Bulletin Board - Document Comments

Bulletin Board - Review and Comment

Step 1 of 3: Comment on Document

There are 3 steps in the submission process. You must complete all three steps in one session, otherwise your comments will be lost.

1. Use this Protected Document icon to open a comment box.

2. Type your feedback and then click the"Save Comment" button in the lower-right of the comment box.

3. Do not open more than one comment box at the same time.

4. When you have finished making comments, go to step 2 by clicking on the “Save and Continue” button at the very bottom of this page.

Important Information

During the comment process you are connected to a database. Like internet banking, the session that connects you to the database may time-out due to inactivity or if you close your browser or go to a different tab/window and try to come back.

To ensure that your comments are received:

  1. DO NOT jump between web pages/applications while logging comments.

  2. DO NOT log comments for more than one document at a time.

  3. DO NOT leave your submission unfinished. If you need to take a break, submit your current set of comments now and return later to make a further submission. You will receive a copy of your comments so that you can see what you have already said.

  4. DO NOT exit from the interface until you have completed all three steps of the submission process.  Simply saving a comment in the comment box does not mean it is submitted and if you exit the system, you will not be able to retrieve it later.

When you finalise your submission in step 3 your comments will be emailed to the Document Author with a copy to you, and to policy@mq.edu.au for record keeping purposes.

Data Governance Policy

Section 1 - Purpose

(1) The purpose of this Policy is to establish a framework of principles for governing the University’s data as a strategic asset, enabling its responsible use while protecting the University and its community. This Policy complements existing policies on information classification, privacy, and cybersecurity, and defines the framework for governing University Data.

Background

(2) This Policy applies to all types of data created, collected, or used by the University and its controlled entities. For clarity, three main categories of data are recognised:

  1. Enterprise Data is the University’s official and authoritative data. It includes information assets held in enterprise systems, databases, applications, or repositories that support core functions such as education, research management, finance, human resources, and administration. It also covers Enterprise Data Products developed from these sources (e.g., curated datasets, dashboards, reports, AI models).
    1. Enterprise Data does not include personal notes, working drafts, informal communications (e.g., chat messages, ad hoc emails), or duplicate “convenience copies” unless such materials are formally designated as official records or required to be retained under legislation, regulation, or University policy.
  2. Research Data refers to the materials or information on which a research output is based, regardless of format. This includes, for example, observations, recordings, survey responses, experimental results, software code, specimens, images, raw and processed datasets. Research Data is governed in detail by the Research Data Management Policy and Research Data Management Procedure, which sets out requirements for documentation, storage, retention, and sharing.
  3. Local Data is created and managed by individuals, teams, or business units outside of enterprise systems, usually for immediate or operational purposes. It often takes the form of spreadsheets, small databases, or documents stored on devices, departmental drives, SharePoint, or OneDrive. Local Data may contain extracts of Enterprise Data, third-party data, or data generated locally for analysis, reporting, or day-to-day decision-making. Unlike Enterprise Data, Local Data is not authoritative or centrally governed but must still be handled responsibly where it contains sensitive, confidential, or regulated information.

Scope

(3) This Policy applies to:

  1. all employees of the University and its controlled entities;
  2. all students of the University including former students;
  3. all University researchers and Graduate Research (GR) students; and
  4. any person who handles University data for or on behalf of the University or its controlled entities, including contractors, agents, visitors, honorary, clinical or adjunct appointees and consultants of the University.

(4) This Policy applies to all types of digital data except where explicitly stated.

(5) Non-digital data is out of the scope of this Policy.

(6) The Policy does include specific provisions for the governance of Enterprise Data and Enterprise Data Products, and is aligned with the specific provisions for the governance of Research Data as described in the Research Data Management Policy.

(7) To fully operationalise Data Governance across the University, this Policy works in conjunction with the following University policies:

  1. Privacy Policy – specific provisions to ensure protection of the personal data;
  2. Cyber Security Policy – specific provisions to ensure security of all types of data;
  3. Data Breach Policy – specific provisions to meet obligations in event data is breached;
  4. Responsible and Ethical Use of Artificial Intelligence Policy – specific provisions to ensure data used for artificial intelligence is ethical;
  5. Glossary Policy – specific provisions for how business definitions are managed to provide clarity on how Enterprise Data should be interpreted and presented;
  6. Records and Information Management Policy - specific provisions to ensure University’s Records and information system complies with legislative requirements; and
  7. any relevant policies specific to individual controlled entities.

(8) This Policy also works in conjunction with specific procedures and guidelines that provide detailed requirements on how key elements of data governance are applied and are listed in the appropriate sections below.

Top of Page

Section 2 - Policy

Part A - Data Governance Principles

(9) The University’s Data Governance Principles apply to all types of data and are designed to protect the University and all Data Users as outlined in clause 3 of the Policy.

(10) The use of data includes the creation and collection of any data assets.

(11) The following Data Governance Principles form a Charter for the Use of University Data and every user of University data must:

  1. abide by the provisions of the Privacy Policy;
  2. only retain data for as long as necessary to fulfil the purposes for which it was collected and abide by the provisions of the Records and Information Management Policy and Retention and Disposal Procedure;
  3. ensure that the data has an agreed Data Owner who is accountable for ensuring compliance with the provisions of this Policy;
  4. be transparent about how the data is being used and the governance that is being applied;
  5. ensure that data is being used ethically and responsibly and in accordance with the Research Data Management Policy, the Research Data Management Procedure and the Responsible and Ethical Use of Artificial Intelligence Policy;
  6. ensure that data is classified and is managed in accordance with the Information Classification and Handling Procedure;
  7. ensure that the quality of the data is fit for purpose;
  8. store data in University approved systems where it is protected from loss, unauthorised access, use and disclosure and abide by the provisions of the Cyber Security Policy and the Data Breach Policy;
  9. use the minimum amount of data necessary to fulfil the agreed purpose, and access to data should only be granted where appropriate; and
  10. continually seek to enhance the governance of University data including regular reviews, audits, and compliance reporting as appropriate.

Part B - Enterprise Data Governance Structure

(12) The Vice-Chancellor will nominate a member of the Executive Group as the Enterprise Data Governance Executive Sponsor to be accountable for ensuring the implementation of, and compliance with, this Policy.

(13) The Data Governance Executive Sponsor will establish Domain-specific Data Governance Groups that will drive the implementation of this Policy and associated procedures to ensure compliance across the University and its controlled entities from a business perspective.

(14) The Data Governance Groups will operate within the existing management structures of the University and its controlled entities.

(15) A Data Design Authority (DDA) will be established to operate under the governance of the IT Architecture Review Board (ARB) and will drive the implementation of this Policy and associated procedures from an enterprise IT architecture and design perspective.

Part C - Enterprise Data Governance Roles and Responsibilities

(16) The Enterprise Data Governance Executive Sponsor:

  1. will direct Domain Data Governance Groups, Data Owners, and Data Custodians to provide compliance reports according to the requirements of this Policy; and
  2. will provide compliance reports to the governing bodies of the University as required.

(17) The Chief Data Officer is responsible for leading and coordinating the definition, implementation, and continuous improvement of this Policy and its associated procedures, standards, and guidelines in support of the Data Governance Executive Sponsor.

(18) The Chief Information and Digital Officer (CIDO) will support the Executive Sponsor with the management, operation, and security of all infrastructure and applications that hold Enterprise Data, and the implementation of this Policy and associated procedures from a technology perspective.

(19) Domain Data Governance Groups:

  1. are established by the Data Governance Executive Sponsor and will cover all Domains of the University and controlled entities, to ensure all Enterprise Data is included;
  2. operate under the authority of a nominated management committee that will provide oversight and set strategic direction;
  3. support the Data Governance Executive Sponsor with compliance reporting for their Domain as required and must:
    1. develop and maintain Domain-specific data strategies aligned with the strategic priorities of the Domain;
    2. assign Data Owners and Data Stewards for all Enterprise Data;
    3. approve and provide oversight of the use of Enterprise Data for analytics and Artificial Intelligence (AI) ensuring compliance with relevant policies, procedures and guidelines and ensure that Enterprise Data risk is documented, assessed, and managed in accordance with the Risk Management Policy and associated frameworks and processes;
    4. establish lifecycle management principles including retention and disposal considerations for Enterprise Data;
    5. establish Access Management principles for Enterprise Data;
    6. assign librarians for Domain-specific business terms and provide oversight of the development of the Glossary of associated business definitions;
    7. provide oversight of the certification of Enterprise Data Products;
    8. provide oversight of data quality management of Enterprise Data;
    9. lead policy reviews related to Data Governance and standard settings within their Domains; and
    10. drive data literacy, adoption, and training initiatives.

(20) Data Owners:

  1. are assigned by the Domain Data Governance Groups as accountable for applying the provisions of this Policy and associated procedures to designated Enterprise Data assets and must:
    1. approve classification;
    2. define their purpose and approve usage;
    3. delegate a Data Steward to manage day-to-day governance activities;
    4. define clear rules for Access Management and monitor compliance;
    5. ensure adherence to agreed Data Lifecycle principles including retention and disposal;
    6. ensure certification of Enterprise Data Products;
    7. ensure effective management of data quality; and
    8. ensure compliance with privacy, ethical, legal, regulatory, and information security obligations.

(21) Data Stewards:

  1. are delegated by Data Owners as the business subject matter experts responsible for day-to-day governance of designated Enterprise Data assets and must:
    1. act as expert advisors to the Data Owners on matters related to Enterprise Data Governance;
    2. lead good data management practice;
    3. work with users and Data Custodians to resolve data quality issues;
    4. ensure management of business Metadata;
    5. ensure effective data quality monitoring controls; and
    6. support Access Management approvals and reviews.

(22) The Data Design Authority (DDA):

  1. is established by the Chief Information and Digital Officer (CIDO) and Chief Data Officer(CDO) and will operate as a technical advisory group under the IT Architecture Review Board (ARB);
  2. is accountable for ensuring the IT Enterprise Data Platform is compliant with the Data Governance Policy and procedures; and must:
    1. assign Data Custodians for Enterprise Data;
    2. own, maintain, and manage the Information Asset Register;
    3. define guidelines, standards, and practices for the technical implementation of the requirements of this Policy and associated procedures; and
    4. ensure all design activities relating to the Enterprise Data Platform comply with the agreed guidelines, standards and practices.

(23) Data Custodians:

  1. are responsible technical experts for designated Enterprise Data assets and must:
    1. ensure data is properly secured, classified, and accessed according to this Policy and associated procedures;
    2. manage the lifecycle of data from creation to disposal;
    3. support and maintain data quality, definitions, and Metadata;
    4. monitor and report on data usage, compliance, and governance adherence; and
    5. collaborate with Data Stewards to resolve data issues and support governance initiatives.
Top of Page

Section 3 - Procedures

(24) Data Management Procedure.

Top of Page

Section 4 - Guidelines

(25) Nil.

Top of Page

Section 5 - Definitions

(26) The following specific definitions apply for the purpose of this policy:

  1. Access Management means the security practice that regulates, controls, and monitors who can access a designated data asset. This is usually role-based as determined by defined access principles.
  2. Data Custodian is a role responsible for the technical implementation of data systems, including storage, access, and security. Other roles may include implementing access controls, monitoring system usage and security, managing authentication per this Policy.
  3. Data Governance refers to a framework that defines decision-making, roles, responsibilities, policies, procedures and standards for the effective management of University data.
  4. Data Lifecycle refers to the progression of a data asset through various stages from creation or collection, through access and usage, to retention, archival or secure destruction/disposal.
  5. Data Owner is role accountable for the data, ensuring its quality, security, and appropriate use. Other activities may include access authorisation, definition of data sensitivity, ensuring compliance per this Policy.
  6. Data Steward is a role responsible for managing data definitions, standards, and ensuring data quality. A Data Steward is a nominated authority of the Data Owner. Other responsibilities may include maintenance and management of Metadata, supports access reviews per the Data Governance Policy.
  7. A Domain is a defined area of organisational activity and accountability that represents a coherent set of related functions, processes, and data assets, aligned to the University’s core purposes and operations. Domains provide a structured framework for assigning stewardship, governance responsibilities, and decision-making authority over data. Examples include (but are not limited to) Education, Research, Staff/Human Resources, and Finance. Each Domain is distinct in scope, while interconnected with other Domains through shared data and processes, and is governed to ensure consistency, integrity, and alignment with institutional objectives.
  8. Enterprise Data Platform is the IT-managed environment for collecting, processing, and managing Enterprise Data to support data integration, operational reporting, and the development of strategic Enterprise Data Products.
  9. Information Asset Register is a comprehensive and centralised inventory of the University’s key information assets, documenting ownership, classification, usage, retention.
  10. Metadata is descriptive information about data that enables it to be discovered, accessed, and managed.