University of Technology Sydney UTS: Rules, Policy and Legislation


The information in this site is maintained by Governance Support Unit

Data Governance Policy

1. Purpose

1.1 The Data Governance Policy (the policy) establishes a framework for effective data management at UTS by:

  • establishing the principles and practices for the management and use of the university’s corporate data
  • developing a data conscious environment to provide secure, well managed and reliable data that supports university decision-making, planning and reporting, and
  • articulating responsibilities for the stewardship of corporate data and information systems supporting the implementation of this policy.

2. Scope

2.1 This policy applies to all staff, students and affiliates (hereafter users) as well as any person with access to UTS information, corporate data and information technology resources.

2.2 This policy must be adhered to in the collection and management of all corporate data.

2.3 This policy complements the provisions outlined in the following policies, which collectively operationalise data governance at UTS:

1. The collection and management of personal information should be undertaken in line with the Privacy Policy.

2. UTS will ensure appropriate strategies are in place to protect the university’s information systems from interference in line with these policies.

3. Principles

3.1 Corporate data is governed in line with this policy and stored in approved and appropriate information systems. At UTS, data is:

  • valued as a strategic asset of the university, essential to the university’s purpose of advancing knowledge and learning
  • shared where possible within the limitations required (for example, privacy) to support our strategic initiatives under the UTS 2027 strategy
  • managed, organised and readily available to support discoverability by appropriate users
  • usable and reusable when there is a shared understanding of what it signifies and when conditions of access and use are communicated clearly
  • trustworthy and of high quality supporting accurate reporting and evidence-based decision-making, and
  • protected from loss, unauthorised use and disclosure through information security classification and security controls.

3.2 UTS will ensure appropriate strategies are in place to protect the university’s information systems from interference in line with the Information Security Policy.

4. Policy statements

Data management and use

4.1 Data at UTS must be:

  • actively managed throughout the data lifecycle, from collection to disposal, and stored in approved and appropriate information systems
  • secure, protected and reliable (where possible, encrypted) throughout its lifecycle, while also accessible for authorised use in accordance with clear and transparent control frameworks
  • protected from data leaks, and
  • assigned an information security classification in accordance with the Records Management Policy.

4.2 Accessibility, storage and control frameworks for all corporate data must be developed in accordance with the Privacy Policy and the Information Security Policy.

4.3 Primary and secondary purposes of corporate data should be clearly understood, applied and communicated in accordance with the Privacy Management Plan (available at Privacy regulations).

4.4 High-quality corporate data is important for accurate reporting and evidence-based decision making. Data quality requirements should be defined in the context of the purpose and use of the data, and necessary data quality monitoring mechanisms put in place.

4.5 Corporate data elements must be defined consistently throughout the university, and definitions made available to all users.

4.6 Disclosure of corporate data to an external party, including for research projects, must be explicitly authorised in accordance with this policy, the Records Management Policy, the Privacy Policy and, where relevant, with the appropriate research ethics clearance (see Research Policy).

4.7 Where practical, UTS data should be stored in Australia. Data may be stored or transferred offshore only after evaluating and mitigating any risks. Where data is stored or transferred offshore, the relevant information system and/or activity must be registered in the offshore data register managed by the Data Analytics and Insights Unit (refer Offshore data: Offshore Data Registration (SharePoint)).

4.8 Data risks associated with the use of cloud-based information systems must be assessed and mitigated prior to procurement, approval and use by undertaking:

  • a privacy impact assessment where personal information forms part of the data to be stored offshore (refer Privacy Management Plan (available at Privacy regulations))
  • a digital recordkeeping assessment for any information that may create or capture records
  • a review of the vendor’s cybersecurity arrangements in line with the Information Security Policy and as required by the Chief Information Security Officer (CISO)
  • a legal review of the contract by the Legal Unit
  • a due diligence assessment of the vendor (to ensure Procurement Policy requirements are met), and
  • lodgment of these requirements, their outcomes and final arrangements in the university’s records management system in line with the Records Management Policy.

4.9 All users are accountable for:

  • data they collect and manage on behalf of the university whether on or off campus, and
  • prompt reporting of identified or suspected data breaches, which must be managed in line with the requirements of the Privacy Policy and the Information Security Policy.

Data and systems stewardship

4.10 UTS acknowledges the need for effective management of corporate data. To that end:

4.11 The senior executive in consultation with the Chief Data Officer (CDO) have overall responsibility for data management planning and improvement for agreed data domains and information systems. With regard to corporate data, members of the senior executive and the CDO are responsible for:

  • assigning data and systems stewards and accountabilities for agreed data domains
  • approving allocated security classifications in consultation with the CISO and in accordance with the Information Security Classification Standard (available at Information security (SharePoint))
  • providing resources for the management of data and systems (in accordance with the UTS Delegations)
  • resolving any issues escalated from data and/or information system stewards
  • prioritising the management and improvement of data governance and associated information systems.

4.12 Data stewards are normally unit directors or senior managers assigned stewardship responsibility for a data domain (or sub-domain) by the CDO. Guidance and resources for data stewards are available at UTS data governance (SharePoint).

4.13 Data stewards provide detailed oversight of and approvals for data management, storage, planning and improvement for data within their domain of responsibility, including:

  • ensuring that corporate data is appropriately classified in line with this policy and the allocated security classifications in accordance with the Information Security Classification Standard (available at Information security (SharePoint))
  • understanding the policy, risk management and legal context for data collection, storage, use and accessibility (refer to the Records Management Policy and the Privacy Policy)
  • ensuring data risks are managed in consultation with the relevant information system stewards
  • implementing business processes to ensure appropriate data quality and management
  • being aware of and maintaining documentation of relevant data flows between systems and setting the conditions for integration of data from different sources for data under their domain
  • authorising new data collection and data disposal exercises in accordance with the Privacy Policy and the Records Management Policy
  • considering requests for disclosure of corporate data in accordance with this policy and the Privacy Policy
  • defining user access and data security requirements for appropriate systems in accordance with this policy, the Privacy Policy and the Information Security Classification Standard (available at Information security (SharePoint))
  • ensuring that all staff are aware of the requirements for data handling as outlined in the Information Classification Handling Matrix for Users (available at Beyond the Firewall: Cybersecurity Standards (SharePoint)), and
  • arranging role appropriate training for current and potential users before granting systems (and, therefore, data) access.

4.14 Other UTS staff may be assigned the role of information system stewards. Information system stewards provide detailed oversight of an information system, and, working with data stewards under the provisions of this policy, are responsible for:

  • the management, maintenance and development of the system and its associated procedures
  • supporting data quality management initiatives through adoption of relevant technology
  • applying appropriate access controls in accordance with the Privacy Policy, this policy and allocated security classifications in accordance with the Information Security Classification Standard (available at Information security (SharePoint))
  • supporting data security through adoption of appropriate technology in accordance with the Information Security Policy and the Infrastructure Cybersecurity Standard and the User Cybersecurity Standard (available at Beyond the Firewall: Cybersecurity Standards (SharePoint))
  • ensuring that all privacy requirements (for example privacy notices) outlined in the Privacy Policy and the Privacy Management Plan (available at Privacy regulations) are applied to the management of the information systems under their stewardship
  • ensuring that all recordkeeping requirements outlined in the Records Management Policy are applied to the management of information systems under their stewardship
  • providing support and advice to data stewards on data risk management processes, particularly in the selection of cloud-based information systems, and
  • working with data stewards to ensure access to information systems is reviewed for accuracy and updated as required in a timely manner.

Breaches, complaints and exemptions

4.15 Breaches of this policy will be managed under the Code of Conduct, the relevant Enterprise agreement or the Student Rules as appropriate.

4.16 Complaints in relation to data governance will be managed in line with the Staff Complaints Policy or the Student Complaints Policy as appropriate.

4.17 Exceptions to the requirements of this policy may be submitted to the CDO for consideration and the Chief Operating Officer for decision. Exceptions must be recorded on a register by the office of the CDO.

5. Policy ownership and support

5.1 Policy owner: The Chief Data Officer (CDO) is responsible for enforcement and compliance of this policy, and ensuring its principles and statements are observed. The CDO is also responsible for approval of any associated university-level registers and procedures associated with this policy.

5.2 Policy contact: The Senior Manager Data Management Services is the primary point of contact for advice on implementing and administering this policy. The Senior Manager Data Management Services is also responsible for liaising with the University Secretary and the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO) to develop and maintain the Information Security Classification Standard (available at Information security (SharePoint)). See also Records Management Policy.

5.3 Others

The Data Analytics and Insights Unit is responsible for:

  • managing and maintaining a register (or registers) of data governance roles on behalf of the university
  • developing procedures, management tools and data steward networks to support the implementation of this policy
  • managing and maintaining a register of exceptions to this policy, and
  • coordinating online educational resources and procedural documents.

The Information Technology Unit (ITU), under the CIO, is responsible for:

  • ensuring the university’s IT architecture and information systems operate in line with this and all related university policies (refer statement 2.3)
  • developing frameworks, procedures, management tools and information system steward networks to support the implementation of this policy
  • developing and maintaining a register of information system stewards on behalf of the university
  • providing advice and input into the Information Security Classification Standard and handling documents.

6. Definitions

These definitions apply for this policy and all associated procedures. These are in addition to the definitions outlined in Schedule 1, Student Rules. Definitions in the singular also include the plural meaning of the word.

Affiliate is defined in the Code of Conduct.

Cloud-based information system means third party systems acquired for use by UTS in the form of Software as a Service (SaaS), Infrastructure as a Service (IaaS) or Platform as a Service (PaaS).

Corporate data means all data collected, created and/or published by or on behalf of the university or its staff in relation to its normal business activities. Corporate data includes but is not limited to data about students, staff, affiliates, teaching and learning activities, research management, external engagement, web and social media, finance and facilities; but excludes research data as defined in the Research Policy.

Data is a collection of facts or statistics that may be used for a particular or unspecified purpose. The format of data and its manner of presentation or collection may vary, depending on the nature of the data.

Data breach means the loss and/or unauthorised access, disclosure or modification of information that would be classified as UTS sensitive or UTS confidential in the Information Security Classification Standard (available at Information security (SharePoint)).

Data domain means a broad category of corporate data. These domains are specified in the register of data governance roles and may be further specified into sub-domains.

Data element means the smallest named item of data that provides meaningful information (for example, name, address, year, category).

Data lifecycle means the five phases of data management recognised by UTS to achieve strategic and operational objectives and meet legislative requirements:

  • collection — the creation, acquisition or capture of data
  • storage — the appropriate retention and organisation of data
  • access — assuring that authorised users have access to necessary data
  • use — the appropriate utilisation of data by the appropriate authorised users
  • archive and disposal — the long-term storage or deletion of data that is no longer required (refer Records Management Policy).

Data quality means an assessment about data's fitness for purpose in a particular context.

Data quality management means the processes in place to manage the accuracy, validity, completeness, consistency and timeliness of data.

Data steward means a dean, associate dean, director or other senior manager with stewardship responsibility for a data domain or sub-domain.

Discoverability (in the context of data governance) means providing a searchable catalogue of data so that it can be browsed, searched for, or recommended based on personal search history.

Due diligence means performing appropriate checks on a supplier to understand whether the supplier (and/or any contracted third parties) is genuine, capable and reliable, meets required standards and expectations, is financially viable, has the required licences and status, complies with relevant legislation and is of good repute and integrity.

Encrypted means a mechanism of securing data by converting it into code. The purpose of encryption is to limit access and readability to those with authorised access.

Information system means any university system used in the collection, creation, capture or storage of corporate data. This includes but is not limited to databases, business systems, applications, tracking systems, digital records, paper records and recordkeeping systems.

Information system steward means a senior manager or director with stewardship responsibility for a university information system.

Offshore data storage means unpublished data stored in an alternative legal jurisdiction to Australia.

Approval information

Policy contact: Chief Data Officer
Approval authority: Vice-Chancellor
Review date: 2024
File number: UR18/310
Superseded documents: NA

Version history

Version | Approved by | Approval date | Effective date | Sections modified
1.0 | Vice-Chancellor | 06/02/2018 | 03/04/2018 | New policy.
1.1 | Vice-Chancellor | 02/06/2020 | 02/06/2020 | Apply references to the new role and responsibilities of Chief Data Officer.
1.2 | Director, Governance Support Unit | 09/03/2021 | 06/04/2021 | Amendments to reflect updates resulting from the Policy Impact Project (2020).
2.0 | Vice-Chancellor | 17/05/2021 | 28/05/2021 | Amendments as a result of a scheduled three-year review.
2.1 | Vice-Chancellor | 29/06/2022 | 30/06/2022 | Changes and updates to reflect new ownership under portfolio realignment under Fit for 2027 project. Inclusion of a breaches and complaints section. Improvement of corporate data definition. Updates regarding storage of data offshore.

References

Academic Records Policy

Data governance at UTS (SharePoint)

Information Security Classification Standard (available at Information security (SharePoint))

Information Security Policy

Information Classification Handling Matrix for Users (available at Beyond the Firewall: Cybersecurity Standards (SharePoint))

Infrastructure Cybersecurity Standard (available at Beyond the Firewall: Cybersecurity Standards (SharePoint))

Offshore data: Offshore Data Registration (SharePoint)

Privacy Management Plan (available at Privacy regulations)

Privacy Policy

Procurement Policy

Provision and Acceptable Use of Information Technology Resources Policy

Records Management Policy

Research Policy

UTS Delegations

User Cybersecurity Standard (available at Beyond the Firewall: Cybersecurity Standards (SharePoint))

UTS Data Stewards and Information Systems Stewards Register (SharePoint)