IT Institutional Data Management Policy


This policy applies to all members of the University community whether at the University or elsewhere, and refers to all IT resources.


Institutional data is a key asset of the University. Successful management and protection of the institutional data under the care of the University is critical to the educational, research and administrative functions of the University.

This policy outlines responsibilities for the care of institutional data and serves to:

  • ensure the establishment, maintenance, and delivery of secure, confidential, trustworthy, stable, reliable, and accessible collections of institutional data for shared access by the University community
  • maximise the value received from the data asset by increasing the understanding and use of the data


  1. IT Users must take all reasonable care to protect institutional data from unlawful or unauthorised access, alteration or destruction and/or inappropriate disclosure or use
  2. Access to institutional data will be granted only with appropriate and lawful authorisation, based on the proposed user's role and the intended use of the data
  3. Authorisation and access to critical and sensitive data will be documented, reviewed, modified, and terminated as appropriate
  4. Each unit will develop and implement data management plans that address the quality, availability and accessibility of the data throughout its lifecycle
  5. Contingency plans will be developed and implemented. Disaster Recovery/Business Continuity plans and other methods of responding to an emergency or other occurrences of damage to systems containing institutional data will be developed, implemented, and maintained

Responsibilities for implementation

Each University Dean and Director and the CEO of UniServices is responsible for implementing and ensuring compliance with this policy within their unit.


The following definitions apply to this policy:

Critical data refers to the importance of the data to the operation of the University

Institutional data includes a data element which satisfies one or more of the following criteria, it is:

  • relevant to planning, managing, operating, controlling, internal or external accountability or auditing of the University
  • created, received, maintained, or transmitted as a result of educational, clinical, or research activities
  • generally referenced or required for use by more than one organisational unit
  • included in an official University academic or administrative report
  • data that the University is legally/ contractually obliged to hold
  • generated by an IT user using any of the above data

IT resources refers to any University owned or operated hardware or software and the data that is used or stored on it

IT user means any individual member of the University community using IT resources

Sensitive data refers to data whose unauthorised disclosure may have serious adverse effect on individuals or on the University’s reputation, resources, or services

Unit(s) refers to an organisational grouping across the University and includes a faculty, or research centre or service division or UniServices

University means the University of Auckland and includes all subsidiaries

University community includes all staff (whether permanent, temporary or part time), honorary staff, students (whether full time or part time), contractors, subcontractors, consultants, alumni, associates, business partners or official visitors or guests of members of the University or UniServices

Document managment and control

Prepared by: IT Risk Manager
Owned by: CIO
Approved by: The Vice Chancellor
Date approved: November 2013
Review date: November 2016