Purpose

This policy outlines the Skills Insight principles for information management, and references the controls, procedures and processes required to ensure efficient, effective, and compliant information management practices that will support operational business, service delivery and strategic outcomes.

The Policy also provides the principles related to Skills Insight cybersecurity.

This policy has been established on the foundation of Skills Insight values, behaviours and strategies and all actions must be consistent with them. In the event of any conflict between this policy and the values, behaviours and strategies of Skills Insight, we request that you promptly notify the CEO for resolution.

Scope

The Skills Insight Information Management Policy applies to all Skills Insight staff and contractors that create, store, share, use and dispose of information. It includes the management of all digital and/or physical information, as well as information created or stored outside the organisation that is subject to Skills Insight legal and regulatory obligations. This includes any information which is Commonwealth Government IP being collected, created, recorded or stored by Skills Insight.

This policy applies to all business systems, services or applications used to create, manage, and store information, including Skills Insight and Commonwealth Government endorsed information and records management systems, cloud services and email systems, internal and external websites, social media applications, collaboration applications and databases.

This policy does not override any legal, regulatory, or statutory requirements that Skills Insight are bound to comply with.

Roles and Responsibilities

The Skills Insight Governance Manual and Risk Management Policy detail the roles and responsibilities assigned at various levels across the organisation that outline the ownership, custodianship and stewardship of Skills Insight information and information assets, and the management of risk applied to information management.

Information Management Policy

Skills Insight recognises the high value of its information assets, and the information assets held on behalf of the Commonwealth Government, and is committed to providing appropriate controls, processes, and procedures to ensure our information is governed, managed and compliant in accordance with relevant legislation, regulations, and standards and with Skills Insight information management principles.

Effective implementation of this Policy:

  • aligns information management initiatives to the strategic direction of Skills Insight
  • supports planning to ensure appropriate and necessary resources for the effective execution of information management are available
  • supports staff in contributing to the effectiveness and implementation of information management practices
  • enables continuous improvement through monitoring and reporting on information management practices
  • assists senior management in demonstrating best practice while supporting staff in information management initiatives within their areas of responsibility
  • supports the implementation of appropriate governance structures, roles and responsibilities.

Information Management Principles

The Skills Insight information management principles provide guidance for the management of information within our organisation. The principles outlined below must be implemented in practice at all levels of the organisation to ensure an appropriate level of information maturity is reached.

Skills Insight ensures information is:

a. Business-enabling, aligned to business needs and client outcomes.

Skills Insight only collects, creates, and manages information that directly supports organisational strategy, business functions and operations, services and delivery, and the needs of our client and stakeholders.

The use of Skills Insight approved business systems, services, and repositories to create, store, use and share information, ensures the information we rely on for making insightful business decisions is readily available to those that need it. Information held in appropriate business systems can be effectively managed, protected and made accessible.

b. Secure, valued and managed as an asset.

Skills Insight recognises that its information is a core component of our services and operations, supporting and maintaining information as a secure, long-term business asset where required. This entails identifying corporate information assets, registering, and tracking assets, and assigning appropriate governance and management responsibilities to those assets throughout their lifecycle.

Skills Insight provides an information governance structure, outlining clear information management roles and responsibilities.

Skills Insight offers an onboarding and offboarding register for staff to document all office equipment they possess, both when they join and when they leave the organisation. Whilst all information is contained in company managed servers, computers allocated to staff may contain mirrored information or additional information that is surrendered during the offboarding process.

c. Trustworthy, used and re-used with confidence.

Well-managed information is critical to the effective and efficient operation of our organisation by ensuring staff have access to the right information at the right time.

Skills Insight share information appropriately, ensuring the correct controls are in place to manage access, security, and privacy of the information available.

Information of a sensitive nature will be identified and labelled with Skills Insight confidentiality warnings or disclaimers.

d. Managed across the full lifecycle, protected from unauthorised use and inappropriate deletion.

The use of Skills Insight approved business systems, services, and repositories to create, store, use and share information, ensures the information is appropriately managed, maintained, protected, and secured.

All staff must be aware of their responsibilities regarding making and keeping appropriate business records, and the retention and disposal of those records. Appropriate retention policies are applied to all information stored in enterprise information management systems.

e. Available and open to the community and Governments in line with related policies and as applicable to the user’s role.

Skills Insight will comply with the Jobs and Skills Council Grant Agreement requirements and with any applicable Freedom of Information requirements.

f. Considered, planned, and designed to inform business operations and support systems design, architecture, and maintenance programs.

Information management needs including security and access, are consciously planned, and designed to meet business and governance requirements. Information management concepts and requirements are integrated into our internal procedures to ensure sound information management practices are undertaken across the organisation.

Information management principles are considered, planned, and integrated into business system design specifications and change management processes, and considered and planned at each stage of the development or release cycle to ensure new or existing systems meet the requirements of this Policy, as well as any legislative, regulatory, or statutory obligations.

Cybersecurity Policy

This policy is written with an understanding that cyber security and data fraud are a growing risk for all businesses with governance, insurance, operational, and reputational implications. It is also cognisant of the scale and characteristics of Skills Insight’s operations, including a reliance on the sound understanding and management of cyber risk by multiple vendors of cloud-based services and outsourced IT management functions.

Additionally, the policy is cognisant of the requirements of the 2018 National Notifiable Data Breach Scheme (Australia), as updated.

Cybersecurity Management Requirements

  • Skills Insight recognises the need to have a clear understanding of the cyber risk to which it is exposed and to prepare, plan, and train in a manner commensurate with the risks identified.
  • Skills Insight recognises the need to have a clear understanding of:
      • the value of its data;
      • who has access to its data;
      • an accurate understanding of how data is held and managed in the private cloud systems it uses; and
      • how and how well data is being protected.
  • Skills Insight recognises the importance of preparing for cyber events rather than reacting under duress, and that preparation includes Board discussion and staff readiness (such as simulation) activities.
  • Skills Insight recognises that short-term technical cyber breaches may also have other longer-term impacts on individuals and company reputation and that these potential impacts should be considered in preparation, planning and training.

Cybersecurity Responsibilities of the Board

  • It is the responsibility of the Skills Insight Board to understand what data Skills Insight systems hold, how it is protected, and whether the organisation has adequate arrangements in place to ensure business continuity and cyber remediation.
  • The Board will delegate its role in the response to any cyber breach that may occur to the CEO to ensure that a remediation process is in place, ready to be activated; and at the time of a cyber breach, have sufficient trust in the process – preparation, planning and training – undertaken by staff and third-party vendors to manage cyber incidents.
  • The Board, through the CEO, requires that all staff monitor and report on the cyber security measures put in place by its vendors on an annual basis or as otherwise required by the organisation.
  • The Board will ensure that, should a breach occur, communication made by the CEO to members, other persons in the JSC program, stakeholders and regulators is open, transparent and honest.

Cybersecurity Responsibilities of the CEO

  • Accountability for achievement of all responsibilities listed above is delegated to the Skills Insight CEO.
  • In addition to the annual reporting mechanism specified above, the CEO shall ensure that the occurrence of any cyber breach is noted in Skills Insight Board Agenda papers.
  • Cyber breaches will also be recorded in a Register of Cyber Events that can be viewed by the Board at any time.

Relationship to Other Policies

This policy should be read in conjunction with the following codes, policies and guidelines:

  • Skills Insight Privacy Policy
  • Skills Insight Responsible Procurement and Resource Management Policy
  • Skills Insight Fraud, Corruption & Prohibited Dealings Policy
  • Skills Insight Delegations
  • Business Continuity Plan