Information Governance Policy

Purpose

  • The purpose of this Policy is to —

    • establish robust, accountable, and transparent information governance practices that operationalise the University’s commitment to responsible data governance and integrity, and ensure compliance with Indian laws and where relevant, Australian laws;
    • define roles, responsibilities, and procedures for protecting, retaining, and managing University Information;
    • protect the University Community from misuse, unauthorised access, loss, or improper handling of data; and
    • uphold rights to fair and transparent processing, correction, and erasure of data.
  • This Policy is to be read in conjunction with the following —

    • UWA India Privacy Policy
    • Information Privacy Policy Guide
    • Information Protection Classification Guide
    • Information Retention Policy Procedures

Scope

  • This Policy applies to the entire University Community and applies to all University operations, records and information systems.

Definitions

Australian laws are the key legal instruments that are applicable to this policy, including but not limited to:

  • Australian Privacy Act 1988 (Cth)
  • Australian Privacy Principles (APPs)

Data refers to any information, records, documents, or content regardless of format or medium collected, created, received, stored, processed, or transmitted by or on behalf of the University. This includes, but is not limited to, personal information, sensitive information, academic and administrative records, electronic files, and metadata.

Indian laws refer to the key legal instruments that this Policy needs to comply with, including but not limited to:

  • Digital Personal Data Protection Act, 2023
  • Information Technology Act, 2000

Information Protection refers to providing security for University Information based on its risk, legal requirements and business value.

Information Retention refers to the collection, management and retention of University Information and Records for as long as required in accordance with relevant statutory and University requirements.

Personal Information refers to information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not.

Records refers to any University Information, digital or physical, created or received as evidence of a business transaction or activity.

Sensitive Information refers to information or an opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, association memberships, sexual orientation, criminal record or health, genetic or biometric information that is also Personal Information.

System of Record refers to an endorsed University Information Management System identified as the authoritative source for a specific type of Record.

University refers to the UWA India entity.

University Community refers to all staff, students, contractors, honorary appointees, visiting academics, affiliates, and any other persons acting in an official capacity on behalf of the University.

University Information refers to all data, records and information created, captured, processed, stored, shared and/or disposed of, by the University Community or on behalf of the University, in any format or medium.

Vital Record refers to records identified as critical to the University’s operations, the loss of which may cause irreparable harm to the ongoing functioning of the University.

Governance & Roles

  1. Governance Structure
    • The Chief Operating Officer (COO) has oversight of this Policy. The COO will formally delegate responsibility for maintaining the register of information governance roles and the authority for records management to a designated senior officer.
    • Regular training on information governance, privacy, and recordkeeping is mandatory for all staff upon induction and annually thereafter.
  2. Roles & Responsibilities
    • Accountability for Information Protection, Information Retention, and Privacy is assigned through the following key roles outlined in Table XX, which are responsible for handling University Information across all operations.
    • Information Owner
      • Responsible: The University
      • Description: Ensuring all University Information is managed in accordance with relevant laws, policies, and standards, and for delegating authority for its management.
    • Information Steward
      • Responsible: Senior employee with delegated authority for a specific business capability
      • Description: Ensuring all University Information and Records in their area are correctly classified, handled, retained, and disposed of in compliance with University policies, and that staff are aware of and comply with these requirements.
    • Information Custodian
      • Responsible: Subject Matter Expert on behalf of the Information Steward
      • Description: Responsible for the day-to-day operation and monitoring of controls for a specific type of information, including its storage, security, access, backup, retention, and disposal, and for reporting any suspected breaches or incidents.
    • Business System Owner
      • Responsible: Senior employee responsible for a specific University Information Management System
      • Description: Ensuring that the system is managed in a way that supports and enforces the University's classification, handling, retention, and disposal requirements for the information it contains.
    • Information User
      • Responsible: Any member of the University Community
      • Description: Responsible for handling all University Information and Records appropriately throughout their lifecycle from creation to disposal in accordance with all relevant policies and procedures, and for reporting any suspected breaches.

Information Protection

  1. Principles
    • University Information must be protected from unauthorised access, modification, misuse, loss, or inappropriate disclosure, in line with its classification.
    • University Information must be stored in a University-endorsed Information Management System.
    • The University is not responsible for the protection, backup, or recovery of University Information stored outside of an endorsed system.
  2. Classification
    • Information Stewards are accountable for assigning a classification to University Information as one of the following:
      • Public: Information intended, or available, for release to the public (e.g. course catalogues or program descriptions);
      • Confidential: Information limited to University Information Users (UIU), requiring basic access control, where unauthorised access could cause minor negative impact (e.g. internal procedures and operational guides);
      • Confidential Restricted: Information limited to UIU with a business need or organisational function, where unauthorised access could cause moderate negative impact (e.g. staff employment records or student academic records); or
      • Highly Restricted: Information limited to UIU with role-specific business needs, where unauthorised access could cause major or catastrophic negative impact (e.g. student personal data or payroll and banking information).
    • Classification dictates access, handling, retention, and sharing obligations.
  3. Security, Backup, and Recovery
    • Security controls (technical, physical, organisational) must match data classification. Multi-factor authentication is required for access to Highly Restricted data.
    • University IT is responsible for ensuring all information in endorsed systems is adequately backed up. Business System Owners are accountable for ensuring backup scopes and schedules meet business requirements.
    • University IT will perform periodic checks to ensure backup media is viable and can be restored.
  4. Breach Response
    • Any suspected or confirmed unauthorised access, loss, or disclosure must be reported to the Privacy Officer and the designated senior officer within 24 hours.
    • The University will investigate, and if a notifiable data breach has occurred (as per Indian or Australian law), affected individuals and authorities will be informed promptly.
  5. Takedown Powers
    • The University will remove University Information from its IT assets upon receiving an appropriately authorised request from law enforcement or a regulatory body.
    • The University may also exercise takedown powers for material that is illegal, in breach of University policy, or alleged to infringe third-party copyright.

Information Retention

  1. Principles
    • University Records must be retained only as long as required by law, regulation, or business need, and disposed of securely when no longer needed.
    • The University will maintain a formal Recordkeeping Plan that documents retention periods for all record types in compliance with Indian and relevant Australian law.
  2. Systems of Record & Vital Records
    • All University Records must be captured and managed in an endorsed System of Record, with appropriate metadata to ensure traceability.
    • The University will maintain a Vital Records Register to identify and protect records essential for business continuity.
  3. Disposal & Destruction
    • Disposal must be authorised by the Information Steward or the ultimate accountable party.
    • Record disposal means the range of processes including the retention, deletion or destruction of records in or from recordkeeping systems and may include the migration or transmission of records between systems, and the transferring of custody or ownership of records. Disposal and destruction must be carried out securely (e.g. shredding, secure erasure) and logged accordingly.
    • Non-Records (drafts, duplicates, trivial emails) should be disposed of regularly once they are no longer referenced, to reduce the growth of redundant, obsolete and trivial University Information.

Information Privacy

  1. Privacy by Design
    • All new systems, processes, or projects involving personal data must undergo a Privacy Impact Assessment, with documentation of privacy and security controls.
    • Collection of personal and sensitive information is limited to what is necessary and collected directly from individuals where possible.
  2. Consent & Notice
    • The University will only collect Personal Information or Sensitive Information with the individual’s explicit, informed consent where required by law. This means:
      • Sensitive Information will not be collected unless the individual has consented and the information is reasonably necessary for one or more of the University’s functions;
      • where consent is required, the University will provide a clear explanation of what is being collected and why, and individuals may withdraw their consent at any time; and
      • if the law allows the University to collect or use information without consent (e.g., for core operations), consent is not required.
    • Privacy Collection Notices will be provided at all collection points, referencing the Privacy Policy and including options for unsubscribing.
  3. Third-Party Processing
    • Third-party processors (including cloud vendors) must comply with the University’s privacy, security, and retention standards by contract.
    • Regular due diligence must be conducted on critical vendors handling University Information.

For further information on Information Privacy, please refer to the UWA India Privacy Policy.

Training, Monitoring & Review

  • All staff must complete annual information governance and privacy training.
  • Compliance is monitored through periodic audits, access reviews, and policy compliance checks.
  • This Policy is reviewed at least every two years or when relevant law changes.

Non-Compliance & Enforcement

  • Breaches of this Policy may result in disciplinary action, up to and including termination.
  • Serious or repeated breaches and data incidents will be reported to the highest levels of University management and, if required, to regulators.

Policy Owner & Contact

  • Questions and clarifications regarding this Policy can be directed to the designated senior officer at [insert contact details].
  • Suspected breaches should be reported to the University Privacy Officer at [insert contact details].