Records Management Network
Agenda
1. Welcome and Records team update – Lucy Davies, Acting Associate Director, Information Governance & Engagement, Legal & Risk
2. Privacy by Design @ UoM: Managing and Securing University Records – Mary Oppy, Education and Training Coordinator, Legal & Risk & Imogen Telfer, Records Officer, Records Services
3. Networking/Afternoon Tea
4. Records Online Project Update (previously Improved Recordkeeping) – Narelle Moorhouse, Organisational Change & Communications Manager, Records Online, Project Services
5. Revised University Retention & Disposal Authority - Resources – Chris Stueven, Acting Records Analyst, Records Services, Legal & Risk
6. Thank you and notice for the next meeting – Lucy Davies, Acting Associate Director, Information Governance & Engagement, Legal & Risk
November, 2017
Welcome and Records Team Update
Lucy Davies, Acting Associate Director, Information Governance & Engagement, Legal & Risk
November, 2017
Imogen Telfer & Mary Oppy, Legal & Risk
Introductions
• Bronwyn Thomas, Coordinator Risk & Compliance. Privacy Impact Assessment (PIA) – Contact via PIA Review pia‐[email protected]
• Susan Maye, Privacy Coordinator, Legal and Risk
• Sunil Mundan, Senior Analyst, IT Security, Infrastructure Services
• Imogen Telfer, Records Officer, Legal and Risk
• Mary Oppy, Education & Training Coordinator ‐ Legal & Risk
Topics
• Privacy key terms
• Privacy impact assessments
• 7 Foundational Principles of Privacy by Design
• Questions
What is Personal Information?
Recorded information or opinion, whether true or not, about an individual whose identity is apparent or can be reasonably ascertained
• Name
• Signature
• Telephone Number
• Email, Home or Work Address
• Employment Position
• Voice Recordings, Photographs or Videos
• Medical Records
• Academic Records
What is a University Record?
All documents and information created, sent and received by University of Melbourne staff when carrying out University business.
• Emails
• Finance documents
• OH&S documentation
• etc. etc. etc.
“… staff are responsible for:
• creating, capturing, managing and disposing of records of their University duties
• being aware of their responsibilities for protecting personal and confidential information when accessing University records”
Records Management Policy (MPF1106)
Privacy impact assessments (PIAs)
PIAs are undertaken as part of a sound risk management strategy, to assess whether it is safe to proceed with any new project.
PIAs are living documents and are undertaken if changes are made to the way we collect, use, store or dispose of personal information.
Privacy Impact Assessment
Records Management
IT Security
Privacy
Physical Location
Proactive not reactive
Preventative not remedial
• Establish and monitor governance mechanisms for privacy responsibility.
• Promote an organisation‐wide ‘privacy‐culture’ to ensure that privacy is integrated into your policies and programs.
• ‘Operationalise’ privacy by establishing and implementing privacy policies, conducting privacy awareness training, and developing data breach response protocols in the event that a breach does occur.
• Audit and monitor your organisation’s information handling processes.
Privacy as the default setting
• Ensure that the necessary privacy controls are built into new systems during the design and procurement phases.
• Undertake privacy impact assessments for all projects and programs that involve personal information.
Privacy embedded into design
• Ensure that a program’s overall risk assessment includes an obligation to consider potential privacy risks.
• Ensure that programs are signed off with appropriate privacy protections in place prior to a project’s commencement.
Full functionality: Positive‐sum not zero sum
• Commit to finding workable solutions to achieve multiple objectives, rather than compromising any interests that seem to be in competition
End–to–end security
• Ensure University staff understand – and are able to adhere to – their privacy responsibilities at all times.
• Ensure that contractual agreements with third parties and vendors clearly set out obligations and responsibilities, from the commencement of a program through to the point of data destruction.
• Map a program’s data flows and ensure that security measures are in place at each stage, including user authentication, encryption and destruction of data.
Visibility and transparency
• Commit to keeping the organisation’s practices transparent to the extent possible, without inviting risk.
• Seek independent verification for programs and procedures (processes) to ensure compliance with privacy obligations.
Respect for user privacy
• Support an approach to designing programs that considers privacy from a user’s point of view.
‘All seven foundational principles work together and need to be implemented holistically: Privacy by Design can’t be cherry picked.’
Raffaella Di Maio & Mary
Last Word & Questions
“Promoting a workplace culture that values and respects individual privacy contributes to enhanced trust in employers and creates a positive working environment.”
CPDP, 2016
Implementing strong records management leads to:
• improvement of business processes and decisions
• reduced information storage and application management costs
• compliance with freedom of information, privacy and security requirements
• preservation of vital and historical records.
PROV, 2017
Records Management Network meeting
Records Online update (formerly Improved Recordkeeping project)
27 October, 2017
Project to date:
Rollout and Migration: 13 business units of the University are now working with HPE CM
Records identified as retained across the 13 business units to date:
• Documents – 27,266
• Folders – 1,389
• Captured email – 189,114
(includes all units engaged, including Records & Compliance)
Other Related Activities completed to mitigate challenges:
• Implementation of My UniApps enables Mac Users to now access HPE CM via the Citrix client
HPE CM continues to be available for implementation
Lessons Learnt:
• HPE CM rollout thus far has been highly valuable in implementing best of breed for records management and helping shape the next phase of the project
• Whilst HPE CM is widely embraced and loved by those in records/compliance roles and those with a passion for records management, the non‐records specialist finds HPE CM challenging
• Feedback provided by the 13 divisions and MGSE over the last 9 months has helped to identify the need for an enhanced user experience, to achieve success in the goal of improved recordkeeping and the benefits that provides
• Coinciding with the implementation of Office 365, the University has identified SharePoint Online as a suitable front end experience with HPE CM as back end. This integrated combination is seen as an easy and natural path for document collaboration, optimisation and improved records management
Recent activity:
The project has recently completed user workshops which explored user requirements and needs which have informed the architecture of SharePoint Online templates.
Workshops were run with representatives from:
• Melbourne Veterinary School
• Off‐Shore Recruitment
• Chancellery Research
• EA Network
The response was very positive, with a clear desire for improved records management across the University, and awareness that end user experience will influence success.
• School of Biomedical Sciences• School of Chemistry• School of Physics
Why Rebrand?
Responding to the next phase of the project and the integrated solution of SharePoint Online as the front end with HPE CM as the back end, it was timely to align the project identity with the new direction & solution design.
Records Online represents the integrated solution whilst maintaining the strong records management commitment and identity within the University. It also distinguishes the compliant integrated solution of SharePoint Online – HPE CM from stand-alone SharePoint sites, which will be vital when we roll‐out in 2018.
Take a look at the updated project webpage for more information https://staff.unimelb.edu.au/governance/projects/current‐projects/compliance/improved‐recordkeeping
Next steps:
As the Records Online project progresses with the next phase, development of SharePoint Online – HPE CM integration (SPO‐HPECM) and pilot, there are beneficial actions your faculty/school/division can take that will help prepare for a smooth transition.
It is an ideal time to look at scheduling one or more of the workshops to enable optimal action plans which benefit the business and help prepare for a smooth transition to either HPE CM or SPO‐HPECM in 2018.
Please see the webpage for more information.
Getting Ready flyer
Next steps:
The next phase of the project is focused on:
• Undertaking a “current state” analysis across selected areas
• Development of:
  – Governance Framework for SharePoint Online & O365
  – Templates for integrated SharePoint Online‐HPE CM rollout across UoM
  – Conceptual Solution Design incorporating the integration of HPE CM with SharePoint Online
  – High level Security Architecture
  – Metadata model to support the integration of HPE CM with SharePoint Online
  – Project implementation plan & timeline for UoM rollout
  – Change and communications analysis, strategy & plan for implementation
• Determine (high level) support requirements (Business & IT)
• Undertake a pilot(s) of the solution
• Implementation
Updated Retention & Disposal Authority
Summary and Key Resources
Chris Stueven, Acting Records Analyst, Legal & Risk
What is a Record?
‘…recorded information, in any format (e.g. electronic, paper, image) created or received by staff of the University in the course of conducting their University duties.’
Records Management Policy (MPF1106)
Why we retain information?
Maintain Effective Corporate Memory
Significant Impact on Individuals
Evidence of university business
Significant Contribution to Community Memory
Regulatory & Policy Requirements
Proof of Accountability (i.e. transparency)
Environmental Management & Change
Why we destroy information
Ensure available information at hand is relevant
Better retrieval rates of information required for business
Reduced risk of security or privacy breach
Reduce our physical and digital storage needs
Builds a healthy information culture
Documented destruction supports transparency of practices
Ensures the university retains records only as long as required by law
Key Dates and Resources
Next week
• Formal notification to Faculty Executive Directors and senior university staff.
• Notice provided to all university staff via Records Management Network, Staff News and other avenues.
November
• Revised RDA released on Wednesday 7 November.
• Available resources:
  – Information page on Records website
  – Mapping document
  – Drop-in times for questions and assistance
December
• Records Services staff available to present in staff meetings.
Contact us
Chris Stueven, Acting Records Analyst, Information Governance & Engagement
Ph: 834 45210
E: [email protected]