(1) This Procedure outlines data handling requirements for all data, information and records at The University of Queensland (UQ). Members of the UQ community who handle UQ data and information must comply with this Procedure. This includes (but is not limited to) students, staff, contractors and consultants, visitors, title holders and third parties.
(2) The requirements and controls outlined in this Procedure aim to:
(3) This Procedure should be read in conjunction with the Information Governance and Management Framework, the Information Management Policy, and associated policies and procedures including:
(4) Individuals must:
(5) Exceptions to this Procedure (e.g. if certain requirements cannot be met) must be managed in accordance with the Cyber Security Exceptions Procedure.
(6) Information Domain Custodians are responsible for ensuring that specific industry or research requirements (e.g. Australian Code for the Responsible Conduct of Research, Payment Card Industry Data Security Standard) are identified within their assigned domains, and that appropriate controls are implemented.
(7) Additional or alternative controls may also apply to UQ data and information associated with a contract, licence or agreement (e.g. a data sharing agreement).
(8) Staff (including contractors) and HDR candidates must adhere to the research data management classifications and controls that are specified in the relevant contractual agreements or ethics approvals.
(9) They must also define additional or alternate classifications and associated controls in a research data management plan (to be stored in UQRDM) for the following types of information:
(10) See the Research Data Management Policy for more information on research data management plans.
(11) The UQ community must manage data and information appropriately throughout the information lifecycle. In each phase of the information lifecycle, controls and requirements apply based on the information security classification and these are defined in the sections below.
(12) Requirements in the ‘plan and design’ phase apply throughout the lifecycle.
(13) Individuals must comply with the following requirements (as relevant):
(14) When proposing new or changed IT services or processes that will handle personal information, a PIA may be required.
(15) Resources and templates for TPAs and PIAs are available under the Staff Resources section of the RTI and Privacy Office website.
(16) The location and jurisdiction of services used to store/process data must be considered to ensure UQ’s legislative and security requirements are met.
(17) To avoid risks associated with data sovereignty, only use appropriate UQ-approved IT services throughout the information lifecycle and consult ITS regarding use of any new IT services.
(18) When cloud services are utilised, consideration must be given to the cloud service provider country of origin, regardless of the location in which the data is stored. In certain circumstances, laws in the jurisdiction in which the company is based (or where the data is stored/processed) may mean third parties (including government entities) within that country could access the data. Data sovereignty restrictions also apply to offline data (e.g. backups).
(19) When considering data hosting outside Australia or situations where a vendor can access data from another country (e.g. to provide user support), the following requirements apply:
(20) Individuals must comply with the following requirements (as relevant):
(21) Individuals must comply with the following requirements (as relevant):
(22) Individuals must comply with the following requirements (as relevant):
(23) Individuals must comply with the following requirements (as relevant):
(24) Individuals must comply with the following requirements (as relevant):
(25) Individuals must comply with the following requirements (as relevant):
(26) Key roles and responsibilities relevant to this Procedure are outlined in the subsections below. Refer to the Information Governance and Management Framework for a comprehensive list of information governance and management roles.
(27) The Vice-Chancellor is accountable for ensuring the collection and management of UQ’s information and records in accordance with relevant legislative, regulatory and policy obligations.
(28) The CIO is accountable for developing, maintaining and implementing information management capabilities, policies, procedures and technical standards to protect UQ’s information.
(29) Information Domain Custodians are responsible for the following (for their information domain/s):
(30) Information Stewards are responsible for the following (for the information entity/entities they are assigned to):
(31) The Technical Owner is the staff member responsible for the ongoing technical management of a service or asset (e.g. information system).
(32) Technical Owners are responsible for:
(33) The Manager, Data Strategy and Governance is responsible for:
(34) The Data Strategy and Governance team supports the Manager, Data Strategy and Governance to maintain and implement this Procedure. The team is also responsible for:
(35) The RTI and Privacy Office is responsible for:
(36) Members of the UQ community are responsible for:
(37) The Data Strategy and Governance team will:
(38) The Data Strategy and Governance team maintains UQ’s information entity catalogue which records:
(39) The Data Strategy and Governance team also maintains a register of all submitted data sharing agreements.
(40) The RTI and Privacy Office maintains a register of approved Privacy Impact Assessments (PIAs) and is responsible for (where applicable) reporting privacy breaches to the relevant Information Commissioner or privacy regulator. The RTI and Privacy Office also provides management with an annual report on UQ’s compliance with the Information Privacy Act 2009 and other relevant privacy laws.
(41) Information management roles and responsibilities should be captured as a research data management record in UQ RDM. Research data management plans should also be stored in UQ RDM where possible.
(42) Individuals can seek advice from the following groups as required:
Data Handling Procedure
Section 1 - Purpose and Scope
Section 2 - Process and key controls
Exceptions
Additional obligations
Additional research obligations
Section 3 - Key Requirements
Plan and Design
Privacy Impact Assessments (PIAs)
Data sovereignty
Create, Capture and Classify
Store and Secure
Classification
Handling requirement
Manage and Maintain
Classification
Handling requirement
Share and Reuse (transmission)
Classification
Handling Requirement
Retain and Archive
Dispose and Destroy
Section 4 - Roles, Responsibilities and Accountabilities
Vice-Chancellor
Chief Information Officer (CIO)
Information Domain Custodians
Information Stewards
Technical Owners
Manager, Data Strategy and Governance
Data Strategy and Governance Team
Right to Information and Privacy Office (RTI and Privacy Office)
UQ community
Section 5 - Monitoring, Review and Assurance
Section 6 - Recording and Reporting
Section 7 - Appendix
Key contacts
Definitions
Term: Definition
Data: refer to the Information Management Policy.
Information: refer to the Information Management Policy.
Record: refer to the Information Management Policy.
UQ community: refer to the Information Management Policy.
Information entity: refer to the Information Management Policy.
Information domain: refer to the Information Management Policy.
Personal information: refer to the Privacy Management Policy.
Write access: access to edit information.
Read access: access to view information.
Access policy: a policy specifying who can create, access or modify information for a particular domain. See the Access and Privileges Management Framework for more information.
Data breach: where data is lost, or accessed or disclosed without authorisation, either accidentally or due to malicious activity.
All
• Remove access to UQ information and systems when they are no longer required, or when an individual leaves UQ, changes their role, or ends their partnership or affiliation with UQ. View the departure checklist for more information.
• Set secure passwords - read UQ’s password guidelines.
• Store UQ information in UQ-approved IT systems to ensure regular backups. Visit the Where to store files and information web page for guidance.
– Ensure that appropriate access controls are in place, commensurate with the nature and sensitivity of the information.
– Certain research data may be saved to local hard drives if they are being regularly and automatically backed up. Read more about backups.
• Avoid unnecessary duplication of data across IT services, devices, and storage locations, including hard copies.
• Store records in approved record keeping systems in alignment with the Keeping Records at UQ Procedure.
• Do not use USB drives and portable hard drives unless they are encrypted.
• Follow cyber security best practice – visit the stay cyber safe web page for more details.
• Use UQ-approved online collaboration tools (e.g. UQ RDM, SharePoint and Microsoft Teams). Assign at least two (but no more than is necessary) administrators who must ensure access and permissions are set based on business need.
• Report actual or suspected data loss or breaches (including lost or stolen devices) as soon as possible via UQ’s cyber security website or by calling IT support.
PUBLIC
• Restrict write access based on business need. PUBLIC information may be read by anyone but doesn’t need to be published.
• Collaboration space administrators must review write access annually.
OFFICIAL
• Restrict write access based on business need (e.g. specific teams). Where possible and appropriate, restrict read access based on business need.
• Collaboration space administrators must review read and write access every 12 months.
SENSITIVE
• Restrict write access based on strict business need (e.g. specific individuals or groups). Where possible and appropriate, restrict read access based on strict business need.
• Collaboration space administrators must review read and write access every six months.
• Ensure hard copy information is stored in a locked cabinet when not being used.
PROTECTED
• Restrict write access based on very strict business need (e.g. only the individuals required). Where possible and appropriate, restrict read access based on very strict business need. Staff screening may be required.
• Collaboration space administrators must review read and write access every three months.
• Use file-based encryption where possible. Store back-up encryption passwords in UQ’s enterprise vault.
• Where possible, use online files rather than copying/downloading them to local storage for processing. Do not use web-based file shares which synchronise files to local storage (e.g. OneDrive). Delete any local copies of files when they are no longer required.
• Ensure hard copy information is stored in a locked cabinet when not being used.
Supporting information:
All
• Notify Data Strategy and Governance (datagovernance@uq.edu.au) if an Information Leader, Information Domain Custodian or Information Steward is exiting their current role. Ensure an acting Information Leader, Information Domain Custodian or Information Steward is appointed to ensure information governance and management responsibilities are met during the transition.
• Information Stewards must ensure that data and information within their entities are actively managed to ensure data quality, ongoing continuity of discovery and access (e.g. ensuring the relevant IT services hosting the information are serviced and supported appropriately), and compliance with UQ’s privacy and information management requirements.
• Technical Owners must review the information security classification of IT services (with support from Data Strategy and Governance) in alignment with the Application Security Standard.
PUBLIC and OFFICIAL
• Proactively review the information security classification of documents, data sets and collaboration spaces as information or requirements change, or at least every 36 months.
SENSITIVE
• Proactively review the information security classification of documents, data sets and collaboration spaces as information or requirements change, or at least every 24 months.
PROTECTED
• Proactively review the information security classification of documents, data sets and collaboration spaces as information or requirements change, or at least every 12 months.
Supporting information:
All
• A data sharing agreement may be required to access or use corporate UQ data. This includes the use of data for integration, analytics, or reporting. Visit the Request access to data page.
• Sharing data outside UQ requires approval from the relevant Information Steward (a data sharing agreement may be used to facilitate this approval). Ensure the agreement or contract includes data handling and security provisions that align with UQ’s policies, procedures and internal security controls. Engage with Data Strategy and Governance (datagovernance@uq.edu.au) before proceeding.
• Personal information may only be used (i.e. within UQ) or disclosed (i.e. outside UQ) in accordance with the Privacy Management Policy. Except where explicitly allowed for under the Privacy Management Policy, any disclosure or secondary use of personal information may require a privacy impact assessment (see clauses 14-15).
• UQ data should be used in an ethical and responsible manner, including any sharing or reuse. Visit the data ethics web page or read the Enterprise Data Ethics Framework.
• Validate the identity of individuals receiving UQ data (e.g. check UQ email, check via phone call) and their authorisation to receive the data.
• Only share or transfer information using UQ-approved IT services. Read more about where to store files and information.
• Only share data (internally or externally) if required for a legitimate and defined University purpose or requirement, to minimise the disclosure of personal information and/or SENSITIVE or PROTECTED information.
• Do not print data unless there is a genuine requirement to do so.
SENSITIVE and PROTECTED
• Only share research data using IT services approved to handle SENSITIVE and PROTECTED data, in accordance with ethics approvals. Read more about where to store files and information.
• If transporting large data sets using physical storage devices, ensure devices are encrypted and passwords are shared securely with the receiver.
• Do not print data unless there is a genuine requirement to do so. If required, do not use printers in low security areas or connected to general office networks. Use managed printers that require staff to log in at the printer to collect printouts.
Links: