3-Level Defence and Implementation

Table of Contents

The 3-Level Defence



3-Level Defence and Implementation

Governance Organization


The oversight body

  • Information Technology Policy Committee (ITPC)

Established by Council, the oversight body to ensure the well-coordinated governance, including information security and data management for the purpose of this Policy.

The 3rd level of defence

  • Internal Audit Office

The 2nd level of defence

  • University Data Protection Officer
  • Data and Security Team of IT Services
  • Task Force on Management of Research Data and Records

The 1st level of defence

  • Data Owner

The head of an administration office / faculty / department / school / centre or the Principal / Chief Investigator of a research programme or project (“unit”) who is the decision maker with respect to data collected and/or used in conducting the unit’s business. He or she has decision-making authority over any data collected and/or usedby the unit.

  • Data Steward

Any appropriate individual assigned by a Data Owner to facilitate the interpretation and implementation of data and information security policies, standards and guidelines.

  • Data Custodian

Organisational functions (e.g., Human Resources Section) or individuals (e.g., staff,student, contractors, third party users) that are entrusted to operate on university data/information on a need basis as part of their assigned functions or employment orcontractual duties.

  • Data User

Individuals (e.g., staff, students, contractors, relevant third party users) or organisation functions (e.g., academic departments accessing student-related data on University Student Information System) that are entrusted to access and use university data on a need basis as part of their assigned employment or contractual duties or functions.