Policy

Information Management - Policy


1    Purpose and Scope

The University of Queensland (UQ) values information in its many forms as a core strategic asset and will govern and manage it accordingly throughout its lifecycle. Effective information management ensures that the right information is available to the right person, in the right format and medium, at the right time. Information that enables UQ to perform its core functions is considered an asset.

This policy outlines expectations and requirements for the governance and management of information at UQ and is intended to enable UQ to:

  • improve the integration and accuracy of its information,

  • increase the impact of its research and teaching,

  • improve compliance and reduce the risk of potential loss or misuse of information,

  • make better use of information in its decision-making processes,

  • provide a strong foundation to systematically manage information, ensuring that information of strategic importance and high value is prioritised, and

  • obtain valuable knowledge through the increased discoverability and appropriate accessibility of its information.

1.1 Scope

This policy defines principles for the governance and management of UQ’s data, information and records. The relationship between data, information and records is defined below, and detailed definitions with examples are in the Appendix. 

This policy applies to anyone creating, accessing or using UQ’s information, including but not limited to:

  • staff

  • contractors and consultants

  • students

  • visitors

  • title holders and third parties.

Exceptions to this policy must be approved by the Chief Information Officer, in alignment with the Cyber Security Exceptions Procedure.

2    Principles and Key Requirements

Robust and effective information management is fundamental to UQ’s functions and operations, as it:

  • provides for the appropriate management of information throughout the information lifecycle in compliance with legislative obligations and UQ’s policies and procedures,

  • ensures UQ meets its legislative record keeping obligations, and

  • helps to ensure that the right information is available to the right person, in the right format, at the right time.

The principles and requirements in this policy are related and intended to be applied holistically where possible. These principles are supported by the governance and management structures defined in the Information Governance and Management Framework.

2.1 Protect information as an asset

Effective information management allows UQ to realise the value of its data, enables accountability and transparency, mitigates risk, and allows businesses to operate. 

UQ will:

  • Identify and acknowledge the value of its information (i.e. its value to UQ, to UQ’s community, and to others).

  • Implement appropriate controls to protect the confidentiality, integrity, and availability of UQ’s information.

  • Ensure that information governance roles, responsibilities and decision rights are assigned in alignment with the Information Governance and Management Framework.

  • Manage information and records in UQ-approved information systems.

  • Manage information throughout the information lifecycle (see Appendix) in accordance with the Data Handling Procedure, Information Security Classification Procedure, Archives Policy, Privacy Management Policy and the Keeping Records at UQ Procedure.

  • Ensure digital information remains digital and is not converted to a physical format unless required.

  • Maintain a culture that supports effective information management to ensure the UQ community understands the value of information.

2.2 Information is findable and accessible 

The UQ community and members of the public should have access to relevant and appropriate UQ information where necessary. 

UQ will:

  • Maintain information systems to enable efficient cataloguing and discovery of information.

  • Proactively provide access to information where appropriate, including via the Publication scheme, administrative access schemes and Disclosure log.

  • Provide access to documents in accordance with the access regimes set out in the Information Privacy Act 2009 and Right to Information Act 2009.

  • Provide for the amendment of personal information in accordance with the Information Privacy Act 2009.

  • Give staff timely access to information required to undertake their official duties.

For more information, read the Access to and Amendment of UQ Documents Procedure, and visit the Explore and access data web page.

2.3 Information is suitable for all of its uses

Information quality is key to generating value from our information and supporting UQ’s strategic objectives. Information quality includes accuracy, completeness, consistency, timeliness, validity, and uniqueness. 

UQ will:

  • Establish and maintain practices and processes to improve information quality.

  • Consider the context under which information is collected, created or captured to ensure information is suitable for its primary use, and for any additional uses.

2.4 UQ meets its information management and record keeping obligations

To strengthen information and records management practices, UQ will:

  • Comply with records and information management requirements in contracts and agreements applicable to its operations.

  • Adhere to industry best practice and standards where possible.

  • Implement information and record management procedures and guidelines to support compliance with relevant legislation, regulations, and policies, including (but not limited to):

      • Information Privacy Act 2009 (Qld)

      • Public Records Act 2002 (Qld)

      • Records Governance Policy (Qld)

  • Ensure UQ's information is findable, accessible, interoperable, and reusable, in accordance with the FAIR Principles.

  • Provide training and resources to ensure the UQ community understands their information management responsibilities and can comply with legislation and relevant UQ policies, procedures and guidelines.

2.5 Information privacy, confidentiality and security is assured

To help protect UQ’s information and its community, UQ will:

2.6 Records are managed throughout their lifecycle

UQ’s records must be managed in compliance with the Public Records Act 2002 and UQ’s record management requirements. The legislation and supporting instruments set requirements regarding vital, high-value, high-risk and historically significant permanent records.

UQ will:

3    Roles, Responsibilities and Accountabilities

The roles below are a summary of key information governance and management roles and responsibilities. Refer to the Information Governance and Management Framework for a comprehensive list. 

3.1 Information Trustee (Vice-Chancellor) 

The Vice-Chancellor is accountable for ensuring the collection and management of UQ’s information and records in accordance with relevant legislative, regulatory and policy obligations.

3.2 Chief Information Officer (CIO) 

The Chief Information Officer (CIO) is accountable for developing, maintaining and implementing information management capabilities, policies, procedures and technical standards to protect UQ’s information.

The CIO is responsible for ensuring that information roles (i.e. Information Leaders, Information Domain Custodians and Information Stewards) are assigned across UQ.

3.3 IT Policy, Risk and Assurance Committee (IT PRAC)

The IT PRAC is responsible for reviewing compliance, assurance or risk reports regarding information governance and management. Read the IT Governance and Management Framework for more information and the committee terms of reference. 

3.4 Information Domain Custodians

An Information Domain Custodian is assigned to one or more information domains (see the information entity catalogue for more details). For example, the Chief Human Resources Officer is the Information Domain Custodian for the Human Resources domain.

For each assigned information domain, the Information Domain Custodian is responsible for:

  • key information management decisions and directions

  • defining business area specific (e.g. Research) operating procedures and controls to ensure legislative and policy obligations are met, to ensure the confidentiality, integrity, availability and appropriate and ethical use of information

  • assigning Information Stewards to oversee day to day information management.

3.5 Information Stewards

An Information Steward is assigned to one or more information entities (see the information entity catalogue for more details). For example, the Director, People Services is the Information Steward for the Staff, Worker, Leave and Timesheet information entities (within the Human Resources domain).

For each assigned entity, the Information Steward is responsible for:

  • providing advice and making decisions regarding the day-to-day management of information

  • implementing UQ-wide and business area specific decisions, policies, procedures, and standards, to ensure legislative and policy obligations are met.

3.6 Associate Director, Data Services

The Associate Director, Data Services is responsible for:

  • maintaining and implementing this policy

  • escalating high-rated risks to UQ committees requiring resolution as required.

3.6.1 Data Strategy and Governance Team 

The Data Strategy and Governance Team supports the Associate Director, Data Services to maintain and implement this policy. The team is responsible for:

  • responding to information governance and management legislative and regulatory requirements (under the remit of the CIO, as defined in the Compliance legislation register)

  • reporting to UQ committees on information management compliance as required

  • undertaking initiatives to enhance information management and improve information security at UQ.

3.7 Records Governance Team 

The Records Governance Team is responsible for:

  • advising on and auditing compliance with record keeping obligations

  • recording the existence of vital, high-risk, high-value records (including records that need to be retained permanently)

  • maintaining a register of UQ systems approved to retain records

  • advising on the management, treatment and preservation of vital, high-risk, high-value and permanent retention records

  • developing strategies for records capture, maintenance, lifecycle and archive management

  • maintaining and implementing record keeping and destruction procedures.

3.8 Right to Information and Privacy (RTIP) Office

The RTIP Office is responsible for:

  • Managing UQ’s administrative access schemes and its obligations under the Right to Information Act 2009 and Information Privacy Act 2009.

  • Providing advice and leadership in relation to privacy compliance across UQ.

3.9 UQ community

Members of the UQ community have a responsibility to:

  • Comply with this policy and associated procedures to create, store, access and use the University’s information ethically and securely.

  • Notify Information Technology Services regarding actual or suspected breaches of this policy, the Information Governance and Management Framework and/or UQ’s obligations regarding the collection and management of information.

4. Monitoring, Review and Assurance

The Data Strategy and Governance Team ensures that key information governance roles (such as Information Domain Custodian and Information Steward) are appointed, inducted and are aware of their responsibilities. Additionally, the team will provide information governance and management training and deliver awareness initiatives to the wider UQ community as required, to improve information literacy and awareness across UQ. 

The Data Strategy and Governance team will report on information management risk and compliance to the IT Policy, Risk and Assurance Committee (IT PRAC) and other UQ committees as required, in alignment with the IT Governance and Management Framework.

The Data Strategy and Governance team will review and update this policy as required to ensure its accuracy. 

5. Recording and Reporting

The Information Asset Register provides details regarding information collected in the course of managing the University.

The Information Entity Catalogue provides a high-level overview of the information domains at UQ, and the different information entities within each domain.

Documents released to applicants under the Right to Information Act 2009 are progressively published via the Disclosure log.

The Approved Systems for Record Keeping Register provides details regarding UQ systems that contain records.

6. Appendix

6.1 Definitions

Data – values or individual facts in their most basic format that exist independent of any given context. Data are raw values that can be processed. When data are processed, combined with other data, organised, structured or presented in a given context, they are referred to as information. Examples include individual fields in a database or pixels in an image file.

Information – consists of data that has been processed, analysed, or interpreted within a given context. Information can exist in any format. Examples include physical (paper, DNA) or digital (audio, PDF file, .jpeg). 

Record – consists of information that has been generated or received by UQ in the course of its activities that is retained by UQ as evidence of activities or decisions, or because the information has cultural, community or organisational value. Certain records must be retained for a specified period to meet legislative requirements. Records can be managed in a range of systems, both digitally and physically. Examples include meeting minutes, contracts and financial transactions.

Information domain – a broad category or theme under which University information can be identified and managed. See the Information Entity Catalogue for an overview of the information domains at UQ.

Information entity – a specific group of information that is related to an information domain. Examples of information entities include ‘digital learning’ data for the teaching and learning domain, ‘budget’ data for the finance domain, and ‘salary’ data for the human resources domain.

UQ community – anyone who uses UQ information and communications technology (ICT) resources, and anyone who creates, accesses or uses UQ’s information. This includes (but is not limited to) students, staff, contractors and consultants, visitors, title holders and third parties.

6.2 Related UQ Policies and Procedures

6.3 Related Legislation

A full list of legislative instruments can be found in the Information Governance and Management Framework.

6.4 Information Lifecycle

The information lifecycle includes:

  • plan and design

  • create, capture and classify

  • store and secure

  • manage and maintain

  • share and reuse

  • retain and archive

  • dispose or destroy.

Custodians
Chief Information Officer Mr Rowan Salt
