University of Technology Sydney UTS: Rules, Policy and Legislation


The information in this site is maintained by Governance Support Unit

Act
By-law
Rules
Delegations
Policies
A-Z
by classification
What's new in policies?
Standing Orders
Faculty Management
Controlled Entities and Commercial Activities
Legislation, Rules
and Policies home


GSU home
Data Governance Policy

Purpose

Scope

Principles

Policy statements

Policy ownership and support

Definitions

Approval information

PDF version

References


1. Purpose

1.1 The Data Governance Policy (the policy) establishes a framework for effective data management at UTS by:

  • establishing the principles and practices for the effective management and use of the university’s corporate data
  • developing a data conscious environment to provide secure, well managed and reliable data that supports university decision-making, planning and reporting, and
  • articulating responsibilities for the stewardship of corporate data and information systems supporting the implementation of this policy.

2. Scope

2.1 This policy applies to all staff, students and affiliates (hereafter users).

2.2 This policy must be adhered to in the collection and management of all corporate data.

2.3 This policy complements the provisions outlined in the following documents, which collectively operationalise data governance at UTS:

1. The collection and management of personal information should be undertaken in line with the Privacy Policy.

2. UTS will ensure appropriate strategies are in place to protect the university’s information systems from interference in line with these policies.

3. Principles

3.1 Corporate data is governed in line with this policy and stored in approved and appropriate information systems. At UTS, data is:

  • valued as a strategic asset of the university, essential to the university’s purpose of advancing knowledge and learning
  • shared wherever possible within the limitations required (for example, privacy) to support our strategic initiatives under the UTS 2027 strategy
  • managed, organised and readily available to support discoverability by appropriate users
  • usable and reusable when there is a shared understanding of what it signifies and when conditions of access and use are communicated clearly
  • trustworthy and of high quality supporting accurate reporting and evidence-based decision making, and
  • protected from loss, unauthorised use and disclosure through information security classification and security controls.

3.2 UTS will ensure appropriate strategies are in place to protect the university’s information systems from interference in line with the Information Technology Security Vice-Chancellor’s Directive.

4. Policy statements

Data management and use

4.1 Corporate data must be:

  • actively managed throughout the data lifecycle, from collection to disposal, and stored in approved and appropriate information systems
  • secure and reliable, while also accessible for authorised use in accordance with clear and transparent control frameworks, and
  • assigned an information security classification in accordance with the Records Management Policy.

4.2 Accessibility, storage and control frameworks for all corporate data must be developed in accordance with the Privacy Policy and the Information Technology Security Vice-Chancellor’s Directive.

4.3 Primary and secondary purposes of corporate data should be clearly understood, applied and communicated in accordance with the Privacy Management Plan (available at Privacy regulations).

4.4 High-quality corporate data is important for accurate reporting and evidence-based decision making. Data quality requirements should be defined in the context of the purpose and use of the data, and necessary data quality monitoring mechanisms put in place.

4.5 Corporate data elements must be defined consistently throughout the university, and definitions made available to all users.

4.6 Disclosure of corporate data to an external party, including for research projects, must be explicitly authorised in accordance with this policy, the Records Management Policy, the Privacy Policy and, where relevant, with the appropriate research ethics clearance (see Research Policy).

4.7 All users are accountable for:

Data and systems stewardship

4.8 UTS acknowledges the need for effective management of corporate data. To that end:

4.9 The senior executive in consultation with the Chief Data Officer have overall responsibility for data management planning and improvement for agreed data domains and information systems. With regard to corporate data, members of the senior executive and the Chief Data Officer are responsible for:

  • assigning data and systems stewards and accountabilities for agreed data domains
  • approving allocated security classifications in accordance with the Information Security Classification Standard (available at Information security (SharePoint, staff only))
  • providing resources for the management of data and systems (in accordance with the UTS Delegations)
  • resolving any issues escalated from data and/or information system stewards
  • prioritising the management and improvement of data governance and associated information systems.

4.10 Data stewards are normally unit directors or senior managers assigned stewardship responsibility for a data domain (or sub-domain) by the Chief Data Officer.

4.11 Data stewards provide detailed oversight of data management, storage, planning and improvement for data within their domain of responsibility, including:

  • ensuring that corporate data is appropriately classified in line with this policy and the allocated security classifications in accordance with the Information Security Classification Standard (available at Information security (SharePoint, staff only))
  • understanding the policy and legal context for data collection, usage and accessibility (in particular, the Records Management Policy and the Privacy Policy) and managing data risk
  • implementing business processes to ensure appropriate data quality and management
  • being aware of relevant data flows between systems and setting the conditions for integration of data from different sources for data under their domain
  • authorising new data collection and data disposal exercises in accordance with the Privacy Policy and the Records Management Policy
  • considering requests for disclosure of corporate data in accordance with this policy and the Privacy Policy
  • defining user access and data security requirements for appropriate systems in accordance with this policy, the Privacy Policy and the Information Security Classification Standard (available at Information security (SharePoint, staff only)
  • ensuring that all staff are aware of the requirements for data handling as outlined in the User Cybersecurity Standard (available at Beyond the Firewall: Cybersecurity Standards (SharePoint)), and
  • arranging role appropriate training for current and potential users before granting systems (and, therefore, data) access.

4.12 Other university staff may be assigned the role of information systems stewards. Information systems stewards provide detailed oversight of an information system, and, under the provisions of this policy, are responsible for:

  • the management, maintenance and development of the system and its associated procedures
  • supporting data quality management initiatives through adoption of relevant technology
  • applying appropriate access controls in accordance with the Privacy Policy, this policy and allocated security classifications in accordance with the Information Security Classification Standard (available at Information security (SharePoint, staff only))
  • supporting data risk management through adoption of appropriate technology in accordance with the Infrastructure Cybersecurity Standard and the User Cybersecurity Standard (available at Beyond the Firewall: Cybersecurity Standards (SharePoint))
  • ensuring that all privacy requirements (eg privacy notices) outlined in the Privacy Policy and the Privacy Management Plan (available at Privacy regulations) are applied to the management of the information systems under their stewardship
  • ensuring that all recordkeeping requirements outlined in the Records Management Policy are applied to the management of information systems under their stewardship, and
  • working with deans and directors to ensure access to information systems is reviewed for accuracy and updated as required in a timely manner.

5. Policy ownership and support

The statements in this section are consistent with the Delegations and are in addition to specific statements outlined in section 4.

5.1 Policy owner: The Provost is responsible for enforcement and compliance of this policy, and ensuring its principles and statements are observed. The Provost is also responsible for approval of any associated university-level registers and procedures associated with this policy.

5.2 Policy contact: The Chief Data Officer is the primary point of contact for advice on implementing and administrating this policy and, in conjunction with the Governance Support Unit, for the consultation and review process. The Chief Data Officer is also responsible for liaising with the Director, Governance Support Unit and the Chief Information Officer to develop and maintain the Information Security Classification Standard (available at Information security (SharePoint, staff only)). See also Records Management Policy.

5.3 Others

The Office of the Chief Data Officer is responsible for:

  • managing and maintaining a register (or registers) of data governance roles on behalf of the university
  • the development of procedures, management tools and data steward networks to support the implementation of this policy, and
  • coordination of online educational resources and procedural documents.

The Information Technology Division (ITD), under the Chief Information Officer, is responsible for:

  • ensuring the university’s IT architecture and information systems operate in line with this and all related university policies (see section 3)
  • developing frameworks, procedures, management tools and information system steward networks to support the implementation of this policy, and
  • developing and maintaining a register of information system stewards on behalf of the university.

6. Definitions

These definitions apply for this policy and all associated procedures. These are in addition to the definitions outlined in Schedule 1, Student Rules.

Affiliates is defined in the Code of Conduct.

Corporate data means all data collected by or on behalf of the university or its staff in relation to its normal business activities. Corporate data includes but is not limited to data collection about students, staff, affiliates, teaching and learning activities, research management, external engagement, web and social media, finance and facilities; but excludes ‘research data’ as defined in the Research Policy.

Data is a collection of facts or statistics that may be used for a particular or unspecified purpose. The format of data and its manner of presentation or collection may vary, depending on the nature of the data.

Data breach means the loss and/or unauthorised access, disclosure or modification of information that would be classified as UTS sensitive or UTS confidential in the Information Security Classification Standard (available at Information security (SharePoint, staff only)).

Data domain means a broad category of corporate data. These domains are specified in the register of data governance roles and may be further specified into sub-domains.

Data element means the smallest named item of data that provides meaningful information (for example, name, address, year, category).

Data lifecycle means the five phases of data management recognised by UTS to achieve strategic and operational objectives and meet legislative requirements:

  • collection — the creation, acquisition or capture of data
  • storage — the appropriate retention and organisation of data
  • access — assuring that authorised users have access to necessary data
  • use — the appropriate utilisation of data by the appropriate authorised users
  • archive and disposal — the long-term storage or deletion of data that is no longer required (see Records Management Policy).

Data quality means an assessment about data's fitness for purpose in a particular context.

Data quality management means the processes in place to manage the accuracy, validity, completeness, consistency and timeliness of data.

Data steward means a dean, associate dean, director or other senior manager with stewardship responsibility for a data domain or sub-domain.

Discoverability (in the context of data governance) means providing a searchable catalogue of data so that it can be browsed, searched for, or recommended based on personal search history.

Information systems mean any university system used in the collection, creation, capture or storage of corporate data. This includes but is not limited to databases, business systems, applications, tracking systems, digital records, paper records and recordkeeping systems.

Information systems steward means a senior manager or director with stewardship responsibility for a university information system.

Approval information

Policy contact Chief Data Officer
Approval authority Vice-Chancellor
Review date 2024
File number UR18/310
Superseded documents NA

Version history

Version Approved by Approval date Effective date Sections modified
1.0 Vice-Chancellor 06/02/2018 03/04/2018 New policy.
1.1 Vice-Chancellor 02/06/2020 02/06/2020 Apply references to the new role and responsibilities of Chief Data Officer.
1.2 Director, Governance Support Unit 09/03/2021 06/04/2021 Amendments to reflect updates resulting from the Policy Impact Project (2020).
2.0 Vice-Chancellor 17/05/2021 28/05/2021 Amendments as a result of a scheduled three-year review.

PDF version

Data Governance Policy (PDF 180KB)

References

Academic Records Policy

Acceptable Use of Information Technology Facilities Policy

Information Security Classification Standard (available at Information security (SharePoint, staff only))

Information Technology Security Vice-Chancellor’s Directive

Infrastructure Cybersecurity Standard (available at Beyond the Firewall: Cybersecurity Standards (SharePoint))

Privacy Managment Plan (available at Privacy regulations)

Privacy Policy

Records Management Policy

Research Policy

UTS Delegations

User Cybersecurity Standard (available at Beyond the Firewall: Cybersecurity Standards) (SharePoint)

Additional resources

Address a data quality issue (Staff Connect)

Data governance at UTS: UTS Data and Information System Stewards Register (Staff Connect)