
Data Governance Policy

Section 1 - Key Information

Policy Type and Approval Body: Administrative – Vice-Chancellor
Accountable Executive – Policy: Chief Operating Officer
Responsible Manager – Policy: Chief Data and Analytics Officer (DDA)
Review Date: 13 November 2027

Section 2 - Purpose

(1) Data Governance is the exercise of authority, control, and shared decision-making (planning, monitoring and enforcement) over the management of data assets.

(2) Institutional data is defined as data created, received, maintained and/or transmitted by the University. Institutional data is used for reporting and decision making. Examples include: enrolment data, financial data, human resources data, course data, and subject data.

(3) This Policy establishes the principles, roles and responsibilities required for effective institutional Data Governance, the core component of data management.


Section 3 - Scope

(4) This Policy applies to:

  1. all institutional data;
  2. students, staff, contractors, third-parties, CONAGOTHs (Consultants, Agency or Other) and other members of the University community who use or have access to the University’s data.

(5) This Policy does not apply to:

  1. Research data as defined in the Research Data Management Policy.

Section 4 - Key Decisions

| Key Decisions | Role |
| --- | --- |
| Approve data sets, business terms, access, quality rules, reference data and business entities. | Data Owner / Custodian |
| Approve data classifications in terms of sensitivity and security, taking into account relevant legislation and privacy acts. | Data Owner / Custodians |
| Implement security measures to safeguard sensitive data, both from external threats (such as cyberattacks) and internal risks (such as unauthorized access). This may involve setting up firewalls, encryption, access controls, and security protocols. | IS Custodians |
| Work with the different internal entities (information security, corporate risk, and compliance risk) to define the policies and programs to ensure data delivery, protection, and retirement. | Chief Data and Analytics Officer |
| Monitor and provide guidance on collection, legal and regulatory requirements to ensure compliance with data protection laws and advise on data sensitivity classifications for Personal Information (PI). | Privacy Officer |
| Approve data sources for metadata scanning and profiling. | Data Information Governance Council (DIGC) |

Section 5 - Policy Statement

(6) The University acknowledges the role of institutional data in achieving its strategic and operational objectives. The University applies the following fundamentals when governing institutional data:

  1. Institutional data is an asset of the University
  2. It is governed through defined roles and responsibilities
  3. Individuals are responsible for the data they collect and manage on behalf of the University
  4. Data must be of good quality e.g. accuracy, completeness, consistency, timeliness, validity and uniqueness, and managed consistently across its lifecycle
  5. The management of institutional data must comply with applicable legislation and relevant policies
  6. Institutional data is held securely and protected from unauthorised access, use and disclosure

Section 6 - Procedures

Part A - Roles and Responsibilities

Senior Executive

(7) The Chief Operating Officer is accountable for the University’s Data Governance. They are:

  1. responsible for ensuring it is adequately resourced and aligned to the University’s strategic objectives; and
  2. the final point of escalation in relation to data governance issues, including non-compliance with this Policy, which will be handled under the Code of Conduct.

Data and Analytics & Associated Roles

Chief Data and Analytics Officer

(8) The Chief Data and Analytics Officer (DDA) is responsible for:

  1. establishing and maintaining the University’s Data Governance Framework;
  2. promoting good data governance by working with data owners to ensure they embed data governance requirements across the data assets for which they are accountable; and
  3. ensuring appropriate processes are in place to enable data security on reports, dashboards, Application Programming Interfaces (APIs) and the University’s data warehouse.

Data Modelers, Data Engineers and Business Analysts

(9) Data Modelers, Data Engineers and Business Analysts are responsible for:

  1. ensuring that data is accurately defined, modeled, stored and transmitted in alignment with business, technical and legislative requirements;
  2. ensuring data assets conform with the University’s Data Governance Framework;
  3. ensuring the relevant Data Owner has approved the use of the data in advance;
  4. reporting data asset security risks or incidents to the Chief Information Security Officer (CISO); and
  5. reporting privacy risks or incidents in accordance with the Privacy Policy.

Privacy Officer

(10) The Privacy Officer is responsible for:

  1. providing privacy advice as follows: 
    1. advice to Data Owners and Data Stewards to help inform the data sensitivity
    2. advice on what legislation informs data classifications
  2. providing privacy training to employees and raising awareness about the importance of privacy in data governance
  3. receiving and assessing privacy incidents and concerns.

Data Owners & Data Stewards

Data Owners (also sometimes referred to as Data Custodians)

(11) Data Owners are senior managers who are accountable for the data assets associated with the operational units which they manage (e.g. the Executive Director, Human Resources (HR) is responsible for HR-related data assets).

(12) A Data Owner is accountable for:

  1. accuracy of data assets, including definitions, data sets, data and security classifications; 
  2. setting and/or approving the conditions of use, including any system or storage requirements. They have the right to override the assigned security classification based on revised risk. However, care must be taken to ensure data is protected;
  3. ensuring access is on a ‘need to know basis’ and conforms with:
    1. privacy law obligations; and
    2. security and data classification requirements.
  4. complying with the University’s record keeping requirements in relation to the storage, retention and destruction of data.

(13) All Data Owners are members of the Data Information Governance Council (which is outlined in more detail below).

Data Stewards

(14) Data Stewards are appointed by the Data Owner to support them in managing day-to-day data-related activities.

(15) A Data Steward is responsible for:

  1. assigning the data and security classifications for which they are responsible
  2. contributing to the Data Governance Working Group, the function of which is described in more detail below
  3. providing expertise on data assets associated with their operational unit

Information Services

Chief Information Officer (CIO)

(16) The Chief Information Officer is accountable for:

  1. ensuring adequate security controls are in place to protect data against unauthorised access, breaches, and other security threats;
  2. prioritising data security with regard to the nature of the risk;
  3. ensuring data protection from unauthorised disclosure or interception;
  4. overseeing the management of platforms (e.g. databases, file systems, communication channels).

Chief Information Security Officer (CISO) & Information Services (IS) Custodian

(17) The CISO & IS Custodians are responsible for:

  1. the technical management, security, and maintenance of data assets. In particular:
    1. implementing and maintaining the IT infrastructure that supports data storage, processing, and transmission;
    2. ensuring data is securely backed up, reliably recovered, and protected from unauthorised access through robust security measures and access controls;
  2. working with data stewards, business analysts, and other stakeholders to enforce data governance;
  3. the technical aspects of data lifecycle management, including data archiving, purging, and ensuring data integrity;
  4. conducting regular audits and implementing updates and patches to maintain system security and efficiency.

Information Architects

(18) The Information Architect is responsible for:

  1. ensuring consistency and interoperability across system integrations;
  2. data architecture for the organisation, including the enterprise data model, application register and their associated data business entities;
  3. overseeing the data lifecycle, from creation to disposal, balancing business needs with regulatory requirements;
  4. ensuring data quality to utilise the full potential of data assets while also mitigating risks associated with data governance.

Records Management

(19) The Records Management Office is responsible for:

  1. data retention, ensuring that data is retained in compliance with legal and regulatory requirements and supports data lifecycle management;
  2. auditing and reviewing data retention and disposal practices to ensure compliance.

Part B - Governance Structure

Data Information Governance Council (DIGC)

(20) The Data Information Governance Council is a forum for Data Owners and other designated officials (who have planning, policy-level, and management responsibility for data within their functional areas) to discuss data assets.

(21) The Data Information Governance Council will:

  1. meet regularly and upon the request of the Chief Data and Analytics Officer
  2. monitor data quality
  3. promote data literacy, awareness, and appropriate data use
  4. ensure alignment with the strategic plan

Data Governance Working Group (DGWG)

(22) The Data Governance Working Group consists of data governance leads, data stewards, subject matter experts, data modelers, Privacy Officer, Information Services security, digital records representatives and information architects.

(23) The Data Governance Working Group will:

  1. monitor and review business terms, metrics, enterprise information model updates, data sets, data classifications, reference data, marketplace collections and data quality rules.

Part C - Classifications

(24) Data classifications are used to manage and protect data based on sensitivity, value, and regulatory requirements. Security classifications protect information, e.g. documents, data sets, business terms and metrics. Both classifications ensure handling of data is compliant with laws, regulations, policies and standards throughout its lifecycle. To do this, institutional data is to be classified as follows:

Sensitivity Classification

(25) The classification is based on the impact disclosing the data has on the University:

  1. None – data that is not sensitive and poses no risk to the University if exposed or accessed by unauthorised individuals.
  2. Low – data that has a low impact on the University if exposed or accessed by unauthorised individuals.
  3. Medium – data that could pose a moderate risk to the University if exposed or accessed improperly.
  4. High – data that has a significant impact on the University if accessed or modified without authorisation.

(26) Data sensitivity classification can be used for data security, compliance, incident response and data lifecycle management.

Security Classification

(27) The classification determines the level of protection on the information:

  1. Public – freely disclosed to the public without any risk of harm to the University. It is for open access and does not require special handling.
  2. Internal – intended for use within the University and not for public disclosure. Unauthorised access could cause moderate harm but typically would not have severe consequences.
  3. Confidential – if disclosed without authorisation, could cause significant harm. Access is usually limited to specific individuals or groups.
  4. Restricted – the highest level of classification, applied to information that, if disclosed without authorisation, could cause severe damage.

Section 7 - Definitions

(28) For the purpose of this Policy and Procedures:

  1. Data Asset: a resource that is owned and controlled, is expected to be of value and to generate positive future economic benefit.
  2. Business Domain: an area of responsibility or a grouping of naturally coherent concepts.
  3. Business Entity: a business entity encapsulates data with common characteristics. It is used to align Data Governance, Data Flow Diagrams, Integration, Conceptual Models and Logical Models, and Data Sources.
  4. Business Term: the definition of key business information that is used in day-to-day business operations and analysis. Business terms also help to provide the link from information to the underlying data.
  5. Data: any recorded information; it can include technical data, computer software documents, financial information, management information, representation of facts, numbers, or datum of any nature that can be communicated, stored, and processed.
  6. Data attribute: the smallest unit of data, the column or field level in tables and files.
  7. Data classification: the process of separating and organizing data into relevant groups (“classes”) based on their shared characteristics, such as their level of sensitivity, the risks they present, and potentially the compliance regulations that protect the data.
  8. Data governance framework: a structured approach that ensures data assets are managed effectively, efficiently, securely, and in compliance with relevant regulations and policies. It encompasses the processes, roles, policies, standards, and technologies.
  9. Data set: the collection of data attributes within a business context. A data set may be in the format of a flat file, database table, report, application programming interface (API), etc.
  10. Enterprise Information Model: La Trobe’s Enterprise Information Model is derived from the Higher Education Data Reference Model published by the Council of Australasian University Directors of Information Technology (CAUDIT). It defines our foundation, enabling and core business domains to allow further data categorizing into each domain’s business entities. It provides a reference point for all data management activities.
  11. Health information: health information has the meaning set out in the Health Records Act 2001 (Vic). Health information is personal information: about the physical, mental or psychological health or disability of an individual; about an individual’s expressed wishes regarding the future provision of health services to them; about a health service provided, or to be provided, to an individual; collected to provide a health service; about an individual collected in connection with organ or body substance donation; or that is genetic information in a form which is or could be predictive of the health of the individual or of their descendants.
  12. Personal information: has the meaning set out in the Privacy and Data Protection Act 2014 (Vic) and includes information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
  13. Security Classification: The process of categorizing information assets based on the level of protection required. This classification helps in determining the appropriate security controls, access restrictions, and protective measures required to safeguard the data from unauthorized access, disclosure, or misuse.
  14. Sensitive information: personal information about an individual’s racial or ethnic origin, political opinions, membership of a political, professional or trade association or trade union, religious beliefs or affiliations, philosophical beliefs, sexual preferences or practices or criminal record.

Section 8 - Authority and Associated Information

(29) This Policy is made under the La Trobe University Act 2009.

(30) Associated information includes:

  1. Records Management Policy
  2. Information Security Policy
  3. Research Data Management Policy
  4. Code of Conduct
  5. Risk Management Policy
  6. Critical Incident and Business Continuity Management Policy
  7. Data Governance Framework (under development)
