View current

Information Management Policy

This is the current version of the approved document. You can provide feedback on this document to the Enquiries Contact - refer to the Status and Details tab from the menu bar above.

Section 1 - Purpose and Scope

(1) The University of Queensland (UQ) values information in its many forms as a core strategic asset and will govern and manage it accordingly throughout its lifecycle. Effective information management ensures that the right information is available to the right person, in the right format and medium, at the right time. Information that enables UQ to perform its core functions is considered an asset.

(2) This Policy outlines expectations and requirements for the governance and management of information at UQ and is intended to enable UQ to:

  1. improve the integration and accuracy of its information;
  2. increase the impact of its research and teaching;
  3. improve compliance and reduce the risk of potential loss or misuse of information;
  4. make better use of information in its decision-making processes;
  5. provide a strong foundation to systematically manage information, ensuring that information of strategic importance and high value is prioritised; and
  6. obtain valuable knowledge through the increased discoverability and appropriate accessibility of its information.

Scope

(3) This policy defines principles for the governance and management of UQ’s data, information and records. The relationship between data, information and records is defined in the linked diagram (showing Data, to Information, to Record), and detailed definitions and examples are in the Appendix. 

(4) This Policy applies to anyone accessing or using UQ’s information, including but not limited to:

  1. Staff;
  2. Contractors and consultants;
  3. Students;
  4. Visitors; and
  5. Title holders and third parties.

(5) Exceptions to this Policy must be approved by the Chief Information Officer, in alignment with the Cyber Security Exceptions Procedure.

Top of Page

Section 2 - Principles and Key Requirements

(6) Robust and effective information management is fundamental to UQ’s functions and operations, as it:

  1. provides for the appropriate management of information throughout the information lifecycle in compliance with legislative obligations and UQ’s policies and procedures,
  2. ensures UQ meets its legislative record keeping obligations, and
  3. helps to ensure that the right information is available to the right person, in the right format, at the right time.

(7) The principles and requirements in this policy are related and intended to be applied holistically where possible. These principles are supported by the governance and management structures defined in the Information Governance and Management Framework.

Protect information as an asset

(8) Effective information management allows UQ to realise the value of its data, enables accountability and transparency, mitigates risk, and allows businesses to operate.

(9) UQ will:

  1. identify and acknowledge the value of its information (i.e. its value to UQ, to UQ’s community, and to others);
  2. implement appropriate controls to protect the confidentiality, integrity, and availability of UQ’s information;
  3. ensure that information governance roles, responsibilities and decision rights are assigned in alignment with the Information Governance and Management Framework;
  4. manage information and records in UQ-approved information systems;
  5. manage information throughout the information lifecycle (see Appendix) in accordance with the Data Handling Procedure, Information Security Classification Procedure, Archives Policy, Privacy Management Policy and the Keeping Records at UQ Procedure
  6. ensure digital information remains digital and is not converted to a physical format unless required; and
  7. maintain a culture that supports effective information management to ensure the UQ community understands the value of information.

Information is findable and accessible

(10) The UQ community and members of the public should have access to relevant and appropriate UQ information where necessary.

(11) UQ will:

  1. maintain information systems to enable efficient cataloguing and discovery of information;
  2. proactively provide access to information where appropriate, including via the Publication scheme, administrative access schemes and Disclosure log;
  3. provide access to documents in accordance with the access regimes set out in the Information Privacy Act 2009 and Right to Information Act 2009;
  4. provide for the amendment of personal information in accordance with the Information Privacy Act 2009; and
  5. give staff timely access to information required to undertake their official duties.

(12) For more information, read the Access to and Amendment of UQ Documents Procedure, and visit the UQ Explore and Access Data web page.

Information is suitable for all of its uses

(13) Information quality is key to generating value from our information and supporting UQ’s strategic objectives. Information quality includes accuracy, completeness, consistency, timeliness, validity, and uniqueness.

(14) UQ will:

  1. establish and maintain practices and processes to improve information quality; and
  2. consider the context under which information is collected, created or captured to ensure information is suitable for its primary use, and for any additional uses.

UQ meets its information management and record keeping obligations

(15) To strengthen information and records management practices, UQ will:

  1. comply with records and information management requirements in contracts and agreements applicable to its operations;
  2. adhere to industry best practice and standards where possible; 
  3. implement information and record management procedures and guidelines to support compliance with relevant legislation, regulations, and policies, including (but not limited to):
    1. Information Privacy Act 2009 (Qld)
    2. Public Records Act 2002 (Qld)
    3. Queensland State Archives - Records Governance Policy (Qld);
  4. ensure UQ's information is findable, accessible, interoperable, and reusable, in accordance with the FAIR Principles (Findability, Accessibility, Interoperability, and Reuse); and
  5. provide training and resources to ensure the UQ community understands their information management responsibilities and can comply with legislation and relevant UQ policies, procedures and guidelines.

Information privacy, confidentiality and security is assured

(16) To help protect UQ’s information and its community, UQ will:

  1. manage and use information ethically and in accordance with the Enterprise Data Ethics Framework, Privacy Management Policy, Student Code of Conduct and Staff Code of Conduct;
  2. respect and maintain the privacy of individuals and their information;
  3. manage system access permissions and privileges to ensure only authorised persons can access or modify information; and
  4. protect information and maintain security controls in alignment with the Cyber Security Policy and Data Handling Procedure.

Records are managed throughout their lifecycle

(17) UQ’s records must be managed in compliance with the Public Records Act 2002 and UQ’s record management requirements. The legislation and supporting instruments set requirements regarding vital, high-value, high risk and historically significant permanent records.

(18) UQ will:

  1. capture records as soon as possible to provide evidence of an event, decision or action and maintain them in approved information systems in alignment with the Keeping Records at UQ Procedure;
  2. retain records in compliance with the relevant retention and disposal schedule, prioritising the protection of vital, high-value, high-risk and historically significant permanent records; and
  3. dispose or transfer ownership of records in compliance with the Archives Policy, Destruction of Records Procedure and Queensland’s Records Governance Policy
Top of Page

Section 3 - Roles, Responsibilities and Accountabilities

(19) The roles below are a summary of key information governance and management roles and responsibilities. Refer to the Information Governance and Management Framework for a comprehensive list.

Information Trustee (Vice-Chancellor)

(20) The Vice-Chancellor is accountable for ensuring the collection and management of UQ’s information and records in accordance with relevant legislative, regulatory and policy obligations.

Chief Information Officer (CIO)

(21) The Chief Information Officer (CIO) is accountable for developing, maintaining and implementing information management capabilities, policies, procedures and technical standards to protect UQ’s information.

(22) The CIO is responsible for ensuring that information roles (i.e. Information Leaders, Information Domain Custodians and Information Stewards) are assigned across UQ.

IT Policy, Risk and Assurance Committee (IT PRAC)

(23) The IT PRAC is responsible for reviewing compliance, assurance or risk reports regarding information governance and management. Read the IT Governance and Management Framework for more information and the committee terms of reference.

Information Domain Custodians

(24) An Information Domain Custodian is assigned to one or more information domains (see the information entity catalogue for more details). For example, the Chief Human Resources Officer is the Information Domain Custodian for the Human Resources domain.

(25) For each assigned information domain, the Information Domain Custodian is responsible for:

  1. key information management decisions and directions;
  2. defining business area specific (e.g. Research) operating procedures and controls to ensure legislative and policy obligations are met, to ensure the confidentiality, integrity, availability and appropriate and ethical use of information; and
  3. assigning Information Stewards to oversee day to day information management.

Information Stewards

(26) An Information Steward is assigned to one or more information entities (see the information entity catalogue for more details). For example, the Director, People Services is the Information Steward for the Staff, Worker, Leave and Timesheet information entities (within the Human Resources domain).

(27) For each assigned entity, the Information Steward is responsible for:

  1. providing advice and making decisions regarding the day-to-day management of information; and
  2. implementing UQ-wide and business area specific decisions, policies, procedures, and standards, to ensure legislative and policy obligations are met.

Associate Director, Data Services

(28) The Associate Director, Data Services is responsible for

  1. maintaining and implementing this policy; and
  2. escalating high-rated risks to UQ committees requiring resolution as required.

Data Strategy and Governance Team

(29) The Data Strategy and Governance Team supports the Associate Director, Data Services to maintain and implement this policy. The team is responsible for:

  1. responding to information governance and management legislative and regulatory requirements (under the remit of the CIO, as defined in the Compliance Legislation Register); 
  2. reporting to UQ committees on information management compliance as required; and
  3. undertaking initiatives to enhance information management and improve information security at UQ.

Records Governance Team

(30) The Records Governance Team is responsible for:

  1. advising on and auditing compliance with record keeping obligations; 
  2. recording the existence of vital, high-risk, high-value records (including records that need to be retained permanently)
  3. maintaining a register of UQ systems approved to retain records;
  4. advising on the management, treatment and preservation of vital, high-risk, high-value and permanent retention records;
  5. developing strategies for records capture, maintenance, lifecycle and archive management; and
  6. maintaining and implementing record keeping and destruction procedures.

Right to Information and Privacy Office (RTI and Privacy Office)

(31) The RTI and Privacy Office is responsible for:

  1. managing UQ’s administrative access schemes and its obligations under the Right to Information Act 2009 and Information Privacy Act 2009; and
  2. providing advice and leadership in relation to privacy compliance across UQ.

UQ Community

(32) Members of the UQ community have a responsibility to:

  1. comply with this policy and associated procedures to create, store, access and use the University’s information ethically and securely; and
  2. notify Information Technology Services regarding actual or suspected breaches of this policy, the Information Governance and Management Framework and/or UQ’s obligations regarding the collection and management of information.
Top of Page

Section 4 - Monitoring, Review and Assurance

(33) The Data Strategy and Governance team ensures that key information governance roles (such as Information Domain Custodian and Information Steward) are appointed, inducted and are aware of their responsibilities. Additionally, the team will provide information governance and management training and deliver awareness initiatives to the wider UQ community as required, to improve information literacy and awareness across UQ.

(34) The Data Strategy and Governance team will report on information management risk and compliance to the IT Policy, Risk and Assurance Committee (IT PRAC) and other UQ committees as required, in alignment with the IT Governance and Management Framework.

(35) The Data Strategy and Governance team will review and update this policy as required to ensure its accuracy.

Top of Page

Section 5 - Recording and Reporting

(36) The Information Asset Register provides details regarding information collected in the course of managing the University.

(37) The Information Entity Catalogue provides a high-level overview of the information domains at UQ, and the different information entities within each domain.

(38) Documents released to applicants under the Right to Information Act 2009 are progressively published via the Disclosure log.

(39) The Approved Systems for Record Keeping Register provides details regarding UQ systems that contain records.

Top of Page

Section 6 - Appendix

Definitions

Term Definition
Data Values or individual facts in their most basic format that exist independent of any given context. Data are raw values that can be processed. When data are processed, combined with other data, organised, structured or presented in a given context, it is referred to as information. Examples include individual fields in a database or pixels in an image file.
Information Consists of data that has been processed, analysed, or interpreted within a given context. Information can exist in any format. Examples include physical (paper, DNA) or digital (audio, PDF file, .jpeg). 
Record Consists of information that has been generated or received by UQ in the course of its activities that is retained by UQ as evidence of activities or decisions, or because the information has cultural, community or organisational value. Certain records must be retained for a specified period to meet legislative requirements. Records can be managed in a range of systems, both digitally and physically. Examples include meeting minutes, contracts and financial transactions. 
Information Domain A broad category or theme under which University information can be identified and managed. See the Information Entity Catalogue for an overview of the information domains at UQ.
Information entity A specific group of information that is related to an information domain. Examples of information entities include ‘digital learning' data for the teaching and learning domain, ‘budget’ data for the finance domain, and ‘salary’ data for the human resources domain.
UQ community Anyone who uses UQ information and communications technology (ICT) resources, and anyone who creates, accesses or uses UQ’s information. This includes (but is not limited to) students, staff, contractors and consultants, visitors, title holders and third parties.

Related UQ Policies and Procedures

(40) Related UQ policies and procedures include:

  1. Information Governance and Management Framework
  2. Information Security Classification Procedure
  3. Data Handling Procedure
  4. Keeping Records at UQ Procedure
  5. Destruction of Records Procedure
  6. Access to and Amendment of UQ Documents Procedures
  7. Cyber Security Incident Management Procedure
  8. Cyber Security Policy
  9. Privacy Management Policy
  10. Archives Policy.

Related Legislation

(41) A full list of legislative instruments can be found in the Information Governance and Management Framework.

Information Lifecycle

(42) See linked Information Lifecycle diagram. The information lifecycle includes:

  1. plan and design;
  2. create, capture and classify;
  3. store and secure;
  4. manage and maintain;
  5. share and reuse;
  6. retain and archive; and
  7. dispose or destroy.