�鶹��madou

2.1���������� As a NSW public office, records created by �鶹��madou are governed by the and belong to the State of �鶹��madou. �鶹��madou's records:

• provide evidence of actions and decisions
• are vital assets that support daily functions and operations
• protect the interests of �鶹��madou and the rights of the �鶹��madou community and the people of New South Wales
• help �鶹��madou deliver services consistently and equitably.

2.2���������� �鶹��madou’s records are also �鶹��madou’s corporate memory and protect the interests of �鶹��madou and the rights of the �鶹��madou community.

2.3���������� Records must always be:

• created and captured to document �鶹��madou business activity
• captured to a �鶹��madou System of Record
• discoverable across �鶹��madou by those with legitimate need and appropriate access for as long as required
• accurate, up to date and complete, and never destroyed without written approval.

2.4���������� �鶹��madou protect records from unauthorised access, alteration, deletion or misuse, and ensure that �鶹��madou records retain value as evidence.

2.5���������� Records and information management practices support good decision-making, accountability and transparency to deliver best practice business outcomes.

2.6���������� Records and information management are a component of all processes, systems and services, and ownership of records is always defined and allocated.

2.7���������� Records are kept for as long as they are needed for business and legal accountability (including in accordance with retention and disposal authorities) and to meet community expectations.

2.8���������� Records are always retained according to current State Records NSW retention and disposal authorities which define the minimum periods before records can be destroyed. The prohibits the unauthorised disposal of State records, and a penalty may be imposed for breaches of the disposal provisions of the Act. The does not override any other obligations of an organisation to retain records.

2.9���������� Records are disposed of and destroyed according to the Records and Information Management procedure.

3.1���������� Privacy is embedded into the design of all �鶹��madou systems, services and practices.����

3.2���������� �鶹��madou collects, holds, uses and discloses personal and health information by lawful, fair and transparent means in compliance with this policy, the �鶹��madou Privacy Management Plan, relevant �鶹��madou Privacy Statements, and applicable ethics approval, codes, guidelines, third-party agreements and legislation in applicable jurisdictions.����

3.3���������� Personal and health information that is held by the University will only be used or disclosed:

a. for the purposes notified to the individual concerned at the time of collection; or

b. for a purpose for which the individual concerned has expressly consented to such use or disclosure; or

c. where required or authorised by law to use or disclose the information.

3.4���������� �鶹��madou takes reasonable steps to ensure the personal and health information it holds is up to date, accurate and relevant to the purpose for which it was collected.

3.5���������� Personal and health information collected and held by �鶹��madou can, where appropriate, be accessed and, on request, changed by the person to whom the personal and health information relates.

3.6���������� �鶹��madou protects the security of personal and health information against internal and external threats through de-identification and by regularly assessing the risk of unauthorised or unlawful use, disclosure, interference, accidental loss and damage.

3.7���������� Personal and health information collected and held by �鶹��madou is disposed of in a secure manner in accordance with this policy and applicable legislation.��

3.8���������� Privacy breaches are managed in accordance with �鶹��madou’s Privacy Procedure and applicable legislation.����

4.1���������� �鶹��madou complies with its legislative obligations to protect data, avoid or reduce possible harm to affected individuals and �鶹��madou, and prevent future breaches.

4.2���������� The Data Breach Procedure section below includes a Data Breach Management Plan, which �鶹��madou uses to assess and manage data breaches systematically.��

4.3���������� The Data Breach Management Procedure outlines the steps the Data Breach Management Committee will take in the event of a data breach, including but not limited to, notification of affected parties, as well as monitoring and reporting procedures. ����

4.4���������� �鶹��madou notifies individuals and entities affected by a data breach in accordance with legislative obligations.�� ��

4.5���������� �鶹��madou records data breaches and monitors, analyses and reviews the type and severity of suspected data breaches and the effectiveness of its response.�� ��

5.1���������� �鶹��madou information resources and digital communications platforms/technologies are used lawfully, ethically and responsibly.����

5.2���������� �鶹��madou information resources and digital communication platforms/technologies are used in compliance with this and other �鶹��madou policies and applicable legislation.��

5.3���������� Users of �鶹��madou information resources and digital communications platforms/technologies are responsible for their personal �鶹��madou accounts, and other �鶹��madou accounts that they use, as well as any they store, process or transmit using, or while connected to, a �鶹��madou information resource.��

5.4���������� Users of �鶹��madou information resources and digital communications platforms/technologies take all reasonable steps to protect �鶹��madou information resources from physical or digital theft, damage or unauthorised use.��

5.5���������� �鶹��madou provides access to �鶹��madou information resources and digital communication platforms/technologies for users to perform legitimate work, research or studies at �鶹��madou and all use is consistent with that purpose.

5.6���������� Incidental personal use of �鶹��madou information resources is permitted provided such use does not impact the performance of legitimate work, research or studies at �鶹��madou.��

6.1���������� The use of artificial intelligence (AI) systems or tools has the potential to benefit �鶹��madou, individuals, society and the environment.

6.2���������� AI systems or tools are used equitably with respect for human rights and diversity and to foster inclusion and accessibility.

6.3���������� AI systems or tools are trustworthy and are used responsibly, safely and reliably in accordance with their intended purpose throughout their life cycle.

6.4���������� The use of AI systems or tools are transparent, and people understand when AI is engaging with or affecting them and/or the environment.

6.5���������� AI systems or tools used at �鶹��madou are identifiable, explainable, interpretable, accountable and contestable throughout their life cycle.

6.6���������� AI systems or tools used at �鶹��madou are secure and resilient throughout their life cycle.

7.1���������� The Information Governance Steering Committee (IGSC) oversees �鶹��madou-wide information governance and provides oversight and assurance of related strategic initiatives to protect data, information and records across �鶹��madou.

7.2���������� The Research Data Governance and Management Committee oversees the governance and management of research data on behalf of the IGSC. ��

7.3���������� The Data Governance and Management Committee oversees the governance and management of data on behalf of the IGSC.

7.4���������� The University Leadership Team are responsible for:

• overseeing the management of personal and health information within their respective portfolios��
  
• nominating a University Compliance Owner (UCO) for personal and health information held within their portfolio, while remaining responsible for the performance of the UCO’s duties, which are set out in the Privacy procedure section below.

7.5���������� The Chief Information Officer has �鶹��madou-wide authority to:��

• establish mandatory standards and guidelines and determine the consultation process (in accordance with the �鶹��madou Policy Framework Policy) including the authority to expedite changes to facilitate the management of high or extreme cyber security risks
• decide whether work, use of equipment, or an operation must cease due to identified or perceived cyber security risk, or a major incident caused by that activity
• assign �鶹��madou-wide management responsibilities for the use of
• �鶹��madou information resources
• digital communication platforms/technologies
• artificial intelligence systems.

7.6���������� The Chief Data Officer is responsible for the overall management of �鶹��madou’s data governance and:

• defining and implementing an enterprise data analytics and management strategy
• ensuring data quality and security
• operating in a data driven environment
• maintaining the Data Governance Procedure, Information Governance Instruction Manual and the Data Breach Procedure.

7.7���������� The Manager, Records & Archives is responsible for the oversight of �鶹��madou records and information, and:

• overall management of �鶹��madou’s records and information
• measuring the performance of �鶹��madou against the Records and Information Management procedure section below
• maintaining the Records and Information Management Procedure and the Information Governance Instruction Manual
• leading records and information management initiatives
• collaborating with other relevant stakeholders to ensure best practice records and information practices are embedded across �鶹��madou
• working with other accountable stakeholders, including auditors, Government Information (Public Access) (GIPA) officers, and executive management to ensure that systems that manage records and information support organisational and public accountability.

7.8���������� ��Policy Leads have authority to change the:

• Privacy Procedure
• Data Breach Procedure
• Information Governance Instruction Manual

8.1���������� Where a person suspects that serious wrongdoing has occurred, including corrupt conduct, serious maladministration, a government information contravention, a privacy contravention, and/or a serious and substantial waste of public money, they must report this in accordance with the Public Interest Disclosure (Whistleblowing) Policy and Procedure.

8.2���������� Researchers must report potential breaches of the .

8.3���������� Non-compliance with this policy may constitute a breach of the �鶹��madou Code of Conduct and Values.

8.4���������� Failure to manage �鶹��madou records in accordance with the is an offence under section 21 of the Act.��

��

Every must be managed throughout its life cycle, where appropriate, in accordance with ethics approvals, codes, guidelines, third-party agreements and applicable legislation.

The data management lifecycle is aligned with the ��and the .��

1.1���������� Every data element must be linked to:

a.������������ a who is responsible for the oversight and management of the data delegated to them, and

b.������������ a who is responsible for the quality and integrity, ethics, implementation and enforcement of data management within their business unit or research project.

1.2�� �� �� This information must be captured as a record in a .

1.3���������� The Data Custodian must assign each data element a .

1.4���������� The Data Custodian must create a data management plan for each non-research data domain. The plan must be maintained and adhered to throughout the data management life cycle.

1.5���������� For each research activity or project, the researcher must create a r in consultation with the Data Custodian. The plan must be maintained and adhered to throughout the data management life cycle.

1.6������ must be defined and documented in each data management plan by the Data Custodian.

1.7������ Metadata must be described and managed throughout the data management life cycle.

Data creation or collection

2.1���������� Data should only be created or collected for use in accordance with the data management plan to fulfil the .

2.2���������� Data must be accurate, valid and complete at the time of creation or collection.

2.3���������� Data Custodians must ensure that any data being created or collected (other than research data) complies with:��

a.������������ the Data Ethics Guideline, and

b.������������ the Data Quality Guideline set out in Appendix 2: Information Governance Instruction Manual. In accordance with this Guideline, data must be monitored, enhanced and reported.

2.4���������� Data should be collected and recorded immediately or in real time, wherever possible.

2.5���������� The collection of data outside Australia must comply with the data collection laws of that jurisdiction. For example, personal data collected from European Union citizens must comply with the requirements of the .

2.6���������� Data created or collected outside a �鶹��madou campus must be transported to a �鶹��madou campus or transmitted to a �鶹��madou information resource, unless an agreement specifies otherwise.

2.7���������� For the types of data listed in the box below, the following additional data collection procedures must be followed:

����������������������������������������������������������������������������

����������������������������������������������������������������������������������������������

Data classification and labelling

2.8���������� The Data Custodian (in collaboration with the researcher where appropriate) is required to classify each data element for which they are responsible in accordance with the �鶹��madou Data Classification Standard and, where appropriate, any relevant classification requirements stipulated by state/federal legislation, funding bodies and/or external Data Custodians.

2.9���������� Once the data element is classified, the Data Custodian (in collaboration with the researcher where appropriate) must assign it a confidentiality risk rating in accordance with the Cyber Security Standard – Data Security.

2.10�� Following assignment of the confidentiality risk rating the Data Custodian (in collaboration with the researcher where appropriate) must determine the respective label in accordance with the procedures set out in Appendix 2: Information Governance Instruction Manual.

2.11�� Data Custodians must conduct regular audits of data classification and data security compliance.

2.12�� Where a data element’s original classification has changed, it must be re-classified and re-labelled throughout the data management life cycle. The new classification and label must be recorded by the Data Custodian in the relevant data management plan.

Data cleansing

3.1���������� Unnecessary duplication of data across IT services, devices, and storage locations including hard copies, must be avoided.

3.2���������� Data cleansing includes detecting and correcting data errors to improve the quality of data.

3.3���������� All data (other than research data) must be cleansed routinely via an automated process where possible, in accordance with the Data Quality Guideline as set out in Appendix 2: Information Governance Instruction Manual.

Data storage

3.4���������� Data must be stored in a �鶹��madou approved storage platform in accordance with the Records and Information Management procedure section below.

3.5���������� Data storage must be secure, appropriate to the classification and confidentiality risk rating of the data, and comply with legal, ethical and funding requirements.

3.6���������� The Data Custodian (in collaboration with the research and/or IT and Cyber where appropriate) must determine the appropriate storage platform for the data in accordance with the Cyber Security Standard – Data Security.

3.7 Data in physical format should always be stored securely with appropriate access restrictions.

3.8 For the types of data listed in the box below, the following additional procedures must be followed:

��

4.1���������� The Data Custodian and Data Steward must manage and maintain the data, where appropriate and plausible, throughout its life cycle.

4.2���������� Data Stewards must review and revise the accuracy, completeness, consistency, timeliness, integrity and validity of all data (other than research data) on a regular basis in accordance with the Data Quality Guideline and the Data Ethics Guideline.

4.3���������� ��Data Custodians must ensure that data management plans are updated and regularly reviewed.

4.4���������� Data Stewards must ensure that metadata is appropriately measured, monitored and subject to quality and assurance audits throughout the data management life cycle.

4.5���������� ��For the types of data listed in the box below, the following additional procedures must be followed:

������������������������������������������������������������������������������������������������������

��������������������������������������������

Data sharing

5.1���������� �鶹��madou data must not be accessed, viewed, shared or used by anyone from outside the business unit that is responsible for managing the data without data sharing approval or other written approval from the relevant Data Custodian, unless an exemption applies or has been granted by the Data Custodian. The sharing of data must accord with the classification of the data.

5.2���������� �鶹��madou data must not be accessed, viewed, shared or used by an external third-party (including product vendors and service providers) without the third-party entering into an approved and legally binding agreement with �鶹��madou to ensure data security and protection from unauthorised access, use or disclosure, unless an exemption has been granted by the external Data Custodian.

5.3���������� Where appropriate, before any data (other than publicly available data) is shared outside �鶹��madou, the Data Steward must verify the data to ensure its quality, integrity and security will not be compromised.

5.4���������� The process for obtaining data sharing approval is set out in Appendix 2: Information Governance Instruction Manual. Further information and resources are located on the

5.5���������� The Data Governance Office may conduct regular reviews of data sharing compliance and take action to address any non-compliance.

5.6���������� For the types of data listed in the box below, the following additional procedures must be followed:

Data transmission

5.7���������� �鶹��madou data must only be transmitted in accordance with the Cyber Security Standard – Data Security and any relevant data sharing approval or other relevant legal instrument.

5.8���������� Data that has a ‘medium’ confidentiality risk rating must be encrypted in transit when transmitted through public or untrusted networks in accordance with the algorithms and protocols in the Cyber Security Standard – Data Security.

5.9���������� �鶹��madou Legal & Compliance must conduct a Privacy Impact Assessment before data (that is not subject to a data sharing agreement or other binding legal agreement) that contains personal information or health information about an individual is transferred outside New South Wales or to a Commonwealth agency.

5.10�� Before transmission of digital information to non-OECD member countries (including for processing or storage) occurs, the proposed transmission must be referred to the Chief Information Security Officer or their delegate for additional control requirements.

5.11�� Appendix 2: Information Governance Instruction Manual sets out the procedures in relation to the import/export of research data.

Data access, use and re-use

5.12 �鶹��madou data is held and controlled by �鶹��madou not by any individuals. This does not however prevent its (re)use. All �鶹��madou records remain the property of the State of NSW in accordance with the State Records Act 1998 (NSW).

5.13 Data must be used only in accordance with its data and security classification and label and only for the purpose(s) for which it was collected.

5.14 Access to data must be granted on a least privilege and need to know basis, in accordance with the

5.15 Personal use of data (other than research data) is prohibited.

5.16 Access to and the (re)use of data must be recorded in the data management plan.

5.17 For the types of data in the box below, the additional procedures stated must be followed, where relevant:

������������������������������������������������

������������������������������������������

6.1���������� Data must be retained in accordance with the Records and Information Management Procedure.

7.1���������� Data must be disposed of and destroyed in accordance with the Records and Information Management procedure.

8.1.�������������������� The Chief Data & Insights Officer

See the responsibilities section of the Information Governance policy above for the responsibilities and authorities of the Chief Data and Insights Officer, which include enterprise data governance and management activities.

8.2.�������������������� Information Governance and Assurance Office

The Information Governance and Assurance Office supports the Chief Data & Insights Officer to maintain and implement the principles and procedures in relation to information governance. The office is responsible for:

• ensuring that key information governance roles are appointed, inducted and are aware of their responsibilities
• providing information governance training and deliver awareness initiatives to the �鶹��madou community as required, to improve information literacy and awareness across �鶹��madou
• responding to information governance legislative and regulatory requirements
• reporting to committees on information governance assurance and compliance as required
• undertaking initiatives to enhance data life cycle management at �鶹��madou.

The Information Governance and Assurance Office can be contacted via email at datagov@unsw.edu.au.

8.3.�������������������� Data Executives

Data Executives are senior leaders with planning and decision-making authority for a specific data domain. The role provides high-level oversight of data and data quality for the data domain. It also serves as an escalation point to resolve any matters that are unable to be resolved by the Data Custodians and Data Stewards for a data domain.

The Data Executives, as a group, are responsible for overseeing the continuous improvement of �鶹��madou’s data governance and management.

Data Executives are delegated by the Information Governance Steering Committee and in turn delegate day-to-day accountability for the data assigned to them to Data Custodians and Data Stewards.

A list of the Data Executives at �鶹��madou is set out in the Information Governance Instruction Manual.

8.4.�������������������� Data Custodians

Data Custodians are business leaders with day-to-day accountability for oversight and management of one or more data domains delegated to them by a Data Executive. For example, the Head of HR Systems is the Data Custodian for the human resources domain. Heads of Schools, Heads of Research Institutes, Chief Investigators and/or Principal Investigators, and supervisors may be the Data Custodian for the research domain. Heads of Schools (or Chief Investigators or Principal Investigators) are responsible for maintaining a register of confidential information.

For each assigned domain, the Data Custodian is responsible for:

• key data management decisions and directions
• ensuring that specific industry or research requirements (e.g. Australian Code for the Responsible Conduct of Research, Payment Card Industry Data Security Standard) are identified within their assigned domains, and that appropriate controls are implemented
• reviewing and approving data sharing approvals; and the quality and integrity, ethics, implementation and enforcement of data management.

Data Custodians are responsible for ensuring research data and materials have continuous custodianship and, when people with a role or responsibility in a research project leave �鶹��madou, should appoint an appropriate replacement (in consultation with the data steward).

A list of the Data Custodians at �鶹��madou is set out in the Information Governance Instruction Manual. N.B. The list does not include Data Custodians responsible for research at �鶹��madou.

8.5.�������������������� Data Stewards

Data Stewards are functional or operational leaders who represent a business unit related to a specific data domain. Every data domain (including research projects) must have one or more Data Stewards. Data Stewards are responsible for the quality and integrity, ethics, implementation and enforcement of data management within their business unit.

A list of the Data Stewards at �鶹��madou is set out in the Information Governance Instruction Manual. N.B. The list does not include Data Stewards responsible for research at �鶹��madou.

8.6.�������������������� Data users

Data users are members of the �鶹��madou community who use data that they have been granted access to for authorised purposes to carry out their day-to-day duties.

Data users are responsible for:

• using data in compliance with this policy and relevant legislation
• using data ethically and securely while respecting confidentiality and privacy
• ensuring the data they consume is fit for its specific purpose/s, and
• providing feedback about the quality of data to relevant Data Stewards.

8.7.�������������������� External data users

External data users are persons or organisations who access, input, amend, delete, extract, or analyse data and the information created by data in/from a �鶹��madou information resource and are not employees, contractors, consultants or authorised agents of �鶹��madou. For example, vendors of information systems and information services used by �鶹��madou are external data users.

��

1.1������ Full and accurate records must be created to document �鶹��madou business activity. Any document in any format that provides evidence of the University's business activities is a record.

1.2������ Examples of records might include emails sent or received that document business activity, reports, correspondence, briefing notes, meeting agendas and minutes, file notes of conversations or decisions.

Systems

2.1���������� All records or business activities must be captured to a �鶹��madou System of Record. These are business systems that have been assessed to ensure the requirements of a record are met.

2.2���������� ��A �鶹��madou System of Record must be:

• a system that is managing �鶹��madou records such as (Records and Archives Management System)
• capable of meeting any legislative requirements for these records
• able to capture (and return) fixed, complete, authentic, reliable, useable records
• able to capture (and show) core metadata (description, structure, context, related records, events, retrieval information) during and beyond the life of the record itself
• secure and able to restrict access to records (and metadata) or groups of records to meet accountability, legislative and business requirements
• able to prevent deletion of records and metadata unless as part of authorised disposal activity
• able to capture an audit log of system activity
• able to support migration and/or controlled disposal of records depending on the period for which records must be retained
• authorised as a �鶹��madou System of Record, have an identified records and information management (RIM) Steward and (RIM) Custodian.

2.3���������� The assessment process to determine if a business system is a �鶹��madou System of Record is to be completed by the RIM Steward using this and is maintained by the Records & Archives Office.

2.4���������� Records and information management is assessed by the RIM Steward in all outsourced, cloud and similar service arrangements in consultation with the Records & Archives Office.

2.5���������� The RIM Steward must ensure that records and information are maintained throughout system and service migrations.

2.6���������� System decommissioning takes into account retention and disposal requirements for records and information held in the system before final approval by the Manager, Records & Archives.

Long-term records

2.7���������� State archives and University archives are routinely identified and transferred by the Records & Archives Office to safeguard, manage and preserve records with long-term value.

2.8���������� Records that are more than 20 years old are by default under the deemed to be open to public access unless a CPA (Closed to Public Access) direction has been made by �鶹��madou. CPAs are created and maintained by the Records & Archives Office.

High risk and high value records

2.9���������� �鶹��madou is required to identify the systems, records and information needed to support its’ high value and high-risk processes.

2.10�� High risk and high value records are one (or more) of the following:

• records �鶹��madou is required to retain for more than 20 years
• records of �鶹��madou’s core activities (research, teaching)
• records of �鶹��madou’s key corporate functions (personnel, finance, student administration)
• records containing personal or health information
• records of agreements and contracts for expenditure of $150,000 or more (including GST)
• records of significant organisational change.

2.11�� Records of high-risk high value business and the systems that manage them are identified and documented by the Records & Archives Office to enable them to be prioritised and any risks evaluated and managed appropriately.

2.12�� A �鶹��madou is used by the Records & Archives Office to identify where records of high-risk high value business are captured. The completion of these evaluations is the responsibility of the RIM Custodian.

2.13�� RIM Stewards retain overall responsibility for ensuring records of high risk and high value business are safely managed and protected by business continuity plans.

2.14�� A business and the systems that manage them is maintained by the Records & Archives Office.

2.15�� The Records & Archives Office routinely monitors and reviews compliance with the requirements for the identification and management of high-risk records.

Metadata records

3.1���������� The following metadata must be recorded for records and information:��

a.�������� a description of their content

b.�������� their structure (form and format) and the relationships between their components which comprise them

c.�������� the business context in which they were created or received and used; who created them, why they were created, how they have been used and managed

d.�������� relationships with other records, information and metadata

e.�������� business actions and events involving the records and information throughout their existence

f.���������� information that may be needed to retrieve and present them.

3.2���������� Metadata must be configured in systems and carried forward to accompany the records through system changes.

Storage and scanning

3.3�� Records and information in digital format must be stored in an appropriate, secure location in accordance with the Cyber Security Standard – Data Security. Hard copy records should always be stored securely with appropriate access restrictions.

3.4�� Portable storage devices storing medium or high Confidentiality Risk rated digital information must comply with the Cyber Security Standard – Data Security.

3.5�� Portable storage devices of an unknown source or origin must not be used.

3.6�� Records stored offsite should use �鶹��madou’s of storage. Records stored offsite must always be appraised and a disposal authority applied prior to their transfer.

3.7�� Scanning records from hardcopy to digital only impacts their format; it has no bearing on the minimum legal period for which they must be retained. However, it may be possible to destroy the source paper records as part of this process if the conditions for their destruction have been met.

3.8�� The Records & Archives Office routinely monitors and reviews compliance with record storage requirements.

4.1�� Records must be linked to a current authorised retention and disposal authority.

4.2�� For the types of data in the box below, the additional procedures stated must be followed, where relevant:

��

��

��

5.1�� Records must never be destroyed by the RIM Custodian without undergoing a formal process of appraisal, and consultation where appropriate with the researcher and the approval of the Records & Archives.

5.2�� Once the destruction of record is approved, the RIM Custodian must ensure that the records are securely and irretrievably destroyed.

5.3�� Records that are ephemeral or facilitative and do not have any continuing value are destroyed in accordance with Normal Administrative Practice (NAP). What constitutes NAP is described here https://www.recordkeeping.unsw.edu.au/recordkeeping/normal-administrative-practice-nap

5.4�� The Records & Archives Office monitors and reviews compliance with record disposal and destruction requirements.

6.1�� Manager, Records & Archives

See the responsibilities section of the Information Governance policy above for the responsibilities and authorities of the Manager, Records & Archives.

��

6.2�� Records & Archives Office

The Records & Archives Office supports the Manager, Records & Archives, to maintain and implement the principles and procedures in relation to records and information management. The Office is responsible for:

• support for the management of all records, in any format, including access to and use of the enterprise recordkeeping system RAMS
• providing records and information management training and initiatives to the �鶹��madou community as required, to improve records and information management practice across �鶹��madou
• the collection, maintenance and provision of access to, �鶹��madou’s archival collections
• consultancy services on records and information management including business process analysis, redesign and support for the identification of digital recordkeeping solutions
• oversight of the �鶹��madou System of record framework
• providing advice on, and authorisation for, the disposal of records
• responding to records and information management legislative and regulatory requirements.

6.3�� ��Records and Information Management (RIM) Stewards

RIM Stewards retain responsibility for ensuring that:

• appropriate systems and processes are in place for capturing, storing and disposing of records within their areas of responsibility
• employees in their business unit are aware of their recordkeeping responsibilities
• �鶹��madou Systems of Record are available within their areas for the capture and management of records and that any new systems or process are assessed prior to implementation
• their employees are aware of the need to appraise records before destruction and to never destroy records without the necessary approval
• high risk and high value business records and the systems which manage them are identified and responsibility for capturing and managing these records is assigned.

6.4�� Records and Information Management (RIM) Custodians

RIM Custodians are responsible for:��

• the records and information managed by the business systems and/or processes for which they have been assigned custodianship
• identifying the records of their Unit’s activities, and ensuring the appropriate capture, storage, classification and disposal of these records
• ensuring systems managing high risk and high value business records are protected by business continuity strategies and plans
• ensuring employees are aware of their recordkeeping responsibilities and how to meet them.

��

Effective: 1 February 2025�� �� �� �� �� �� �� ����Responsible: Chief Assurance and Legal Officer�� �� �� �� �� �� �� �� �� �� �� �� ��Lead: Manager, Records & Archives

1.1�� �鶹��madou manages personal and health information in accordance with this policy and the Privacy Management Plan.

2.1�� Before any new project (other than a research project or activity) that is designed to hold or process personal information and/or health information on behalf of �鶹��madou is implemented, it may be subject to a Privacy Impact Assessment (PIA). A PIA ensures that personal information and/or health information is protected from unauthorised access, use, modification or disclosure.

2.2�� The sponsor of the new project is responsible for notifying �鶹��madou Legal & Compliance and, where appropriate the �鶹��madou IT Cyber Security Strategy & Governance team, that a new project has been proposed.

2.3�� The procedure for conducting a PIA is set out in Appendix 2: Information Governance Instruction Manual.

2.4�� �鶹��madou Legal & Compliance will advise the new project sponsor of the outcome of the PIA assessment.��

3.1�� �鶹��madou publishes open access information that can be accessed via the Accessing University Information webpage or by conducting a search of �鶹��madou’s website at /.

3.2�� �鶹��madou may disclose information that is not published on its website informally or through a formal application process in accordance with the .

3.3�� Informal requests for information should be emailed to:��gipaa@unsw.edu.au

3.4�� The procedure for requesting information is set out in Appendix 2: Information Governance Instruction Manual.

4.1�� Privacy complaints about �鶹��madou may be resolved through the Complaints Management and Investigations Policy and Procedure, or through an application for internal review under the (PIPP Act). Further information about internal or external complaints is set out in the Privacy Management Plan.

4.2�� The procedure for making a privacy complaint is set out in Appendix 2: Information Governance Instruction Manual.

5.1. University Leadership Team

See the responsibilities section of the Information Governance policy above for the responsibilities and authorities of the University Leadership Team.

5.2. �鶹��madou Legal & Compliance

�鶹��madou Legal & Compliance is responsible for:

• providing advice on the privacy obligations imposed by this policy and applicable privacy laws.
• supporting the University Compliance Officers to develop local protocols and privacy statements for use in their area of responsibility
• developing guidelines, training and other supporting material to support awareness of obligations imposed by applicable privacy laws
• conducting internal reviews of privacy complaints received in accordance with applicable legislation.

5.3. University Compliance Owners (UCOs)

UCOs are responsible for:

• ensuring that University-wide procedures implemented to support this policy are applied in the management of personal and health information within their respective portfolios
• implementing effective local procedures to ensure that personal and health information held within their portfolio is managed in accordance with this policy
• ensuring that any person who has access to the personal information held within their portfolio understands their responsibilities regarding such information
• ensuring that privacy statements that comply with all applicable laws are provided to individuals when their personal information is collected.

��

Effective: 1 February 2025�� �� �� �� �� �� �� ��Responsible: Chief Assurance and Legal Officer�� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� �� ����Lead: Head of Compliance & Privacy Law

1.1�� A data breach occurs when any data (whether in digital or hard copy) held by �鶹��madou is lost or subjected to unauthorised access (both internal and external to �鶹��madou), modification, disclosure, or other misuse or interference. Examples include:

• unauthorised access to, or the unauthorised collection, use, or disclosure of, data
• accidental loss, unauthorised access, or theft of classified material, data or equipment on which such data is stored (such as loss of paper records, laptop, iPad or USB stick)
• unauthorised use, access to, or modification of data or information systems (such as, sharing of user login details (deliberately or accidentally) to gain unauthorised access or make unauthorised changes to data or information systems)
• unauthorised disclosure of confidential information (such as an email sent to an incorrect recipient or document posted to an incorrect address or addressee) or personal information posted on the website without consent
• a compromised user account (such as accidental disclosure of user login details through phishing)
• failed or successful attempts to gain unauthorised access to �鶹��madou information or information systems
• equipment failure, malware infection or disruption to or denial of IT services resulting in a data breach
• the loss or theft of a device containing personal information or health information
• a �鶹��madou database or information repository containing personal or health information being subject to a cyber-attack
• a device, database or information repository containing personal or health information being accessed without authorisation
• �鶹��madou inadvertently providing personal or health information to an unauthorised person or entity.

2.1�� A data breach involving personal information and/or health information (whether in digital or hard copy) occurs when there is:

• unauthorised access to or unauthorised disclosure (whether internal or external to �鶹��madou) of personal information or health information held by �鶹��madou; or
• a loss of personal information or health information held by �鶹��madou in circumstances that are likely to result in unauthorised access to, or unauthorised disclosure of, the information.

2.2�� Where a data breach involves personal information or health information, and a reasonable person would conclude that the access or disclosure of the information is likely to result in serious harm to an individual to whom the information relates, such a data breach will constitute an “eligible data breach” and be subject to mandatory data breach notification obligations prescribed by the (‘PIPP Act’) (and in certain circumstances by other privacy laws).

3.1�� Anyone who has identified a suspected or confirmed a data breach must immediately raise a ticket via the IT Service Centre: (itservicecentre@unsw.edu.au).

3.2�� ��On receiving the notification, the IT Service Centre will:

a.�������� forward the notification to the Cyber Security Incident Response Team who will assess the breach to determine whether the breach constitutes a cyber security incident; and

b.�������� the Data Breach Management Committee (DBM Committee).��

3.3�� The Cyber Security Incident Response Team will immediately notify the DBM Committee of the outcome of their assessment of the data breach.��

4.1�� Where a ticket is raised to report a suspected or confirmed data breach the IT Service Centre will immediately notify all members of the Data Breach Management Committee (DBM committee).

4.2�� Upon such notification, the DBM committee will:

a.�������� immediately update the IT ticket to note that the breach has been referred to them

b.�������� in consultation with the Committee as a whole, assign a member of the Committee (the lead investigator) to assess and manage the data breach in accordance with the Data Breach Management Plan, set out in Appendix 2: Information Governance Instruction Manual

c.�������� notify the Critical Incident Team if the data breach is determined by the Committee to amount to a major data breach; and

d.�������� provide support and guidance to the staff member(s) who identified the data breach.

5.1�� Where the suspected or confirmed data breach involves personal information or health information, �鶹��madou Legal & Compliance will assess the breach. If there are reasonable grounds to suspect that the breach is an eligible data breach, �鶹��madou Legal & Compliance will:

a.�������� immediately update the IT ticket to note that the breach has been referred to them

b.�������� notify the General Counsel of the potential eligible data breach

c.�������� assign a lead investigator on behalf of the DBM committee and assess and manage the data breach in accordance with the Data Breach Management Plan, the mandatory data breach notification obligations prescribed by the PPIP Act, and any contractual obligations relating to the data impacted by the breach.

d.�������� in accordance with s 59ZJ of the PPIP Act, the functions of the Vice-Chancellor, acting as the head of �鶹��madou for the purpose of Part 6A of the PPIP Act, are delegated to the General Counsel.

6.1�� Upon referral of a suspected or confirmed data breach or eligible data breach, the lead investigator will enact the Data Breach Management Plan, as set out in the Information Governance Instruction Manual, as follows:

• immediately contain the breach and conduct a preliminary assessment
• evaluate the risks associated with the breach
• notify affected individuals or entities
• notify employee who reported the breach
• investigate the cause of the breach to prevent future breaches.

7.1. IT Service Centre

IT Service Centre receives the first notification of the suspected or confirmed data breach and creates a ticket.

7.2. Cyber Security Incident Response Team

The Cyber Security Incident Response Team assesses the suspected or confirmed data breach to determine whether it constitutes a cyber security incident.

7.3. Data Breach Management Committee

The Data Breach Management Committee implements the Data Breach Management Plan for a suspected or confirmed data breach or eligible data breach, appoints lead investigator, notifies Chief Legal Officer of suspected or confirmed eligible data breach.

The Data Breach Management Committee has authority to change the:

• Data Breach Procedure
• Information Governance Instruction Manual�� ����

7.4. Lead Investigator

The Lead Investigator investigates the suspected or confirmed data breach or eligible data breach in accordance with the Data Breach Management Plan.

7.5. Chief Legal Officer

The Chief Legal Officer, in the case of an eligible data breach notifies the Privacy Commissioner and individuals that are affected by the breach.

1.1�� �鶹��madou information resources and provisioned digital communication platforms/technologies must be used for in an ethical, lawful and responsible manner.

1.2�� Users are accountable for all activities originating from their own and other �鶹��madou accounts they access.

1.3�� Users must take all reasonable steps to protect �鶹��madou information resources from physical or digital theft, damage or unauthorised use.

1.4�� Users must only store, process or transmit digital information in accordance with this policy.

1.5�� Senders, recipients and managers of digital communication platforms/technologies are required to exercise due diligence to ensure the protection of confidential communications.

1.6�� Digital communication platforms/technologies should not be used to send sensitive and confidential information unless the appropriate security measures including encryption have been taken.

1.7�� Employees are responsible for capturing and retaining digital communications relating to �鶹��madou’s business activities so that they are accessible as records to meet business and evidential needs.

1.8�� Employees are responsible for:

a.�������� reporting any spam, phishing, malware and other malicious digital communications

b.�������� reporting any digital communications sent intentionally or unintentionally that violates the Cyber Security Standard – Data Security or may result in a data breach.

1.9�� ��Employees must complete �鶹��madou assigned cyber security awareness training.��

2.1������ �鶹��madou recognises that the nature of work, study and research at �鶹��madou means that a user may use �鶹��madou information resources and digital communication platforms/technologies for a broad range of legitimate purposes (consistent with the principles of academic freedom). However, users must not use �鶹��madou information resources or digital communications platforms/technologies to:

a.�������� harass, stalk, menace, defame, vilify, or unlawfully discriminate against another person

b.�������� collect, use or disclose personal information except in accordance with this policy

c.�������� knowingly copy, download, store or transmit material which infringes the intellectual property of any other party

d.�������� knowingly distribute spam, phishing, chain letters, or any other type of unauthorised widespread distribution of unsolicited digital communications in contravention of the Spam Act 2003 (Cth)

e.�������� represent or create the impression of representing �鶹��madou unless authorised to do so

f.���������� represent another person or claim to represent another person unless explicitly authorised, or

g.�������� otherwise cause loss or harm to the reputation of �鶹��madou.

2.2������ Users must not:

a.�������� use another person’s account including those assigned to other individuals and system accounts, without a delegation and approval to do so

b.�������� share their password or other authentication factor with any other person

c.�������� assist or permit the use of �鶹��madou information resources or digital communications platforms/technologies by an unauthorised person

d.�������� attempt to gain unauthorised access to or access for an unauthorised purpose �鶹��madou information resources or digital communications platforms/technologies

e.�������� use �鶹��madou information resources, or personal devices, or digital communications platforms/technologies to intentionally or knowingly compromise the confidentiality, integrity, availability or privacy of �鶹��madou information resources or digital information

f.���������� travel with �鶹��madou Information Resources (for any purpose) to a destination deemed by �鶹��madou to be high risk, without the approval of the �鶹��madou Risk Management team.

g.�������� use �鶹��madou information resources or digital communications platforms/technologies to access, display, store, copy, process, transmit or provide prohibited or restricted material, other than in accordance with section 3 of this procedure below

h.�������� intentionally distribute spam, phishing, chain letters, or any other type of unauthorised widespread distribution of unsolicited digital communications

i.������������ intentionally distribute viruses, worms, Trojan horses, malware, corrupted files, hoaxes, or other items of a destructive or deceptive nature, including using a platform/technology to distribute software that covertly gathers or transmits information about an individual

j.������������ use language that is excessively violent, incites violence, threatens violence, or contains harassing content

k.���������� create a risk to a person’s safety or health, create a risk to public safety or health, compromise national security, or interfere with an investigation by law enforcement��

l.������������ attempt to manipulate, circumvent or interfere with the security and functionality of the platform/technology in any manner����������

m.������ intentionally circumvent identity controls or other cyber security controls other than for authorised testing

n.�������� test, bypass, deactivate or modify the function of any cyber security control (including an operating system), knowingly install or use malicious software or connect an end-of-life, end-of-support, or intentionally compromised device to �鶹��madou information resources or digital communications platforms/technologies except for research or teaching purposes; and (ii) with written approval of the Head of School as part of an approved course or equivalent and in an isolated testing environment or isolated network

o.�������� collect or use email addresses, screen names information or other identifiers without the consent of the person identified (including without limitation, phishing, spidering, and harvesting).

3.1������ Users can access, display, store, copy, or transmit prohibited or restricted material on or using �鶹��madou information resources for research or teaching purposes only (i) in accordance with all applicable laws, ��including those jurisdictions where the data is collected, stored or published, policies, procedures, and standards, including the ; and (ii) with human or animal ethics approval where appropriate; and (iii) with the express written approval of a relevant Deputy Vice-Chancellor (for prohibited material) or a Head of School or equivalent (for restricted material).

3.2������ Users can access, display, store, copy, or transmit prohibited or restricted material on or using �鶹��madou information resources for the purpose or intention of investigation of a potential breach of a code of conduct, policy, procedure by the Conduct and Integrity Office or Human Resources.

4.1������ �鶹��madou provides access to �鶹��madou information resources and digital communications platforms/technologies for users to perform work, research or studies at �鶹��madou and all usage must be consistent with that purpose, other than the exceptions in the next clause.

4.2������ Users are permitted limited and incidental personal use of �鶹��madou information resources and digital communications platforms/technologies. However, this use must not:

a.�������� directly or indirectly impose an unreasonable burden on any �鶹��madou information resource or burden �鶹��madou with incremental costs

b.�������� unreasonably deny any other user access to any �鶹��madou information resource

c.�������� contravene any law, �鶹��madou’s Code of Conduct and Values and �鶹��madou policies or interfere with or conflict with �鶹��madou’s functions.

d.�������� in the case of employees, interfere with the execution of their responsibilities.

4.3������ Users who store, process or transmit their own personal information as part of their personal use of a �鶹��madou information resource are responsible for deciding how that information is secured (such as, encrypted) and backed up.

4.4������ �鶹��madou is not responsible for ensuring that personal data is retained or providing such data to a user.

4.5������ Personal emails remain subject to the provisions of this policy and as such may be accessed in accordance with the monitoring and surveillance section of this procedure below.

4.6������ Excessive use of �鶹��madou information resources (such as to generate or mine crypto currency) is not permitted, except for research or teaching purposes, and with the express written approval of the Head of School or equivalent.

4.7������ Employees and students must not use �鶹��madou information resources or digital communications platforms/technologies for:

a.�������� financial or commercial gain for themselves or any third party; or

b.�������� private professional practice.

5.1������ Employees performing duties at �鶹��madou using personal devices must ensure that these devices:

a.�������� are password protected, or have an equivalent access restriction mechanism enabled

b.�������� have malware protection enabled, where available

c.�������� are patched or updated promptly and

d.�������� are encrypted.

5.2������ Employees must report the loss or theft of, or damage of a personal device containing �鶹��madou data to �鶹��madou Campus Security and to the IT Service Centre at the earliest opportunity in accordance with the reporting data breach requirement set out in the Data Breach Procedure.

5.3������ �鶹��madou does not guarantee that a personal device will be able to access, or be compatible with, all �鶹��madou information resources.

5.4������ Using personal accounts or storing information locally on personal devices for University business is prohibited.

5.5������ If personal accounts are used, �鶹��madou systems that are accessible via a personal device (e.g. Outlook, Teams, OneDrive) must be used. Any information generated must be automatically saved in a �鶹��madou system.

5.6������ If there are no other options but to use a personal account, the information generated must be captured to a �鶹��madou system as soon as practicable.

6.1������ �鶹��madou takes reasonable precautions to protect the security of �鶹��madou information resources and digital communications platforms/technologies but does not guarantee that �鶹��madou information resources and digital communications platforms/technologies will always be available, secure, confidential, or free from defects, including malicious software.

6.2������ �鶹��madou accepts no responsibility for loss or damage (including consequential loss or damage or loss of data) arising from the use of �鶹��madou information resources and digital communications platforms/technologies, or from the maintenance and protection of �鶹��madou information resources and digital communications platforms/technologies.

6.3������ Subject to complying with all applicable laws, �鶹��madou may take any necessary action in accordance with the Cyber Security Policy, to mitigate any threat to �鶹��madou information resources and digital communications platforms/technologies, with or without notice.

6.4������ �鶹��madou reserves the right to:

a.�������� limit or terminate the use of �鶹��madou information resources and digital communications platforms/technologies, with or without notice, subject to clause 11.4 of this Procedure

b.�������� view, copy, disclose or delete digital information stored, processed, or transmitted using �鶹��madou information resources and digital communications platforms/technologies subject to complying with all applicable laws

c.�������� monitor or examine the security of any device connecting to �鶹��madou information resources and digital communications platforms/technologies, to identify or address a cyber security threat

d.�������� monitor, access, examine, take custody of, and retain any �鶹��madou information resource and digital communications platforms/technologies.

6.5������ Access to a �鶹��madou information resource, or storage, processing and transmitting of data (including email) may be delayed or prevented in the event of misuse or suspected misuse, or in the event of a security event or suspected security event.

6.6������ �鶹��madou may at any time require a user to:

a. acknowledge in writing that they will abide by this policy

b. complete relevant training in �鶹��madou policies and procedures.

7.1������ Transmission of digital communications to multiple users must only be undertaken using a �鶹��madou approved service provider.

7.2������ The transmission must be controlled so that users do not receive a large quantity of unwanted and unsolicited digital communications as this can reduce the effectiveness of the digital communications platforms/technologies.

7.3������ Users may solicit communications on a particular topic by subscribing to a �鶹��madou mailing list or third-party mailing list from which they can also unsubscribe at will.

7.4������ Unsolicited communications may only be sent to multiple users where the communication is related to their �鶹��madou duties and the sender has a relevant work relationship with the recipients.

7.5������ Any broadcast email to students should be conducted via Student Communications or Faculty/School specific communications channels.

7.6������ Special interest groups must issue invitations to join before including any group or individual in a mailing list, and members have the right to unsubscribe at will.

7.7������ Users who wish to send a broadcast digital communication to the �鶹��madou community, or a substantial subset of the community (such as all academics) must follow the procedure set out in Appendix 2: Information Governance Instruction Manual.

8.1������ The use of scanned signatures is discouraged as they are vulnerable to forgery. The digital signature technology approved by �鶹��madou will be published by �鶹��madou IT. Alternate solutions such as electronic and digital signatures should be used instead for all official documents.

9.1������ �鶹��madou may terminate the access of any user whom it believes is not operating in compliance with this procedure or the law.

10.1������ All data stored, processed, or transmitted using any �鶹��madou information resource and digital communications platforms/technologies:

a.�������� may be recorded and monitored on an ongoing and continuous basis, in accordance with the �鶹��madou Cyber Security Standards

b.�������� may be subject to the Government Information (Public Access) Act 2009 (NSW)

c.�������� may be subject to the Privacy and Personal Information Protection Act 1998 (NSW)

d.�������� may be subject to the Health Records and Information Privacy Act 2002 (NSW)

e.�������� may be subject to the State Records Act 1998 (NSW), and

f.���������� will remain in the custody and control of �鶹��madou other than where the conditions for external sharing of �鶹��madou data stated in the data management procedure section above are met.

10.2������ Users should be aware that personal use of �鶹��madou information resources and digital communications platforms/technologies may result in �鶹��madou holding personal information about the user or others which may be accessed and used by �鶹��madou to ensure compliance with this and other policies.��

10.3������ Scanning and monitoring of personal drives and devices connected to a �鶹��madou Information Asset must not unreasonably intrude into the personal affairs of individual employees or students.��

10.4������ The following approvals are required for access by a person other than the owner or custodian to �鶹��madou storage services and storage devices such as mailboxes, Microsoft 365 services, hard drives, and file shares that may also contain personal information.������

10.5������ No access is to be provided without two signatures. An authorisation from only one person (regardless of the seniority of the person or the role that they perform) is insufficient to provide access.

10.6������ �鶹��madou IT will:��

a.�������� provide a University-wide directory, which will include email addresses��

b.�������� make available a mailing list system for creating email lists and to establish lists for valid purposes

c.�������� monitor the performance of the existing central email system and its usage to ensure the service meets the needs of its users within the available resources

d.�������� administer usage of the central service and apply temporary or permanent usage constraints or limits to the service for any user (including discontinuance or deactivation) who is in breach of this policy or any other �鶹��madou rules or policies, or applicable Federal or State law. Any such decision may be appealed to the Chief Information Officer

e.�������� retroactively detect and remove malicious emails that have already been delivered to users.

10.7������ �鶹��madou may exercise its legal right to read any digital communication sent via �鶹��madou information resources. The information viewed by any third party authorised to read the digital communication (i.e. other than the sender or recipient), will only be used for the sanctioned purpose.

11.1������ The use and disclosure of an individual’s digital identity must comply with this policy, �鶹��madou’s Privacy Management Plan and Privacy Statements.

11.2������ Forms of identity used to access �鶹��madou information resources should not be published together with the identity of the user. However, identities may be published within �鶹��madou’s internal directory.

11.3������ The identity of students can be displayed in a teaching context, to an individual student or between an individual student and their teacher or class support. However, employees and students must not:

a.�������� display a list of students’ identities to a class or other group, and/or

b.�������� share a list of students’ identities to a class or other group without an approved data sharing approval.

11.4������ �鶹��madou Estate Management and other �鶹��madou business units may provide user’s identities with access to physical buildings and to spaces within buildings. An identity for this purpose should be classified as private under the �鶹��madou Data Classification Standard.

11.5������ A list of persons who have access to spaces which includes first name, last name and identity can be shared with employees who have legitimate business reasons to have access to this information. This information must not be shared via email.

12.1.�������������������� In the event of misuse or suspected misuse of �鶹��madou information resources �鶹��madou may:

a.�������� withdraw or restrict a user’s access to �鶹��madou information resources

b.�������� commence disciplinary action

c.�������� notify the Police or other relevant government authority.

13.1������ The loss, theft or damage to �鶹��madou information resources must be reported at the earliest opportunity to �鶹��madou Campus Security and to the IT Service Centre in accordance with the reporting data breach requirement set out in the Data Breach Procedure.

13.2������ Any person who notices a potential or actual cyber security incident must report it as soon as possible to the �鶹��madou IT Service Centre or �鶹��madou IT Cyber Security Team.��

14.1������ Any non-compliance with the use of Information Resources and digital communications platforms/technologies procedure must be approved in accordance with the Cyber Security Standard - Framework Exemption, including a mandatory risk assessment and agreed compensating controls.��

15.1. The Chief Information Officer

See the responsibilities section of the Information Governance policy above for the responsibilities and authorities of the Chief Information Officer.

16.2. �鶹��madou IT��

�鶹��madou IT facilities, services and manages �鶹��madou information resources.��

16.3. Users of �鶹��madou information resources and digital communication platforms/technologies

Users of �鶹��madou information resources are responsible for using �鶹��madou information resources in accordance with this policy.��

��

��

1.1������ Users are accountable for all activities originating from their use of artificial intelligence (AI) systems or tools.

1.2������ AI systems or tools must be used ethically, lawfully and responsibly.

1.3������ Users of AI systems or tools must ensure that confidentiality of highly sensitive, sensitive, commercial and/or personal information is maintained throughout the data management life cycle.��

2.1������ Before any AI system or tool (other than for using an approved, deployed enterprise grade system i.e. CoPilot) is used an AI self-assurance assessment must be conducted.

2.2������ The AI self-assurance assessment (based on the ) comprises the following elements that must be considered before using an AI system or tool:

a.�������� sensitive data - The AI system or tool does not involve the use or creation of highly sensitive, sensitive, commercial and/or personal data without consent/approval

b.�������� harm - The AI system or tool is respectful of fundamental human rights, the rights of the child and/or the environment

c.�������� compliance - The AI system or tool complies with �鶹��madou policies, relevant legislation, and the Ethical and Responsible Use of Artificial Intelligence at �鶹��madou principles ��

d.�������� fairness - The outputs of the AI system or tool are equitable, inclusive, accessible and free from bias and there is a mechanism for challenging outcomes

e.������������ business value - The AI system or tool aligns with �鶹��madou's core values, Strategic Plan, improves services or efficiencies and there is an approved budget for the initial and ongoing costs

f.�������������� transparency and accountability - The AI system or tool provides identifiable, explainable, reliable, and interpretable outputs to the user and there is clear accountability and monitoring to ensure that the system or tool continues to function as designed.

2.3������ Data used to train the AI system or tool must be diverse and representative of the population it serves.

2.4������ Data must only be used and stored in an AI system or tool in accordance with its classification.

2.5������ AI systems and tools deployed at �鶹��madou must be continuously monitored by users after deployment to identify any emerging biases or unfair outcomes.

3.1 The Chief Information Officer

See the responsibilities section of the Information Governance policy above for the responsibilities and authorities of the Chief Information Officer.

��3.2��Users of AI systems or tools

Users are responsible for using AI systems or tools in accordance with this policy.

��

Effective: 1 February 2025�� �� �� �� �� �� �� ����Responsible: Vice-Presdient, Operations�� �� �� �� �� �� �� ��Lead: Chief Information Officer

Legislative compliance

This policy is intended to ensure that �鶹��madou complies with the:

1.������������ (NSW)

2.������������ (NSW)

3.������������ (Cth)

4.������������ (NSW)

5.������������ (NSW)

6.�������� (NSW)��

7.�������� (NSW)

8.������������ �� (NSW)

9.�������� (NSW)��

10.�� (Cth)

11.�� (Cth)��

12.���� (Cth)

13.����

14.���� (Cth).������

15.���� (NSW)

��

Supporting documents

��Information Governance Instruction Manual��

Information Governance Instruction Manual