  • Published research data
OFFICIAL – INTERNAL (Default for all information)

Information that if breached owing to accidental or malicious activity would be unlikely to cause harm to UQ, another organisation or an individual if released publicly.

The information has a restricted audience, and access must only be authorised based on academic, research or business need.

  • Identity information of staff members or students (e.g. employee number or position title)
  • Internal correspondence
  • Business unit process and procedure
  • Team leave calendar
SENSITIVE (Default for all research projects)

Information that if breached owing to accidental or malicious activity could reasonably be expected to cause harm to UQ, another organisation or an individual if released publicly.

The information has a restricted audience, and access must only be authorised based on strict academic, research or business need.

  • Student and staff HR data (e.g. Tax File Numbers, passport details, bank account details)
  • Organisational financial data
  • Exam material
  • Exam results
  • Unpublished research data
PROTECTED

Information that if breached owing to accidental or malicious activity could reasonably be expected to cause serious harm to UQ, another organisation or an individual if released publicly.

The information has a restricted audience, and access must only be authorised based on very strict academic, research or business need.

  • Medical data
  • Personal data regarding persons under the age of 18
  • Credit card data
  • Commercially significant research results 

3.1.1   National Security Information (NSI)

Anyone handling national security information, classified material or systems considered to have confidentiality requirements above PROTECTED should refer to the Australian Government Protective Security Policy Framework (PSPF) and the Security and Counter-Terrorism Group in the Queensland Police Service (telephone 07 3364 4549 or email counter.terrorism@police.qld.gov.au).

The source of most NSI is the federal government and the information creator will be aware of the classification.

3.2   Information Reclassification

Information may be reclassified if its confidentiality changes, or if the information was incorrectly classified. Any protective marking must be amended to indicate the new classification.

3.3   Information Assets Held by UQ

The information asset register contains all information domains and the relevant security classification. The default classification may be overridden for sub-elements of the assets recorded in the register.

3.4   Information Handling Requirements

Information security classifications inform the minimum handling requirements for data, information and records in digital/electronic format. Refer to the Data Handling Procedure.

4.0 Roles, Responsibilities and Accountabilities

Roles and responsibilities as pertinent to this procedure are outlined in the subsections below. Further roles and responsibilities are detailed in the Information Governance and Management Framework.

4.1   Information Creators

UQ Information Creators who capture or create information are responsible for:

  • Classifying the information in accordance with this procedure and any rules or procedures specified by the Information Domain Custodian.
  • Ensuring that the information is appropriately labelled with a protective marking (if necessary).
  • Managing and storing the information in line with its information security classification.

4.2   Information Consumers

UQ Information Consumers are responsible for using the data and information they require as defined in the Information Governance and Management Framework.

5.0   Monitoring, Review and Assurance

The Chief Information Officer (CIO) will ensure periodic review and monitoring of information management (including classification) is conducted to determine how well information management supports UQ’s business and strategic goals, and for its compliance with legislation.

6.0   Recording and Reporting

UQ’s Information Asset Register will be used to record:

  • Information Custodians, Information Stewards and information security classifications for each UQ information domain.
  • Information security classifications of UQ Information Assets (as a minimum, UQ Information Assets will be assigned a classification based on the highest classification rating of the information held).

The Information Technology Services Division will provide the Information Technology Governance Committee with regular reports on the Information Asset Register.

7.0   Transitional Arrangements

The UQ Enterprise Data Governance Program is developing operational models, training and detailed data handling guidelines to support this procedure. Please consult the Enterprise Data Governance Program for further information and guidance related to this procedure.

8.0   Appendix

8.1   Definitions

Data Element – The smallest named item of data that conveys meaningful information or condenses a lengthy description into a short code. Data elements are called ‘data fields’ in the structure of a database.

Information – Includes, but is not limited to, physical (e.g. paper records) or digital files (e.g. email, voicemail, meeting minutes, video and audio recordings) in any format (e.g. PDF, .wav, .docx, or .jpeg) and data recorded by UQ applications (often in a database of some form).

Information Asset – A body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

Information Domain – A broad category or theme under which UQ information can be identified and managed. UQ uses the Topics and Entities outlined in the CAUDIT Higher Education Data Reference Model, in the context of business capabilities and organisation structures, as a guide to determine appropriate information domains.

Information Standards – Define and promote best practice in the acquisition, development, management, support and use of information systems and technology infrastructure which support the business processes and service delivery of Queensland public authorities.

Record – Information in any format that has been generated or received by UQ in the course of its activities, and which must be retained by UQ as evidence of its actions and decisions. A record can consist of one or more pieces of information that together form a record or context of the activity, action or event.

8.3   Related Policies and Procedures

Information Management Policy

Information Governance and Management Framework

Data Handling Procedure

Cyber Security Incident Management Procedure

Cyber Security Policy

Privacy Policy

Research Data Management Policy

Destruction of Records Procedure

8.4   Reference material

Queensland Government Information Security Policy (IS18:2018)

Queensland Government Information Security Classification Framework

Queensland Government Records Governance Policy

University Sector Retention and Disposal Schedule

General Retention and Disposal Schedule (GRDS)


Forms

Destruction Log and Approvals - Form

Description: 

Request for Approval - Destruction of eligible legally time expired records.

Destruction of Physical Paper Records - Process Map Guideline

Description: 

Process map - Destruction of Physical Paper Records.

 

PLEASE NOTE: For full details on records disposal obligations please refer to the Destruction of Records - Procedure.
