Information and Records Management procedure

This is the current version of this document.

Section 1 - Preamble

(1) This Procedure is effective from 4 June 2018.

Section 2 - Purpose

(2) This Procedure documents requirements for the control of University data and information.

Section 3 - Scope

(3) This Procedure applies to all University data, information and records, whether received, created, maintained, copied, disseminated or disposed of by the University in the course of its operations.

Section 4 - Policy

(4) This Procedure is pursuant to the Information and Records Management policy.

Section 5 - Procedure

Information Management Framework

(5) The Information and Records Services Team, in collaboration with other organisational units of the University as required, will facilitate awareness and training activities for staff in relation to information and records management, including information classification and recordkeeping requirements.

(6) Information Owners will implement information and records management practices for their organisational unit, including determining appropriate information classification.

(7) Managers will ensure that their staff members, including consultants and contractors, are aware of and educated about information and records management, including the information classification and recordkeeping requirements appropriate to their role. (Refer to the Information and Records Services website for further information.)

Information classification

(8) Staff will undertake the information classification and recordkeeping requirements required by their role, to preserve the confidentiality, integrity and availability of information, and will not damage, conceal or give unauthorised access to information.

(9) If classification of information is unclear, the information must be protected in a manner consistent with the more secure of the possible classification levels until the information owner can apply the correct classification, which must be done within 20 working days of creation or receipt.

(10) Unless otherwise stated, all externally provided information that is not clearly in the public domain should be restricted to access by staff only.

Information storage

(11) All confidential, personal and proprietary Information will be stored, in the first instance, in primary storage devices.

(12) Where there is a clear business requirement, copies of confidential, personal and proprietary information may be temporarily stored on portable storage devices administered by the University, but only where the storage device is physically secured to prevent unauthorised access and, if electronic, the files containing the Information are password protected.

(13) Where there is a clear business requirement to have copies of confidential, personal or proprietary Information on devices provided by an external service provider, staff will submit requests to the University Information Manager or nominee as stated in the Data Use Agreement and/or Privacy Impact assessments, who will determine whether to approve the request.

(14) All data and information held electronically will be stored and secured according to technology standards defined by the Chief Digital Officer.

Access

(15) The Head of Organisational Unit that is responsible for devices or applications in which information is managed or stored will ensure that access to those devices or applications is given on a needs basis and that access rights are reviewed at least annually.

Disposal

(16) Staff will not dispose of a record except:

  1. in accordance with the Deakin University Retention and Disposal Authority, and
  2. with the prior approval of the Information and Records Services Team.

(17) Staff will not destroy information where the information:

  1. is, or is reasonably likely to be, required in evidence in a legal proceeding, or
  2. is the subject of a request for access received by the University under the Freedom of Information Act 1982 (Vic).

Archives

(18) The Information and Records Services Team will assess and manage records judged to be of archival value or requiring long-term storage and preservation.

Breaches

(19) All members of the University should immediately report any suspected or perceived breach of the Information and Records Management policy, Procedure or Guidelines, or associated legislation, to their relevant Head of Organisational Unit in the first instance, the University Information Manager or as appropriate under other legislative and policy provisions.

(20) Breaches will be investigated, and disciplinary action will be taken as appropriate.

Section 6 - Definitions

(21) For the purpose of this Procedure:

  1. data: as defined in the Information and Records Management policy.
  2. information: as defined in the Information and Records Management policy.
  3. Information Owner: as defined in the Information and Records Management policy.
  4. portable storage device: any device that is small, lightweight and capable of storing data and information, including but not limited to CDs, DVDs, floppy discs, removable hard drives, USB flash drives and memory sticks, laptops, tablet computers, PDAs, mobile phones, iPods and MP3 players, and other devices.
  5. primary storage device: any device which is capable of storing data and information and which is a fixed storage device owned and administered by the University.
  6. record: as defined in the Information and Records Management policy.