Responsibility for policy: Information Technology Auditor
Approving authority: Managing Director
Last reviewed: November 2015
Next review date: November 2023
- This policy applies to all staff and contractors of Microware Solutions Limited.
- The purpose of this policy is to establish a framework of principles to be applied to the management, security and use of corporate data.
- This policy should be read in conjunction with the following documents:
- Personal Data Handling Policy
- Staff Code of Conduct / Employee Handbook
- In this policy: Corporate data means all data that is captured through the operation of the company, and includes, but is not restricted to:
- human resource data
- financial data
- facilities data
- customer data
- vendor data
- project data
- company policies, procedures and manuals
Primary source means the official Company record for the relevant data, as identified by the data custodian in consultation with the Information Systems management team.
- The following principles apply with respect to this policy:
- Corporate data is an important resource in informing the strategy and management of the company.
- Corporate data should be readily accessible to inform decision-making.
- All elements of the Company’s corporate data systems should be integrated.
- New data systems developed or purchased by the Company should be interfaced with the current corporate data systems and not implemented as stand-alone systems.
- Corporate data should be accurate and verifiable.
- The value of corporate data is increased through widespread, timely and consistent use.
- Any change in primary source data should be reflected in secondary sources.
- Corporate data must not be used for an individual’s own or for others’ personal gain or profit, or to satisfy one’s own or another’s curiosity.
- The Information Systems team is responsible for:
- promoting the value of Company data for Company-wide purposes and facilitating data sharing and integration
- documenting and promoting the structure and logic of Company data
- identifying items of corporate data and distinguishing primary data sources
- providing advice and support for security administrators
- providing advice and support for data custodians
- managing the integration of current and new systems as part of the Company corporate database
- managing technological implementation of common standard codes and data definitions throughout the Company
- liaising with data custodians with respect to approved uses for corporate data
- managing the design and implementation of processes for maintaining the integrity, accuracy, precision, timeliness, consistency, standardization and value of data.
- The ICT Committee is responsible for establishing the organizational entity with responsibility for the custodianship of data contained within a particular corporate data source.
- Chiefs, Directors or equivalent must ensure (where appropriate) that relevant staff in their areas of responsibility are designated as:
- security administrators
- data custodians.
- Data custodians are responsible for:
- identifying and documenting authorities for access to data and levels of access
- authorizing downloads and uploads of corporate data
- authorizing access to corporate data
- monitoring and enforcing the consistent application of processes for maintaining the integrity, accuracy, precision, timeliness, consistency, standardization and value of data
- arranging appropriate training for staff and others to ensure data is captured and used accurately and competently
- implementing processes established by security administrators.
- Security administrators are responsible for:
- providing access to users as specified by data custodians
- ensuring that appropriate safeguards exist to protect data and that appropriate disaster recovery and business continuity procedures are in place
- providing appropriate procedural controls to protect data from unauthorized access.
- Data users:
- are responsible for ensuring that all access to data through their user account is relevant and appropriate to the work being undertaken
- are responsible for ensuring that subsequent use and distribution of data accessed through their user account is valid and appropriate
- must not disclose Company data to unauthorized persons without the consent of the relevant data custodian
- must not disclose their password to anyone
- must abide by the requirements of the Privacy Act 1993 and other relevant statutes.
- Line managers are responsible for ensuring that all data users within their area of responsibility are aware of their responsibilities as set out in this policy.
Responsibility for monitoring compliance
- The Manager of Information and Technology Services is responsible for monitoring compliance with this policy, and for reporting breaches to the Managing Director.
- Breaches of this policy may result in disciplinary action under the Staff Code of Conduct / Employee Handbook.