Information Governance and Management Framework

Section 1 - About this Document

Executive Summary

(1) The Information Governance and Management Framework (the Framework, this Framework) establishes the University of Newcastle’s (the University) overarching approach to governance and management of University information, including data and records.

Purpose

(2) The Framework defines the University's information governance and management roles, authorities, and structures to describe our approach to information management to meet current and future organisational needs and regulatory requirements. It includes all the University's information, including data and all files and records to:

  1. support strategic objectives;
  2. ensure University information is protected and preserved;
  3. enable effective, ethical and secure use of University information; and
  4. meet legislative and administrative obligations.

(3) This document should be read in conjunction with the policies listed in Section 8.

Scope

(4) The Framework applies to all University information, data and records (as defined by this Framework), regardless of format and location created, but excluding information generated as part of a program of studies or whilst attending an event by individuals listed in the Audience.

Audience

(5) Individuals who use, create or access University information must comply with this Framework. This includes, but is not limited to, all University staff, controlled entity staff, contractors, third party providers and affiliates who are authorised to access and use University information.

Definitions

(6) In the context of this document the following definitions apply: 

Defined Term: Meaning

Data: A set of characters or symbols to which meaning is or could be assigned (AS/NZS ISO 30300:2020 – Section 3.2.4). The Council of Australasian University Directors of Information Technology (CAUDIT) defines data as a set of facts, representing a specific concept or concepts. Value is added to data when they are combined and presented to users within a context, turning them into meaningful information to support business decisions and enable operational decisions. That is, DATA + CONTEXT = INFORMATION.

Information: Data in context with a particular meaning is referred to as information. Data as information will be organised, or structured, or processed, in a way that gives it meaningful context and can be understood and interpreted by people or systems. (Source: AS/NZS ISO 30300:2020 – Section 3.4.7). Information is given significance through relational connection, analysis, or interpretation, turning it into a valuable resource. For example:
  i.   all information collected, used or generated during research including published and unpublished research data, research materials, master data, reference data, metadata, and records;
  ii.  information resources;
  iii. artificial intelligence systems and tools;
  iv.  information created by controlled entities. (Source – University of Southern Cross)

Information domain: A concept for information sharing, independent of, and across information systems and security domains, including:
  i.   identification of information sharing participants as individual members;
  ii.  shared information objects; and
  iii. linked to a security policy that identifies the roles and privileges of the members and the protections required for the information objects (Source: NIST).

Information Management: Planning, collection, control, distribution and exploitation of information resources within an organisation, including systems development, and disposal or long-term preservation (Source: AS ISO 5127:2017 – Clause 3.2.1.23).

Metadata: To be considered authoritative, information, records and data must include specific metadata (data about the data) that describes:
  Content – what the records contain;
  Structure – the format and layout of the records;
  Business Context – the circumstances under which the records were created, received and used;
  Relationships – how the records relate to other records and information;
  Actions and events – the business activities connected to the records;
  Retrieval information – data needed to find and present the records.
  This metadata needs to be stored in systems and updated whenever changes occur to keep the information and records accurate over time. (Source: State Records NSW)

Record: Record means any document or other source of information compiled, recorded or stored in written form or on film, or by electronic process, or in any other manner or by any other means (State Records Act S.3 (1) – Definitions).
  A record, whether digital or physical, is a piece of information that serves as evidence of the University's activities, decisions, and transactions. It is maintained to meet legal, regulatory, fiscal, operational, or historical requirements.
  Under the Government Information (Public Access) Act 2009 at Schedule 4, S.10 a record means any document or other source of information compiled, recorded or stored in written form or by electronic process, or in any other manner or by any other means. A reference in this Act includes a reference to a copy of the record.

Records management: A field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition (disposal) of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records. (Source: AS ISO 15489.1:2017 – Clause 13.15l; State Records, NSW)

Senior responsible officer (SRO): The Senior Responsible Officer (SRO) is the individual within the University who has been delegated strategic and corporate responsibility for records and information management. At the University of Newcastle, the University Secretary is the SRO with a responsibility for ensuring that records and information management is in place and operating effectively to support business operations. (Source: State Records, NSW).

State archive: State archive means a state record that Museums of History NSW has control of under the State Records Act. (State Records Act, 2.3 (1) – Definitions).

State record: State record means a record made or received by a person:
  i.   while exercising official functions in a public office, or
  ii.  for a purpose of a public office, or
  iii. for the use of a public office. (State Records Act, 1998, S.3(1) Definitions).

University information: University information refers to data, information, and records, including:
  i.   records, as defined by the State Records Act, 1998 (NSW);
  ii.  active, semi-active and archived information assets;
  iii. information assets classed as State archives;
  iv.  structured and unstructured information;
  v.   physical and digital data; and
  vi.  research data hosted on-campus or externally with third party vendors.

Section 2 - Principles

(7) University information is integral to its operations and effectiveness. The below principles establish the core characteristics of information governance at the University and must be complied with, as far as reasonably possible, by all individuals who use, create or access University information.

Principle 1: Information should be business enabling, aligned to our functions and support informed decision making.

(8) Information should be designed and managed so that it directly supports the University to meet its objectives and obligations. The University strives to deliver data analyses, dashboards, reports, and visualisations for information and data-driven decision making.

Principle 2: Information must be secure, valued, and managed as an asset. 

(9) Information is a core component of the University services and operations, and must be supported and maintained as a secure, long-term business asset in accordance with approved authorities. 

(10) On behalf of the Museums of History NSW, the University is a custodian of information about the University and our community. This information is both digital and analogue, and the University creates policies, plans and processes to realise and protect these assets.

(11) We describe and register our information assets and ensure each asset has an authorised custodian.

Principle 3: Information should be high quality.

(12) Quality information is essential to meet our strategic objectives, and when appropriate, it will be used for improved service planning and delivery, and business performance insights. 

(13) The University implements innovative processes, tools, and technologies to enhance consistency, efficiency, capability, authority and quality of information. 

Principle 4: Information should be trustworthy so it can be used and reused with confidence. 

(14) In addition to privacy legislation obligations, information must be accurate, authentic and trusted, allowing its appropriate and authorised use and reuse by the University and our community, ensuring compliance with the Privacy Policy and Privacy Management Plan, and the AIATSIS Code of Ethics for Aboriginal and Torres Strait Islander Research, where relevant.

Principle 5: Information must be captured.

(15) The capture of information in approved information management systems is essential for managing its use and access over time. Fit for purpose information storage should allow the creation of information assets and associated metadata to inform, implement, document, and communicate our activities and decisions, promoting the ability to work cohesively and provide accessibility.

Principle 6: Information must be managed across the full lifecycle, protected from unauthorised use, disclosure, and inappropriate deletion. 

(16) Information must be appropriately managed from procurement and service design, through creation, storage and to final disposition. This includes the protection of personal information, health information and sensitive information, and the prevention of deletion until enabled through compliant destruction authorisation. 

Principle 7: Information should be available and open to the community and government. 

(17) University information should be discoverable and used by those with a legitimate need. The University promotes accessibility through appropriate access, formats, and metadata, and through interoperability as needed across systems, channels, and technologies.

(18) Information often has a lifespan longer than the technology on which it is hosted, therefore information is considered as a separate entity to technology and must be governed in accordance with its value and risk.

Principle 8: Information governance must be supported through leadership.

(19) Leaders must recognise their information management responsibilities and understand the value of information captured in University systems and activities.

(20) The University is committed to ensuring that information management is appropriately resourced and supported through strategies, policies, guidance and procedures, along with information governance education and training. 


Section 3 - Information Governance

(21) University information governance defines the roles and responsibilities, decision rights, controls, and processes used to manage University information.

Information Classification

(22) University information is classified to acknowledge the associated risks and to determine appropriate controls. For more information, view the Information Security Access Control Policy and Information Classification and Protection Policy.

(23) University data is grouped according to information domains based on the CAUDIT Higher Education Data Reference Model. Each domain is assigned to a data owner, who is responsible for ensuring appropriate access, quality, and use of the data. 

Information Governance Committee

(24) The Information and Data Governance Committee (IDGC) provides advice and recommendations for strategy, policy and risk related matters that impact on the University's Information. The membership, roles and responsibilities of the IDGC are codified in its Terms of Reference.

Artificial Intelligence

(25) The University may adopt Artificial Intelligence (AI) platforms and technologies and implement relevant policies to support academic and research integrity and ethical AI use. The University recognises the efficiencies and innovation AI offers and implements AI opportunities in accordance with the University's strategic direction, risk appetite, Digital Security Policy and the Digital Technology Conditions of Use Policy.

(26) The University is committed to following the principles laid out in the National Framework for the assurance of AI in government to ensure any use we make of AI is safe and responsible. 

(27) For more information, view the Policy on the Use of Generative AI in Teaching, Learning and Assessment and Generative AI in Research Guideline.

Information Systems Governance

(28) University information is:

  1. retained in various business applications and storage systems across the University; and/or
  2. stored in both on-premises and cloud based repositories. 

(29) Digital Technology Solutions (DTS) is responsible for:

  1. managing records of business system applications, including data sensitivity and business criticality designations;
  2. determining data sensitivity and business criticality designations through a structured process in collaboration with the Senior Responsible Officer (SRO) and system owners and in accordance with the Information Classification and Protection Policy and Business Continuity Management Framework;
  3. maintaining records of system owners and information service providers;
  4. assessing and reviewing new applications and systems during the design stage and prior to deployment to ensure appropriate security and compliance considerations have been included in accordance with the DTS digital governance framework. 

(30) Records Governance Services will support DTS in the creation and maintenance of a Record and Information Asset Register.

Risk Mitigation

(31) Consideration of risk is a key component underlying this Framework. University information is subject to internal and external audits to:

  1. assess integrity and performance of specific information management processes, services or environments; and 
  2. monitor adherence to mandatory legislative obligations including information creation and retention, information access and copyright, or privacy protections for personal information and health information.

(32) The major risks for the University's information assets are identified in the Record and Information Asset Register.

(33) The following operational measures also serve as risk mitigation strategies:

  1. functions of the Information and Data Governance Committee (IDGC) as outlined in its Terms of Reference;
  2. assurance activities and annual reporting surveys to ensure the University is accountable and meeting its information requirements;
  3. cyber security controls aligned with the NIST Cyber Security Framework (CSF) and specified in the Digital Security Policy;
  4. privacy impact assessments as specified in the Privacy Management Plan;
  5. business continuity planning / testing as specified in the Business Continuity Management Framework;
  6. compliance with the University records management program as specified in the Records Governance Policy; and
  7. relevant policies and procedures that serve to mitigate risks to information assets, as listed in this Framework.

Section 4 - Information Management

Information Lifecycle Management 

(34) Management of University information drives improvements in performance and infrastructure costs and influences how the University manages information. For all University information, the lifecycle management process should include the following phases, commensurate with the value of the University information:

  1. Plan and design: University information management should be carefully planned, with management activities designed to meet University needs and compliance requirements throughout the lifecycle.
  2. Create, capture and classify: University information may be obtained through several means including manual data entry and automatic capture via devices or systems. At the time information is acquired, key metadata should be recorded, including the information security classification.
  3. Store and secure: University information must be stored appropriately, with consideration given to security and access management.
  4. Manage and maintain: University information management is an active process. Information should be managed to maintain its integrity, quality and usability. This includes responsibility for Information Owners to ensure additional procedures are in place for:
    1. research data – ensuring that the management of research data complies, where required, with:
      1. the University's research ethics approval processes as required under the Responsible Conduct of Research Policy;
      2. Privacy Management Plan;
      3. relevant codes and guidelines including but not limited to the Australian Code for the Responsible Conduct of Research; and
      4. third-party agreements.
    2. Aboriginal and Torres Strait Islander people’s data – ensuring compliance with the AIATSIS Code of Ethics for Aboriginal and Torres Strait Islander Research;
    3. personal information and/or health information – ensuring compliance with the University's Privacy Management Plan, Privacy Policy, Data Breach (Personal and Health Information) Policy and Agency Information Guide.
  5. Share and (re)use: Sharing and re-use of University information requires oversight to ensure it is ethical and compliant with University policies and legislative requirements. This means that information should be discoverable to streamline sharing and re-use for appropriate activities, excluding personal information and health information that must only be used and shared for the purposes disclosed at collection or where an exemption applies.
  6. Retain and archive: University information must be retained and archived in line with the relevant record retention periods.
  7. Dispose or destroy: University information must be destroyed in an appropriate manner at the end of its useful life, ensuring that records are destroyed (or transferred to the appropriate owner) in line with Records Governance Policy.

Section 5 - Roles and Responsibilities

(35) The Vice-Chancellor has University-wide authority and accountability under legislation for the compliant collection and management of the University's information and may sub-delegate these responsibilities to other roles in accordance with the Governance Rule.

(36) The Chief Digital & Information Officer (CDIO) is responsible for the management of the technical and specialist teams relevant to information governance and for oversight of the infrastructure framework for the management of information, as well as the University's cybersecurity programs.

(37) The University Secretary is the Senior Responsible Officer (SRO) under the State Records Act 1998.

(38) Individuals, as defined in Audience of this Framework and as it relates to information that they create, manage or use, are responsible for:

  1. fulfilling the responsibilities as an information owner, system owner and/or system administrator as dictated by University policy including this Framework;
  2. controlling and safeguarding University information;
  3. ensuring quality and integrity of information by embedding information governance and compliance processes into daily operations and systems;
  4. capturing or creating University information; and
  5. selecting the best source of information to meet a specific use-case and defining the criteria to determine what makes information fit for purpose.

(39) The Senior Manager, Digital Governance (DTS) is responsible for developing and operationalising the University's approach to data governance.

(40) Records Governance Services responsibilities are codified in the Records Governance Policy.

(41) The Privacy and Rights to Information Manager responsibilities are codified in the Privacy Management Plan, Data Breach (Personal and Health Information) Policy, the Privacy Policy and the Agency Information Guide.

Governance and Management Committees:

(42) The University's governance includes Council, Risk Committee, Academic Senate and its committees. The Vice-Chancellor maintains the Executive Leadership Team as an advisory body on matters of strategy and operations. 

(43) The Chief Operating Officer maintains various committees supporting digital technology services and library services.   


Section 6 - Compliance Requirements

(44) Compliance with this Framework is important in protecting the University's information. Breaches may be reported via the University Breach Register.  Non-compliance may result in proceedings in accordance with an employment contract, or Enterprise Agreement or the Staff Code of Conduct.


Section 7 - References

(45) The following information sources have been referenced in developing this Framework:

  1. Australian National Audit Office – Audit Lessons Insights – Records Management (2025);
  2. Australian Government Office of the National Data Commissioner – The Foundational Four;
  3. NSW Information Management Framework;
  4. University of Newcastle Act, 1989;
  5. State Records Act, 1998;
  6. National Archives of Australia – Information and Data Governance Framework (2024); and
  7. other agencies, including CAUDIT.

Section 8 - Supporting Documents

(46) Agency Information Guide

(47) Art & Special Collections Management Framework

(48) Copyright Compliance Policy

(49) Complaint Management Policy

(50) Complaint Management Procedure

(51) Cyber Security Incident Management Procedure

(52) Data Breach Policy (Personal and Health Information)

(53) Digital Security Policy

(54) Information Classification and Protection Policy

(55) Information Security Access Control Policy

(56) Intellectual Property Policy and Intellectual Property Procedure

(57) Privacy Policy

(58) Privacy Management Plan

(59) Records Governance Policy

(60) Responsible Conduct of Research Policy

(61) Research Data and Primary Materials Management Procedure