Information Governance Framework

Section 1 - Purpose and Context

(1) The University and its controlled entities are committed to the effective and efficient use of information assets and the transparent, appropriate, safe (including cyber secure) and compliant management of it as a resource which underpins world class research and teaching and ensures business decisions are based on consistent and trustworthy data.

(2) This framework has been developed to mature practices and create a culture that ensures appropriate oversight is in place to properly manage and maintain our information assets, with a focus on cyber security and the Privacy Protection Principles (refer to the Privacy and Personal Information Protection Act 1998 (NSW)).

(3) This framework establishes the principles, processes, standards and shared responsibilities related to the management of information (including data) of the University and its controlled entities. The framework is designed to ensure the integrity, availability and confidentiality of information and data, aligning with best practices and in accordance with requirements of Higher Education Standards Framework (Threshold Standards) 2021 – Standard 7 (Representation, Information and Information Management).

(4) This framework provides direction on the creation, classification, ownership, storage and retention of information and data in accordance with the Privacy and Personal Information Protection Act 1998 (NSW) and the State Records Act 1998 (NSW). It clarifies the roles and responsibilities of data stewards and emphasises the importance of holding individuals responsible for the information assets they manage.

(5) This framework includes the identification, risk assessment and management of high-value and sensitive information systems and assets. It supports cyber security for information assets including the implementation of a relevant security by design approach.

(6) The Information Governance Framework will be fully integrated with the University's digital strategy, risk management program and Information Security Management System (ISMS), ensuring that all data-related decisions support the overarching strategic objectives and risk appetite of the institution.

(7) This framework must be read and understood in conjunction with the Information Governance Procedures - Classifications and relevant University policies and procedures, including, but not limited to the:

  1. Acceptable Use of Digital Services Policy 
  2. Biological and Gene Technology Work Safety Policy 
  3. Compliance Policy 
  4. Cyber Security Policy 
  5. Digital Information Security Policy 
  6. Foreign Arrangements and Foreign Interference Policy  
  7. Open Access to Research Policy 
  8. Password Protection Guide 
  9. Privacy Policy 
  10. Privacy Management Plan 
  11. Privacy Impact Assessment Procedures 
  12. Privacy Data Breach Response Plan 
  13. Records and Archives Management Policy  
  14. Research Data Management Policy 
  15. Risk Management Policy 
  16. Information Governance Procedures - Classifications 
Section 2 - Definitions

(8) For the purposes of this framework, definitions that apply can be found in the Policy DDS Glossary, in addition to the following:

  1. Data means information stored in any University or controlled entity Digital Service including but not limited to systems, services, databases and webpages.
  2. Data Governance means “the exercise of authority and control (planning, monitoring and enforcement) over the management of data assets." [DAMA, DMBOK 2017].
  3. Data Stewardship means data governance roles with specific stewardship responsibilities.
  4. Digital Information means processed and transformed data held within any University or controlled entity Digital Services that is useful for the University's pursuit of its educational, research and business goals.
  5. Digital Services means all IT resources and services (e.g., data, voice, video) delivered through electronic means. This includes the capture, storage, retrieval, transfer, communication and/or dissemination of information electronically and the technologies used in support of these activities. Such technologies encompass systems, software, hardware, communications and network facilities. The method of delivery may be hosted within University IT facilities, externally or a combination. They may be paid or free, subscribed or purchased, provided through a cloud or as a managed service.
  6. Health Information has the same meaning as in the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act). 
  7. Information Governance means a system that manages how an organisation uses its information. It includes policies and processes for collecting, storing, using and sharing information. The key components include decision rights, an accountability framework, data quality, data protection and data sharing.
  8. Information Asset means facts about a situation, person or event, held in University or controlled entity systems as data or in any other form or place in the University.
  9. Information Compliance means the process of adhering to policies and decisions derived from internal directives, procedures and requirements, or from external laws, regulations, standards and agreements.
  10. Metadata means data that describes/provides context for a data asset or data element. Examples include definitions/descriptions, who owns it, when it was created, when it was last updated, and what format it is stored in.
  11. Personal Information has the same meaning as in the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) that identifies a person and can include name, address and other details, photographs, images, video or audio footage.
  12. Information Protection Principles refers to the 12 NSW Privacy Principles outlined in the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) that the University must abide by when collecting, storing, using and disclosing personal information.
  13. Privacy Principles consist of the 13 Australian Privacy Principles defined in the Privacy Act 1988 (Cth). These principles are similar to the 12 Privacy Principles found in the PPIP Act. They apply to the University's controlled entities, provided they meet the definition of an organisation as outlined in the Act, and in some limited circumstances apply to the University. For further information, refer to the Privacy Act 1988 (Cth).
Section 3 - Policy Statement

(9) The University and its controlled entities seek to create a progressive and inclusive data-driven environment that promotes transparency, streamlines efficiency, increases accuracy and encourages evidence-informed decision-making. This includes a commitment to empowering our stakeholders with reliable, comprehensive information, ensuring compliance and data security (refer to the Cyber Security Policy), and using leading technologies and forward-thinking strategies. It also includes maintaining a strong security posture through proactive threat intelligence, vulnerability management and security monitoring.

(10) The Information Governance Hierarchy at the University is:

  1. Information Governance Committee
  2. Information Governance Group – provides advice and support to the steering committee on information governance matters
  3. Information Governance Forum – provides a space for information asset owners to network and share learnings across divisions.
  4. Executive Information Asset Steward – accountable officer for all information assets in their business unit, including the security and quality of information collected and held.
  5. Information Asset Owners – senior business leader who has accountability and decision-making authority within their domain
  6. Business Data Stewards – subject matter experts for the information systems in their domain
  7. Technical Data Stewards – IT professionals operating as technical and data quality analysts
  8. Information Asset Users – individuals who have been granted access to information or information systems and data.
More information on the Information Governance Hierarchy, including a list of identified Executive Information Asset Stewards is available from the Data Catalogue.

(11) The University and its controlled entities are committed to designing information assets that are:

  1. Digitised wherever possible
  2. Ready for re-use, interoperable across the organisation and available and usable as needed
  3. Discoverable across our organisation by those with legitimate need
  4. Accurate, up to date and complete
  5. Protected from unauthorised access, alteration, deletion, destruction, disclosure or misuse
  6. Disposed of appropriately in accordance with legislative requirements.

(12) The University and its controlled entities are committed to designing governance mechanisms that ensure information and data management decisions are made with integrity, accountability and transparency, with the Privacy Protection Principles and Privacy Principles in mind and deliver good business outcomes that align with the University Strategic Plan.

(13) The University and its controlled entities are committed to ensuring that our people understand and appreciate the value of information and data as an asset for the organisation, the government, the intellectual property of the nation, and the cultural heritage of our people.

(14) The key principles in the management of the University's and its entities' information assets are:

  1. Using an Information Assets Classification to ensure the consistent management of and access to information assets. Metadata for all information assets must include information security classifications, data retention schedules, and access control requirements.
  2. Information assets have clear lines of responsibility and accountability, recognising that it is a strategic asset and business enabler to the University with real and measurable value.
  3. Procedures regarding University and controlled entities' information and data governance are accessible to members of the University, its entities and the public. Notification about collection, use, availability, disclosure and disposal are important features of transparency.
  4. The University's and its controlled entities' information and data governance processes advance the uses of information assets that demonstrate operational, analytical and ethical integrity, free of actual or perceived conflicts of interest.
  5. Information assets are subject to clear and auditable access protocols that are consistent with roles and responsibilities. Disclosure of information or data to external parties including third parties or the public must be explicitly authorised in accordance with relevant information/data sharing policies and Privacy Protection Principles. Information assets must be managed across their lifecycle, and protected from unauthorised access, use, disclosure or deletion. Regular audits and security assessments will be conducted to verify compliance with these access protocols.
  6. University and controlled entity information and data governance procedures support an environment in which information assets are not unnecessarily duplicated, are safely and transparently managed with controlled access, and are shared through clear procedures and guidelines within the limitations of human, digital and physical resources.
  7. Information and data governance is recognised as a collective responsibility. Everyone who manages, uses, or provides information or data is a partner in its governance with collaboration embedded in information and data management practices.
  8. Information that is a State Record, an Archive or cultural heritage is managed in accordance with the University's Records and Archives Management Policy.
  9. Ensure that information management practices support good decision-making recognising that integrity, accountability and transparency are essential to delivering good business outcomes and building public trust.
  10. All external data sharing and third-party engagements must adhere to the University's information governance policies. All data sharing agreements with external parties must include clauses that address data security, privacy, and compliance requirements, as well as incident reporting procedures.
  11. The University will establish and maintain ongoing training and awareness programs to ensure that all employees, contractors, and relevant stakeholders are knowledgeable about the principles, responsibilities, and practices outlined in this framework.

(15) The University will conduct regular audits and performance reviews of its information governance practices. Results will be reported to the Information Governance Committee to drive continuous improvement and ensure compliance with all relevant legislative and regulatory requirements.

Section 4 - Procedures

(16) The responsibility for the ownership of information assets is with that part of the University or University controlled entity best placed to make decisions about the collection, security, management, use and disposal, and to identify and manage the associated risks.

(17) The Data and Information Governance Structure at the University and its controlled entities manages information assets across the following key areas (refer to the Data and Information Governance Structure on the Data Governance at Western page; staff login required):

  1. Data and Information Classification
  2. Data architecture
  3. Data modelling and design
  4. Storage and operations, including transfer and sharing
  5. Security, including Cyber Security, Data Loss Prevention and Incident Response
  6. Data integration and interoperability
  7. Archiving and content management
  8. Reference and master data
  9. Data warehousing and business intelligence
  10. Metadata
  11. Information asset quality and integrity
  12. Disposal of Information assets
  13. Data and information at the University is classified in accordance with the Information Governance Procedures - Classifications.

(18) Information Governance Roles and Responsibilities (Decision Rights and Accountability Framework).

| Function | Activity | Accountable | Responsible | Consulted | Informed |
|---|---|---|---|---|---|
| Policies | Establishing University Information Governance Policies | Vice-Chancellor and President | Office of Governance Services | Chief Information Officer and Chief Information Security Officer | all staff |
| Procedures | Establishing University Information Procedures | Vice-Chancellor and President | Office of Governance Services | varies by policy | all staff where appropriate |
| People | Identifying Executive Information Asset Steward | Information Governance Committee | Office of Governance Services | Information Asset Owner | Information Technology and Digital Services, Business Data Stewards |
| | Identifying Business Data Stewards | Information Governance Group | Information Asset Owner | Business Data Steward | Information Technology and Digital Services, Business Data Stewards |
| | Implement and monitor adherence to information asset policies and procedures | Information Asset Owner | Business Data Steward | Technical Data Steward | affected parties |
| Metadata | Information Asset Inventory | Information Asset Owner | Business Data Steward | Technical Data Steward | make available to all staff |
| | Document and maintain information asset definitions (Data Catalogue Section Owner) | Information Asset Owner | Business Data Steward | Business Data Stewards, Technical Data Stewards | make available to all staff |
| Information Asset Quality | Define information asset quality standards and rules | Information Asset Owner | Business Data Steward | Technical Data Steward | affected parties |
| | Monitor information asset quality and resolve quality issues | Information Asset Owner | Business Data Steward | Technical Data Steward | affected parties |
| | Measure information asset quality | Information Asset Owner | Technical Data Steward | Business Data Steward | affected parties |
| Data Security | Define Data Roles | Information Asset Owner | Business Data Steward | Technical Data Steward | affected parties |
| | Authorise user in Data Roles | Information Asset Owner | Business Data Steward | Technical Data Steward | |
| | Implement/Revoke Permissions for Data Roles | Information Asset Owner | Technical Data Steward | Business Data Steward | |
| | Assign users to Data Roles | Information Asset Owner | Technical Data Steward | Business Data Steward | |
Section 5 - Guidelines

(19) Data and Information Governance Structure on the Data Governance at Western page (staff login required).

(20) Data HQ.

(21) Cyber Security website.

(22) Records and Archives Management Services website.