Purpose
This policy outlines the Skills Insight principles for information management, and references the controls, procedures and processes required to ensure efficient, effective, and compliant information management practices that will support operational business, service delivery and strategic outcomes.
The Policy also provides the principles related to Skills Insight cybersecurity.
This policy has been established on the foundation of Skills Insight values, behaviours and strategies and all actions must be consistent with them. In the event of any conflict between this policy and the values, behaviours and strategies of Skills Insight, we request that you promptly notify the CEO for resolution.
Scope
The Skills Insight Information Management Policy applies to all Skills Insight staff and contractors that create, store, share, use and dispose of information. It includes the management of all digital and/or physical information, as well as information created or stored outside the organisation that is subject to Skills Insight legal and regulatory obligations. This includes any information which is Commonwealth Government IP being collected, created, recorded or stored by Skills Insight.
This policy applies to all business systems, services or applications used to create, manage, and store information, including Skills Insight and Commonwealth Government endorsed information and records management systems, cloud services and email systems, internal and external websites, social media applications, collaboration applications and databases.
This policy does not override any legal, regulatory, or statutory requirements that Skills Insight are bound to comply with.
Roles and Responsibilities
The Skills Insight Governance Manual and Risk Management Policy detail the roles and responsibilities assigned at various levels across the organisation that outline the ownership, custodianship and stewardship of Skills Insight information and information assets, and the management of risk applied to information management.
Information Management Policy
Skills Insight recognises the high value of its information assets, and the information assets held on behalf of the Commonwealth Government, and is committed to providing appropriate controls, processes, and procedures to ensure our information is governed, managed and compliant in accordance with relevant legislation, regulations, and standards and with Skills Insight information management principles.
Effective implementation of this Policy:
Information Management Principles
The Skills Insight information management principles provide guidance for the management of information within our organisation. The principles outlined below must be implemented in practice at all levels of the organisation to ensure an appropriate level of information maturity is reached.
Skills Insight ensures information is:
a. Business-enabling, aligned to business needs and client outcomes.
Skills Insight only collects, creates, and manages information that directly supports organisational strategy, business functions and operations, services and delivery, and the needs of our client and stakeholders.
The use of Skills Insight approved business systems, services, and repositories to create, store, use and share information ensures the information we rely on for making insightful business decisions is readily available to those who need it. Information held in appropriate business systems can be effectively managed, protected and made accessible.
b. Secure, valued and managed as an asset.
Skills Insight recognises that its information is a core component of our services and operations, supporting and maintaining information as a secure, long-term business asset where required. This entails identifying corporate information assets, registering, and tracking assets, and assigning appropriate governance and management responsibilities to those assets throughout their lifecycle.
Skills Insight provides an information governance structure, outlining clear information management roles and responsibilities.
Skills Insight offers an onboarding and offboarding register for staff to document all office equipment they possess, both when they join and when they leave the organisation. Whilst all information is contained in company managed servers, computers allocated to staff may contain mirrored information or additional information that is surrendered during the offboarding process.
c. Trustworthy, used and re-used with confidence.
Well-managed information is critical to the effective and efficient operation of our organisation by ensuring staff have access to the right information at the right time.
Skills Insight shares information appropriately, ensuring the correct controls are in place to manage access, security, and privacy of the information available.
Information of a sensitive nature will be identified and labelled with Skills Insight confidentiality warnings or disclaimers.
d. Managed across the full lifecycle, protected from unauthorised use and inappropriate deletion.
The use of Skills Insight approved business systems, services, and repositories to create, store, use and share information ensures the information is appropriately managed, maintained, protected, and secured.
All staff must be aware of their responsibilities regarding making and keeping appropriate business records, and the retention and disposal of those records. Appropriate retention policies are applied to all information stored in enterprise information management systems.
e. Available and open to the community and Governments in line with related policies and as applicable to the user’s role.
Skills Insight will comply with the Jobs and Skills Council Grant Agreement requirements and with any applicable Freedom of Information requirements.
f. Considered, planned, and designed to inform business operations and support systems design, architecture, and maintenance programs.
Information management needs, including security and access, are consciously planned and designed to meet business and governance requirements. Information management concepts and requirements are integrated into our internal procedures to ensure sound information management practices are undertaken across the organisation.
Information management principles are considered, planned, and integrated into business system design specifications and change management processes, and considered and planned at each stage of the development or release cycle to ensure new or existing systems meet the requirements of this Policy, as well as any legislative, regulatory, or statutory obligations.
Cybersecurity Policy
This policy is written with an understanding that cyber security and data fraud are a growing risk for all businesses, with governance, insurance, operational, and reputational implications. It is also cognisant of the scale and characteristics of Skills Insight’s operations, including a reliance on the sound understanding and management of cyber risk by multiple vendors of cloud-based services and outsourced IT management functions.
Additionally, the policy is cognisant of the requirements of the 2018 National Notifiable Data Breach Scheme (Australia), as updated.
Cybersecurity Management Requirements
Cybersecurity Responsibilities of the Board
Cybersecurity Responsibilities of the CEO
Relationship to Other Policies
This policy should be read in conjunction with the following codes, policies and guidelines: