What are policies and procedures that address information management along with the ethical use of computers?

The University of Queensland (UQ) values information as a core strategic asset and will govern and manage it accordingly throughout its lifecycle. Effective information management ensures that the right information is available to the right person, in the right format and medium, at the right time. Information that enables UQ to perform its core functions is considered an asset.

This policy outlines expectations and requirements for the governance and management of information at UQ and is intended to enable UQ to:

• improve the integration and accuracy of its information,
• increase the impact of its research and scholarship,
• improve its compliance and reduce risks associated with potential loss or misuse of information,
• make better use of information in its decision-making processes,
• provide a strong foundation for systematically managing its information assets, ensuring that information of strategic importance and high value is prioritised, and
• obtain valuable knowledge through the increased discoverability and accessibility of its information.

1.1   Scope

The scope of the Information Management Policy includes the governance and management of UQ’s structured and unstructured information and data (physical, electronic or hybrid) that is collected and managed by UQ to perform its business functions and deliver its services.

This policy applies to consumers of UQ information and communications technology (ICT) resources and anyone creating or accessing UQ’s information assets, including but not limited to:

• Students
• Staff
• Contractors and consultants
• Visitors
• Affiliates and third parties.

Consumers that are connected to UQ networks, systems or services must comply with this policy, irrespective of location or device ownership (e.g. consumers with personally-owned computers). Exceptions to this policy must be approved by the Chief Information Officer.

2.0   Principles and Key Requirements

Robust and effective information management at UQ:

• provides for the creation, use and sharing of information in compliance with legislative requirements and mandatory standards,
• helps to ensure that the right information is available to the right person, in the right format, at the right time, and
• is fundamental to UQ’s functions and operations.

The principles and requirements in this policy are related and intended to be applied by consumers as a whole where possible.

2.1   Information is treated as an asset

Information management supports evidence of UQ decisions and activities, enables accountability and transparency, mitigates risk, and allows businesses to operate. To achieve this, UQ ICT consumers must apply the following measures to their information management practices:

• All UQ information assets must be clearly identified and classified and be allocated an Information Steward as outlined in the Information Governance and Management Framework. 
• Maintain adequate information and records and capture this information in digital or physical management systems capable of meeting requirements of this policy.
• Follow the Information Security Classification Procedure to classify all UQ information assets.
• Manage information throughout the information lifecycle in accordance with the Information Governance and Management Framework.
• Information with historic, permanent or long-term value will be archived or preserved, and not destroyed.
• Information that is of high risk or high value will be maintained and must not be destroyed without proper authorisation.
• Appropriate custodian and stewardship roles and responsibilities are assigned to information assets.

Consumers should seek to ensure digital information and records remain digital and will not be converted to a physical format unless required (the 'born digital, stay digital' principle). 

UQ will maintain facilities to enable efficient cataloguing, long term maintenance and discovery of information assets.

2.2   Information can be found and accessed

UQ facilitates the creation of large volumes of information. UQ consumers and members of the public should have access to relevant and appropriate UQ information where necessary. To achieve this:

• Non-confidential information about UQ will be available to the public.
• UQ will maintain procedures for responding to requests for information from the public.
• UQ staff will have timely access to information required to undertake their official duties.
• UQ staff, students, contractors, consultants, visitors, affiliates and third parties who have access to UQ networks and services will not provide or share UQ records or information which are not in the public domain with unauthorised parties.

2.3   Information is suitable for all of its uses

The quality of information must support UQ’s strategic objectives of academic and research excellence. To achieve this, UQ ICT consumers should apply the following information management practices:

• Administrative records should be created as soon as possible to document an event, decision or action.
• The quality of information should be ensured at the point of collection and the information stored in a suitable location in an appropriate information management system. UQ will establish and maintain procedures for ensuring information quality.
• Information recorded and captured should consider the primary purpose for which it is collected or created and its potential secondary uses. Information quality management should take into account potential future re-use of the information, which may not be known at the initial point of capture.

2.4   Information remains compliant

To strengthen its information and records management practices, UQ will:

• Comply with records and information management requirements in laws, regulations, contracts and agreements applicable to its operations (refer to section 6.2 and 6.3).
• Adhere to best practices and standards where possible.
• Establish and maintain records and information management guidelines and procedures.

Records cannot be destroyed until their retention period (as specified in the Retention and Disposal Schedules) has passed. In some instances, records must not be destroyed, even if the retention period has passed. This may occur when:

• A Disposal Freeze is issued by Queensland State Archives,
• The records are subject to legal processes such as discovery or subpoena,
• The records are required for internal or external investigation, or;
• The records are related to an application made under the Right to Information Act 2009.

This policy should be read in conjunction with other ICT policies and procedures and other UQ policies such as the: Privacy Policy; Public Records Act 2002 (Qld) and the approved Records Retention and Disposal Schedules.

2.5   Information privacy, confidentiality and security is assured

To help protect UQ information and its consumers, UQ will:

• Ensure all information is stored, accessed, managed and used in accordance with its information security classification.
• Safeguard personal and sensitive information and maintain controls for security of information as documented in the Cyber Security Policy.
• Establish and maintain procedures for the secure and appropriate sharing of confidential information.
• Preserve and maintain records to meet administrative, legal, fiscal and archival requirements and in accordance with at least the minimum requirements of approved retention and disposal schedules.

3.0   Roles, Responsibilities and Accountabilities

Information management is the responsibility of all UQ consumers. Specifically, each information domain (e.g. Learning & Teaching, Research Management, or Human Resources) must have a designated Information Domain Custodian and, one or more Information Stewards. The Information Domain Custodian and Information Steward roles will usually relate to the organisational hierarchy associated with the business functions primarily responsible for managing the domain’s data. These roles, and other important Information Management roles are explained in more detail in the Information Governance and Management Framework.

4.0   Monitoring, Review and Assurance

The CIO will ensure periodic review and monitoring of information management (including classification) is conducted to determine how well information management supports UQ’s business and strategic goals, and for its compliance with legislation. Results of this monitoring will be reported to the Information Technology Governance Committee (ITGC).

UQ’s Information Technology Governance Committee will review all ICT policies (three yearly) and procedures (annually) and ensure appropriate consultation is undertaken.

5.0   Recording and Reporting

UQ will meet its data retention obligations under the Telecommunications (Interception and Access) Act 1979 (Cth.).

6.0   Appendix

Data - There is a subtle difference between data and information. Raw data is a term used to describe data in its most basic digital format. Data is raw, individual facts that need to be processed.  When data is processed, combined with other data, organised, structured or presented in a given context, it is referred to as information.

Information – Includes, but is not limited to, physical (e.g. paper records) or digital files (e.g. email, voicemail, meeting minutes, video and audio recordings) in any format (e.g. PDF, .wav, .docx, or .jpeg) and data recorded by University applications (often in a database of some form).

Information Management - is a collection of capabilities delivered through people, processes and technology to ensure the confidentiality, integrity, availability, quality and security of our information assets throughout their life cycle.

Information Governance - is a collection of practices and processes, which provides a formal framework to apply control through defined roles and responsibilities for the management of information and data assets throughout their information lifecycle.

Information Asset - A body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

Information domain – A broad category or theme under which University information can be identified and managed. UQ uses the Topics and Entities outlined in the CAUDIT Higher Education Data Reference Model, in the context of business capabilities and organisation structures, as a guide to determine appropriate information domains.

Information Standards - Define and promote best practice in the acquisition, development, management, support and use of information systems and technology infrastructure which support the business processes and service delivery of Queensland public authorities.

Structured data - Data that resides in a consistent field structure and includes data in formats such as relational databases and spreadsheets. This data is often generated during business transactions and is stored in a business information system, e.g. student data, financial data, research data.

Unstructured data - Data that does not have a pre-defined data model or a consistent field structure that is easily readable by machines, and includes formats such as audio, video and unstructured text. Unstructured data may have structured elements, e.g. metadata associated with an email, xml document.

Record - Information in any format that has been generated or received by UQ in the course of its activities, and which must be retained by UQ as evidence of its actions and decisions. A record can consist of one or more pieces of information that together form a record or context of the activity, action or event.

Retention and Disposal Schedules – Legally binding documents that have been authorised by Queensland State Archives, the authority on records governance for public entities such as UQ. They define the status, minimum retention periods and consequent disposal actions authorised for specific classes of records.

6.2   Related UQ Policies and Procedures

6.3   Related legislation

The University is required under the Queensland Government’s Information asset custodianship policy (IS44) to identify and register information assets and assign roles and responsibilities to information assets, to protect information in accordance with Information security (IS18) information standard, to make full and accurate records in accordance with the Recordkeeping policy (IS40) and lawfully dispose records in accordance with the Retention and disposal of public records policy (IS31).

A full list of obligations can be found in the Information Governance and Management Framework