1.0 Purpose and Scope
This procedure outlines data handling requirements for all data, information and records at The University of Queensland (UQ). Members of the UQ community who handle UQ data and information must comply with this procedure. This includes (but is not limited to) students, staff, contractors and consultants, visitors, title holders and third parties.
The requirements and controls outlined in this procedure aim to:
- protect UQ’s community and information,
- reduce UQ’s cyber security risk,
- enable safe and ethical information use, and
- ensure compliance with UQ’s legislative obligations.
This procedure should be read in conjunction with the following:
- supporting IT procedures, frameworks and standards [16].
2.0 Process and key controls
Individuals must:
- Handle data and information according to their information security classification [17].
- Use UQ-approved IT services throughout the information lifecycle [18]. Contact IT support [19] to raise any queries about services.
- Comply with UQ and IT procurement processes and requirements if acquiring new information systems or services. Visit the ICT procurement web page [20] for more information.
- Limit the collection, use, retention, disclosure or sharing of personal, SENSITIVE or PROTECTED information (e.g. driver’s licence details, student grades linked to student identity, health data). De-identify data wherever possible.
- Wherever possible, use existing data instead of recapturing or duplicating data. For information on accessing UQ data, visit the Explore and access data webpage [21] for corporate data, and the Library guide [22] for research data.
- Comply with any local processes and practices regarding data handling and information systems.
- Use UQ-managed devices (laptops, desktops and mobile devices, if provided) where possible.
- Seek advice from the cyber security, information and records management teams as required (see Appendix for details).
- Align with the AIATSIS Code of Ethics for Aboriginal and Torres Strait Islander Research when handling Indigenous data, noting that the code’s principles apply to research and other activities that can impact upon, or be of importance to, Aboriginal and Torres Strait Islander peoples.
2.1 Exceptions
Exceptions to this procedure (e.g. if certain requirements cannot be met) must be managed in accordance with the Cyber Security Exceptions Procedure [4].
2.2 Additional obligations
Information Domain Custodians are responsible for ensuring that specific industry or research requirements (e.g. Australian Code for the Responsible Conduct of Research, Payment Card Industry Data Security Standard) are identified within their assigned domains, and that appropriate controls are implemented.
Additional or alternative controls may also apply to UQ data and information associated with a contract, licence or agreement (e.g. a data sharing agreement).
2.2.1 Additional research obligations
Staff (including contractors) and HDR candidates must adhere to the research data management classifications and controls that are specified in the relevant contractual agreements or ethics approvals.
They must also define additional or alternate classifications and associated controls in a research data management plan [23] (to be stored in UQRDM) for the following types of information:
- National security information: additional controls may apply if staff create or capture information that, if subject to a data breach, would damage the national interest or have national security implications. Refer to the Australian Government Protective Security Policy Framework [24].
- Defence Industry Security Program (DISP): alternate security controls apply if staff capture or create information as part of a DISP research project. Contact Research Ethics and Integrity [25] for more information.
See the Research Data Management Policy [14] for more information on research data management plans.
3.0 Key Requirements
The UQ community must manage data and information appropriately throughout the information lifecycle [18]. In each phase of the information lifecycle, controls and requirements apply based on the information security classification [17] and these are defined in the sections below.
Requirements in the ‘plan and design’ phase apply throughout the lifecycle.
3.1 Plan and Design
Individuals must comply with the following requirements (as relevant):
- Research data: for each research project, a First Named Chief Investigator (also referred to as Lead Chief Investigator) and the relevant organisational unit must be identified at the start of the project. The First Named Chief Investigator assumes the role of Information Steward for the duration of the project. Upon project completion (or departure from UQ), the role of Information Steward transfers to the identified Head of School or Director of Institute. See the Administration of Research Funding Policy [26] for the criteria for the First Named Chief Investigator role.
- Access policies: Information Domain Custodians are responsible for approving access policies (including any changes) for their information domains. Individuals should only be given access to the data required to execute their responsibilities. Access policies must be reviewed periodically in line with the Access and Privileges Management Framework [27].
- Use UQ-approved IT services throughout the information lifecycle. If procuring a new IT service, or using any other non-UQ-approved IT service to handle data, comply with the Software Acquisition and Use Procedure [28], the ICT Procurement Framework [20] and the Procurement Policy [29]. Consult Information Technology Services [30] (ITS) to ensure that all legislative, security and information management requirements are met.
- Consider any future requirements regarding records retention, disposal, archiving, decommissioning of systems, transfer of data, and ongoing management.
- Consider metadata when identifying data entry/capture requirements.
- Consider any risks (including cyber security risks) associated with the information or IT services being used. If required, conduct a risk assessment in alignment with the Enterprise Risk Management Framework [31].
3.1.1 Privacy Impact Assessments (PIAs)
When proposing new or changed IT services or processes that will handle personal information, a PIA may be required.
- At a minimum, if a proposed new IT service (or a change to an existing service) will handle personal information, staff (e.g. the project team) should undertake a Threshold Privacy Assessment (TPA) to determine whether a PIA is required. TPAs should be submitted to the relevant Information Steward(s) and the Right to Information (RTI) and Privacy Office.
- Information Stewards are responsible for conducting PIAs, which must be reviewed by the RTI and Privacy Office and approved by the relevant Information Domain Custodian. The approved PIA must be provided to the RTI and Privacy Office for record keeping.
Resources and templates for TPAs and PIAs are available under the Staff Resources section of the RTI and Privacy website [32].
3.1.2 Data sovereignty
The location and jurisdiction of services used to store/process data must be considered to ensure UQ’s legislative and security requirements are met.
To avoid risks associated with data sovereignty, only use appropriate UQ-approved IT services throughout the information lifecycle and consult ITS regarding use of any new IT services.
When cloud services are utilised, consideration must be given to the cloud service provider country of origin, regardless of the location in which the data is stored. In certain circumstances, laws in the jurisdiction in which the company is based (or where the data is stored/processed) may mean third parties (including government entities) within that country could access the data. Data sovereignty restrictions also apply to offline data (e.g. backups).
When considering data hosting outside Australia or situations where a vendor can access data from another country, e.g. to provide user support, the following requirements apply:
- Personal information may only be transferred outside of Australia (including the storage of personal information in cloud-based services on servers located outside of Australia) in compliance with section 33 of the Information Privacy Act 2009 (Qld). Where personal information is proposed to be transferred offshore, a Privacy Impact Assessment should be undertaken to ensure all compliance obligations are met; see section 3.1.1 above for more details.
- SENSITIVE and PROTECTED information: consult Data Strategy and Governance [33] to ensure all security risks are managed correctly. Further risk assessments may be required, and Legal Services [34] can also assist if needed.
3.2 Create, Capture and Classify
Individuals must comply with the following requirements (as relevant):
- Ensure data is accurate, valid and complete at the time of capture and creation to maintain data quality.
- Identify and record metadata (such as the individual who created the data) where possible.
- Classify data and information at the time of creation or capture, according to the Information Security Classification Procedure [17] and direction from the relevant Information Steward.
- Any collection of personal information must comply with the Privacy Management Procedures [13]. For more information, contact the RTI and Privacy Office [35].
- Consider the University’s moral and ethical obligations at the time of data collection (e.g. transparent disclosure of information about data collection, processing and use). View UQ’s Enterprise Data Ethics Framework [15].
- Only create or capture data required for a legitimate and defined University purpose, to minimise the collection of personal information and/or SENSITIVE or PROTECTED information.
- For Microsoft Office 365 documents and emails, ensure the correct sensitivity label is applied in accordance with the relevant information security classification. If the label is not updated, the ‘OFFICIAL’ label is applied by default. Read more about sensitivity labels [36].
3.3 Store and Secure
Individuals must comply with the following requirements (as relevant):
Classification | Handling requirement
---|---
All |
PUBLIC |
OFFICIAL |
SENSITIVE |
PROTECTED |

Supporting information: Endpoint Security Standard [43], Application Security Standard [44], Data Security Controls Standard [45]
3.4 Manage and Maintain
Individuals must comply with the following requirements (as relevant):
Classification | Handling requirement
---|---
All |
PUBLIC and OFFICIAL |
SENSITIVE |
PROTECTED |

Supporting information: Application Security Standard [44]
3.5 Share and Reuse (transmission)
Individuals must comply with the following requirements (as relevant):
Classification | Handling requirement
---|---
All |
SENSITIVE and PROTECTED |

Links: Destruction of Records Procedure [51], Data Security Controls Standard [45]
3.6 Retain and Archive
Individuals must comply with the following requirements (as relevant):
- Retain data and information only for as long as UQ has a business requirement to retain it (including any records retention requirements). Dispose of data and information if no longer required.
- Retain and archive records in compliance with the Keeping Records at UQ Procedure [41] (see section 3.2 of that procedure for retention schedules [52]) and the Public Records Act 2002 (Qld).
- Contact the relevant Information Steward to recommend the retention or archival of high risk, high value, vital and permanent retention records. Information Stewards will review and seek approval from the appropriate Information Domain Custodian.
- If decommissioning a system that contains UQ data, consult Data Strategy and Governance [33] regarding any decisions to retain, transfer or dispose of the data.
- Comply with research data retention requirements in the Australian Code for the Responsible Conduct of Research [53].
3.7 Dispose and Destroy
Individuals must comply with the following requirements (as relevant):
- The relevant Information Domain Custodian must endorse the destruction of University records within their domain. However, final approval must be obtained from the Manager, Data Strategy and Governance, in compliance with the Destruction of Records Procedure [51].
- Ensure data is disposed of securely, including all copies, backups and devices (if required). Submit an IT support request [54] regarding device redeployment and disposal.
- Printed documents and other information in a physical format (e.g. tapes, CDs) must be disposed of using approved secure shredding and destruction services [55].
4.0 Roles, Responsibilities and Accountabilities
Key roles and responsibilities relevant to this procedure are outlined in the subsections below. Refer to the Information Governance and Management Framework [3] for a comprehensive list of information governance and management roles.
4.1 Vice-Chancellor
The Vice-Chancellor is accountable for ensuring the collection and management of UQ’s information and records in accordance with relevant legislative, regulatory and policy obligations.
4.2 Chief Information Officer (CIO)
The CIO is accountable for developing, maintaining and implementing information management capabilities, policies, procedures and technical standards to protect UQ’s information.
4.3 Information Domain Custodians
Information Domain Custodians are responsible for the following (for their information domain/s):
- Defining business area specific (e.g. research) operating procedures and controls to ensure legislative and policy obligations are met, and to ensure the confidentiality, integrity, availability and appropriate and ethical use of information.
- Approving privacy impact assessments.
- Approving access policies (including any changes) for their information domains.
- Approving requests to retain or archive high risk, high value, vital and permanent retention records.
- Endorsing disposal requests for records for approval by the Manager, Data Strategy and Governance.
4.4 Information Stewards
Information Stewards are responsible for the following (for the information entity/entities they are assigned to):
- Providing advice and making decisions regarding day-to-day management of information.
- Conducting privacy impact assessments and submitting approved assessments to the RTI and Privacy Office.
- Setting and/or endorsing an overall information security classification for each information entity.
- Reviewing and recommending decisions regarding records disposal and the retention or archiving of high risk, high value, vital and permanent retention records.
- Reviewing and approving data access requests (e.g. data sharing agreements).
- Applying UQ-wide policies and procedures and business area specific (e.g. research) operating procedures and controls to ensure legislative and policy obligations are met.
4.5 Technical Owners
The Technical Owner is the staff member responsible for the ongoing technical management of a service or asset (e.g. information system).
They are responsible for:
- Supporting Information Stewards to implement the technical controls outlined in this document and associated procedures and standards. Visit the IT procedures, frameworks and standards [16] library for more information.
- Assisting Information Stewards to conduct privacy impact assessments for the implementation of new systems or business processes (or changes to existing systems or processes) as required.
4.6 Manager, Data Strategy and Governance
The Manager, Data Strategy and Governance is responsible for:
- maintaining and implementing this procedure,
- escalating high-rated risks requiring resolution to UQ committees as required, and
- approving records disposal requests.
4.6.1 Data Strategy and Governance Team
The Data Strategy and Governance Team supports the Manager, Data Strategy and Governance to maintain and implement this procedure. The team is also responsible for:
- Reporting to UQ committees on information management compliance as required (including reporting on records management and data sharing internally and externally).
- Facilitating data sharing agreements (DSAs) and maintaining a register of DSAs.
- Providing advice regarding data handling (including during projects).
- Advising on the management, treatment and preservation of vital, high-risk, high-value and permanent retention records.
- Maintaining and implementing records management procedures.
- Delivering training and awareness regarding data handling principles and processes.
- Providing training and support for Information Domain Custodians and Information Stewards.
4.7 Right to Information (RTI) and Privacy Office
The RTI and Privacy Office is responsible for:
- Providing advice and leadership regarding privacy compliance, privacy impact assessments and the management of personal information.
- Providing advice to business units on notifying individuals affected by privacy breaches.
- Maintaining records of approved Privacy Impact Assessments.
4.8 UQ community
Members of the UQ community are responsible for:
- Complying with this procedure (and any business area-specific information management procedures) to handle the University’s information ethically and securely.
- Reporting real or suspected data breaches or cyber security incidents via the cyber security webpage [56].
- Reporting lost or stolen devices containing UQ information to IT support [54].
- Using UQ-approved IT services and consulting ITS regarding the use of new IT services to handle data.
- Seeking approval before destroying UQ records, in compliance with the Destruction of Records Procedure [51].
- Managing and reviewing access permissions (e.g. read and write access) for documents and collaborative spaces (e.g. SharePoint and Teams) they manage.
5.0 Monitoring, Review and Assurance
The Data Strategy and Governance team will:
- Provide training and deliver awareness initiatives to the wider UQ community as required, to improve data literacy and awareness across UQ.
- Report on information and records management risk and compliance to the IT Policy, Risk and Assurance Committee (IT PRAC) quarterly, and to other UQ committees as required, in alignment with the IT Governance and Management Framework [57].
- Maintain and update the information entity catalogue to ensure its accuracy.
- Review and update this procedure as required to ensure its accuracy.
6.0 Recording and Reporting
The Data Strategy and Governance team maintains UQ’s information entity catalogue which records:
- information domains and information entities,
- Information Leaders, Information Domain Custodians and Information Stewards assigned to each business area, domain and entity (respectively), and
- information security classifications for each UQ information entity (as a minimum, UQ information entities will be assigned a classification based on the highest classification rating of the information held).
The Data Strategy and Governance team also maintains a register of all submitted data sharing agreements.
The RTI and Privacy Office maintains a register of approved Privacy Impact Assessments (PIAs) and is responsible for (where applicable) reporting privacy breaches to the relevant Information Commissioner or privacy regulator. The RTI and Privacy Office also provides management with an annual report on UQ’s compliance with the Information Privacy Act and other relevant privacy laws.
Information management roles and responsibilities should be captured as a research data management record in UQRDM. Research data management plans should also be stored in UQRDM where possible.
7.0 Appendix
7.1 Key contacts
Individuals can seek advice from the following groups as required:
- Information Stewards: advice regarding classifying information, local data handling processes, data access requests, and appropriate and ethical use of information.
- Data Strategy and Governance [49]: advice regarding information governance and management, data handling requirements, data access requests, UQ-approved information systems, records retention requirements, UQ-approved record keeping systems, and records disposal or transfer.
- ICT Procurement [20]: advice regarding procuring new IT systems, services and software.
- Right to Information and Privacy [32]: advice regarding personal information (e.g. consent, collection notices), privacy, and privacy impact assessments.
- Cyber security [42]: advice regarding cyber security risk assessments, security controls, cyber security incidents, and additional security requirements relating to third party agreements.
- ITS relationship managers: advice regarding new IT services, key changes to existing IT services, integrations, and projects with IT requirements. Read more [30].
7.2 Definitions
- Data: refer to the Information Management Policy [58].
- Information: refer to the Information Management Policy [58].
- Record: refer to the Information Management Policy [58].
- UQ community: refer to the Information Management Policy [58].
- Information entity: refer to the Information Management Policy [58].
- Information domain: refer to the Information Management Policy [58].
- Personal information: refer to the Privacy Management Policy [13].
- Write access: access to edit information.
- Read access: access to view information.
- Access policy: a policy specifying who can create, access or modify information for a particular domain. See the Access and Privileges Management Framework [27] for more information.
- Data breach: where data is lost, or accessed or disclosed without authorisation, either accidentally or due to malicious activity.