View Document

Information Governance Policy

This is the current version of this document. You can provide feedback on this policy to the document author - refer to the Status and Details on the document's navigation bar.

Section 1 - Purpose

(1) This policy establishes the framework and principles for effective information governance which supports the functions and activities of the RMIT Group.

Top of Page

Section 2 - Overview

(2) RMIT University is a public institution under Victorian law and stands on Aboriginal Country of the Kulin Nation. RMIT recognises and acknowledges the Bundjil Statement that helps all RMIT staff to respectfully work, live and study on Aboriginal Country.

(3) RMIT is committed to managing information as an organisational asset which is created, used and shared effectively whilst meeting legislative requirements.

(4) Information governance provides the framework, strategic objectives, policies and standards to manage information as an asset. This policy and supporting procedures and resources support the strategic plan of the organisation to drive outcomes and support continuous improvement and ultimately optimise integrity, security, availability and quality of information.

Top of Page

Section 3 - Scope

(5) This policy applies to all RMIT staff including staff of controlled entities, students, temporary employees, contractors, visitors and third parties globally who manage RMIT information with the exception of research data as defined by the Research Policy.

Top of Page

Section 4 - Policy


(6) RMIT is the custodian of all information managed by the RMIT Group. No individual function or group own any part of data or information.

(7) RMIT will take reasonable and necessary steps to ensure information security protection. Information Security Classifications will enable appropriate management of information.

(8) RMIT information will be

  1. collected, created, managed, used, re-used and shared according to ethical practices, any applicable laws and with due consideration to individual privacy.
  2. appropriately stored to ensure protection from loss and unauthorised access.
  3. accessible, transparent and available to be used and shared whilst respecting matters of identity, privacy and confidentiality. This applies to internal as well as third party data.
  4. managed in accordance with records management and archiving requirements.

(9) RMIT will implement procedures and practices to ensure all information is captured accurately and completely and managed throughout its lifecycle.

(10) RMIT will provide access to formal or informal learning material to ensure staff have the knowledge, competencies and ability to interact with information in their roles.


(11) Information governance is overseen by the Chief Data and Analytics Officer (CDAO) with sponsorship of the Vice-Chancellor's Executive (VCE).

(12) The Information Governance Board provides an information governance forum for the RMIT Group.

(13) The Information Trustees are accountable for their respective domain area as set out in the Information Domain Register.

(14) The Information Stewards Group (ISG) provide operational support and recommendations to the Information Governance Board.

(15) The Information Stewards are responsible for identifying and managing information-related risks and issues for their assigned information entities and for escalating these to the data trustees accordingly.

(16) All RMIT staff including staff of controlled entities, students, temporary employees, contractors, visitors and third parties are responsible for:

  1. ensuring the quality and completeness of information which they collect or create
  2. ensuring that they understand and adhere to procedures and resources under this policy which govern the management, control, storage, transfer and destruction of information throughout its lifecycle
  3. supporting a culture that promotes good information governance practices and reporting any identified compliance breaches or incidents
  4. managing RMIT information in accordance with the Privacy Policy and Information Technology and Security Policy.


(17) Investigations of breaches of this policy or non-compliance with legislation are undertaken in accordance with the Compliance Breach Management Procedure.

(18) This policy is to be read in conjunction with existing university policy documents which include but are not limited to the following:

  1. Research Policy
  2. Privacy Policy
  3. Information Technology and Security Policy
  4. Intellectual Property Policy


(19) The Information Governance Board will review this policy annually and undertake a major review every three years in accordance with the Policy Governance Framework.

Top of Page

Section 5 - Schedules

(20) This policy includes the following schedule(s):

  1. Schedule 1 – Security Classification Levels
Top of Page

Section 6 - Procedures and Resources

(21) Refer to the following documents which are established in accordance with this policy:

  1. Classification of Analytics Data Standard
  2. Destruction of Information Procedure
  3. Information Management Standard
  4. Key Term Definition Standard
  5. Long Term Storage of Information Standard
  6. Master Data Management Standard
  7. Retention and Disposal Authority Standard
  8. Source Data Extract Controls Standard

(22) Local resources are available via the Data & Analytics website.

Top of Page

Section 7 - Definitions

Data Data is a fundamental component of information. It forms the building blocks of information. Data includes metadata, reference data and derived data. The definition of data in this policy excludes ‘Research Data’ as defined and governed by the Research Policy.
Information Information is data in context which has relevance and is timely. For the purpose of this policy, the term ‘information’ refers to information, records and data, with the exception of ‘Research Data’ as defined and governed by the Research Policy.
Record Information in any format created, received and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business. Records include (but are not limited to) emails, documents, websites, photographs, conversations undertaken via Instant Messaging clients, meeting minutes, research data, posts to RMIT social media sites.
Chief Data and Analytics Officer (CDAO) The Chief Data and Analytics Officer is appointed to provide organisation-wide oversight of all data and information related functions. This includes providing strategic guidance for data governance across the whole organisation including information management, records management, data quality management, analytics, business intelligence, data security and data privacy.
Information Governance Board (IGB) The IGB recognises information as a valuable asset and advocates for information governance. The IGB endorses strategy, provides strategic advice for information governance activities and issues, monitors progress against strategy, ensure risks are managed and that decisions are made in accordance with all applicable policies and regulations. Further details are set out in the Information Governance Board Terms of Reference.
Information Trustee   An information trustee is accountable for one or more domains of RMIT’s information. This accountability is outlined in the Information Domain Register. The information trustee may delegate the management and handling of operational responsibilities associated with the information asset to an information steward.
Information Stewards Group (ISG) The ISG is comprised of Information Stewards who provide operational oversight of information governance activities, identify information governance issues, identify opportunities for improvement, provide support for resolving issues and harnessing opportunities and escalating these to the IGB where appropriate for comments, decisions, approval or sponsorship. Further details are set out in the Information Stewards Group Terms of Reference.
Information Steward   An information steward is responsible for ensuring that information assigned to them by the information trustee is meeting RMIT’s requirements. This includes monitoring, managing and escalating any risks and issues associated with the information.