Data Governance Policy
1. Purpose
1.1 The Data Governance Policy (the policy) establishes a framework for effective data management at UTS by:
- establishing the principles and practices for the management and use of the university’s corporate data
- developing a data-conscious environment to provide secure, well-managed and reliable data that supports university decision-making, planning and reporting, and
- articulating responsibilities for the stewardship of corporate data and information systems supporting the implementation of this policy.
2. Scope
2.1 This policy applies to all staff, students and affiliates (hereafter users) as well as any person with access to UTS information, corporate data and information technology resources.
2.2 This policy must be adhered to in the collection and management of all corporate data.
2.3 This policy complements the provisions outlined in the following policies, which collectively operationalise data governance at UTS:
- the Privacy Policy, which protects the privacy of all individuals, in particular their personal information
- the Records Management Policy, which outlines the processes for full and accurate recordkeeping and management
- the Academic Records Policy, which articulates the requirements relating to official academic record documents issued to students and graduates
- the Research Policy, which defines the requirements for the management of research data, primary materials and research records
- the Artificial Intelligence Operations Policy, which guides the use, procurement and development of artificial intelligence capabilities at UTS, and
- the Acceptable Use of Information Technology Resources Policy and the Information Security Policy, which define the requirements for information system access control and system security.
3. Principles
3.1 Corporate data is governed in line with this policy and stored in approved and appropriate information systems. At UTS, data is:
- valued as a strategic asset of the university, essential to UTS’s purpose of advancing knowledge and learning
- shared where possible within the limitations required (for example, privacy) to support the UTS 2027 strategy
- managed, organised and readily available to support discoverability by appropriate users
- usable and reusable when there is a shared understanding of what it signifies and when conditions of access and use are communicated clearly
- trustworthy and of high quality supporting accurate reporting and evidence-based decision-making, and
- protected from loss, unauthorised use and disclosure through information security classification and security controls.
3.2 UTS will ensure appropriate strategies are in place to protect the university’s information systems from interference in line with the Information Security Policy.
4. Policy statements
Data management and use
4.1 Data at UTS must be:
- actively managed throughout the data lifecycle, from collection to disposal, and stored in approved and appropriate information systems
- secure, protected and reliable (where possible, encrypted) throughout its lifecycle, while also accessible for authorised use in accordance with clear and transparent control frameworks
- protected from data leaks, and
- assigned an information security classification in accordance with the Records Management Policy.
4.2 Accessibility, storage and control frameworks for all corporate data must be developed in accordance with the Privacy Policy and the Information Security Policy.
4.3 Primary and secondary purposes of corporate data should be clearly understood, applied and communicated in accordance with the Privacy Management Plan (available at Privacy regulations).
4.4 High-quality corporate data is important for accurate reporting and evidence-based decision-making. Data quality requirements should be defined in the context of the purpose and use of the data, and necessary data quality monitoring mechanisms put in place.
4.5 Corporate data elements must be defined consistently throughout the university, and definitions made available to all users.
4.6 Disclosure of corporate data to an external party, including for research projects, must be explicitly authorised in accordance with this policy, the Records Management Policy, the Privacy Policy and, where relevant, with the appropriate research ethics clearance (refer Research Policy).
4.7 Where practical, UTS data should be stored in Australia. Data may be stored or transferred offshore only after evaluating and mitigating any risks. Where data is stored or transferred offshore, the relevant information system and/or activity must be registered in the offshore data register managed by the Data Analytics and Insights Unit (refer UTS data governance: Offshore Data Registration (SharePoint)).
4.8 Data risks associated with the use of cloud-based information systems must be assessed and mitigated before procurement, approval and use by undertaking:
- a privacy impact assessment where personal information forms part of the data to be stored offshore (refer Privacy Management Plan (available at Privacy regulations))
- a digital recordkeeping assessment for any information that may create or capture records
- a review of the vendor’s cybersecurity arrangements in line with the Information Security Policy and as required by the Chief Information Security Officer (CISO)
- a legal review of the contract by the Office of General Counsel
- a due diligence assessment of the vendor (to ensure Procurement Policy requirements are met), and
- lodgment of these requirements, their outcomes and final arrangements in the university’s records management system in line with the Records Management Policy.
4.9 All users are accountable for:
- data they collect and manage on behalf of the university whether on or off campus, and
- prompt reporting of identified or suspected data breaches, which must be managed in line with the Data Breach Policy (where the breach involves personal and/or health information) and/or the Information Security Policy.
Data and systems stewardship
4.10 UTS acknowledges the need for effective management of corporate data. To that end:
- the Records Management Policy applies to any information system used by the university to collect and manage corporate data
- the Chief Information Officer has a role in providing resources for the management of data and oversight of information systems in line with the Acceptable Use of Information Technology Resources Policy and the Information Security Policy
- systems governance and data governance will work together to ensure data management is viewed holistically, and
- accountabilities for corporate data will be assigned and reviewed as necessary.
4.11 The senior executive, in consultation with the Chief Data Officer (CDO), has overall responsibility for data management planning and improvement for agreed data domains and information systems. For corporate data, members of the senior executive and the CDO are responsible for:
- assigning data and information system stewards and accountabilities for agreed data domains
- approving allocated security classifications in consultation with the CISO and in accordance with the Information Security Classification Standard (available at Records and archives hub: Information security (SharePoint))
- providing resources for the management of data and systems (in accordance with the UTS Delegations)
- resolving any issues escalated from data and/or information system stewards, and
- prioritising the management and improvement of data governance and associated information systems.
4.12 Data stewards are normally unit directors or senior managers assigned stewardship responsibility for a data domain (or sub-domain) by the CDO. Guidance and resources for data stewards are available at UTS data governance (SharePoint).
4.13 Data stewards provide detailed oversight of and approvals for data management, storage, planning and improvement for data within their domain of responsibility, including:
- ensuring that corporate data is appropriately classified in line with this policy and the allocated security classifications in accordance with the Information Security Classification Standard (available at Records and archives hub: Information security (SharePoint))
- understanding the policy, risk management and legal context for data collection, storage, use and accessibility (refer the Records Management Policy and the Privacy Policy)
- ensuring data risks are managed in consultation with the relevant information system stewards
- implementing business processes to ensure appropriate data quality and management
- being aware of and maintaining documentation of relevant data flows between systems and setting the conditions for integration of data from different sources for data under their domain
- authorising new data collection and data disposal exercises in accordance with the Privacy Policy and the Records Management Policy
- considering requests for disclosure of corporate data in accordance with this policy and the Privacy Policy
- defining user access and data security requirements for appropriate systems in accordance with this policy, the Privacy Policy and the Information Security Classification Standard (available at Records and archives hub: Information security (SharePoint))
- ensuring that all staff are aware of the requirements for data handling as outlined in the Information Classification Handling Matrix for Users (available at Beyond the Firewall: Cybersecurity Standards (SharePoint)), and
- arranging role appropriate training for current and potential users before granting systems (and, therefore, data) access.
4.14 Information system stewards provide detailed oversight of an information system. Working with data stewards under the provisions of this policy, information system stewards are responsible for:
- the management, maintenance and development of the system and its associated procedures
- supporting data quality management initiatives through adoption of relevant technology
- applying appropriate access controls in accordance with the Privacy Policy, this policy and allocated security classifications in accordance with the Information Security Classification Standard (available at Records and archives hub: Information security (SharePoint))
- supporting data security through adoption of appropriate technology in accordance with the Information Security Policy and the Infrastructure Cybersecurity Standard and the User Cybersecurity Standard (available at Beyond the Firewall: Cybersecurity Standards (SharePoint))
- ensuring that all privacy requirements (for example, privacy notices) outlined in the Privacy Policy and the Privacy Management Plan (available at Privacy regulations) are applied to the management of the information systems under their stewardship
- ensuring that all recordkeeping requirements outlined in the Records Management Policy are applied to the management of information systems under their stewardship
- providing support and advice to data stewards on data risk management processes, particularly in the selection of cloud-based information systems, and
- working with data stewards to ensure access to information systems is reviewed for accuracy and updated as required in a timely manner.
Breaches, complaints and exemptions
4.15 Breaches of this policy will be managed under the Code of Conduct, the relevant Enterprise agreement or the Student Rules as appropriate.
4.16 Complaints in relation to data governance will be managed in line with the Staff Complaints Policy or the Student Complaints Policy as appropriate.
4.17 Exemptions to the requirements of this policy may be submitted to the CDO for consideration and the Chief Operating Officer for decision. Exemptions must be recorded on a register by the office of the CDO.
5. Roles and responsibilities
5.1 Policy owner: The Chief Data Officer (CDO) is responsible for policy enforcement and compliance, ensuring its principles and statements are observed. The CDO is also responsible for approving any university-level registers and procedures associated with this policy.
5.2 Policy contact: The Senior Manager Data Management Services is the primary point of contact for advice on implementing and administering this policy. The Senior Manager Data Management Services is also responsible for liaising with the University Secretary, the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO) to develop and maintain the Information Security Classification Standard (available at Records and archives hub: Information security (SharePoint)). Refer also Records Management Policy.
5.3 Implementation and governance roles:
The Data Analytics and Insights Unit is responsible for:
- managing and maintaining a register (or registers) of data governance roles on behalf of the university
- developing procedures, management tools and data steward networks to support the implementation of this policy
- managing and maintaining a register of exemptions to this policy (refer statement 4.17), and
- coordinating online educational resources and procedural documents.
The Information Technology Unit (ITU), under the CIO, is responsible for:
- ensuring the university’s IT architecture and information systems operate in line with this and all related university policies (refer statement 2.3)
- developing frameworks, procedures, management tools and information system steward networks to support the implementation of this policy
- developing and maintaining a register of information system stewards on behalf of the university, and
- providing advice and input into the Information Security Classification Standard and handling documents.
6. Definitions
These definitions apply for this policy and all associated procedures. These are in addition to the definitions outlined in Schedule 1, Student Rules. Definitions in the singular also include the plural meaning of the word.
Affiliate is defined in the Code of Conduct.
Cloud-based information system means third party systems acquired for use by UTS in the form of Software as a Service (SaaS), Infrastructure as a Service (IaaS) or Platform as a Service (PaaS).
Corporate data means all data collected, created and/or published by or on behalf of the university or its staff in relation to its normal business activities. Corporate data includes but is not limited to data about students, staff, affiliates, teaching and learning activities, research management, external engagement, web and social media, finance and facilities; but excludes research data as defined in the Research Policy.
Data is a collection of facts or statistics that may be used for a particular or unspecified purpose. The format of data and its manner of presentation or collection may vary, depending on the nature of the data.
Data breach is defined in the Data Breach Policy.
Data domain means a broad category of corporate data. These domains are specified in the register of data governance roles and may be further specified into sub-domains.
Data element means the smallest named item of data that provides meaningful information (for example, name, address, year, category).
Data lifecycle means the 5 phases of data management recognised by UTS to achieve strategic and operational objectives and meet legislative requirements:
- collection — the creation, acquisition or capture of data
- storage — the appropriate retention and organisation of data
- access — assuring that authorised users have access to necessary data
- use — the appropriate utilisation of data by the appropriate authorised users
- archive and disposal — the long-term storage or deletion of data that is no longer required (refer Records Management Policy).
Data quality means an assessment about data's fitness for purpose in a particular context.
Data quality management means the processes in place to manage the accuracy, validity, completeness, consistency and timeliness of data.
Data steward means a dean, associate dean, director or other senior manager with stewardship responsibility for a data domain or sub-domain.
Discoverability (in the context of data governance) means providing a searchable catalogue of data so that it can be browsed, searched for, or recommended based on personal search history.
Due diligence means performing appropriate checks on a supplier to understand whether the supplier (and/or any contracted third parties) is genuine, capable and reliable, meets required standards and expectations, financially viable, has the required licences and status, complies with relevant legislation and is of good repute and integrity.
Encrypted means a mechanism of securing data by converting it into code. The purpose of encryption is to limit access and readability to those with authorised access.
Information system means any university system used in the collection, creation, capture or storage of corporate data. This includes but is not limited to databases, business systems, applications, tracking systems, digital records, paper records and recordkeeping systems.
Information system steward means a senior manager or director with stewardship responsibility for a university information system.
Offshore data storage means unpublished data stored in an alternative legal jurisdiction to Australia.
Approval information
Item | Detail |
---|---|
Policy contact | Senior Manager Data Management Services |
Approval authority | Vice-Chancellor |
Review date | 2024 |
File number | UR18/310 |
Superseded documents | NA |
Version history
Version | Approved by | Approval date | Effective date | Sections modified |
---|---|---|---|---|
1.0 | Vice-Chancellor | 06/02/2018 | 03/04/2018 | New policy. |
1.1 | Vice-Chancellor | 02/06/2020 | 02/06/2020 | Apply references to the new role and responsibilities of Chief Data Officer. |
1.2 | Director, Governance Support Unit (Delegation 3.14.1) | 09/03/2021 | 06/04/2021 | Amendments to reflect updates resulting from the Policy Impact Project (2020). |
2.0 | Vice-Chancellor | 17/05/2021 | 28/05/2021 | Amendments as a result of a scheduled three-year review. |
2.1 | Vice-Chancellor | 29/06/2022 | 30/06/2022 | Changes and updates to reflect new ownership under portfolio realignment under Fit for 2027 project. Inclusion of a breaches and complaints section. Improvement of corporate data definition. Updates regarding storage of data offshore. |
2.2 | Deputy Director, Corporate Governance (Delegation 3.14.2) | 12/04/2023 | 12/04/2023 | Changes to reflect new unit title of Office of General Counsel. |
2.3 | Director, Governance Support Unit (Delegation 3.14.1) | 16/03/2023 | 09/06/2023 | Minor update to reflect the new Artificial Intelligence Operations Policy. |
2.4 | Deputy Director, Corporate Governance (Delegation 3.14.2) | 13/11/2023 | 28/11/2023 | Minor update to reflect the new Data Breach Policy. |
2.5 | Deputy Director, Corporate Governance (Delegation 3.14.2) | 20/06/2024 | 08/07/2024 | Updates to reflect the review of the Acceptable Use of Information Technology Resources Policy and the Information Security Policy. |
References
Acceptable Use of Information Technology Resources Policy
Artificial Intelligence Operations Policy
Beyond the Firewall: Cybersecurity Standards (SharePoint)
Information Security Classification Standard (available at Records and archives hub: Information security (SharePoint))
Privacy Management Plan (available at Privacy regulations)
UTS data governance (SharePoint)