
Data Governance Policy

Section 1 - Executive Summary

(1) Data comprises the strategic assets of the University of Newcastle (University) because it supports the University's operations, compliance, reporting and decision making.

(2) For data to remain useful to the University, it must be handled in a manner that preserves its quality, security and reliability.

(3) All users of the University's data have a role in preserving the quality, security and reliability of University data in line with this Policy.

Section 2 - Purpose

(4) The purpose of this Policy is to:

  1. establish roles and responsibilities for data governance;
  2. establish the principles for University data governance; and
  3. define standards for the quality, security and reliability of University data.

Section 3 - Scope

(5) This Policy applies to all University data regardless of its format and including oral data, physical data and electronic data.

(6) This Policy must be applied at all times when engaged in University business or otherwise representing the University.

(7) This Policy is supported by and must be read in conjunction with the following documents:

  1. Information Management and Governance Framework;
  2. Records Governance Policy;
  3. Privacy Policy;
  4. Privacy Management Plan;
  5. Data Breach Policy (Personal and Health Information);
  6. Information Classification and Protection Policy;
  7. Information Security Access Control Policy;
  8. Digital Technology Conditions of Use Policy;
  9. Digital Security Policy;
  10. Learning Analytics Policy and Learning Analytics Procedure; and
  11. research policies including, but not limited to, Responsible Conduct of Research Policy and Research Data and Primary Materials Management Procedure.

(8) Data may constitute a record, as defined by the State Records Act. In such cases, the data, as a record, is subject to the requirements of the Records Governance Policy in addition to this Policy.

(9) This Policy does not apply to the University's controlled entities.

Section 4 - Audience

(10) This Policy should be read and understood by all University staff and students; University volunteers, contractors and vendors; and members of advisory and governing bodies, in all campuses and locations of the University.

Section 5 - Definitions

(11) In the context of this document, the following definitions apply:

  1. “Data” means a set of characters or symbols to which meaning is or could be assigned (AS/NZS ISO 30300:2020 – Section 3.2.4). The Council of Australasian University Directors of Information Technology (CAUDIT) defines data as a set of facts, representing a specific concept or concepts. Value is added to data when they are combined and presented to users within a context, turning them into meaningful information to support business decisions and enable operational decisions. That is, DATA + CONTEXT = INFORMATION;
  2. “Data domain” means a logical grouping of related data elements that represent a specific business function or subject area within the University. Examples include student data, human resources data, finance data and research data. The University has adopted the CAUDIT Data Reference Model to define data domains;
  3. “Data Owner” means a senior business, College, or unit manager who assumes responsibility for data within a specific data domain or dataset;
  4. “Data Steward” means an individual responsible for managing the quality, integrity, and compliance of data within a specific data domain or dataset;
  5. “Electronic data” means data created, processed, stored or transmitted in digital form. This includes structured data (for example, databases), unstructured data (for example, documents or emails), and multimedia files;
  6. “Oral data” means spoken data captured during University activities, such as interviews, lectures, meetings, or focus groups. When recorded (for example, audio or video), oral data becomes a digital asset and is subject to governance requirements for storage, classification and access;
  7. “Physical data” means data represented in a tangible, non-digital format, such as printed documents, handwritten notes, or other hard copy materials;
  8. “Record” means any document or other source of information compiled, recorded or stored in written form or on file, or by electronic process, or in any other manner or by any other means (State Records Act S.3(1) – Definitions). A record, whether digital or physical, is a piece of information that serves as evidence of the University's activities, decisions, and transactions. It is maintained to meet legal, regulatory, fiscal, operational, or historical requirements. Under the Government Information (Public Access) Act 2009 at Schedule 4, S.10 a record means any document or other source of information compiled, recorded or stored in written form or by electronic process, or in any other manner or by any other means. A reference in this Act includes a reference to a copy of the record;
  9. “University data” means oral, physical or electronic data that is created, processed, stored, or communicated by the University.

Section 6 - Roles and Responsibilities

(12) All users of University data are responsible for:

  1. applying this policy to the data they collect, use and manage on behalf of the University, regardless of location, device or technology used;
  2. complying with related policies including but not limited to the Data Breach Policy (Personal and Health Information) and Information Management and Governance Framework;
  3. immediately reporting suspected or actual compromise of technologies used to store, process or communicate data to the Cyber Security team. This includes issues or incidents with artificial intelligence (AI) and AI-driven data;
  4. reporting data quality issues to the relevant Data Stewards (see Table 1 for roles and responsibilities).

(13) Specialist data governance responsibilities are provided in Table 1.

Table 1 – Specialist Data Governance Responsibilities

| Role | Responsibility |
| --- | --- |
| Chief Digital & Information Officer (CDIO) | The CDIO is responsible for this policy and oversees the implementation of it across the University. The CDIO is also responsible for data governance practices within Digital Technology Solutions (DTS). |
| Digital Governance team | The Digital Governance team within DTS is responsible for development, implementation, and maintenance of data governance policies, frameworks and procedures. The team provides subject matter expertise for all University data governance matters. The team maintains the data governance portal, data governance tooling, and develops and implements training resources. The Digital Governance team identifies Data Owners for assignment to data domains, and provides training for Data Owners where required. |
| Data Owners | Data Owners are responsible for data within their assigned data domain (e.g. HR, student data). This includes appropriate data collection and use, access, quality and security. Data Owners are endorsed by the Data Governance Committee. |
| Data Stewards | Data Stewards are responsible for the management of data quality, defining metadata, and implementing the Standards for Data Management (see Section 8) for their assigned data sets. Data Stewards are responsible for conducting regular reviews of data quality and data protections. Data Stewards are identified by Data Owners or System Owners. |
| Data Governance Committee | The Data Governance Committee monitors and guides the implementation of the University's Data Governance Policy. It provides a formal, enterprise-wide governance body that ensures the University's information and data assets are standardised, and are managed responsibly, securely and strategically, aligning with institutional goals and maintaining regulatory compliance. |

Section 7 - Data Governance Principles

(14) The University upholds the following data governance principles.

(15) Data:

  1. can be routinely created and captured as part of normal business practice;
  2. must be managed in accordance with legal and business requirements, and so that it can be shared as a reliable and trustworthy asset;
  3. should be identifiable, retrievable and accessible;
  4. must be protected from unauthorised or unlawful access, destruction, loss, deletion or alteration;
  5. must be kept for as long as needed for business, legal and accountability requirements;
  6. should be systematically and accountably destroyed when legally appropriate to do so.

Section 8 - Standards for Data Management

(16) At a minimum, the following requirements apply to the use of University data.

Ownership

(17) All University data must have a Data Owner assigned.

Classification and Protection

(18) Data must be classified according to the Information Classification and Protection Policy, State Records Act and its standards, where relevant.

(19) University data must be stored in systems and storage locations approved in accordance with the Digital Security Policy.

(20) Where data contains personal information or sensitive information, data sovereignty requirements must be met, ensuring that University data is stored and processed within jurisdictions that comply with the applicable national and international laws and the University's Privacy Management Plan.

(21) Data must be protected using security controls appropriate to the classification level in accordance with the Information Classification and Protection Policy.

Access

(22) Access to data should only be provided for authorised purposes and to authorised individuals, systems, and services in accordance with the Information Security Access Control Policy. Granting of access to a particular data domain is the responsibility of the designated Data Owner.

(23) Decisions to grant internal access to data must be documented and auditable, and supported by appropriate mechanisms such as data access agreements or user access approvals. This requirement applies specifically to data accessed for purposes such as system integrations, application workflows, and business intelligence or analytics reporting. This clause does not apply to platform-native sharing capabilities (for example, within SharePoint or Teams) or to ad-hoc distribution methods such as email, which are governed by separate policies and controls. Note: A staff member may have access to data by virtue of access granted by a System Owner.

(24) Data access agreement guidance can be provided by the Digital Governance team.

(25) University data must not be shared with external parties unless in accordance with a legally binding agreement that is approved by an authorised delegate and stipulates conditions for use, handling and protection.

Cataloguing and Consistency

(26) Data assets should be catalogued for visibility and discovery.

(27) Data assets should have consistent definitions.

(28) Data should not be duplicated across systems, platforms, devices and storage locations unless required for business reasons.

Legal and Ethical Compliance

(29) Data must be handled in accordance with relevant University policies and applicable national and international laws.

(30) Data collection, use, handling and transformation should be ethical in all contexts and free from bias wherever possible.

Data Quality and Lifecycle Management

(31) Data must be maintained throughout its lifecycle, which spans collection, storage, access, usage, archiving, and disposal.

(32) Data quality standards are defined and reflect the value, purpose and usage of data.

(33) Data must be subject to regular quality reviews.

Emerging Technologies and Artificial Intelligence (AI)

(34) The use of University data in emerging technologies and AI must be in accordance with relevant University policies and procedures and applicable laws.

(35) Any application of AI-powered systems for the management of data must include documentation of methodologies and auditability features.

User Awareness

(36) Staff should be provided with regular data management training to support awareness of data governance policies and procedures.

Section 9 - Enforcement

(37) Non-compliance with the provisions of this Policy may result in action under the University's policies, delegations, Staff Code of Conduct, Student Code of Conduct or the relevant enterprise agreement/employment contract, and may also result in referral to a statutory authority and/or agency.

Section 10 - Relaxing Provision

(38) To provide for exceptional circumstances in any case, the Chief Digital & Information Officer may relax any provision of this policy, provided that the relaxation:

  1. does not compromise compliance with external obligations (including but not limited to contractual, legislative, or accreditation requirements);
  2. does not override a decision made under a formal delegation of authority; and
  3. does not replace a decision that is subject to a formal delegation of authority.

(39) A relaxation may be requested in writing to the Digital Governance team and will be assessed based on the potential business impact, the security risk that the proposed relaxation may pose, and any compensating controls that may be implemented in relation to the relaxation.