Data Handling - Procedure

1.0    Purpose and Scope

This procedure outlines data handling requirements for all data, information and records at The University of Queensland (UQ). Members of the UQ community who handle UQ data and information must comply with this procedure. This includes (but is not limited to) students, staff, contractors and consultants, visitors, title holders and third parties.  

The requirements and controls outlined in this procedure aim to:

  • protect UQ’s community and information,

  • reduce UQ’s cyber security risk,

  • enable safe and ethical information use, and

  • ensure compliance with UQ’s legislative obligations.

This procedure should be read in conjunction with the following:

2.0    Process and key controls

Individuals must:

  1. Handle data and information according to their information security classification.

  2. Use UQ-approved IT services throughout the information lifecycle. Contact IT support to raise any queries about services.

  3. Comply with UQ and IT procurement processes and requirements if acquiring new information systems or services. Visit the ICT procurement web page for more information.

  4. Limit the collection, use, retention, disclosure or sharing of personal, SENSITIVE or PROTECTED information (e.g. driver’s licence details, student grades linked to student identity, health data). Deidentify data wherever possible.

  5. Wherever possible, use existing data instead of recapturing or duplicating data. For information on accessing UQ data, visit the Explore and access data webpage for corporate data, and the Library guide for research data.

  6. Comply with any local processes and practices regarding data handling and information systems.

  7. Use UQ-managed devices (laptops, desktops and mobile devices if provided) where possible.

  8. Seek advice from cyber security, information and records management teams as required (see Appendix for details).

  9. Align with the AIATSIS Code of Ethics for Aboriginal and Torres Strait Islander Research when handling Indigenous data, noting that the code’s principles apply to research and other activities that can impact upon, or be of importance to, Aboriginal and Torres Strait Islander peoples.

2.1    Exceptions

Exceptions to this procedure (e.g. if certain requirements cannot be met) must be managed in accordance with the Cyber Security Exceptions Procedure.

2.2    Additional obligations

Information Domain Custodians are responsible for ensuring that specific industry or research requirements (e.g. Australian Code for the Responsible Conduct of Research, Payment Card Industry Data Security Standard) are identified within their assigned domains, and that appropriate controls are implemented.

Additional or alternative controls may also apply to UQ data and information associated with a contract, licence or agreement (e.g. a data sharing agreement).

2.2.1    Additional research obligations

Staff (including contractors) and HDR candidates must adhere to the research data management classifications and controls that are specified in the relevant contractual agreements or ethics approvals.

They must also define additional or alternate classifications and associated controls in a research data management plan (to be stored in UQRDM) for the following types of information:

  • National security information: additional controls may apply if staff create or capture information that, if subject to a data breach, would damage the national interest or have national security implications. Refer to the Australian Government Protective Security Policy Framework.

  • Defence Industry Security Program (DISP): alternate security controls apply if staff capture or create information as part of a DISP research project. Contact Research Ethics and Integrity for more information.

See the Research Data Management Policy for more information on research data management plans.

3.0    Key Requirements

The UQ community must manage data and information appropriately throughout the information lifecycle. In each phase of the information lifecycle, controls and requirements apply based on the information security classification and these are defined in the sections below.

Requirements in the ‘plan and design’ phase apply throughout the lifecycle.

3.1    Plan and Design

Individuals must comply with the following requirements (as relevant):

  1. Research data: for each research project, a First Named Investigator (also referred to as Lead Chief Investigator) and the relevant organisational unit must be identified at the start of the project. The First Named Chief Investigator assumes the role of the Information Steward for the duration of the project. Upon project completion (or departure from UQ), the role of Information Steward transfers to the identified Head of School or Director of Institute. See the Administration of Research Funding Policy for criteria for the First Named Chief Investigator role.

  2. Access policies: Information Domain Custodians are responsible for approving access policies (including any changes) for their information domains. Individuals should only be given access to the data required to execute their responsibilities. Access policies must be reviewed periodically in line with the Access and Privileges Management Framework.

  3. Use UQ-approved IT services throughout the information lifecycle. If procuring a new IT service, or using any other non-UQ approved IT service to handle data, comply with the Software Acquisition and Use Procedure, the ICT Procurement Framework and the Procurement Policy. Consult Information Technology Services (ITS) to ensure that all legislative, security and information management requirements are met.

  4. Consider any future requirements regarding records retention, disposal, archiving, decommissioning systems, transfer of data, and ongoing management.

  5. Consider metadata when identifying data entry/capture requirements.

  6. Consider any risks (including cyber security risks) associated with the information or IT services being used. If required, conduct a risk assessment in alignment with the Enterprise Risk Management Framework.

3.1.1    Privacy Impact Assessments (PIAs)

When proposing new or changed IT services or processes that will handle personal information, a PIA may be required.

  1. At a minimum, if a proposed new IT service (or changes to an existing service) will handle personal information, staff (e.g. the project team) should undertake a Threshold Privacy Assessment (TPA) to determine whether a PIA is required. TPAs should be submitted to the relevant Information Steward(s) and the Right to Information (RTI) and Privacy Office.

  2. Information Stewards are responsible for conducting PIAs, which must be reviewed by the RTI and Privacy Office and approved by the relevant Information Domain Custodian. The approved PIA must be provided to the RTI and Privacy Office for record keeping.

Resources and templates for TPAs and PIAs are available under the Staff Resources section of the RTI and Privacy website.

3.1.2    Data sovereignty

The location and jurisdiction of services used to store/process data must be considered to ensure UQ’s legislative and security requirements are met.

To avoid risks associated with data sovereignty, only use appropriate UQ-approved IT services throughout the information lifecycle and consult ITS regarding use of any new IT services.

When cloud services are utilised, consideration must be given to the cloud service provider country of origin, regardless of the location in which the data is stored. In certain circumstances, laws in the jurisdiction in which the company is based (or where the data is stored/processed) may mean third parties (including government entities) within that country could access the data. Data sovereignty restrictions also apply to offline data (e.g. backups).

When considering data hosting outside Australia or situations where a vendor can access data from another country, e.g. to provide user support, the following requirements apply:

  • Personal information may only be transferred outside of Australia (including the storage of personal information in cloud-based services on servers located outside of Australia) in compliance with section 33 of the Information Privacy Act 2009 (Qld). Where personal information is proposed to be transferred offshore, a Privacy Impact Assessment should be undertaken to ensure all compliance obligations are met - see section 3.1.1 above for more details.

  • SENSITIVE and PROTECTED information: consult Data Strategy and Governance to ensure all security risks are managed correctly. Further risk assessments may be required and Legal Services can also assist if needed.

3.2    Create, Capture and Classify

Individuals must comply with the following requirements (as relevant):

  1. Ensure data is accurate, valid and complete at the time of capture and creation to maintain data quality.

  2. Identify and record metadata (such as the individual who created the data) where possible.

  3. Classify data and information at the time of creation or capture, according to the Information Security Classification Procedure and direction from the relevant Information Steward.

  4. Any collection of personal information must comply with the Privacy Management Procedures. For more information, contact the RTI and Privacy Office.

  5. Consider the University’s moral and ethical obligations at the time of data collection (e.g. transparent disclosure of information about data collection, processing, and use). View UQ’s Enterprise Data Ethics Framework.

  6. Only create or capture data required for a legitimate and defined University purpose, to minimise the collection of personal information and/or SENSITIVE or PROTECTED information.

  7. For Microsoft Office 365 documents and emails, ensure the correct sensitivity label is applied in accordance with the relevant information security classification. If not updated, the ‘OFFICIAL’ label will be applied by default. Read more about sensitivity labels.

3.3    Store and Secure

Individuals must comply with the following requirements (as relevant):

All classifications

  1. Remove access to UQ information and systems when they are no longer required, or when an individual leaves UQ, changes their role, or ends their partnership or affiliation with UQ. View the departure checklist for more information.

  2. Set secure passwords - read UQ’s password guidelines.

  3. Store UQ information in UQ-approved IT systems to ensure regular backups. Visit the Where to store files and information web page for guidance.

    1. Ensure that appropriate access controls are in place, commensurate with the nature and sensitivity of the information.

    2. Certain research data may be saved to local hard drives if they are being regularly and automatically backed up. Read more about backups.

  4. Avoid unnecessary duplication of data across IT services, devices, and storage locations, including hard copies.

  5. Store records in approved record keeping systems in alignment with the Keeping Records at UQ Procedure.

  6. Do not use USB drives and portable hard drives unless they are encrypted.

  7. Follow cyber security best practice – visit the stay cyber safe web page for more details.

  8. Use UQ-approved online collaboration tools (e.g. UQ RDM, SharePoint and Microsoft Teams). Assign at least two (but no more than is necessary) administrators who must ensure access and permissions are set based on business need.

  9. Report actual or suspected data loss or breaches (including lost or stolen devices) as soon as possible via UQ’s cyber security website or by calling IT support.

PUBLIC

  1. Restrict write access based on business need. PUBLIC information may be read by anyone but doesn’t need to be published.

  2. Collaboration space administrators must review write access annually.

OFFICIAL

  1. Restrict write access based on business need (e.g. specific teams). Where possible and appropriate, restrict read access based on business need.

  2. Collaboration space administrators must review read and write access every 12 months.

SENSITIVE

  1. Restrict write access based on strict business need (e.g. specific individuals or groups). Where possible and appropriate, restrict read access based on strict business need.

  2. Collaboration space administrators must review read and write access every six months.

  3. Ensure hard copy information is stored in a locked cabinet when not being used.

PROTECTED

  1. Restrict write access based on very strict business need (e.g. only the individuals required). Where possible and appropriate, restrict read access based on very strict business need. Staff screening may be required.

  2. Collaboration space administrators must review read and write access every three months.

  3. Use file-based encryption where possible. Store back-up encryption passwords in UQ’s enterprise vault.

  4. Where possible, use online files rather than copying/downloading them to local storage for processing. Do not use web-based file shares which synchronise files to local storage (e.g. OneDrive). Delete any local copies of files when they are no longer required.

  5. Ensure hard copy information is stored in a locked cabinet when not being used.

Supporting information:

Endpoint Security Standard

Application Security Standard

Data Security Controls Standard

Access and Privileges Management Framework

Authentication Framework

Network Security Controls Standard

3.4    Manage and Maintain

Individuals must comply with the following requirements (as relevant):

All classifications

  1. Notify Data Strategy and Governance if an Information Leader, Information Domain Custodian or Information Steward is exiting their current role. Ensure an acting Information Leader, Information Domain Custodian or Information Steward is appointed to ensure information governance and management responsibilities are met during the transition.

  2. Information Stewards must ensure that data and information within their entities are actively managed to ensure data quality, ongoing continuity of discovery and access (e.g. ensuring the relevant IT services hosting the information are serviced and supported appropriately), and compliance with UQ’s privacy and information management requirements.

  3. Technical Owners must review the information security classification of IT services (with support from Data Strategy and Governance) in alignment with the Application Security Standard.

PUBLIC and OFFICIAL

  1. Proactively review the information security classification of documents, data sets and collaboration spaces as information or requirements change, or at least every 36 months.

SENSITIVE

  1. Proactively review the information security classification of documents, data sets and collaboration spaces as information or requirements change, or at least every 24 months.

PROTECTED

  1. Proactively review the information security classification of documents, data sets and collaboration spaces as information or requirements change, or at least every 12 months.

Supporting information:

Application Security Standard

Access and Privileges Management Framework

Information Security Classification Procedure

3.5    Share and Reuse (transmission)

Individuals must comply with the following requirements (as relevant):

All classifications

  1. A data sharing agreement may be required to access or use corporate UQ data. This includes the use of data for integration, analytics, or reporting. Visit the Request access to data page.

  2. Sharing data outside UQ requires approval from the relevant Information Steward (a data sharing agreement may be used to facilitate this approval). Ensure the agreement or contract includes data handling and security provisions that align with UQ’s policies, procedures and internal security controls. Engage with Data Strategy and Governance before proceeding.

  3. Personal information may only be used (i.e. within UQ) or disclosed (i.e. outside UQ) in accordance with the Privacy Management Policy. Except where explicitly allowed for under the Privacy Management Policy, any disclosure or secondary use of personal information may require a privacy impact assessment (see section 3.1.1).

  4. UQ data should be used in an ethical and responsible manner, including any sharing or reuse. Visit the data ethics web page or read the Enterprise Data Ethics Framework.

  5. Validate the identity of individuals receiving UQ data (e.g. check UQ email, check via phone call) and their authorisation to receive the data.

  6. Only share or transfer information using UQ-approved IT services. Read more about where to store files and information.

  7. Only share data (internally or externally) if required for a legitimate and defined University purpose or requirement, to minimise the disclosure of personal information and/or SENSITIVE or PROTECTED information.

  8. Do not print data unless there is a genuine requirement to do so.

SENSITIVE and PROTECTED

  1. Only share research data using IT services approved to handle SENSITIVE and PROTECTED data, in accordance with ethics approvals. Read more about where to store files and information.

  2. If transporting large data sets using physical storage devices, ensure devices are encrypted and passwords are shared securely with the receiver.

  3. Do not print data unless there is a genuine requirement to do so. If required, do not use printers in low security areas or connected to general office networks. Use managed printers that require staff to log in at the printer to collect printouts.

Links:

Destruction of Records Procedure

Data Security Controls Standard

Network Security Controls Standard

Authentication Framework

3.6    Retain and Archive

Individuals must comply with the following requirements (as relevant):

  1. Retain data and information only for as long as UQ has a business requirement to retain it (including any records retention requirements). Dispose of data and information if no longer required.

  2. Retain and archive records in compliance with the Keeping Records at UQ Procedure (see section 3.2 for retention schedules) and the Public Records Act 2002 (Qld).

  3. Contact the relevant Information Steward to recommend the retention or archival of high risk, high value, vital and permanent retention records. Information Stewards will review and seek approval from the appropriate Information Domain Custodian.

  4. If decommissioning a system that contains UQ data, consult Data Strategy and Governance regarding any decisions to retain, transfer or dispose of the data.

  5. Comply with research data retention requirements in the Australian Code for the Responsible Conduct of Research.

3.7    Dispose and Destroy

Individuals must comply with the following requirements (as relevant):

  1. The relevant Information Domain Custodian must endorse the destruction of University records within their domain. However, the final approval must be obtained from the Manager, Data Strategy and Governance, in compliance with the Destruction of Records Procedure.

  2. Ensure data is disposed of securely, including all copies, backups and devices (if required). Submit an IT support request regarding device redeployment and disposal.

  3. Printed documents and other information in a physical format (e.g. tapes, CDs) must be disposed of using approved secure shredding and destruction services.

4.0    Roles, Responsibilities and Accountabilities

Key roles and responsibilities relevant to this procedure are outlined in the subsections below. Refer to the Information Governance and Management Framework for a comprehensive list of information governance and management roles. 

4.1     Vice-Chancellor

The Vice-Chancellor is accountable for ensuring the collection and management of UQ’s information and records in accordance with relevant legislative, regulatory and policy obligations.

4.2    Chief Information Officer (CIO)

The CIO is accountable for developing, maintaining and implementing information management capabilities, policies, procedures and technical standards to protect UQ’s information. 

4.3    Information Domain Custodians

Information Domain Custodians are responsible for the following (for their information domain/s):

  • Defining business area specific (e.g. research) operating procedures and controls to ensure legislative and policy obligations are met, and to ensure the confidentiality, integrity, availability and appropriate and ethical use of information. 

  • Approving privacy impact assessments.

  • Approving access policies (including any changes) for their information domains.

  • Approving requests to retain or archive high risk, high value, vital and permanent retention records.

  • Endorsing disposal requests for records for approval by the Manager, Data Strategy and Governance.

4.4    Information Stewards

Information Stewards are responsible for the following (for the information entity/entities they are assigned to):

  • Providing advice and making decisions regarding day-to-day management of information. 

  • Conducting privacy impact assessments and submitting approved assessments to the RTI and Privacy Office.

  • Setting and/or endorsing an overall information security classification for each information entity.

  • Reviewing and recommending decisions regarding records disposal and the retention or archiving of high risk, high value, vital and permanent retention records.

  • Reviewing and approving data access requests (e.g. data sharing agreements).

  • Applying UQ-wide policies and procedures and business area specific (e.g. Research) operating procedures and controls to ensure legislative and policy obligations are met. 

4.5    Technical Owners

The Technical Owner is the staff member responsible for the ongoing technical management of a service or asset (e.g. information system).

They are responsible for:

  • Supporting Information Stewards to implement technical controls outlined in this document and associated procedures and standards. Visit the IT procedures, frameworks and standards library for more information.

  • Assisting Information Stewards to conduct privacy impact assessments for the implementation of new systems or business processes (or changes to existing systems or processes) as required.

4.6    Manager, Data Strategy and Governance

The Manager, Data Strategy and Governance is responsible for:  

  • maintaining and implementing this procedure,

  • escalating high-rated risks to UQ committees requiring resolution as required, and

  • approving records disposal requests. 

4.6.1    Data Strategy and Governance Team

The Data Strategy and Governance Team supports the Manager, Data Strategy and Governance to maintain and implement this procedure. The team is also responsible for:

  • Reporting to UQ committees on information management compliance as required (including reporting on records management and data sharing internally and externally).  

  • Facilitating data sharing agreements (DSAs) and maintaining a register of DSAs.

  • Providing advice regarding data handling (including during projects).

  • Advising on the management, treatment, and preservation of vital, high-risk, high-value and permanent retention records.

  • Maintaining and implementing records management procedures.

  • Delivering training and awareness regarding data handling principles and processes.

  • Providing training and support for Information Domain Custodians and Information Stewards.

4.7    Right to Information (RTI) and Privacy Office

The RTI and Privacy Office is responsible for:

  • Providing advice and leadership regarding privacy compliance, privacy impact assessments and the management of personal information.

  • Providing advice to business units on notifying individuals affected by privacy breaches.

  • Maintaining records of approved Privacy Impact Assessments.

4.8    UQ community

Members of the UQ community are responsible for:

  • Complying with this procedure (and any business area-specific information management procedures) to handle the University’s information ethically and securely.

  • Reporting real or suspected data breaches or cyber security incidents via the cyber security webpage.

  • Reporting lost or stolen devices containing UQ information to IT support.

  • Using UQ-approved IT services and consulting ITS regarding the use of new IT services to handle data.

  • Seeking approval before destroying UQ records in compliance with the Destruction of Records Procedure.

  • Managing and reviewing access permissions (e.g. read and write access) for documents and collaborative spaces (e.g. SharePoint and Teams) they manage.

5.0    Monitoring, Review and Assurance

The Data Strategy and Governance team will:

  • Provide training and deliver awareness initiatives to the wider UQ community as required, to improve data literacy and awareness across UQ.

  • Report on information and records management risk and compliance to the IT Policy, Risk and Assurance Committee (IT PRAC) quarterly and to other UQ committees as required, in alignment with the IT Governance and Management Framework.

  • Maintain and update the information entity catalogue to ensure its accuracy.

  • Review and update this procedure as required to ensure its accuracy.

6.0    Recording and Reporting

The Data Strategy and Governance team maintains UQ’s information entity catalogue which records:

  • Information domains and information entities,

  • Information Leaders, Information Domain Custodians and Information Stewards assigned to each business area, domain and entity (respectively), and

  • information security classifications for each UQ information entity (as a minimum, UQ information entities will be assigned a classification based on the highest classification rating of the information held).

The Data Strategy and Governance team also maintains a register of all submitted data sharing agreements.

The RTI and Privacy Office maintains a register of approved Privacy Impact Assessments (PIAs) and is responsible for (where applicable) reporting privacy breaches to the relevant Information Commissioner or privacy regulator. The RTI and Privacy Office also provides management with an annual report on UQ’s compliance with the Information Privacy Act and other relevant privacy laws.

Information management roles and responsibilities should be captured as a research data management record in UQ RDM. Research data management plans should also be stored in UQ RDM where possible.

7.0    Appendix

7.1    Key contacts

Individuals can seek advice from the following groups as required:

  • Information Stewards: advice regarding classifying information, local data handling processes, data access requests, and appropriate and ethical use of information.

  • Data Strategy and Governance: advice regarding information governance and management, data handling requirements, data access requests, UQ-approved information systems, records retention requirements, UQ-approved record keeping systems, and records disposal or transfer.

  • ICT Procurement: advice regarding procuring new IT systems, services and software.

  • Right to Information and Privacy: advice regarding personal information (e.g. consent, collection notices), privacy, and privacy impact assessments.

  • Cyber security: advice regarding cyber security risk assessments, security controls, cyber security incidents, and additional security requirements relating to third party agreements.

  • ITS relationship managers: advice regarding new IT services, key changes to existing IT services, integrations, projects with IT requirements. Read more.

7.2    Definitions

Custodians
Chief Information Officer Mr Rowan Salt