Responsibility for policy: Information Technology Auditor
Approving authority: Managing Director
Last reviewed: November 2015
Next review date: November 2023
Application
- This policy applies to all staff and contractors of Microware Solutions Limited.
Purpose
- The purpose of this policy is to establish a framework of principles to be applied to the management, security and use of corporate data.
Related Documents
- This policy should be read in conjunction with the following documents:
- Personal Data Handling Policy
- Personal Information and Privacy Policy
- Staff Code of Conduct / Employee Handbook
Definitions
- In this policy: Corporate data means all data that is captured through the operation of the company, and includes, but is not restricted to:
- human resource data
- financial data
- facilities data
- customer data
- vendor data
- project data
- Company policies, procedures and manuals
Primary source means the official Company record for the relevant data, as identified by the data custodian in consultation with the Information Systems management team.
Principles
- The following principles apply with respect to this policy:
- Corporate data is an important resource in informing the strategy and management of the company.
- Corporate data should be readily accessible to inform decision-making.
- All elements of the Company’s corporate data systems should be integrated.
- New data systems developed or purchased by the Company should be interfaced with the current corporate data systems and not implemented as stand-alone systems.
- Corporate data should be accurate and verifiable.
- The value of corporate data is increased through widespread, timely and consistent use.
- Any change in primary source data should be reflected in secondary sources.
- Corporate data must not be used for an individual’s own or for others’ personal gain or profit, or to satisfy one’s own or another’s curiosity.
Responsibilities
- The Information Systems team is responsible for:
- promoting the value of Company data for Company-wide purposes and facilitating data sharing and integration
- documenting and promoting the structure and logic of Company data
- identifying items of corporate data and distinguishing primary data sources
- providing advice and support for security administrators
- providing advice and support for data custodians
- managing the integration of current and new systems as part of the Company corporate database
- managing technological implementation of common standard codes and data definitions throughout the Company
- liaising with data custodians with respect to approved uses for corporate data
- managing the design and implementation of processes for maintaining the integrity, accuracy, precision, timeliness, consistency, standardization and value of data.
- The ICT Committee is responsible for establishing the organizational entity with responsibility for the custodianship of data contained within a particular corporate data source.
- Chiefs, Directors or equivalent must ensure (where appropriate) that relevant staff in their areas of responsibility are designated as:
- security administrators
- data custodians.
- Data custodians are responsible for:
- identifying and documenting authorities for access to data and levels of access
- authorizing downloads and uploads of corporate data
- authorizing access to corporate data
- monitoring and enforcing the consistent application of processes for maintaining the integrity, accuracy, precision, timeliness, consistency, standardization and value of data
- arranging appropriate training for staff and others to ensure data is captured and used accurately and competently
- implementing processes established by security administrators.
- Security administrators are responsible for:
- providing access to users as specified by data custodians
- ensuring that appropriate safeguards exist to protect data and that appropriate disaster recovery and business continuity procedures are in place
- providing appropriate procedural controls to protect data from unauthorized access.
- Data users:
- are responsible for ensuring that all access to data through their user account is relevant and appropriate to the work being undertaken
- are responsible for ensuring that subsequent use and distribution of data accessed through their user account is valid and appropriate
- must not disclose Company data to unauthorized persons without the consent of the relevant data custodian
- must not disclose their password to anyone
- must abide by the requirements of the Privacy Act 1993 and other relevant statutes.
- Line managers are responsible for ensuring that all data users within their area of responsibility are aware of their responsibilities as set out in this policy.
Responsibility for monitoring compliance
- The Manager of Information and Technology Services is responsible for monitoring compliance with this policy, and for reporting breaches to the Managing Director.
- Breaches of this policy may result in disciplinary action under the Staff Code of Conduct / Employee Handbook.