Status and Details

This page contains information about the status, approval and a summary of the changes from the previous version of the document. Please note that the Unit Head listed on this page is the current owner of this policy and may not reflect the University position/staff member who owned this policy at the time of publication.

Information Governance Procedures - Classifications

Show Field Notes

Status	Current	Indicates if this version of the document is in effect (Current), yet to come into effect (Future), or expired (Historic).
Effective Date	9th May 2025	This is the date on which this version of the document came into effect.
Review Date	9th May 2028	The next review of this document is scheduled to commence on this date.
Approval Authority	Vice-Chancellor and President	The noted authority approved this is version of the document.
Approval Date	8th May 2025	This is the date on which this version of the document was approved by the authorised authority.
Expiry Date	Not Applicable	This is the date on which this version expires. It may still apply, conditionally, after this date.
Unit Head	Philip Maloney General Counsel and University Secretary p.maloney@westernsydney.edu.au	This is the officer generally responsible for day to day administrative matters.
Enquiries Contact	Philip Maloney General Counsel and University Secretary p.maloney@westernsydney.edu.au	General enquiries should be directed to the officer/area listed.

Summary of Changes from Previous Version

The Data Remediation Task Force has been meeting regularly since July 2024 to implement the Data Destruction and Remediation Plan (DDRP) provided to the NSW Information Privacy Commissioner (IPC). One of the main objectives in Stage 4 of the plan is to establish ongoing compliance, ensuring that the University incorporates effective data hygiene practices throughout the organisation. The key deliverable in this stage is the Information Governance Framework, a crucial tool that defines decision rights and accountability. The framework incorporates the governance of both structured data (such as fields in databases) and unstructured data (Word documents, emails, PDFs, etc.). One of the critical limitations to the data remediation efforts was the lack of ownership and accountability for some of the systems and data repositories across the organisation. The Information Governance Framework addresses this through the introduction of �~Executive Information Asset Stewards’.

Currently, WSU does not have data classifications in place, which hinders its ability to identify and protect information, as well as to understand the magnitude of any data breaches. As a result, data classification efforts at WSU remain fragmented, heavily reliant on manual processes to govern and remediate. Implementing this framework is also essential for establishing security measures such as Disaster Loss Prevention (DLP). The Data Classifications will increase visibility across data estates and proactively manage sensitive data in line with legislative requirements such as the Privacy and Personal Information Protection Act 1998 (NSW) and the State Records Act 1998 (NSW). The Information Governance Policy and the associated Data Classification procedures have been developed and are now presented for the Vice Chancellor’s approval. These documents were created collaboratively by teams within ITDS, Cyber, Business Continuity Management, and Privacy and Records. They have also undergone extensive consultation with key stakeholders across the University, including public consultation with the entire WSU community on the Policy DDS Bulletin Board.

Once approved, it is proposed that the University adopt Microsoft Purview as a scalable classification and compliance solution to implement the classification schema. This will necessitate an increase in licensing to include this tool. Additionally, the University will need to adopt SharePoint, Teams, and OneDrive as the primary environments for staff and students. This initiative is part of a discrete project already identified within the Cyber
Resilience and Recovery work. This will require a longer term timeframe to implement, but the foundational pieces will be in place.

Clauses Amended:Guidelines: All
Procedures: All