Information and Records Management Procedure

This is the current version of this document.

Section 1 - Preamble

(1) This Procedure was approved by the Vice-Chancellor on 4 June 2010 and incorporates all amendments to 27 October 2014.

(2) This Procedure is pursuant to the Information and Records Management Policy.

Section 2 - Purpose

(3) The Procedure documents requirements for the control of university data and information.

Section 3 - Scope

(4) This Procedure applies to all University Data, Information and Records, whether received, created, maintained, copied, disseminated or disposed of by the University in the course of its operations.

Section 4 - Policy

(5) Refer to the Information and Records Management Policy.

Section 5 - Procedure

Information classification

(6) The Records Unit, in collaboration with other organisational areas of the University as required, will facilitate awareness and training activities for staff members in relation to information and records management, including information classification and recordkeeping requirements.

(7) Information owners will implement information and records management practices for their organisational area, including determining appropriate information classification.

(8) Managers will ensure that their staff members, including consultants and contractors, are aware of and educated about information and records management, including the information classification and recordkeeping requirements appropriate to their role.

(9) Staff members will undertake the information classification and recordkeeping requirements required by their role, to preserve the confidentiality, integrity and availability of information, and will not damage, conceal or give unauthorised access to information.

(10) If classification of information is unclear, the information must be protected in a manner consistent with the more secure of the possible classification levels until the information owner can apply the correct classification, which must be done within 20 working days of creation or receipt.

(11) Unless otherwise stated, all externally provided information that is not clearly in the public domain should be restricted to access by staff members only.

Information storage

(12) All confidential, personal and proprietary Information will be stored, in the first instance, in primary storage devices.

(13) Where there is a clear business requirement, copies of confidential, personal and proprietary information may be temporarily stored on portable storage devices administered by the University, but only where the storage device is physically secured to prevent unauthorised access and, if electronic, the files containing the Information are password protected.

(14) Where there is a clear business requirement to have copies of confidential, personal or proprietary Information on devices provided by an external service provider, staff members will submit requests to the Chief Operating Officer or nominee, who will determine whether to approve the request.

(15) All data and information held electronically will be stored and secured according to technology standards defined by the Chief Digital Officer.

Access

(16) The head of the organisational area that is responsible for devices or applications in which information is managed or stored will ensure that access to those devices or applications is given on a needs basis and that access rights are reviewed at least annually.

Disposal

(17) Staff members of the University will not dispose of a record except:

  1. in accordance with the retention schedule, and
  2. with the prior approval of the Records Unit.

(18) Staff members of the University will not destroy information where the information:

  1. is, or is reasonably likely to be, required in evidence in a legal proceeding, or
  2. is the subject of a request for access received by the University under the Freedom of Information Act 1982 (Vic).

Archives

(19) The Records Unit will assess and manage records judged to be of archival value or requiring long-term storage and preservation.

Breaches

(20) All members of the University should immediately report any suspected or perceived breach of the Information and Records Management Policy, Procedure or Guidelines, or associated legislation, to the head of the relevant organisational area in the first instance, or as appropriate under other legislative and policy provisions.

(21) Breaches will be investigated, and disciplinary action will be taken as appropriate.

Section 6 - Definitions

(22) For the purpose of this Procedure:

  1. Data: as defined in the Information and Records Management Policy.
  2. Information: as defined in the Information and Records Management Policy.
  3. Information Owner: as defined in the Information and Records Management Policy.
  4. Portable Storage Device: any device that is small, lightweight and capable of storing data and information, including but not limited to CDs, DVDs, floppy discs, removable hard drives, USB flash drives and memory sticks, laptops, tablet computers, PDAs, mobile phones, iPods and MP3 players, and other devices.
  5. Primary Storage Device: any device which is capable of storing data and information and which is a fixed storage device owned and administered by the University.
  6. Record: as defined in the Information and Records Management Policy.