Information Governance and Management Framework

Section 1 - About this Document

Executive Summary

(1) The Information Governance and Management Framework (the Framework, this Framework) establishes the University of Newcastle’s (the University) overarching approach to governance and management of University information, including data and records.

Purpose

(2) The Framework defines the University's information governance and management roles, authorities, and structures, and describes our approach to information management to meet current and future organisational needs and regulatory requirements. It includes all the University's information, including data and all files and records, to:

  1. support strategic objectives;
  2. ensure University information is protected and preserved;
  3. enable effective, ethical and secure use of University information; and
  4. meet legislative and administrative obligations.

(3) This document should be read in conjunction with the policies listed in Section 8.

Scope

(4) The Framework applies to all University information, data and records (as defined by this Framework), excluding information generated by individuals listed below (See: Audience) as part of a program of studies or whilst attending an event. 

Audience

(5) Individuals who use, create or access University information must comply with this Framework. This includes, but is not limited to, all University staff (including those employed by a controlled entity), contractors, third party providers and affiliates who are authorised to access and use University information.

Definitions

(6) In the context of this document the following definitions apply: 

Defined Term: Meaning

Data: Set of characters or symbols to which meaning is or could be assigned (AS/NZS ISO 30300:2020 – Section 3.2.4). The Council of Australasian University Directors of Information Technology (CAUDIT) defines data as a set of facts, representing a specific concept or concepts. Value is added to data when they are combined and presented to users within a context, turning them into meaningful information to support business decisions and enable operational decisions. That is, DATA + CONTEXT = INFORMATION.

Data asset: An individual unit of data that holds value and may include files, databases, documents, websites, physical records, learning materials, web pages, videos, audio recordings, and assessment materials (ASC).

Information: Data in context with a particular meaning (AS/NZS ISO 30300:2020 – Section 3.4.7). Information is data that has been organised, or structured, or processed, in a way that it now has meaningful context and can be understood and interpreted by people or systems. Information is data that has been given significance through relational connection, analysis, or interpretation, turning it into a valuable resource. (USC)

Information domain: A concept for information sharing, independent of, and across information systems and security domains, including:
  i.   identification of information sharing participants as individual members;
  ii.  shared information objects; and
  iii. linked to a security policy that identifies the roles and privileges of the members and the protections required for the information objects (NIST).

Information Management: Planning, collection, control, distribution and exploitation of information resources within an organisation, including systems development, and disposal or long-term preservation (AS ISO 5127:2017 – Clause 3.2.1.23).

Record: Record means any document or other source of information compiled, recorded or stored in written form or on film, or by electronic process, or in any other manner or by any other means (State Records Act S.3 (1) – Definitions). A record, whether digital or physical, is a piece of information that serves as evidence of the University’s activities, decisions, and transactions. It is maintained to meet legal, regulatory, fiscal, operational, or historical requirements.

Records management: A field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition (disposal) of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records (AS ISO 15489.1:2017 – Clause 13.15). (State Records, NSW).

Senior responsible officer (SRO): The Senior Responsible Officer (SRO) is the individual within the public office who has been delegated strategic and corporate responsibility for records and information management. The SRO is usually a senior manager reporting to the Chief Executive or to the Chief Information Officer. At the University of Newcastle, the University Secretary is the SRO with a responsibility for ensuring that records and information management is in place and operating effectively to support business operations. (State Records, NSW).

State archive: State archive means a state record that Museums of History NSW has control of under the State Records Act. (State Records Act, 2.3 (1) – Definitions).

State record: State records means a record made or received by a person:
  i.   while exercising official functions in a public office, or
  ii.  for a purpose of a public office, or
  iii. for the use of a public office. (State Records Act, 1998, S.3(1) Definitions).

University information: University information refers to data, information, and records, including:
  i.   records, as defined by the State Records Act, 1998 (NSW);
  ii.  active, semi-active and archived information assets;
  iii. information assets classed as State archives;
  iv.  structured and unstructured information;
  v.   data assets (physical and digital); and
  vi.  research data hosted on-campus or externally with third party vendors.

Section 2 - Principles

(7) University information is integral to its operations and effectiveness. The principles below establish the core characteristics of information governance at the University and must be complied with, as far as reasonably possible, by all individuals who use, create or access University information.

Principle 1: Information should be business enabling, aligned to our functions and support informed decision making.

(8) Information should be designed and managed so that it directly supports the University to meet its obligations. The University strives to deliver data analyses, dashboards, reports, and visualisations for information and data-driven decision making.

Principle 2: Information must be secure, valued, and managed as an asset. 

(9) Information is a core component of the University services and operations, and must be supported and maintained as a secure, long-term business asset in accordance with approved authorities. 

(10) On behalf of the Museums of History NSW, the University is a custodian of the information about the University and our community. This information is both digital and analogue, and the University creates policies, plans and processes to realise and protect these assets.

(11) We describe and register our information assets and ensure each asset has an authorised custodian.

Principle 3: Information should be trustworthy so it can be used and reused with confidence. 

(12) Information must be accurate, authentic and trusted, allowing its ongoing use and reuse by the University and our community. 

Principle 4: Information should be high quality.

(13) Quality information is essential to meet our strategic objectives, and when appropriate, it will be used for improved service planning and delivery, and business performance insights. 

(14) The University implements innovative processes, tools, and technologies to enhance consistency, efficiency, capability, authority and quality of information. 

Principle 5: Information must be managed across the full lifecycle, protected from unauthorised use and inappropriate deletion. 

(15) Information must be appropriately managed from procurement and service design, through creation, storage and to final disposition. This includes the protection of personal, health and sensitive information, and prevention of deletion until enabled by legal destruction authorisation. 

Principle 6: Information should be available and open to the community and government. 

(16) University information should be discoverable and used by those with a legitimate need. The University promotes accessibility through appropriate access, formats, and metadata, and through interoperability as needed across systems, channels, and technologies.

(17) Information often has a lifespan longer than the technology on which it is hosted, therefore information is considered as a separate entity to technology and must be governed in accordance with its value and risk.

Principle 7: Information governance must be supported through leadership.

(18) Leaders must recognise their information management responsibilities and understand the value of information captured in University systems and activities.

(19) The University is committed to ensuring that information management is appropriately resourced and supported through strategies, policies, guidance and procedures, along with information governance education and training. 

Principle 8: Information must be captured.

(20) The capture of information in approved information management systems is essential for managing its use and access over time. Fit for purpose information storage should allow the creation of information assets to inform, implement, document, and communicate our activities and decisions, promoting the ability to work cohesively and provide accessibility.

Section 3 - Information Governance

(21) University information governance defines the roles and responsibilities, decision rights, controls, and processes used to manage University information.

Information Classification

(22) University information is grouped according to information domains based on the CAUDIT Higher Education Data Reference Model. Each information domain is assigned to an Information Domain Custodian and Information Leader (who oversees a group of domains based on organisational structures). For more information, view the Information Security Access Control Policy and Information Classification and Protection Policy.

Information Governance Committee

(23) The Information Governance Committee (IGC) provides advice and recommendations on strategy, policy and risk related matters that impact the University's information. The membership, roles and responsibilities of the IGC are codified in its Terms of Reference.

Artificial Intelligence

(24) The University has adopted several Artificial Intelligence (AI) platforms and technologies and implemented policies to support academic integrity and ethical usage in teaching and research. The University recognises the efficiencies and innovation AI offers, and these platforms and technologies are implemented in a secure and ethical manner in accordance with the Digital Technology Conditions of Use Policy. The University is committed to following the principles laid out in the National Framework for the assurance of AI in government to ensure any use we make of AI is safe and responsible.

Information Systems Governance

(25) University information is:

  1. retained in various business applications and storage systems across the University; and/or
  2. stored in both on-premises and cloud-based repositories.

(26) Digital Technology Solutions (DTS) is responsible for:

  1. managing records of business system applications, including data sensitivity and business criticality designations;
  2. determining data sensitivity and business criticality designations through a structured process in collaboration with system owners and in accordance with the Information Classification and Protection Policy and Business Continuity Management Framework;
  3. maintaining records of system owners and information service providers;
  4. assessing and reviewing new applications and systems during the design stage and prior to deployment to ensure appropriate security considerations have been included in accordance with the DTS Digital Governance Framework. 

(27) Records Governance Services is responsible for:

  1. maintaining a Record and Information Asset Register (in consultation with DTS). 

Risk Mitigation

(28) Consideration of risk is a key component underlying this Framework. University information is subject to internal and external audits to:

  1. assess integrity and performance of specific information management processes, services or environments; and 
  2. monitor adherence to mandatory legislative obligations including information creation and retention, information access, or privacy protections for personal information and health information.

(29) The major risks for the University's information assets are identified in the Record and Information Asset Register.

(30) The following operational measures also serve as risk mitigation strategies:

  1. Information Governance Committee.
  2. Records Governance Services business responsibilities for the University records management program, including the Business System Recordkeeping Assessment Checklist used as a validation tool to assess all new business systems and review existing systems. 
  3. Assurance activities and annual reporting surveys to ensure the University is accountable and meeting its information requirements.
  4. Cyber security controls aligned with the NIST Cyber Security Framework (CSF). 
  5. Business Continuity planning / testing.

Section 4 - Information Management

Information Lifecycle Management 

(31) Management of University information drives improvements in performance and infrastructure costs and influences how the University manages information. For all University information, the lifecycle management process should include the following phases, commensurate with the value of the University information:

  1. Plan and design: University information management should be carefully planned, with management activities designed to meet University needs and compliance requirements throughout the lifecycle.
  2. Create, capture and classify: University information may be obtained through several means including manual data entry and automatic capture via devices or systems. At the time information is acquired, key metadata should be recorded, including the information security classification.
  3. Store and secure: University information must be stored appropriately, with consideration given to security and access management.
  4. Manage and maintain: University information management is an active process. Information should be managed to maintain its integrity, quality and usability.
  5. Share and (re)use: Sharing and re-use of University information requires oversight to ensure it is ethical and compliant with University policies and legislative requirements. Information should be discoverable to streamline sharing and re-use for appropriate activities.
  6. Retain and archive: University information should be retained while required and archived in line with any relevant record retention periods.
  7. Dispose or destroy: University information should be destroyed in an appropriate manner at the end of its useful life, ensuring that records are destroyed (or transferred to the appropriate owner) in line with Records Governance Policy.

Section 5 - Roles and Responsibilities

(32) The Vice-Chancellor has University-wide authority and accountability under legislation for the compliant collection and management of the University's information and may sub-delegate these responsibilities to other roles in accordance with the Governance Rule.

(33) The Chief Digital & Information Officer (CDIO) is responsible for the management of the technical and specialist teams relevant to information governance and for oversight of the infrastructure framework for the management of information and the University's IT Security Programs.

(34) The University Secretary is the Senior Responsible Officer (SRO) under the State Records Act 1998.

(35) Individuals, as defined in Audience of this Framework and as it relates to information that they create, manage or use, are responsible for:

  1. fulfilling the responsibilities as an information owner, system owner and/or system administrator as dictated by University policy;
  2. controlling and safeguarding University information;
  3. ensuring quality and integrity of information by embedding information governance and compliance processes into daily operations and systems;
  4. capturing or creating University information; and
  5. selecting the best source of information to meet a specific use-case and defining criteria of what makes information fit for purpose.

(36) The Senior Manager, Digital Governance (DTS) is responsible for data governance as codified in the Data Governance Policy.

(37) Records Governance Services responsibilities are codified in the Records Governance Policy.

(38) The Privacy and Rights to Information Manager responsibilities are codified in the Privacy Management Plan and the Privacy Policy.

Governance and Management Committees:

(39) The University's governance includes Council, Risk Committee, Academic Senate and its committees. The Vice-Chancellor maintains the Executive Leadership Team as an advisory body on matters of strategy and operations. 

(40) The Chief Operating Officer maintains various committees supporting digital technology services and library services.   

Section 6 - Compliance Requirements

(41) Compliance with this Framework is important in protecting the University's information. Breaches may be reported via the University Breach Register. Non-compliance may result in proceedings in accordance with an employment contract, Enterprise Agreement or the Staff Code of Conduct.

Section 7 - References

(42) The following information sources have been referenced in developing this Framework:

  1. Australian National Audit Office – Audit Lessons Insights – Records Management (2025).
  2. Australian Government Office of the National Data Commissioner – The Foundational Four.
  3. NSW Information Management Framework.
  4. University of Newcastle Act, 1989.
  5. State Records Act, 1998.
  6. National Archives of Australia – Information and Data Governance Framework (2024).

Section 8 - Supporting Documents

(43) Art & Special Collections Management Framework

(44) Copyright Compliance Policy

(45) Complaint Management Procedure

(46) Cyber Security Incident Management Procedure

(47) Data Breach Policy (Personal and Health Information)

(48) Data Governance Policy

(49) Digital Security Policy

(50) Information Classification and Protection Policy

(51) Information Security Access Control Policy

(52) Privacy Policy

(53) Privacy Management Plan

(54) Records Governance Policy

(55) Responsible Conduct of Research Policy

(56) Research Data and Primary Materials Management Procedure