Procedure for the Management of Information Assets – [DATE] Page 1 of 8
PROCEDURE FOR THE MANAGEMENT OF INFORMATION ASSETS
Procedure Type: Management
Initially Approved:
Procedure Sponsor: General Counsel and University Secretary
Last Revised:
Primary Contact: Privacy, Access and Information Governance Office
Review Scheduled:
Approver: Executive Leadership Team
A. PROCEDURES
1. ESTABLISHMENT OF PRACTICES, RULES AND GUIDELINES
1.1 Information management practices over specific Information Assets may be
developed and modified as outlined below. These practices will set out mandatory
rules or recommended guidelines under which those Information Assets are to be
managed.
1.2 Information management practices may be established as follows:
a) Department Leaders may establish and modify departmental information
management practices over Information Assets held within their department.
Employees within that department are responsible for adhering to these
departmental information management practices.
b) The designated Department Leader(s) responsible for an Official Record
category may establish and modify information management practices over
those Official Records. All Employees responsible for or using an Official Record
must adhere to any established information management practices with respect
to that Official Record.
c) The ELT may designate Department Leaders with the authority to establish and
modify institutional information management practices over specific types of
Information Assets.
i. The Privacy, Access and Information Governance Office will maintain
records of all designations by the ELT.
ii. The designated Department Leader is responsible for ensuring that
applicable institutional information management practices are
available to all Employees who may use or manage applicable
Information Assets.
iii. All Employees are responsible for adhering to applicable institutional
information management practices established under this section.
d) Where more than one information management practice may apply to an
Information Asset, Employees using or managing the Information Asset will
endeavor to adhere to all established practices. If the established practices
cannot all be adhered to, Employees will seek written direction from their
Department Leader.
2. GENERAL PRINCIPLES FOR THE MANAGEMENT OF INFORMATION ASSETS
2.1 Information Assets should generally be created, received, maintained, protected and
destroyed in a way that aligns with the following Principles. This is particularly the
case where the Information Assets are categorized as an Official Record. The more
important the record is, the more closely these principles should be adhered to:
a) Authentic: means that the information contained within the record must come
from an identifiable source (i.e. an individual, committee or other entity) who has
authority over that information. Records which identify their source and the
authority of that source will increase the record’s authenticity.
i. To increase a record’s authenticity, the record should include
information in relation to the applicable operation or activity and how
the information was created or collected. This includes ensuring any
relevant decision maker is:
a. identifiable (i.e. where their identity is reliably recorded within the
record or system); and
b. authorized to make the decision or keep the record of decisions
as required on behalf of the University (including identifying the
source of this authority).
b) Reliable: means that the information contained in the Information Asset is both
complete and accurate concerning the University activity it is about.
i. To increase a record’s reliability, the University should be able to have
confidence the record is both complete and accurate concerning the
institutional activity the records are about.
ii. Reliable records are created or received in a manner where the
contents of the record, and the records as a collection, can be relied
upon to accurately attest to the institutional activities that they are
about.
c) Usable: means that the Information Asset is stored, filed, indexed or searchable
in a manner that allows it to be easily located and retrieved within a
reasonable time-frame to support efficient University operations.
i. To increase a record’s usability, the record should be stored, filed,
indexed and searchable in a universal manner that allows it to be easily
searched, located and retrieved by any Employee with an
operational need for access within a reasonable time-frame to support
efficient University operations.
d) Unaltered: means that the information contained in the Information Asset is
stored in a manner to reduce the risk of destruction, alteration or modification by
unauthorized individuals, processes or activities. Ideally, removals, deletions,
alterations or edits by authorized employees should follow access controls and
should be systematic, auditable or traceable.
i. To protect against a record being altered, the record can be secured
in a way that only those Employees authorized to access and alter the
record would be able to alter the contents of the record.
ii. This can include digital controls (where possible) that audit the access
and modifications to a record.
e) Comprehensive: means that the Information Asset contains sufficient
information about the University activity for the record to fully meet the current
and future needs of the University’s operations.
i. To ensure there is sufficient operational context within a record, the
record should contain sufficient information about the applicable
institutional activity for the maintained record to fully meet the current
and future needs of University operations.
f) Secure: means that the Information Asset is protected from unauthorized
access, use, disclosure, alteration or destruction through appropriate technical,
administrative, and physical controls.
i. To ensure that a record is secure, the record should be managed and
stored in a way that reflects the sensitivity and confidentiality of the
information contained within the record. This includes ensuring
storage mechanisms have appropriate and approved security
measures in place.
(collectively these are referred to as the “Principles”)
2.2 The way in which Information Assets will adhere to the Principles will vary between
departments and records storage systems. While the University will strive for
common approaches to similar types of records where possible, the operational
needs for the Information Assets should take precedence over conformity in the
manner in which records are stored. The operations that Information Assets
support may require different approaches to similar Information Assets in different
departments or records storage systems.
2.3 Not all Information Assets will be managed to the same standard of adherence to the
Principles. The way in which the University manages the Information Assets will vary
depending on the relative sensitivity, importance and value of the Information Asset
to the University. Where an Information Asset has greater sensitivity, importance or
value to the University, the record should be managed more closely to the Principles.
Official Records should be managed in close adherence to the Principles.
3. THE CREATION OR COLLECTION OF INFORMATION ASSETS
3.1 Department Leaders are responsible for oversight of the creation or receipt of
Information Assets in their Department.
a) Department Leaders should establish appropriate information management
practices that facilitate appropriate processes taking place upon the creation or
receipt of new Information Assets. These processes should facilitate the
continued use of the Information Assets in support of the University’s operations.
3.2 Upon creation or receipt of an Information Asset, the Employee who is responsible
for the record should take appropriate steps to ensure the authenticity and reliability
of the record.
3.3 Once the authenticity and reliability are confirmed, the Employee should ensure the
appropriate management of the Information Asset. This includes determining what
information management practices may apply to the records and following these
practices to incorporate the Information Asset into any applicable systems or
processes. This also includes correctly identifying the record as an Official Record
or Transitory Record, if applicable.
4. THE ONGOING MAINTENANCE OF INFORMATION ASSETS
4.1 Department Leaders are responsible for oversight of the maintenance of any
Information Assets in their Department.
a) Department Leaders should develop appropriate information management
practices for the continued maintenance and secure storage of Information
Assets held in their Department. This should include ensuring that the
Information Assets are readily accessible when operationally needed and
continue to remain reliable and usable. This also includes developing practices
to ensure that the Information Assets are only accessed by Employees who have
a need to access them and are only altered or destroyed where authorized.
4.2 Employees are required to maintain the Information Assets for which they are
responsible in a manner that adheres to the relevant information practices applicable
to the record.
4.3 If an Employee discovers that a record may not be authentic or reliable, the
Employee may take steps to correct the Information Asset if authorized to do so. If
not authorized to do so, the Employee should, in writing, bring the concerns
regarding the authenticity or reliability of the record to an individual authorized to
change the record or, if none is designated, the applicable Department Leader.
5. THE PROTECTION OF INFORMATION ASSETS
5.1 In developing information practices, Department Leaders will consider and
implement practices which establish reasonable security measures to protect the
Information Assets.
a) Reasonable security measures will be informed by the classification of the
Information Assets under the Procedure for the Classification of Information
Security and the relevant sensitivity, importance and value of the information in
the Information Asset to the University.
b) Reasonable protection measures may include, but are not limited to, the
following:
i. storing and retaining Information Assets in a manner that incorporates
administrative, physical and technological methods that limit the ability
for unauthorized individuals to destroy, access, edit, alter or corrupt
the records;
ii. where functionality reasonably permits, the applicable system
facilitates the ability to reasonably mitigate, prevent, discourage and
audit unauthorized access, edits or deletions of Information Assets; and
iii. where applicable, ensuring that Contractors who will create, receive,
maintain or have access to Information Assets when providing
services to the University are aware of their requirement to take
reasonable steps to protect the Information Assets as outlined in their
contractual obligations.
5.2 All Employees are required to adhere to all information practices that support
reasonable security measures to protect Information Assets. Even where no specific
information practices with respect to information security are established, Employees
are expected to maintain the Information Assets they are responsible for in a manner
that ensures the reasonable security of the information contained in those records.
5.3 Employees may only access and disclose identifiable personal information contained
in Information Assets where the information is necessary for the performance of the
Employee’s duties or functions in accordance with the University’s Privacy Policy.
5.4 Oversight and management of Information Assets does not necessarily require direct
access to any individual Information Asset. Department Leaders and those they
delegate to support the management of Information Assets should not access, use
or disclose specific Information Assets within those systems unless they have an
operational need to do so.
6. THE SECURE DESTRUCTION OF INFORMATION ASSETS
6.1 Department Leaders are responsible for creating information practices that ensure
the prompt destruction of Information Assets in their Department that are no longer
of operational use for the University and are not legally required to be held by the
University. This may include the establishment of retention periods for Information
Assets within the Department.
6.2 Employees who are responsible for the destruction of Information Assets must
consider the sensitivity of the information that is contained in the Information Asset
prior to destroying the record. Determining whether an Information Asset contains
sensitive information is informed by the Procedure for the Classification of
Information Security.
6.3 Employees must use reasonable measures, depending on the medium, to make the
sensitive information contained within the Information Asset unreadable to mitigate
against the risk of unauthorized access or disclosure of the information. This may
include, but is not limited to, the following methods:
a) using permanent deletion methods applicable for the digital record (including
deletion of backups where the record is highly sensitive);
b) making the digital record completely unreadable by the machine associated with
the applicable technology; or
c) shredding the physical paper record or utilizing confidential shred bins.
6.4 An Information Asset may have ongoing value as archival material. The Archives
and Special Collections selectively acquires archival records, materials and
publications that support teaching and research, or that relate to the history of Mount
Royal University in alignment with its Acquisition Guidelines.
a) Employees should consider whether it may be appropriate to transfer the
Information Asset to the Archives and Special Collections department instead of
destroying the Information Asset.
b) In determining whether it may be appropriate to inquire about transferring the
Information Asset to Archives and Special Collections, the Employee should
consider the sensitivity of the information contained in the record, such as
personal or confidential information.
c) If the Employee believes there may be an interest in Archives and Special
Collections maintaining the Information Asset set for destruction, they should
contact the Archives and Special Collections office. The final determination of
what Information Assets may be added to the Archives and Special Collections
remains with that office.
6.5 Official Records must only be destroyed in accordance with the established
information retention periods outlined in the applicable Official Record category list.
6.6 Transitory Records may be destroyed when they are no longer operationally
required.
6.7 Information Assets which are not Official Records or Transitory Records should be
destroyed when the Information Asset is no longer operationally required and any
established retention periods have expired.
A. DEFINITIONS
(1) Contractor: means an independent legal entity that is engaged in the
business of providing work in exchange for payment. An
independent legal entity includes an individual, sole
proprietorship, partnership or corporation.
(2) Data: means all recorded information in digital mediums that is
collected, created or managed by the University in the course
of its operations.
(3) Department: means a faculty within the Academic Division or a department
outside of the Academic Division. This definition does not
include Academic Departments. For clarity, within non-academic
Divisions, several smaller Departments may form
part of a larger Department within the Division, with each of
these units being individually considered a “Department”
for the purpose of this Policy.
(4) Department Leader: includes the leader of a Department or any other person
designated as a Departmental Leader by ELT. As an illustration,
this includes Vice-Provosts, Deans, Vice-Deans, Associate
Vice-Presidents, Directors and Managers.
(5) Division: means a division of the University that is led by a Vice-President
or the President.
(6) ELT: means Executive Leadership Team.
(7) Employee: means individuals who are engaged to work for the University
under an employment contract, including but not limited to,
faculty, staff, exempt, casual and management employees.
(8) Executive Leader: means a member of the ELT who manages a University
Division.
(9) Faculty Member: A person responsible for an academic or scholarly activity and
can include course instructor, faculty member, practicum
coordinator, work integrated supervisor, research associate
and others.
(10) Information Assets: means Data or other record containing the University’s
information in any form or medium and includes, but is not
limited to, notes, emails, letters, images, audiovisual
recordings, documents, databases, maps, drawings,
photographs, invoices and any other materials that are written,
photographed, recorded, captured or stored in any manner, but
does not include the materials specifically excluded in the
Scope of this Policy. The definition includes Data itself, but
does not include software or any mechanism that stores,
produces or reads the Data.
(11) Official Records: means an Information Asset that is categorized as an Official
Record in the Policy.
(12) Policy: means the Information Governance Policy.
(13) Principles: means the principles for the management of Information Assets
set out in the Procedure for the Management of Information
Assets.
(14) Transitory Records: means an Information Asset that meets the description
articulated in the Policy.
(15) University: means Mount Royal University.
B. RELATED POLICIES
● Information Governance Policy
● Access to Information Policy
● Privacy Policy
● Information Security Policy
C. RELATED LEGISLATION
● Access to Information Act, SA, 2024, c.A-1.4
● Protection of Privacy Act, SA, 2024, c P-28.5
D. RELATED DOCUMENTS
● Procedure for the Categorization of University Official Records
● Procedure for the Classification of Information Security
● International Standard: ISO 24143 - Information Governance - Concepts and Principles
(2022)
E. REVISION HISTORY
Date (mm/dd/yyyy) | Description of Change | Sections | Person who Entered Revision (Position Title) | Person who Authorized Revision (Position Title)