Table of Contents
Planning
3.1
Data/Information management planning shall be conducted by Data Owners to produce a data/information management plan (based on the published standard and/or template(s)) that enables the development and documentation of clear requirements and procedures for the collection, storage, use, re-use, access and retention or destruction of institutional data/information. The data/information management plan shall be maintained and reviewed by the respective Data Owner at an appropriate frequency to ensure it is up-to-date.
3.2
Data Owners shall conduct, on a periodic basis at an appropriate frequency, information risk assessments in order to determine the appropriate level of data/information risk responses and security measures. Such assessment shall, at a minimum, identify and classify the nature of data/information held (e.g., value, potential threats), the adverse consequences should risks be materialised or security be breached, the likelihood of those consequences occurring, non-compliance or potential non-compliance with this Policy, and determine the appropriate risk responses. Once completed, a copy of the report of the information risk assessment shall be provided to [ITPC] with the coordination of ITS.
3.3
Data Owners shall establish and promote explicit criteria for data/information validity, availability, accessibility, interpretation and ease of use to ensure data/information quality, and implement action programmes for ongoing data/information quality assurance / improvement as part of the data/information management plan (based on any applicable standard and/or template published).
3.4
Data Owners shall also have the ultimate responsibility for producing and maintaining documentation on data/information that enable or support data/information management planning and data/information management activities (“data/information documentation”), based on requirements or guidelines (e.g., in the form of standard and/or template(s)). Some or all of these responsibilities may be assigned to Data Stewards.
3.5
A critical component of data/information documentation is the “Data/Information Asset Inventory”, which comprises a list of data/information that is under the ownership of the respective Data Owner, and such data/information are appropriately described and classified based on the University data/information classification scheme. Data Owners shall establish a process that ensures the continued accuracy of the data/information asset inventory and link such asset inventory information with data/information management planning and executions, and shall always keep the document available for compliance-related inspections and information risk assessments coordinated by ITS for the purpose of reporting to [ITPC].
Collecting and Maintaining Data/Information
3.6
Data Owners shall establish appropriate responsibilities, procedures and methods to ensure collections of institutional data/information are complete, valid, reliable and timely to the extent possible (based on any applicable standard and/or template published)
3.7
With respect to procedures and methods for data/information collection of digital data/information, such data/information should be collected and maintained as close as possible to the source or creation point of the data/information. Separate collection and maintenance and unnecessary duplication of data/information that are kept by the central administration offices should be avoided. Data Owners shall determine the most proper source or creation point of data/information with advices from the relevant central administration office(s) and/or ITS.
3.8
Data Owners, with appropriate involvement from relevant Data Custodians, shall ensure that information technology systems that capture and update institutional data/information have appropriately incorporated edit and validation checks to assure the accuracy of the data/information, or that the data/information has not been altered in an unauthorised manner. Edit and validation checks are concerned with the process of ensuring that a system (and its related system(s)) operate(s) on clean, correct and useful data through the employment of “validation rules” (often built into the system) that check for correctness, meaningfulness, and security of data that are input to the system.
3.9
Data Owners, with appropriate involvement from relevant Data Custodians, shall establish effective procedures that, upon written identification and notification of erroneous data/information, and if confirmed, timely corrective measures shall be taken to correct the cause of the erroneous data/information, correct the data/information in its official storage location, and notify users who have received or have accessed erroneous data/information.
Accessing and Using Data/Information
Access to Data/information
3.10
Access to institutional data/information refers to the permission to view, query or capture such data/information, but does not necessarily imply delivery or support of specific methods or technologies of data/information access. It is crucial for Data Owners to ensure that proper access rights to institutional data/information have been assigned to authorised Data Custodians/Users.
3.11
Data Owners, typically through their respective Data Stewards, shall ensure that rights to access to institutional data/information are granted only through University staff who have been designated by the Data Owners / Data Stewards as authorised individual(s) to perform the granting of access rights for that data/information. All individuals accessing institutional data/information (i.e. Data Custodians/Users) must be appropriately authenticated, and additional forms of more stringent authentication should be considered where necessary.
3.12
Data Owners, typically through their respective Data Stewards, shall ensure that authorisation of access to institutional data/information to any Data Custodian/User are based on appropriateness to the Data Custodian/User’s role and the intended use/function, and that such authorisation shall be reviewed for validity on a periodic basis at an appropriate frequency.
3.13
Data Owners, typically through their respective Data Stewards, shall ensure that accesses to institutional data/information shall be in compliance with applicable requirements of the University and that they are granted only to those individuals or systems (in the case of non-human access through the use of system) that have been authorised.
3.14
Data Owners, typically through their respective Data Stewards and/or Data Custodians, shall ensure that access authorisation of access to data are documented, reviewed, modified and terminated in accordance with applicable University requirements. To allow for audit trails and potential investigations, access records should be kept for a minimum of six months, or for longer, where necessary.
3.15
With respect to physical access to locations hosting restricted or confidential data/information, Data Owners, through the respective Data Custodians responsible for operating the physical security of such locations, shall ensure that such physical access should be monitored with access records properly maintained.
3.16
With respect to remote access to information technology systems containing restricted or confidential data/information, Data Owners, through the respective Data Custodians responsible for operating such information technology systems, shall ensure that such remote access are properly identified and recorded, as well as controlled via a well-defined access control policy and tight access controls (e.g., in the data/information asset inventory), including secure access control protocols using appropriate levels of encryption and authentication.
Using Data/Information
3.17
Data Owners, through assistance from respective Data Custodians, shall set requirements or rules regarding the manipulation, modification or reporting of institutional data/information and for creating derived data or information.
Storing and Transmitting Data/Information
Storing Data/Information
3.18
Data Owners, with support from respective Data Custodians, shall identify the official data/information storage location(s) for each type of institutional data/information and, where appropriate, reflect such identified information in the data/information asset inventory.
3.19
Data Owners, through respective Data Custodians, shall ensure that restricted or confidential data/information are kept secure, using, where applicable, dedicated and reliable storage and an appropriate level of physical security and/or digital security (according to applicable standards published and updated by ITS).
3.20
Data Owners, through respective Data Custodians, shall ensure that, for operations involving restricted and confidential data/information being stored and/or transmitted, the use of appropriate level of encryption for such information shall be adopted as an additional layer of defence where existing physical or digital security is insufficient, and shall be complied with by Data Custodians/Users with access to such information according to applicable standards published and updated by ITS.
3.21
Data Owners, through respective Data Custodians, shall ensure that, for operations involving documents that contain restricted or confidential information, such documents shall be marked with appropriate designation according to the University’s data/information classification system, and such practice shall be complied with by Data Custodians/Users with access to such documents.
Passing or Transmitting Data/Information
3.22
Data Custodians/Users shall ensure that restricted or confidential data/information is only passed or sent to another party (both within and outside the University) only when such need is confirmed and where the recipient is trusted, with permission having been granted by the Data Owner where needed, and that appropriate safeguards have been taken (e.g., encryption, sealed envelope). Data Owners shall ensure that proper procedures and/or access to safeguards for usage are in place according to applicable standards published and updated by ITS.
3.23
Data Custodians/Users shall ensure that permission of the Data Owner is obtained before restricted or confidential data/information can be taken off site, or be transported outside their intended University information technology system. Data Owners shall ensure that proper procedures are in place.
3.24
When transmitting restricted or confidential institutional data/information in digital format, Data Users shall ensure that such data is transmitted through an appropriate electronic data transmission system provided by the University (e.g., University email system). Data Custodians responsible for the University’s electronic data transmission systems shall ensure that adequate controls are implemented to suitably protect electronic data transmission of restricted or confidential data/information (e.g., sending such information through email) from unauthorised use and access according to applicable standards published and updated by ITS. Data Users shall not seek to bypass such controls in their electronic data transmission activities.
Copy/Use of portable devices or media
3.25
Data Custodians/Users shall ensure that number of copies made of restricted or confidential data/information, whether in hardcopy or on portable devices or media, are kept to a minimum, with a record kept of their distribution where appropriate. Should such copies be no longer needed, they should be deleted or, if in the case of hard copies, destroyed where possible. Data Owners shall ensure that relevant and proper equipment or facilities are available where practically possible.
3.26
Data Custodians/Users shall ensure that portable devices or media containing restricted or confidential data/information are appropriately protected from unauthorised access. Data Owners shall ensure that relevant and proper equipment or facilities are available where possible. These should be carried out in accordance with applicable standards published and updated by ITS.
Archiving, Deleting and Destructing Data/Information
3.27
Archiving requirements and strategies for storing and preserving historical data should be determined for each type of institutional data/information by the Data Owner (with reference to any relevant guidelines approved by [ITPC]), and shall be implemented accordingly by the Data Custodian concerned.
3.28
Data Owners, through support from respective Data Custodians, shall ensure that proper policies, procedures and tools are in place for the secure disposal/destruction of restricted or confidential data/information in both physical and digital form.
External Parties / Third-Party Management
3.29
Data Owners shall ensure that any University’s data/information or information systems that are being accessed, processed, communicated or managed by third parties (being either a part of or outside the University) are protected by proper written agreements that cover all relevant information security and data management requirements and appropriate security measures commensurate with the classification(s) of the data/information concerned (be covered in contractual arrangements for non-University parties), as well as appropriate security measures, and shall obtain sufficient comfort that such third parties are capable of complying and/or have complied with such requirements.
Resources
Edited by Data and Security Team, 5 August 2020.