Information Management Governance Policy
Prepared by: (signature of author)
Name: S Parsons
Title: Information Systems Manager
Date: 09/05/2018
Endorsed by: (Manager)
Name: S Martin
Title: Chief Operations Officer
Date: 09/05/2018
Contents
1 Introduction
1.1 Purpose of this document
1.2 Scope of this document
1.3 Audience
2 Legislation
3 Roles and responsibilities
3.1 Information Management Governance Committee
3.2 Information Management Governance Committee Chair
3.3 Data Stewards
3.3.1 Appointment of Data Stewards
3.4 Data Custodian
3.4.1 Appointment of Data Custodians
3.5 Information Governance Secretary
3.6 Authorised Users
3.7 All staff
4 Information classification framework
4.1 Classification framework
4.2 Classification labelling
4.3 Derivative information
4.4 Filing and naming conventions
5 Information management
5.1 Information collection
5.2 Information use
5.3 Information disclosure
5.4 Delegation of access
5.5 Review of access permissions
5.6 Information storage
5.6.1 Physical (paper) information
5.6.2 Electronic information
5.7 Retention of information
5.8 Information archival
5.9 Information disposal
5.10 Information integrity
6 Risk management
6.1 Risk assessment framework
6.2 Data breach and response
7 Compliance and policy review
7.1 Compliance assessments
7.2 Audit logs
7.3 Policy review
8 Education and training
8.1 Education and training
8.2 New starters
9 Additional Resources
Appendix 1
A. Information collection process
B. Information access process
C. Information disclosure process
D. Risk reporting procedure
E. Data breach response process
Appendix 2
A. Summary RACI
Appendix 3
A. Acronyms
B. Glossary of Terms
Appendix 4
A. Template response to organisations inappropriately submitting data to WAPHA
1 INTRODUCTION
The WA Primary Health Alliance (WAPHA) is a planning and commissioning body dedicated to building a robust and patient-centred primary health and social care system to ensure improved health equity for all Western Australians. WAPHA operates WA’s three Primary Health Networks (PHNs), Perth North, Perth South and Country WA, with the objective of increasing the efficiency and effectiveness of primary care services for patients and improving coordination of care. Information is one of WAPHA’s most valuable organisational assets, enabling effective planning and commissioning through data-driven insights.
1.1 Purpose of this document
The purpose of this Information Management Governance Policy is to document the way in which WAPHA’s information is managed in order to effectively protect and best utilise information assets. This Policy document is to ensure:
• Alignment to WAPHA’s Information Management Strategy;
• Alignment with relevant legislation, policies, procedures and standards;
• Confidence in the data used to inform decisions;
• Effective assurance and control of data management processes;
• Clear roles and responsibilities in relation to information management; and
• Protection of the data through documented policies and procedures, and ongoing communication, education and monitoring.
1.2 Scope of this document
The scope of this Policy covers the actions to secure, manage and distribute WAPHA information and any data stored and transmitted regardless of storage location, format or medium. In alignment with the Australian Institute of Health and Welfare¹, this Policy will use the following definitions of data and information collections:
• Data: ‘factual information used as a basis for reasoning, discussion or calculation.’ Data can be stored in structured formats (e.g. databases), semi-structured formats (e.g. spreadsheets) and non-structured formats (e.g. documents).
• Information Collections: Individual sets of data may be called ‘data collections’, ‘data assets’ or ‘data holdings’. Data comprising a data collection may come from various sources. They may be: collected or created internally by an organisation; obtained from, or held on behalf of, single or multiple external organisations or governments; or merged from a number of other data collections.
¹ Australian Institute of Health and Welfare – Data Governance Framework, 2014
This Policy applies to all WAPHA personnel: employees, contractors, students, volunteers and agency personnel. This Policy also applies to external organisations and their personnel who have been granted access to WAPHA Information and Communications Technology (ICT) infrastructure, services and information assets. This document covers the following:
• Roles and responsibilities;
• Information classification framework;
• Information management;
• Risk management framework for IM;
• Compliance;
• Communication and training;
• Additional resources; and
• High level processes for key IM activities.
Together these elements comprise WAPHA’s IM Governance Policy, the roles responsible for key information management processes, the classification levels of information and how compliance is monitored. Information protection must be commensurate with the sensitivity of the information and be in accordance with the classifications defined in the Information Classification Framework section of this Policy and in accordance with the WAPHA ICT Security Policy. This Policy does not cover the protocols related to ICT infrastructure and cyber security framework.
1.3 Audience
This document contains key information for all WAPHA staff and in particular those responsible for making data-related decisions. Further, it provides guidance to the organisations and agencies that provide data to, or receive data from WAPHA, as well as its partners, stakeholders and end-users of WAPHA data and information.
2 LEGISLATION
All data containing personal information is managed in accordance with the Information Privacy Principles from Section 14 of the Privacy Act 1988 (Cth).
Other relevant legislation includes:
• Freedom of Information Act 1992 (WA)
• National Health Act 1953 (Cth)
• Health Services Act 2016 (WA)
3 ROLES AND RESPONSIBILITIES
This section outlines a number of roles in relation to Information Management and the responsibilities of each. A full RACI (Responsible, Accountable, Consulted and Informed) breakdown is provided in Appendix 2.
3.1 Information Management Governance Committee
The Information Management Governance (IMG) Committee is responsible for directing the effective and efficient management of the WAPHA information assets in alignment with organisational priorities. They are responsible for ensuring the appropriate security measures are developed, endorsed, instituted and monitored. For more details of the Committee, refer to the IMG Committee Terms of Reference. Other responsibilities include:
• Appointment of Data Stewards;
• Management of Extreme and High rated risks;
• Authorising the disclosure and access of Highly Sensitive and high value information assets to external entities; and
• Issuing external communications related to Data breaches.
3.2 Information Management Governance Committee Chair
The IMG Committee Chair is responsible for providing leadership and direction to the Committee and for ensuring that the Committee fulfils its responsibilities of aligning Information Management with WAPHA’s priorities.
3.3 Data Stewards
Data Stewards are responsible for ensuring that a data source/information collection is developed, maintained and utilised in accordance with the strategic priorities of the organisation. This includes authorising access, use and disclosure of data from the collection for clearly defined purposes that align with organisational priorities and statutory obligations as outlined in the Information Management section of this Policy. Responsibilities include:
• Setting the strategic direction for the data collection and ensuring that development of an information collection is aligned and delivered to serve organisational objectives;
• Ensuring, prior to the release of information, that any risks with potential to damage WAPHA, an external party or individual, have been considered;
• Ensuring the use, disclosure and access to information meets any legislative and contractual arrangements under which WAPHA operates;
• Nominating and endorsing a Data Custodian;
• Authorising access and disclosure for the data source/collection;
• Informing relevant parties in the event of a data breach;
• Management of ‘Moderate’ rated IM risks;
• Maintaining a high level of business knowledge in order to assess risks and stakeholder sensitivities pertaining to information and provide risk mitigation direction; and
• Developing business cases for the establishment of new information systems or collections.
3.3.1 Appointment of Data Stewards
The Information Management Governance Committee is responsible for appointing all Data Stewards. Specific competencies include business knowledge, data management knowledge, facilitation and negotiation, and communication.
3.4 Data Custodian
Data Custodians are responsible for the day-to-day management of a data source/information collection. Responsibilities include:
• Identifying existing or overlapping information sources;
• Establishing information collection procedures and maintaining quality standards;
• Documenting data elements within data sources;
• Applying relevant classifications and labels to information;
• Preserving the integrity and security of the information by ensuring appropriate storage;
• Establishing protocols relating to and ensuring the access, use and disclosure of information in accordance with the relevant classification, legislation and contractual requirements, and Data Steward directives;
• Ensuring the safe and secure transmission and/or access to information for authorised users;
• Archiving relevant records;
• Conducting or arranging periodic audit and compliance assessments;
• Communicating the information value and classification when the information is disclosed to another entity; and
• Maintaining a comprehensive understanding of the information source in order to address queries of access, validity and application to requests.
3.4.1 Appointment of Data Custodians
Data Custodians are responsible for the day-to-day management, as well as ongoing operation and support, for given information collection(s). The establishment of an individual to whom users can direct queries for each information collection facilitates greater trust and usage rates of information, thereby driving WAPHA’s strategic priority to function as a data-driven organisation. The role of Data Custodian of information collections must be assigned to a position, rather than an individual, to ensure any individual in the relevant position, be it acting or substantive, is able to exercise the responsibilities of the role. It is the responsibility of the Data Steward to assign data custodianship to the appropriate position based on the following criteria:
• Competence, skills and authority to discharge the custodianship responsibilities;
• Understanding of the relevant legislative requirements and policy frameworks; and
• Understanding of the business needs of information users.
Following the assignment of or change in custodianship duties, the relevant information set and collection details (title, description, position of Data Steward and Data Custodian etc.) are added or updated in the WAPHA Information Register by the Information Governance Secretary.
3.5 Information Governance Secretary
The Information Governance Secretary is responsible for maintaining effective IMG related records and administration. Responsibilities include:
• Preparation and circulation of the IMG Committee meeting agenda;
• Documenting IMG Committee minutes and sending to IMC members; and
• Maintaining the Information Register.
3.6 Authorised Users
Authorised Users are those persons granted access to information collections. Authorised Users are responsible for ensuring the appropriate use of data in accordance with the accompanying agreements, policies and guidelines. They are responsible for ensuring that WAPHA information assets are used only for the purpose for which they were approved, and for maintaining confidentiality and security of the information in accordance with the Information Classification Framework, and associated policies and procedures.
3.7 All staff
It is the responsibility of all WAPHA staff to familiarise themselves with the relevant practices and legal requirements to ensure the security and integrity of information within their possession (Appendix 4 and 5 particularly). All members of staff must ensure that information (in electronic or non-electronic format) is classified appropriately and must apply the relevant security procedures pertaining to that classification at all times. Staff are encouraged to discuss any classifications they believe to be inaccurate with the relevant Data Steward. All staff must familiarise themselves with the relevant policies, standards, processes and legislation.
4 INFORMATION CLASSIFICATION FRAMEWORK
Information assets are a valuable resource that must be actively managed to enable WAPHA’s commissioning activities as well as compliance with applicable legislation, confidentiality and privacy requirements. Information security methods must be commensurate with the sensitivity of the information. Information with higher levels of sensitivity must be treated with protection not afforded to publicly available information due to the serious damage that unauthorised disclosure could cause to WAPHA or external parties, including members of the public. An information classification facilitates the identification of such information sources and the relevant controls necessary to protect them. This section outlines the framework to be used for the classification of information WAPHA collects, stores, uses and discloses to meet its operational and strategic priorities.
4.1 Classification framework
The classification of information (as set out in the diagram below) considers sensitivity and risk to ensure the necessary minimum security controls are in place when an information asset is added to WAPHA’s information collection.
Figure 1: Information Classification Framework Hierarchy (levels shown in the diagram: Public; Protected (Internal); Sensitive; Highly Sensitive)
Table 1: Information Classification Framework Descriptions

Classification: Highly Sensitive
Description: Information should have restricted access within WAPHA. Contains personally identifiable information (patient and/or clinician), research or enterprise information that if released could result in a significant damage to WAPHA, be it reputational or contractual, or to external organisations or an individual. Access and disclosure of information must be controlled and will only be granted to an individual or group through the approval of the relevant Data Steward in order to perform one’s duties or through legislative requirements.
Examples:
• High risk information sources
• Identifiable patient/clinician data
• Selected service provider contracts
• Selected clinic/practice data

Classification: Sensitive
Description: Information containing hospital/practice/clinic identifiable information (not patient/clinician identifiable) and non-public information, including aggregated patient or provider information, research or organisational information. Disclosure could result in moderate reputational damage to WAPHA, external organisations or an individual.
Examples:
• Moderate risk information sources
• Aggregated patient/clinician data
• Service Provider contracts

Classification: Protected (Internal)
Description: Information that is available to employees and authorised non-employees but not generally publicly available. Disclosure could cause minor or little direct impact to WAPHA, external organisations or individuals, but could raise concerns around data security within WAPHA.
Examples:
• Minor risk information sources
• WAPHA policies and procedures
• Planning documentation
• Training manuals and documentation
• Internal communications
• Contact details

Classification: Public
Description: Information approved as suitable for public dissemination or deemed public by legislation or routine disclosure. Release of such information would have no adverse impact.
Examples:
• Negligible risk information sources
• Public health information
• Public reports
• Marketing material
• Press announcements

Information should be classified by the relevant Data Custodian before being entered into WAPHA information systems and collections, as outlined in the Information Collection section of this document.
4.2 Classification labelling
Classification labels are used to facilitate the confidentiality and security of sensitive information. Clearly visible information classifications on the document or data set reduce the risk of mishandling and inappropriate disclosure. Considerations relating to labelling include that:
• Information assets classified as either Highly Sensitive or Sensitive must always be clearly labelled within the document content or document name.
• The Data Custodian is responsible for labelling information with the appropriate classification.
• It is recognised that some types of information will require special handling requirements in addition to those associated with the relevant classification. Such information sources are to be marked with a security caveat in addition to the classification, outlining necessary controls and conditions of use.
The information classification marking requirements are outlined in Table 2 below.

Table 2: Information classification labelling framework

Classification: Highly Sensitive
Marking requirements: Information must be clearly labelled either at the top or bottom of each page and within the file name. Hardcopy information should be clearly labelled at the top or bottom of each page.

Classification: Sensitive
Marking requirements: Information must be clearly labelled either at the top or bottom of each page and within the file name. Hardcopy information should be clearly labelled at the top or bottom of each page.

Classification: Protected (Internal)
Marking requirements: Documents and media should be labelled when distributing or sharing with an entity external to WAPHA.

Classification: Public
Marking requirements: Label these documents as ‘Public’ for easy reference.

4.3 Derivative information
In the event that WAPHA employees or authorised third parties generate or create new data sets based upon one or more existing information collections, it will be necessary to consider the classification of this new data set. This ‘derivative information’ could include, but not be limited to, an extract from a single source, a restatement of existing data, or a combination of existing information sources. Derivative information must be treated as a new information source, and the creators of derivative information must be aware of the risk associated with creating this new dataset. The classification of the dataset could feasibly differ from the source information collection and must be considered on a standalone basis. Combining datasets has the potential to increase the sensitivity of the data, whilst an extract of a Sensitive dataset could reduce the sensitivity if certain was not included in the extract. In all instances, the Data Custodian(s) of the source information collection(s) will need to be consulted. The Custodian(s) will need to oversee the classification and labelling of the new data set, in accordance with the Information Classification Framework and processes established elsewhere in this Policy.
4.4 Filing and naming conventions
Information filing and naming must be undertaken by the relevant Data Custodian in accordance with the WAPHA Naming Convention in order to ensure consistent conventions throughout the information collection. A folder is to carry the classification label of the highest level of security classification of information it holds. If the security classification of the information to be added to a folder exceeds the classification the folder currently carries, then the Data Custodian must change the marking of the folder to be consistent with the information to be added.
5 INFORMATION MANAGEMENT
WAPHA collects, accesses, stores, uses and discloses large volumes of data in order to support its commissioning of services, much of which is sensitive personal health information. Information is critical to WAPHA’s business functions and must be collected and disclosed with consideration of the business relevance, quality, cost and security of information. This section outlines the policy for managing and handling information, including collection, use, disclosure, access, retention and disposal.
5.1 Information collection
Collection is the creation, acquisition or capture of the information required by WAPHA in order to support business, operational and legislative requirements. Knowing what to collect and the methods for collating information into the information collection is critical in maintaining standardisation and security of WAPHA’s information resources. This section outlines the methods for:
• Formalising the establishment of new information collections;
• Ensuring new information collections are aligned to WAPHA’s priorities and cognisant of existing organisational information sources;
• Preventing the uncontrolled collection of information; and
• Ensuring the effective, efficient and accurate collection of information.
The following two key principles are intended to facilitate the collection of relevant, quality information for the purpose of developing WAPHA’s strategic and operational objectives and minimising the effort allocated to collecting and managing unnecessary information.

Table 3: Key principles of information collection

Principle: Fit for purpose
Description: Information should only be collected when there is a legitimate business purpose which is aligned to WAPHA’s strategic and operational priorities. The process should not generate duplicate information sources, and should serve to maximise the usefulness of information in relation to WAPHA’s business needs. WAPHA’s Information Register provides a listing of WAPHA’s information sources and should be used to facilitate the detection of duplication or gaps.

Principle: Effective and efficient
Description: WAPHA should seek the minimum data requirement to make a material difference with minimal collection effort. Cost should be considered before commencing the development of new information collections, with consideration into alternative methods of information acquisition.

Table 4 outlines requirements for the effective and secure collection of WAPHA’s information resources. For further details concerning the process of collection, storage and disclosure of WAPHA’s information assets refer to Appendix .

Table 4: Information collection requirements

Requirement: Data governance
Description: All information collections must be assigned a Data Steward and Data Custodian. Data Stewards are appointed by the Information Management Committee while Data Custodians are nominated and endorsed by the relevant Data Steward.

Requirement: Approval for collection
Description: All new information collections must have gained the relevant approval before being entered in the WAPHA system. For additions to existing information sources this requires approval from the relevant Data Steward, while the approval for new information collections requires approval from the Information Governance Committee.

Requirement: Classification
Description: All new information sources must be classified according to the Information Classification Framework before being entered into WAPHA information systems. Refer to page 10 for further information concerning the Information Classification Framework.

Requirement: Security
Description: Following classification, information must be afforded the applicable protection to prevent unauthorised access, use or disclosure throughout its lifecycle. Refer to the Information management section for further information concerning the applicable protection and controls.

Requirement: Information Register
Description: Following addition to WAPHA systems, the information must be logged in the Information Register with the associated information descriptors.

Requirement: Notice to subjects
Description: When collecting personal information, in accordance with the Privacy Act 1988, WAPHA are required by law to provide notice to subjects about the types of information collected and the intended uses of this information.

Requirement: Compliance with agreements of information use
Description: Information collected from some third parties, including State and Federal governments, will be subject to the requirements of use, disclosure, security, privacy and intellectual property as outlined in the relevant third party agreement. All access and disclosure of third party information is to be strictly managed in accordance with the contract or agreement.

5.2 Information use
Information use refers to the communication or handling of information within WAPHA and applies to all information owned, created, collected, managed, stored and disseminated. For example, a Data Custodian sharing information with another WAPHA employee is classified as use, as is the act of an employee undertaking analysis on information.
This section outlines the controls and practices which need to be adhered to by all users of WAPHA’s information resources. The core principles of information use are as follows:
• Need to know - Data Custodians must ensure users are granted the minimum
requirements for information use to undertake their business role or for approved
purposes;
• Specific and authorised - the information must not be used by person(s) other than the
specified authorised person(s);
• Approved disclosure - authorised persons must not disclose information to any other
person(s) without prior approval from the Data Custodian;
• Specified use - the information must only be used for the purpose specified. Changes to
the purpose of the information use must first be approved by the Data Custodian;
• Secure and controlled use - the information must be protected by the appropriate security
and controls at all times as required by the relevant classification; and
• Duration of access - the information must not be kept for longer than approved without
additional approval from the Data Custodian.
In order to ensure that information within WAPHA is readily available to Authorised Users in a
secure and controlled location, it is recommended that Data Custodians develop an Information
Use Model outlining:
• Who is permitted to use a given information source (by role, position or working group, not
by individual names);
• The purpose for which the information may be used;
• Additional restrictions or requirements pertaining to the use of an information source; and
• Duration and level of access permitted to different users (read only, read/write,
administration access).
5.3 Information disclosure
Information disclosure refers to the process of sharing information outside of WAPHA, whether that be the release of information to an external entity or publishing documents for external consumption. Sharing information with contracted third parties is not classified as information disclosure but rather falls under information use. This section sets out how information under the control of WAPHA is made readily available only to those parties determined by legislative and contractual requirements.
WAPHA may disclose information to related companies, agents or contractors who provide products and services to WAPHA or on behalf of WAPHA. In providing information to these parties WAPHA will ensure that all use is for the express purpose for which it was disclosed and in alignment with WAPHA’s strategic and operational priorities. Subject to law, the types of third parties to which WAPHA may disclose information include:
• WAPHA agents, contractors and external advisers;
• Other organisations with whom WAPHA has arrangements for the purpose of promoting
respective products and services; and
• Commonwealth and State government agencies and other funders.
Health information will not be disclosed for another purpose unless the disclosure is required or
authorised under law, a person has consented to the use or disclosure of their health information
for the purpose, for the use of research (de-identified data) or the disclosure is otherwise
permitted by the Privacy Act or Freedom of Information Act.
WAPHA’s information resources obtained through a Memorandum of Understanding (MOU), Data
Sharing Agreement (DSA) or other contract or agreement must always be disclosed in accordance
with the directives of the agreement.
It is the responsibility of the IMG Committee to authorise the disclosure of Highly Sensitive
information and information which is considered of significant value to WAPHA. It is the
responsibility of the Data Steward to authorise the disclosure of all other information and to ensure
accordance with all relevant requirements. Once authorised it is the responsibility of the Data
Custodian to ensure the agreement of disclosure has outlined ownership of the information,
storage and security, disclosure arrangement, retention period, audit requirements, access
arrangements and disposal of data after the agreement expires before being approved by the Data
Steward.
5.4 Delegation of access
The information access procedure ensures the right information is readily available to the appropriate users of WAPHA’s information whilst maintaining the necessary security and controls for sensitive information. The process for authorising access is dependent on the applicant and the classification of the information being accessed. The detailed process is set out in Appendix 1.
The principles for the authorisation of access are:
• Approvals for all external entities, including contractors, who require access to WAPHA’s
information assets and systems, excluding Highly Sensitive information, must be
authorised by the relevant Data Steward;
• Approvals for all external entities, including contractors, who require access to Highly
Sensitive information must be authorised by the IMG Committee;
• WAPHA employee access to all Highly Sensitive information must be authorised by the
relevant Data Steward;
• WAPHA employee access to all Internal and Sensitive classified information must be
authorised by the relevant Data Custodian;
• Permission groups should be authorised by the Data Steward, with the Data Custodian
working with IT to establish the new permission group;
• It is the responsibility of the Data Custodian to set, enforce and review the period of access
for all users; and
• All access permissions must be granted in accordance with the Information use section of
this document.
5.5 Review of access permissions
Access permissions to an information system or collection are managed and reviewed by the Data Custodian. Access permissions will be granted with an automated expiry whereby systems will give permissions to an individual with a set expiry date. This minimises the administration of permissions while creating a safeguard in the system. The expiry should be set to the length of the individual’s engagement which requires the information access. Early exits from the engagement would still need to be manually updated. Likewise, extensions could be handled pre-emptively to avoid disruption. In addition, the Data Custodian should conduct routine checks of the permissions based on staffing changes and undertake periodic reviews of permissions.
Following the departure of a WAPHA employee or contractor, HR will contact the relevant IT support to ensure the cancellation of access rights to the WAPHA network as well as notify Data Custodians of individual systems and collections to ensure all access rights have been removed.
5.6 Information storage
Appropriate storage of information is crucial both to keep information available for the purpose of undertaking WAPHA’s operational duties and to maintain the appropriate security of information. The storage of information, be it electronic or physical, comprises the location or medium of an information source throughout its lifecycle (as set out in Table 6).
5.6.1 Physical (paper) information
WAPHA’s physical information must be appropriately stored in order to protect the information from unauthorised access and theft as well as damage. Storage of physical information assets must be consistent with the intended length of storage, value of the resource and the security and access requirements defined by its classification according to the Information Classification Framework. All electronic information which is printed is to maintain its classification.
5.6.2 Electronic information
The majority of WAPHA’s information assets are electronically stored. Electronic information is vulnerable to loss, destruction, unauthorised copying and modification, and as such its effective storage is necessary to ensure its integrity, reliability and usability. To ensure the effective storage of electronic information the storage requirements are:
• Electronic information is stored on appropriate and durable media to ensure the
information remains usable for as long as required.
• Electronic storage devices are subjected to regular integrity checks and periodically
refreshed to prevent information loss through media degradation or obsolescence.
• Backup files remain usable for as long as required.
Risk assessments are conducted on information prior to the selection of storage location and medium. For additional queries concerning the security and storage of information refer to the WAPHA ICT Security Policy.
Table 5: Storage requirements
CLASSIFICATION LEVEL / STORAGE MEDIUM
Highly Sensitive | Sensitive | Protected (Internal) | Public
Electronic
Highly Sensitive:
• WAPHA endorsed server based storage
• Shared network drives or databases requiring authorisation of access from a Data Custodian.
• Not to be stored on local hard drives
Sensitive:
• WAPHA endorsed server based storage, not local PC hard drives
• Shared network drives or databases requiring authorisation of access from a Data Custodian.
• Not to be stored on local hard drives
Protected (Internal):
• WAPHA endorsed server based storage, not local PC hard drives
• Shared network drives or databases requiring authorisation of access from a Data Custodian.
• Not to be stored on local hard drives
Public:
• No restrictions
Physical (paper)
Highly Sensitive:
• Store in lockable storage or secure area when not in use
• Clear desk policy at all times
• Must only remove documents from WAPHA office if transferred directly from office to destination
Sensitive:
• Store in lockable storage or secure area when not in use
• Clear desk policy at all times
• Exercise diligence when removing from WAPHA offices, avoid if possible
Protected (Internal):
• Reasonable precautions to be taken to ensure non-employees do not have access
• In lockable cabinet when not in use
• Maintain clear desk policy
Public:
• May be publicly displayed
Removable media
• Removable devices are not encouraged for the storage or transfer of information
• WAPHA registered device with appropriate encryption and authentication processes
• Ensure media remains in possession of owner at all times if being used outside of WAPHA
• Information must be transferred to primary storage as soon as possible, contents of media to be deleted before and after use
• Removable devices are not encouraged for the storage or transfer of information
• WAPHA registered device with appropriate encryption and authentication processes
• Ensure media remains in possession of owner at all times if being used outside of WAPHA
• Information must be transferred to primary storage as soon as possible
• All devices should be scanned for malicious software
• To be used as temporary storage only
• Store and transfer in a secure manner with authorisation from relevant Data Custodian
• All devices should be scanned for malicious software
5.7 Retention of information
Personal data and other relevant information should be retained no longer than necessary for the intended purposes for which the data was collected (and in accordance with any instructions from the information provider where applicable), unless a longer retention period is required under applicable legal or regulatory requirements, or the retention framework of the agreement under which the information is collected. The Privacy Act 1988 requires that records containing personal information must be destroyed or permanently de-identified when no longer needed for any purpose for which the information may be used or disclosed.
Some of WAPHA’s information collections have retention clauses conditional to the agreement of supply. Such information should be strictly retained for the period specified within the agreement and disposed of as directed. For example, under the Commonwealth PHN Funding Terms and Conditions, WAPHA is required to retain accurate records and accounts regarding each commissioned Activity including receipts, proof of purchase and invoices for at least 7 years after the Activity end date.
It is the responsibility of the Data Custodian to ensure the retention of information for the necessary duration. Following the expiry of a contracted term of retention, legislative holding period, or decrease in analytical value, the Data Custodian will be responsible for managing its disposal in accordance with the Information Disposal section of this Policy or as outlined within any agreement or contract under which the information was supplied.
5.8 Information archival
Information archiving is the process of moving information which is no longer actively used to a separate storage area for long-term retention. Archival information may be required for future reference or retained for regulatory or contractual compliance. Archives serve as a way to protect the information from modification and minimise primary storage requirements.
Information which has passed its period of analytical value but must be retained is to be archived in a separate storage location and managed by the associated Data Custodian and Data Steward. Archival information should be treated as read-only to ensure the protection and integrity of relevant material and, unless otherwise required, access should be restricted to the Data Custodian and Data Steward. It is the responsibility of the Data Custodian to transfer information to archival storage when appropriate, to apply the read-only restrictions and to limit access to the information.
5.9 Information disposal
The majority of WAPHA’s information resources will at some point reach the end of their usable lifespan. Following the expiry of an agreement of retention or the passing of the useful duration of an information resource, it is a requirement to dispose of the information. Information disposal is the process of removing information in a way that renders it unreadable (for physical information) or irretrievable (for electronic records).
The method of disposal for an information source is dependent on the classification of the information. For example, Highly Sensitive information requires more stringent disposal methods than public information due to the higher risk associated with its sensitivity. It is the responsibility of Data Custodians to manage the timely and secure disposal of information in accordance with the classification and any legal or contractual obligations. Refer to Table 6 below for further detail.
The physical printing of a dataset or its transference to removable media represents a potential risk to WAPHA and should be seen as the temporary storage of information. Printed information and data held on removable media should be disposed of immediately after use, as summarised in Table 6.
Table 6: Information disposal matrix
CLASSIFICATION LEVEL / MEDIUM
Highly Sensitive | Sensitive | Protected (Internal) | Public
WAPHA servers
• Secure locations cleared by the Data Custodian
Physical (paper)
Highly Sensitive:
• WAPHA confidential bins
• Shredded with crosscut shredders if not in WAPHA office
Sensitive:
• WAPHA confidential bins
• Shredded with crosscut shredders if not in WAPHA office
Protected (Internal):
• WAPHA confidential bins
• Shredded with crosscut shredders if not in WAPHA office
Public:
• Appropriate for disposal through recycling
Removable media
Highly Sensitive:
• Device to be cleared prior to and immediately after use
• To undergo periodic sanitisation
• Sanitisation prior to transfer to another location
Sensitive:
• Device to be cleared prior to and immediately after use
• To undergo periodic sanitisation
• Sanitisation prior to transfer to another location
Protected (Internal):
• Device to be cleared prior to and immediately after use
• To undergo periodic sanitisation
• Sanitisation prior to transfer to another location
Public:
• No restrictions
5.10 Information integrity
High quality information is critical for WAPHA to enable effective data driven decision making. Information integrity refers to the accuracy, timeliness, comparability, usability and relevance of information. These dimensions pertain to the ability for information to be used for its intended purpose and as a result the inherent value they represent to WAPHA. It is the responsibility of the Data Custodian to undertake a quality assessment of an information resource at the time of initial collection and periodically throughout its retention period to ensure the integrity of the information is sufficient and remains consistent. The Data Custodian will work to improve information quality with the Data Steward. In order to determine the scope of the underlying root causes and address data quality issues, WAPHA’s information sources will be assessed relative to the following dimensions:
Table 7: Properties of information quality
Dimension | Description
Accuracy | The degree to which an information source is representative of reality.
Timeliness | The degree to which an information source is current to the reality it is being used to assess.
Comparability | The consistency and relationship of information over time. For instance, can it be linked to another information source over a period of time?
Usability | The ease with which information can be understood and accessed.
Relevance | The degree to which an information source represents the current and potential future needs of users.
6 RISK MANAGEMENT
6.1 Risk assessment framework
Given the importance of information to WAPHA’s functions, the effective identification, management and mitigation of information related risks is critical to ensuring the continued availability of information and adherence to necessary legal and contractual requirements. The risk management processes within the Information Management Governance Policy are aligned with WAPHA’s organisational risk management plan. This section is not intended to detail the full risk management strategy; however, it will reiterate the rationale behind undertaking risk management, the guiding principles of risk management, the reporting process, and the IM risk assessment framework.
It is the responsibility of all members of staff to develop a risk aware culture to enable:
• Effective decision making and planning;
• Identification of opportunities and risks;
• Proactive rather than reactive management of risk;
• Effective communication and reporting of risk;
• Stakeholder confidence and trust; and
• Compliance with key regulatory requirements.
The IM risk assessment framework outlines the plan to identify, manage and mitigate information related risks that can adversely affect WAPHA or other third parties. The framework consists of three categories of information related risks as outlined below:
Table 8: IM risk categories
Category | Description
Disclosure / Data Breach | An intentional or unintentional release of information outside the operational restrictions under which it is governed (see more in the section below)
Information access and handling | Unauthorised access or management of WAPHA’s information resources
Legal and contractual | Breaches of contract or legislative requirements under which information is required to operate
Risks are rated in terms of their likelihood of occurrence and the consequences of their realisation. The matrix below outlines the ratings based on likelihood and consequence.
Table 9: Risk rating framework
Risk rating: LIKELIHOOD (rows) by CONSEQUENCE RATINGS (columns)
Likelihood | Insignificant | Minor | Moderate | Major | Catastrophic
Certain | Moderate | High | High | Extreme | Extreme
Likely | Moderate | Moderate | High | High | Extreme
Possible | Low | Moderate | Moderate | High | Extreme
Unlikely | Low | Moderate | Moderate | High | High
Rare | Low | Low | Moderate | Moderate | High
The rating of an identified risk will inform the suggested time for mitigation as well as the authority under which it will be managed.
Table 10: Risk rating framework
Rating | Action required | Authority
Low | Manage by routine procedures. | Data Custodian
Moderate | Document management responsibility. Manage by periodic monitoring and improvement of controls. | Data Steward
High | Detailed plan required to reduce/mitigate residual risk. | IMG Committee
Extreme | Detailed plan required. Suspend until residual risk is reduced to high or unless exposure authorised by the Chief Executive Officer on a case-by-case basis. | IMG Committee
Following the identification of a risk it is the responsibility of the Data Custodian to complete a Risk identification form before logging the risk in the Risk Register (refer to detailed process map in Appendix 0). The rating of a risk will determine the approach to mitigating the risk.
6.2 Data breach and response
A data breach is an incident in which information is compromised, disclosed, copied, transmitted, accessed, removed, destroyed, stolen or used by unauthorised individuals, whether intentionally or accidentally. All information held in any format or medium that has been assigned a classification of Protected (Internal), Sensitive or Highly Sensitive which is suspected to have been subjected to a data breach should be managed in accordance with this Policy.
Data breaches must be dealt with on a case-by-case basis by making an assessment of the risks and issues involved, to decide the appropriate course of action. Responses and mitigation strategies should be commensurate with the severity of the breach. The Privacy Act 1988 (Cth) requires any individuals who may be affected by a data breach that is likely to result in serious harm to be notified.
The key steps to consider when responding to a breach or suspected breach are as follows:
• Notify the relevant Data Custodian;
• Contain the breach and make a preliminary assessment;
• Evaluate the risk for individuals associated with the breach;
• Consider legal/contractual obligations to notify concerned parties; and
• Review the incident and take action to mitigate the risk and prevent future breaches.
Refer to the Data breach response process in Appendix 1 and the Risk assessment framework for further information.
7 COMPLIANCE AND POLICY REVIEW
7.1 Compliance assessments
Compliance assessments are undertaken to ensure all of WAPHA’s sensitive information assets are accounted for and are being handled, stored and accessed in accordance with this Policy. The Data Custodian is responsible for conducting, or arranging, compliance assessments for information sources under their custodianship. Information resources are to be assessed on a case-by-case basis as demanded by their classification and as deemed appropriate by the Data Custodian.
7.2 Audit logs
To maintain confidentiality and integrity of its information assets WAPHA will monitor access to identified information systems and collections through an audit logging process. The audit log ensures it is possible to maintain a ‘trail of evidence’ which can be used to investigate inappropriate or illegal access. Audit log access controls are also in place, with explicit user authentication needed to view the audit log database. It is the responsibility of the Data Custodian to maintain the audit log and arrange the undertaking of an audit assessment with the IT service provider. Administrators will not have read, write, modify or delete access to audit logs. Restricting access to auditors or other independent roles reduces the risk of unauthorised access, modification and loss on the part of the administrator and also protects the administrator.
7.3 Policy review
This Policy was endorsed by the WAPHA IMG Committee on 9th May 2018. By its very nature this Policy is an evolving document that could be subject to change to maintain compliance with legislation and in line with WAPHA’s development. The Policy should be subject to regular review and modification as and when necessary and as a minimum:
• As part of an annual policy review;
• When there are significant changes to WAPHA’s information assets;
• When there are changes to the arrangements or laws which impact WAPHA’s operating
framework; or
• As deemed necessary by the IMG Committee, for example following a significant issue
relating to Information Management.
Any updates to this Policy should be overseen and then endorsed by the IMG Committee.
8 EDUCATION AND TRAINING
8.1 Education and training
To maintain the security and integrity of WAPHA’s information assets, it is important to ensure staff understand the key IM related risks and processes to safeguard against threats. In order to ensure a high level of information management awareness among staff, WAPHA will maintain an education and training program for staff, which includes:
• Compulsory IM awareness training for all WAPHA staff to ensure they fully understand
effective IM and its integral role in informing WAPHA’s operational and strategic
objectives;
• An up-to-date record of who has completed the relevant training; and
• Repeat IM awareness training for staff on an annual basis.
8.2 New starters
New starters will be supplied with the following documents and materials upon starting:
• Information Management educational flyers;
• WAPHA Code of Conduct;
• WAPHA Information Management Governance Policy (this document);
• WAPHA Internet e-mail practice Policy;
• WAPHA Naming Conventions; and
• WAPHA Strategic Plan.
New staff will be required to undertake the necessary on-boarding training within 2 months of commencing at WAPHA:
• Information Management awareness training; and
• ICT and Cyber educational training.
9 ADDITIONAL RESOURCES
Legislation, standards and guides
• Australian Government Information Security Manual;
• Australian/International Records Management Standard ISO/AS 15489;
• Criminal Code Act 1913;
• Freedom of Information Act 1992;
• Health Services Act 2016;
• Information Privacy Principles (under Commonwealth Privacy Act 1988);
• ISO/IEC 27001 Information Security Management; and
• National Health Act 1953.
Internal documents
• IMG Committee Terms of Reference;
• WAPHA Code of Conduct;
• WAPHA ICT Security Policy;
• WAPHA Internet e-mail practice Policy;
• WAPHA Naming Conventions; and
• WAPHA Strategic Plan 2015-2018.
APPENDIX 1
A. Information collection process
B. Information access process
C. Information disclosure process
D. Risk reporting procedure
E. Data breach response process
APPENDIX 2
A. Summary RACI
WAPHA Executive | IMG Committee | IM Secretary | Data Steward | Data Custodian | HR | Authorised User | Network Administrator | All Staff
Information collection
Determine organisational need for information C A R
Business case development I R A C
Business case approval R A C I
Executive approval R A C I I
Establishment of project groups R A I I
Establishment of method for information transfer R A
Initial quality assessment I R A
Assign classification and apply classification label C R A
Assign administration rights C R A
Document data elements R A
Update Information Register R I A I
Notify users of new information R A I
Information storage
Ensure privacy and security of information I R A
Request the creation of new directories I R A
Approve additional directories R A I
Establish new directories I C C I R A
Store information C R A I
Information archival C R A I
Information access and use
Complete Data access request form on WALLACE I R A R A
Approval of access to Public, Internal or Sensitive information I C R A
Approval of internal access to Highly Sensitive information I R A C
Approval of external entity access to Public, Internal or Sensitive information I R A C
Approval of external entity access to Highly Sensitive information I R A C I
Inform Authorised users of the requirements of use, storage, disclosure and disposal R A
Create additional permission groups A R
Permit access I I R A
Set period of access to information C R A
Document Authorised users and associated access periods R R A
Information disclosure
Pass information request to Information Management Secretary A R R R
Pass information request to relevant Data Custodian R A R
Liaise with requestor to ascertain information requirements A R
Approval for the disclosure of Public, Internal and Sensitive information I R A C
Approval for the disclosure of Highly Sensitive information R A C I
Develop contract/MOU outlining conditions of disclosure C A R
Prepare information for disclosure I R A
Arrange and execute secure transfer of information C R A
Information disposal
Ensure the disposal of information is in alignment with information classification requirements A R
Disposal of expiring information (exceeding useful lifespan or retention period) A R I
Risk management
Identifying and reporting risks I I A R R
Undertake preliminary risk assessment I R A
Complete risk identification form I R A
Preliminary risk mitigation plan I R A
Undertake full risk assessment R A R
Issue risk rating R A
Establishment of mitigation plans for risk rated: Low I C R A
Establishment of mitigation plans for risk rated: Moderate I R A C
Establishment of mitigation plans for risk rated: Extreme, High R A C I
Monitor actions and outcomes R A C I
Update IM risk register R A
Data breach and response
Notify data custodian(s) I R R A
Undertake containment measures I R A R R
File Data Breach Incident Form Part A C R R A
File Data Breach Incident Form Part B R A
Conduct breach assessment I R A
Notify Network Administrator I R A I
Conduct system integrity assessments I I R A
Review and plan mitigation strategy R A C
Issue internal communications I R A C
Issue external communications if required I R A C
Review Policies and Procedures I A R
Update IM risk register I R A
Management
Appointment of Data Stewards I R A
Appointment of Data Custodians I R A
Organising compulsory IM awareness training for all staff A C R R I
Provide new staff with necessary IM materials I R R A
Notify Network Administrator and Data Custodians of outgoing staff R A
Remove access permissions for outgoing staff R A R
Compliance
Conducting compliance checks R A R
Audit logging R A R
Maintenance of the audit log R A C
Description
APPENDIX 3
A. Acronyms
Term Definition
AIHW Australian Institute of Health and Welfare
DOH Department of Health
ICT Information and Communications Technology
IMG Information Management Governance
PHN Primary Health Network
RACI Responsible, Accountable, Consulted, Informed
WAPHA Western Australian Primary Health Alliance
B. Glossary of Terms
Term Definition
Authorised User A user who is granted access to data or information based on functional needs and is responsible for ensuring its appropriate use in accordance with the accompanying agreements, policies and guidelines.
Data Raw or processed facts and statistics collected into a single repository. Interchangeable with ‘information’ in most circumstances.
Data Breach A data breach is an incident in which information is compromised, disclosed, copied, transmitted, accessed, removed, destroyed, stolen or used by unauthorised individuals, whether accidentally or intentionally.
Data Classification Categorises the data according to confidentiality and security required.
Data Collection The process of acquiring data from a source, or reference to the collected data itself.
Data Custodian The Data Custodian is responsible for the day-to-day management of a data source/collection.
Data Steward Data Stewards are responsible for a data source/collection to be developed, maintained and utilised in accordance with the strategic priorities of the organisation.
Derivative Information Information which has been created or generated through the extraction, combination, paraphrasing or restatement of another information source(s).
Governance Refers to WAPHA’s rules, responsibility, accountability and structure over information management.
Information Data that has been processed in a meaningful way to enable users to make decisions.
Information Access Refers to the process of requesting authorisation, facilitating use, and the review of permissions.
Information Archival The process of moving information which is no longer actively used to a separate storage area for long-term retention.
Information Classification Categorises the information according to the confidentiality and security.
Information Collection Individual sets of data may be called ‘data collections’, ‘data assets’ or ‘data holdings’. Data comprising an information collection may come from various sources.
Information Disclosure The process of sharing information outside of WAPHA.
Information Disposal The means by which information should be disposed, based on its classification.
Information Management The process of collection, classification, access, storage, retention and disposal of data or information.
Information Retention The period for which information is legally allowed to be kept. After the retention period, information must be disposed of according to policy.
Information Use The handling, access, and analysis of information over its lifetime.
Publication Release of data externally in hard or soft copy through any media to parties outside of WAPHA.
Risk A possible event that would negatively impact the organisation. It has an associated likelihood and impact.
Risk Assessment The process of assessing a risk for the likelihood of its occurrence, the impact of its consequence, and appropriate procedures.
Risk Authority The owner of a risk who is responsible for monitoring and mitigation
Risk Management The objective of the governing body to manage the risks to the organisation, to minimise their negative impact if they were to occur.
Sanitisation A method of data destruction which renders target data unrecoverable through the process of multiple overwrites.
APPENDIX 4
A. Template response to organisations inappropriately submitting data to WAPHA
Note: This template should be used in the event a commissioned service provider provides WAPHA with identifiable data. In the event identifiable data is submitted via tender process, modify [entries] accordingly.
Subject: Data Breach: Data Inappropriately Provided to WAPHA
Body:
This email contains Personal Information which is a data breach in accordance with Clause [insert clause no as applicable] of the [agreement name] Agreement. As a result of this breach WAPHA requests that [provider name], as a matter of priority:
1. Review the circumstances and identify the cause of the breach and any other persons or organisations to whom the Personal Information has been provided (who are not lawfully permitted to receive the Personal Information);
2. Ensure that any other persons or organisations to whom this Personal Information has been provided identified in 1 above are advised to destroy the Personal Information;
3. Ensure any individuals, in the event serious harm is likely, have been notified and dealt with appropriately;
4. Ensure subcontractors or service providers affected by the breach have been notified and dealt with appropriately;
5. Identify and put in place mitigating strategies to prevent a breach from occurring again; and
6. Provide WAPHA a report containing the above information, including time frames in which each action will be completed.
WAPHA has endeavoured to destroy all copies of the reports submitted with Personal Information from its systems. As such, it would be most appreciated if the invoice could be re-submitted without the Personal Information. WAPHA further encourages review of the OAIC webpage to determine whether this breach requires formal reporting: https://www.oaic.gov.au/privacy/notifiable-data-breaches/report-a-data-breach/.