Policy Statement

Commitment

1.1

The University of Hong Kong (“The University”) recognises data and information under its possession as a critical asset or resource of the University, and is committed to ensuring the proper management and security of such data and information.

1.2

In pursuit of this goal the University promotes international/well-recognised standards or “good practices” of information security and data management where applicable (e.g., COBIT, DAMA-DMBOK, ISO27001, ITIL, RCUK). The University’s Information Security and Data Management Policy (“this Policy”) applies to all University operations, both on and off campus, and shall be applied in conjunction with other applicable university policies, including the Policy on the Management of Research Data and Records.

Key Definitions

1.3

Data/Information – As a general concept, refers to existing information or knowledge that is represented or coded in a form suitable for use or processing.

1.4

Institutional Data/Information refers to data/information that is:

(a) Relevant to planning, managing, operating, controlling or auditing administrative functions of an administrative, academic or research unit of the University;

(b) Created, received, maintained, or transmitted resulting from administrative, academic or research activities;

(c) Generated by a University staff member, research group/team or agent using any of the above data/information.

1.5

Data/Information Architecture is composed of models, policies, rules or standards that govern which data/information is collected, and how it is stored, arranged, integrated, and put to use in data/information systems and in organisational activities or processes.

1.6

Data/information Life Cycle includes every phase in the existence of data/information, from its beginning to its end, i.e. from creation (sometimes starting at the requirement stage before its creation) to its retirement.

1.7

Data/information Management is the development and execution of architectures, policies, practices and procedures that properly manage the full data/information life cycle needs of the University.

1.8

Data/information Availability refers to ensuring data and the functions of associated information systems are available and protected from service disruption.

1.9

Data/information Confidentiality refers to ensuring only authorised persons can access the data.

1.10

Data/information Integrity refers to maintaining the accuracy and consistency of data/information over its entire life cycle, and is the opposite of data corruption.

1.11

Data/information Quality is an essential characteristic that determines the reliability of data/information for making decisions. High quality data/information are fit for their intended uses in operations, decision making and planning.

1.12

Personal Data is any data or information that relates to a living person, can be used to identify that person, and exists in a form in which access or processing is practicable. Such data is required to be appropriately collected, managed and protected in accordance with the Personal Data (Privacy) Ordinance and relevant guidance. Examples include personal phone numbers, addresses, identity card numbers, photos, medical records and employment records.

1.13

Information Technology Resources include:

(a) All computers, peripherals, and related equipment and software; voice communications infrastructure, peripherals, and related equipment and software; data communications infrastructure, peripherals, and related equipment and software that are used to process, store and/or transmit institutional data/information;

(b) All other associated tools, instruments, and facilities; and

(c) Services that make use of any of these technology resources.

The above components may be individually controlled (e.g., assigned to an employee) or shared in a single-user or multi-user manner; they may be stand-alone or networked; and they may be stationary or mobile.

1.14

Information Security is the practice of defending data/information from breaches of confidentiality, integrity and availability (e.g., unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction). Such practice supports data/information management.

Philosophy

1.15

The value of data/information as a critical asset or resource to the University is increased through its assured quality and its adequate, appropriate and secure distribution and use, so as to enhance administrative or other forms of effectiveness; its value is diminished through low quality, misuse, misinterpretation, alteration, theft, destruction or inappropriate access restriction.

1.16

The level of protection applied to data/information should correspond to its sensitivity and its criticality to the mission, reputation and operations of the University; data/information should be adequately secured for the level of risk without the protection being overly restrictive or burdensome.

Aims

1.17

Successful management and protection of data/information is critical to the administrative, academic and research functions of the University, minimises the enterprise risk of data/information breaches, and safeguards the University’s reputation. Through active planning, organisation and control of such assets or resources, the University will:

(a) Manage data/information as an asset or resource to serve the running of University operations and improve the quality of services to University communities;

(b) Provide data/information that are consistent, reliable and accessible to meet the University’s needs;

(c) Deliver data management services that result in data/information of sufficiently high quality to help maximise the efficiency and effectiveness of operational processes; and

(d) Implement, maintain, operate and renew/update security measures to adequately safeguard institutional data/information and information technology resources, such that they are adequately protected from deliberate, unintentional or unauthorised alteration, destruction, inappropriate disclosure or use, and/or intrusion, and to ensure the adequate satisfaction of confidentiality, integrity and availability requirements.

1.18

The University is committed to meeting internationally-recognised standards of personal data privacy protection, and will take all reasonably practicable steps and provide necessary resources to meet its commitment and achieve its goals, paying particular attention to the following required organisation-wide efforts:

(a) Ensuring compliance with the requirements of the Personal Data (Privacy) Ordinance, and all other relevant legal and regulatory requirements;

(b) Ensuring compliance with all institutional requirements related to this Policy;

(c) Identifying and assessing challenges or risks that pose a barrier or threat to its commitment and aims, and managing those challenges or risks;

(d) Ensuring the designation of necessary common/shared or dedicated resources in organisational units to help meet their compliance requirements under this Policy;

(e) Ensuring that staff, students, contractors and relevant third party users (e.g., visitors, authorised service providers) are adequately informed of those risks and, where appropriate, receive adequate instruction, training, and supervision, requiring them to comply with all relevant requirements;

(f) Consulting and engaging with relevant stakeholders on data/information management matters where needed;

(g) Coordinating and collaborating with other organisations with which the University exchanges data or information.

Key Roles and Responsibilities

1.19

The Council is the sponsor of this Policy.

1.20

Whilst the University has ultimate ownership of all institutional data/information, effective governance and management of institutional data/information will require the proper delegation of accountabilities and responsibilities within a well-established structure of related roles, which shall include, but not be limited to, Data Owners, Data Stewards, Data Custodians and Data Users.

1.21

Data Owners – The head of an administration office / faculty / department / school / centre (“unit”), or the Principal / Chief Investigator of a research programme or project, who is the decision maker with respect to data collected and/or used in conducting the unit’s business. He or she has decision-making authority over any data collected and/or used by the unit.

Key responsibilities: Interpret and implement information security and data management policies, standards and guidelines, or delegate this responsibility (but not accountability) to a Data Steward where appropriate.

1.22

Data Stewards – Any appropriate individual assigned by a Data Owner to facilitate the interpretation and implementation of information security and data management policies, standards and guidelines.

Key responsibilities:

(a) Facilitate the interpretation and implementation of information security and data management policies, standards and guidelines to meet the needs of the University for the use of data;

(b) Work with Data Owners, with assistance from Information Technology Services (ITS)/University Data Protection Officer (refer to relevant sections below for references) where necessary, to assure that data is appropriately classified, managed and protected. Identify and implement procedures and controls for data protection, and when necessary, work with the data protection and information security personnel in ITS to enforce the procedures and controls;

(c) Act as the University’s “Personal Data Protection Coordinators” (“PDPCs”).

1.23

Data Custodians – Organisational functions (e.g., Human Resources Section, IT functions of faculties or departments) or individuals (e.g., staff, students, contractors, third party users) that are entrusted to operate on university data/information (including, but not limited to, through the access, operation or construction of systems) on a need basis as part of their assigned functions or employment or contractual duties.

Key responsibilities:

(a) Be familiar with the University’s governance and classification structures in relation to information security and data/information management; and

(b) Comply with all related policies, standards, guidelines and procedures issued by the University associated with information security and data/information management, and equip themselves with necessary knowledge and skills to enable such compliance (including, for example, attendance of required training).

1.24

To align with the modern model of data/information governance and management in universities, the Registrar shall be the Data Owner of institutional data/information centrally administered, managed, processed or stored under the Registry.

1.25

Data Users – Individuals (e.g., staff, students, contractors, relevant third party users) or organisation functions (e.g., academic departments accessing student-related data on University Student Information System) that are entrusted to access and use university data on a need basis as part of their assigned employment or contractual duties or functions.

Key responsibilities:

(a) Be familiar with the University’s governance and classification structures in relation to information security and data/information management; and

(b) Comply with all related policies, standards, guidelines and procedures issued by the University associated with information security and data/information management, and equip themselves with necessary knowledge and skills to enable such compliance (including, for example, attendance of required training).

1.26

A successful information security and data/information management programme demands a positive commitment from all University staff, students, contractors and relevant third party users (e.g., visitors, authorised service providers), regardless of their respective roles as Data Owners, Data Stewards, Data Custodians, Data Users, etc. All such individuals have the responsibility to ensure that they are equipped with the necessary knowledge and skills (including, for example, having attended all required training and/or studied relevant information published by the University), to comply with this Policy, to avoid creating risks for the University, themselves or others and to protect them, and to take all reasonable steps to address any foreseeable risks associated with data and information of the University.

1.27

Data Owners, Data Stewards, Data Custodians and Data Users together shall form the University’s “first line of defence” for the implementation of effective information security and data/information management, consisting of individuals who are closer to relevant issues and risks and are in a better position to identify, assess and manage them.

1.28

All staff, students, contractors and relevant third party users (e.g., visitors, authorised service providers) are bound by the statutory data protection principles in the Personal Data (Privacy) Ordinance and have a duty of confidentiality to protect personal data/information. Enquiries about the University’s privacy policy and practices corresponding to the Personal Data (Privacy) Ordinance should be addressed to the University Data Protection Officer (referred to below in this section) through designated communication channels.

1.29

ITS is one of the major Data Custodians of the University, provisioning IT-related services for various information technology resources of the University and supporting the respective Data Owners in implementing good information security and/or data management practices and complying with relevant policies / standards. On the other hand, recognising that there may exist information technology resources that are not directly developed, implemented, administered, maintained or operated by ITS (e.g., resources run by IT personnel directly under a particular faculty or department, which acts as the Data Custodian), ITS shall also play a key role in the University-wide effort of ensuring that sound information security and data management practices are implemented and that relevant policies are complied with across the University. ITS shall therefore establish a “Data and Security Team” that is independent and reasonably separated from other functions of ITS and is responsible for:

(a) Developing and maintaining additional information technology policies, standards or guidelines from time to time (whenever necessary) that apply to the University at large, with endorsement by [ITPC] (refer to “Oversight Bodies” section);

(b) Setting related risk assessment methodology (in consultation with the University Data Protection Officer for the privacy risk assessment component) and data/information asset inventory standards (i.e. standards for creating and maintaining formal records of data/information assets) for endorsement by [ITPC] (refer to “Oversight Bodies” section) and University-wide general adoption (for the purpose of consistent application by Data Owners and Data Custodians);

(c) Establishing and maintaining a “common reporting platform” for the collection, consolidation and analysis of risk related information (e.g., from risk assessment reports and data/information asset inventories submitted by Data Owners) for the purpose of supporting relevant risk management and reporting activities;

(d) Facilitating the resolution of common/shared information security issues amongst central administration offices, faculties, departments, ITS and other relevant organisation units of the University; and

(e) Performing periodic and ad-hoc assessment and ongoing monitoring of compliance in relation to information security and data management at the University, as well as providing support (i.e. non-first tier technical advice and incident management support associated with the management or use of data/information) where appropriate.

ITS, as one of the major Data Custodians of the University and its key information technology service provider, shall be responsible for, but not limited to, the following (in the context of this Policy):

(a) Providing a reliable and secure “central University information technology infrastructure” with effective support (including but not limited to controlling permissions to access such central infrastructure);

(b) Formulating University-wide data architectures and information security architectures, as well as related common standards (with such standards reviewed and endorsed by the Data and Security Team, and approved by [ITPC] where deemed necessary);

(c) Working with Data Owners and their delegates to:

  • Support policy, process, and practice related implementation and/or improvement efforts associated with institutional data/information;
  • Resolve shared information security and data/information management issues; and
  • Provide appropriate technical advice and user support associated with the management or use of data/information.

1.30

The following individuals and organisation units together form the University’s “second line of defence” for information security and data/information management, which periodically reviews and challenges how issues and risks are being identified, assessed and managed by the “first line of defence”:

(a) University Data Protection Officer for policy matters and advice concerning personal data protection (refer to the University’s Privacy Statement and related information);

(b) Data and Security Team of ITS (a function within ITS that is without direct Data Custodian responsibilities) for matters concerning the compliance of data (including personal data) and information security;

(c) Task Force on Management of Research Data and Records for research data management compliance (refer to the task force’s terms of reference).

These individuals and organisation units shall also provide applicable support and consultation to the “first line of defence” that are deemed necessary in ensuring the effective implementation of the University’s information security and data management policies, including but not limited to providing information and guidance on appropriate processing of institutional data/information and producing “good practice” guidance material for and delivering training to relevant stakeholders.

1.31

The following individual(s) and organisation unit(s) shall form the University’s “third line of defence” for information security and data/information management, which shall reassure management and related governance bodies that issues and risks associated with information security and data/information management are effectively managed:

(a) Internal Audit Function.

Oversight Bodies

1.32

To enable and ensure effective governance over how institutional data/information and information technology resources are managed and protected across the University, there shall be an oversight body:

[Information Technology Policy Committee] – Designated by the Council, [ITPC] provides strategic oversight of information technologies and related risks to ensure their well-coordinated governance, including information security and data management for the purpose of this Policy (refer to terms of reference of [ITPC]).

1.33

The responsibilities of [ITPC] shall include but are not limited to the following aspects in relation to the governance of information security and data management of the University:

(a) Creation, maintenance and overall implementation of this Policy;

(b) Ensuring that staff, students, contractors and relevant third party users (e.g., visitors, authorised service providers) are aware of this Policy;

(c) Ensuring adequate resources for the implementation of this Policy;

(d) Ensuring proper delegation of accountabilities and responsibilities within a well-established structure of related roles;

(e) Monitoring and enforcing compliance;

(f) Recommending disciplinary action for non-compliance if necessary;

(g) Commissioning regular reviews of this Policy, having regard to any relevant changes in risk levels, legislation, regulations, organisational policies and contractual obligations;

(h) Ensuring there is clear direction and visible management support for related initiatives.

1.34

The Task Force on Management of Research Data and Records, given its unique position as part of the University’s research function as well as information security and data management function, shall have two reporting lines from a governance perspective:

(a) To [ITPC] – On research data management related matters with administrative implications; and

(b) To University Research Council – On research data management related matters with academic implications.

Enforcement

1.35

Any failure to comply with this Policy shall be reported to [ITPC] through designated reporting channels, which shall review such a case (either as a single case or with other similar cases collectively) to decide if any action should be taken. Serious offences may result in disciplinary action.

Review

1.36

This Policy and its effectiveness will be reviewed periodically by [ITPC] and reported to [ITPC] for endorsement by the Council.

Communication

1.37

This Policy will be effectively communicated to staff, students, contractors and relevant third party users (e.g., visitors, authorised service providers) through an appropriate communication strategy.

Resources

  1. HKU Code of Practice of Personal Data Protection
  2. ITS Personal Information Collection Statements
  3. ITS Privacy Policy Statement

References

  1. Six Data Protection Principles, The Office of Privacy Commissioner for Personal Data, Hong Kong

Edited by Data and Security Team, 5 August 2020