Use the link at the bottom of this page to download a template of this document that can be customised for your organisation.
1 Data Management Policy
This document is the Data Management Policy for all data within <Organisation Name>.
1.1 Overview
<Adapt the wording to be appropriate to your organisation>
<Organisation Name> creates, stores, uses, transmits and deletes data of various types for various purposes. The sensitivity and value of this data ranges from publicly available information to highly sensitive personal data. This policy details how <Organisation Name> manages data to meet its cyber security obligations and, where appropriate, to comply with other policies, legislation and regulations.
This Data Management Policy ensures <Organisation Name>:
- Complies with data protection laws and regulations, and follows good practice
- Protects the rights of clients, personnel, volunteers and partners
- Is transparent about how it stores and processes data, particularly personal data
- Protects itself from the risks of data breaches
1.2 Scope
<Adapt the wording to be appropriate to your organisation, and adjust the list to describe the types of data that are relevant for your organisation. The list here is simply examples.>
All data created, stored, used, transmitted or deleted by <Organisation Name> is within the purview of this Policy. This includes:
- Publicly available data on websites and other disseminated sources
- Low-value and low-sensitivity data (e.g. general documents, advertising material, etc.)
- High-value and highly sensitive data (e.g. commercial-in-confidence documents, etc.)
- Personnel data
- Client data
- Financial records
- Emails and messages, including voice messages
- Data belonging to, or managed on behalf of, third parties
- Data stored locally, off-site, remotely, in the cloud and with third parties
This policy applies to all internal personnel, volunteers, consultants, contractors, and third parties acting on behalf of <Organisation Name>.
1.3 Objectives
All data in the scope of this policy will be managed to achieve and maintain the following objectives:
- Confidentiality – protecting data in appropriate ways so that only authorised access and disclosure is permitted in accordance with the classification of the data
- Integrity – guarding against improper data modification, destruction or corruption, including ensuring data non-repudiation and authenticity where relevant
- Availability – maintaining timely and reliable access to and use of data
1.4 Obligations
All data in the scope of this policy will be managed in accordance with the data standards and classifications defined in this policy. These include:
- Classifying all data appropriately
- Storing all data in ways appropriate to its classification, including encrypting it where required
- Transmitting and transporting data securely
- Destroying sensitive and high-value data securely
<Organisation Name> will comply with all relevant legislation and regulations, including:
<Choose the ones that apply to your organisation, and add others that are relevant; e.g. industries such as healthcare, insurance and retail may have specific compliance requirements.>
- Privacy Act 1988 (Commonwealth)
- Australian Privacy Principles (Commonwealth)
- Australian Copyright Act 1968 (Commonwealth)
- Freedom of Information Act 1982 (Commonwealth)
- Freedom of Information Act 2016 (ACT)
- Privacy and Personal Information Protection Act 1998 (NSW)
- Information Privacy Act 2014 (ACT)
- Information Act 2002 (NT)
- Workplace Privacy Act 2011 (ACT)
- Information Privacy Act 2009 (Qld)
- Invasion of Privacy Act 1971 (Qld)
- Privacy and Data Protection Act 2014 (Vic)
- Personal Information Protection Act (Tas)
Legal and regulatory obligations may apply to data creation, storage, access protection, transmission, retention, sharing and destruction.
<Organisation Name> will ensure it remains in compliance with relevant legislation and regulations as new legislation and regulations are enacted in the future.
1.5 Data Classification Scheme
<This is an example scheme. Modify as appropriate for your organisation.>
Data is classified into one of the following <three> classification levels:
- Public – data that can be shared publicly or disclosed without restriction
- Internal – data that is restricted to <Organisation Name> personnel and others engaged by <Organisation Name>
- Private – data that is sensitive or of high value and must be protected against unauthorised viewing, modification, distribution, sharing and deletion; access to Private data must be restricted to personnel formally approved to have that access
1.6 Data Classifications
All data in the scope of this policy will be classified as follows:
<These are examples only. Create the relevant list for your organisation.>
- Personnel records – Private
- Client records – Private
- Proprietary materials – Internal
- General and miscellaneous information – Internal
- Websites – Public
1.7 Data Stewards
All data in the scope of this policy will be assigned to <individual personnel within Organisation Name> who, as data stewards, will have overall responsibility for the management of that data.
<These are examples only. Create the relevant list for your organisation.>
The following data stewards are assigned:
- Personnel records – Human Resources Manager
- Client records – Clinic Manager
- Proprietary materials – Business Manager
- General and miscellaneous information – IT Manager
- Websites – IT Manager