Data Governance Policy
1. Purpose
1.1 The Data Governance Policy (the policy) establishes a framework for effective data management at UTS by:
- establishing the principles and practices for the management and use of the university’s corporate data
- developing a data conscious environment to provide secure, well managed and reliable data that supports university operations, decision-making, planning and reporting, and
- articulating responsibilities for the stewardship of corporate data and information systems supporting the implementation of this policy.
2. Scope
2.1 This policy applies to all staff, students and affiliates (hereafter users) and any person with access to UTS information, corporate data and information technology resources.
2.2 This policy must be adhered to in the collection, use and management of all corporate data.
2.3 This policy works with the following policies to collectively operationalise data governance at UTS:
- the Privacy Policy, which protects the privacy, in particular, personal information, of all individuals
- the Data Breach Policy, which outlines how UTS identifies, responds to and manages a data breach involving personal information and/or health information
- the Records Management Policy, which outlines the processes for full and accurate recordkeeping and management
- the Academic Records Policy, which articulates the requirements relating to official academic record documents issued to students and graduates
- the Research Policy, which defines the requirements for the management of research data and primary materials
- the Artificial Intelligence Operations Policy, which guides the use, procurement and development of artificial intelligence capabilities at UTS, and
- the Acceptable Use of Information Technology Resources Policy and the Information Security Policy, which define the requirements for information system access control and system security.
3. Principles
3.1 Corporate data is governed in line with this policy and stored in approved and appropriate information systems. At UTS, data is:
- valued as a strategic asset of the university, essential to UTS’s purpose of advancing knowledge and learning
- shared where possible within the limitations required (for example, privacy) to support UTS’s operational and strategic goals
- managed, organised and readily available to support discoverability by appropriate users
- usable and reusable when there is a shared understanding of what it signifies and when conditions of access and use are communicated clearly
- trustworthy and of high quality supporting accurate reporting and evidence-based decision-making, and
- protected from loss, unauthorised use and disclosure through information security classification and security controls.
4. Policy statements
Data management and use
4.1 Data at UTS is valued as an asset and therefore must be:
- assigned an information security classification in accordance with the Records Management Policy to guide appropriate handling and application of the technical controls
- actively managed throughout the data lifecycle
- collected with attention to accuracy and completeness and, if collecting personal information, in accordance with the Privacy Policy
- stored in approved information systems that are appropriate to the assigned information security classification and protected from data loss
- accessed for authorised use in accordance with clear and transparent control frameworks
- used ethically and legally for valid business purposes, and
- archived or disposed of in a timely manner in accordance with the Records Management Policy.
4.2 High-quality corporate data is important for operational efficiency, compliance, accurate reporting and evidence-based decision-making. Data quality requirements should be defined in the context of the purpose and use of the data.
4.3 Data assets should be catalogued where possible to ensure visibility and support discovery.
4.4 Corporate data elements must be defined consistently throughout the university and glossary definitions made available to all users.
4.5 Unnecessary duplication of data across IT services, devices and storage locations should be avoided to reduce the risk of cyber attacks and high resource costs and to lessen the potential for ambiguity.
4.6 UTS data must not be shared with third parties without the third party entering into a legally binding agreement with UTS to ensure data security and protection from unauthorised access, use or disclosure.
4.7 Disclosure of corporate data to an external party, including for compliance activities or research projects, must be explicitly authorised by the relevant data steward in accordance with this policy, the Records Management Policy, the Privacy Policy and, where relevant, with the research ethics clearance (refer Research Policy).
4.8 Where practical, non-public UTS data should be stored in Australia. Data may be stored or transferred offshore only after evaluating and mitigating risks, with any residual risks accepted and approved by the data steward. Offshore data storage must be registered with the Data Analytics and Insights Unit (refer UTS data governance: Offshore Data Registration (SharePoint)).
4.9 All users are accountable for:
- data they collect, use and manage on behalf of the university whether on or off campus
- prompt reporting of identified or suspected data breaches, which must be managed in line with the Data Breach Policy (where the breach involves personal and/or health information) and/or the Information Security Policy.
4.10 Users must ensure that the data they consume is fit for its specific purpose(s). Any feedback about the quality of the data must be provided to relevant data stewards.
Data and systems stewardship
4.11 The governance of corporate data at UTS is implemented through a network of data and systems stewards who facilitate data sharing for legitimate purposes, while ensuring responsible management of data. Stewardship responsibilities are complementary to the information management responsibilities of deans, directors, chief officers and heads of areas outlined in the Records Management Policy.
4.12 The Chief Data Officer (CDO) has overall responsibility for data management planning and improvement for agreed data domains and information systems. The CDO is responsible for:
- assigning data and information system stewards and accountabilities for agreed data domains
- approving the mapping of data categories to the Information Security Classification Standard, in consultation with the Chief Information Security Officer and University Records, via the UTS data reference model (refer UTS data governance: UTS Data Reference Model (SharePoint))
- resolving any issues escalated from data and/or information system stewards, and
- prioritising the management and improvement of data governance and associated information systems.
4.13 To effectively manage corporate data:
- information system stewards for systems under the management of the Information Technology Unit are nominated by the Chief Information Officer (CIO) or otherwise by the CDO in consultation with the relevant data steward
- the CIO oversees the provision and management of information systems in line with the Acceptable Use of Information Technology Resources Policy and the Information Security Policy, and
- information systems governance and data governance will align as part of a holistic approach to data management.
4.14 Data stewards are normally unit directors or senior managers assigned stewardship responsibility for a data domain (or sub-domain) by the CDO. Guidance and resources for data stewards are available at UTS data governance (SharePoint).
4.15 Data stewards provide detailed oversight of and approvals for data management, storage, planning and improvement for data within their domain of responsibility, including:
- understanding their responsibilities under this policy, including the risk management and legal context for data collection, storage, use and access (refer the Records Management Policy and the Privacy Policy)
- ensuring that corporate data is appropriately classified in line with this policy and the allocated security classifications in the Information Security Classification Standard
- defining user access and data security requirements for appropriate systems in line with this policy, the Privacy Policy and the Information Security Classification Standard
- ensuring data risks are managed in consultation with the relevant information system stewards
- setting the conditions for integration of data under their stewardship and maintaining documentation of relevant data flows between systems and business processes
- identifying where data is critical for compliance, operational efficiency or to support decision-making and implementing data quality monitoring mechanisms in processes and/or systems to enable data that is fit for purpose
- where they are responsible for external compliance reporting, validating that the data, whether from their domain or another domain, is of sufficient quality to meet the reporting requirements
- authorising new data collection and data disposal exercises in accordance with the Privacy Policy and the Records Management Policy
- considering requests for disclosure of corporate data in line with this policy and the Privacy Policy
- ensuring that all staff are aware of the requirements for data handling as outlined in the Information Security Classification: User Handling Guide (available at Records and archives hub: Information security (SharePoint)), and
- arranging role appropriate training for current and potential users before granting systems (and, therefore, data) access.
4.16 Information system stewards provide detailed oversight of their information systems. Working with data stewards, information system stewards are responsible for:
- the management, maintenance and development of the information system and its associated procedures
- applying appropriate access controls in line with this policy, the Privacy Policy and allocated security classifications in the Information Security Classification Standard
- working with data stewards to ensure access to information systems is reviewed for accuracy and updated as required in a timely manner
- supporting data security through adoption of appropriate technology in accordance with the Information Security Policy and the Information Security Policy Framework (available at Beyond the Firewall: UTS Cybersecurity (SharePoint))
- providing support and advice to data stewards on data risk management processes
- maintaining documentation of relevant data flows between systems and ensuring that the integration of sensitive or confidential data from different domains is covered by data sharing agreements as required
- supporting data quality management initiatives through adoption of relevant technology
- ensuring that all privacy requirements (for example, privacy notices) outlined in the Privacy Policy and the Privacy Management Plan (available at Privacy regulations) are applied to the management of the information systems under their stewardship, and
- ensuring that all recordkeeping requirements outlined in the Records Management Policy are applied to the management of information systems under their stewardship.
Breaches, complaints and exemptions
4.17 Breaches of this policy will be managed under the Code of Conduct, relevant Enterprise agreement or the Student Rules as appropriate.
4.18 Complaints in relation to data governance will be managed in line with the Staff Complaints Policy or the Student Complaints Policy as appropriate.
4.19 Exemptions to the requirements of this policy may be submitted to the CDO for consideration and the Chief Operating Officer for decision. Exemption requests and the resulting decisions and rationale must be recorded on a register by the office of the CDO.
5. Roles and responsibilities
5.1 Policy owner: The Chief Data Officer (CDO) is responsible for policy enforcement and compliance, ensuring its principles and statements are observed. The CDO is also responsible for approval of any associated university-level registers and procedures associated with this policy.
5.2 Policy contact: The Head of Data Management Services is the primary point of contact for advice on implementing and administering this policy. The Head of Data Management Services is also responsible for liaising with the University Secretary, the Chief Information Officer (CIO) and the Chief Information Security Officer to develop and maintain the Information Security Classification Standard (available at Records and archives hub: Information security (SharePoint)). Refer also Records Management Policy.
5.3 Implementation and governance roles:
The Data Analytics and Insights Unit is responsible for:
- managing and maintaining a register (or registers) of data stewards and information system stewards
- developing procedures, management tools and data steward networks to support the implementation of this policy
- managing and maintaining a register of exceptions to this policy, and
- coordinating online educational resources and procedural documents.
The Information Technology Unit, under the CIO, is responsible for:
- ensuring the university’s IT architecture and information systems operate in line with this and all related university policies (refer statement 2.3), and
- developing frameworks, procedures, management tools and information system steward networks to support the implementation of this policy.
6. Definitions
These definitions apply for this policy and all associated procedures. These are in addition to the definitions outlined in Schedule 1, Student Rules. Definitions in the singular also include the plural meaning of the word.
Affiliate is defined in the Code of Conduct.
Corporate data means all data collected, created and/or published by or on behalf of UTS or its staff in relation to its normal business activities. Corporate data includes but is not limited to data about students, staff, affiliates, teaching and learning activities, research management, external engagement, web and social media, finance and facilities; but excludes research data as defined in the Research Policy.
Data is a collection of facts or statistics that may be used for a particular or unspecified purpose. The format of data and its manner of presentation or collection may vary, depending on the nature of the data.
Data breach is defined in the Data Breach Policy.
Data domain means a broad category of corporate data. These domains are specified in the register of data governance roles and may be further specified into sub-domains.
Data element means the smallest named item of data that provides meaningful information (for example, name, address, year, category).
Data lifecycle means the 5 phases of data management recognised by UTS to achieve strategic and operational objectives and meet legislative requirements:
- collection — the creation, acquisition or capture of data
- storage — the appropriate retention and organisation of data
- access — assuring that authorised users have access to necessary data
- use — the appropriate utilisation of data by the appropriate authorised users
- archive and disposal — the long-term storage or deletion of data that is no longer required (refer Records Management Policy).
Data quality means an assessment about data's fitness for purpose in a particular context.
Data quality management means the processes in place to manage the accuracy, validity, completeness, consistency and timeliness of data.
Data steward means a dean, associate dean, director or other senior manager with stewardship responsibility for a data domain or sub-domain.
Discoverability (in the context of data governance) means providing a searchable catalogue of data so that it can be browsed, searched for, or recommended based on personal search history.
Information system means any university system used in the collection, creation, capture or storage of corporate data. This includes but is not limited to databases, business systems, applications, tracking systems, digital records, paper records and recordkeeping systems.
Information system steward means a senior manager or director with stewardship responsibility for a university information system.
Offshore data storage means unpublished data stored in an alternative legal jurisdiction to Australia.
Approval information
Policy contact | Head of Data Management Services |
---|---|
Approval authority | Vice-Chancellor |
Review date | 2029 |
File number | UR18/310 |
Superseded documents | None. |
Version history
Version | Approved by | Approval date | Effective date | Sections modified |
---|---|---|---|---|
1.0 | Vice-Chancellor | 06/02/2018 | 03/04/2018 | New policy. |
1.1 | Vice-Chancellor | 02/06/2020 | 02/06/2020 | Apply references to the new role and responsibilities of Chief Data Officer. |
1.2 | Director, Governance Support Unit (Delegation 3.14.1) | 09/03/2021 | 06/04/2021 | Amendments to reflect updates resulting from the Policy Impact Project (2020). |
2.0 | Vice-Chancellor | 17/05/2021 | 28/05/2021 | Amendments as a result of a scheduled three-year review. |
2.1 | Vice-Chancellor | 29/06/2022 | 30/06/2022 | Changes and updates to reflect new ownership under portfolio realignment under Fit for 2027 project. Inclusion of a breaches and complaints section. Improvement of corporate data definition. Updates regarding storage of data offshore. |
2.2 | Deputy Director, Corporate Governance (Delegation 3.14.2) | 12/04/2023 | 12/04/2023 | Changes to reflect new unit title of Office of General Counsel. |
2.3 | Director, Governance Support Unit (Delegation 3.14.1) | 16/03/2023 | 09/06/2023 | Minor update to reflect the new Artificial Intelligence Operations Policy. |
2.4 | Deputy Director, Corporate Governance (Delegation 3.14.2) | 13/11/2023 | 28/11/2023 | Minor update to reflect the new Data Breach Policy. |
2.5 | Deputy Director, Corporate Governance (Delegation 3.14.2) | 20/06/2024 | 08/07/2024 | Updates to reflect the review of the Acceptable Use of Information Technology Resources Policy and the Information Security Policy. |
3.0 | Vice-Chancellor | 25/11/2024 | 04/12/2024 | Scheduled review. |
References
Acceptable Use of Information Technology Resources Policy
Artificial Intelligence Operations Policy
Information Security Classification Standard (available at Records and archives hub: Information security (SharePoint))
Information Security Classification: User Handling Guide (available at Records and archives hub: Information security (SharePoint))
Information Security Policy Framework (available at Beyond the Firewall: UTS Cybersecurity (SharePoint))
Privacy Management Plan (available at Privacy regulations)
UTS data governance (SharePoint)