Storage and Transmission of Personal/Private Information Policy

Version: 1.1
TRIM file number:
Short description: As Above
Relevant to: All employees of CSU
Authority: This Policy has been approved by [Executive Director, Division of Information Technology] in accordance with the Policy on Delegations and Authorisations - Delegation Schedule 1, GOV.
Responsible officer: Administrative Assistant, Division of Information Technology
Responsible office: Office of Executive Director of the Division of Information Technology
Date introduced: 26 Nov 2011
Date(s) modified: 26 Feb 2013
Next scheduled review date: 26 Feb 2015
Related University documents:
Related legislation: Privacy Act 1998
Key words: policy …

Storage and Transmission of Personal/Private Information Policy 1.0 – February 2013 Page 1

1. PURPOSE

1.1 This document sets out Charles Sturt University’s (CSU’s) policy on Storage and Transmission of Personal/Private Information.

1.2 The objective of this policy is to ensure CSU staff are aware that substantial legal implications exist for the inappropriate storage and transmission of personal/private information, and that before undertaking any agreement or process that leads to the storage and/or transfer of personal/private information, appropriate advice is sought to ensure the most appropriate security and other mechanisms are enabled to reduce the inherent risk.

a) CSU is bound by the NSW Privacy and Personal Information Act (1988), and as such needs to take appropriate action so that personal and private information of its students and staff is handled in the most appropriate way to achieve the least chance of inappropriate exposure.

b) Whilst this is reasonably straightforward for Enterprise Information Systems (EIS), guidance is required where personal/private information is promoted or used outside the confines of these systems.

c) CSU staff are required to be particularly aware of their responsibilities when they have CSU personal/private information in their possession, or intend to transmit such information to a third party or point external to CSU.

d) Examples of areas where staff may have access to personal/private information where they need to consider its security are: P: drive, S: drive, email, departmental and Enterprise Information Systems.

e) Together with the increasing use of “Cloud Computing”, and the possibility that CSU ICT services will continue to use such services, it is imperative that the most appropriate solutions are implemented to reduce the risk of personal information exposure. Whilst it is not entirely possible to comply with components of the legislation, as most providers are off-shore, and potentially bound by privacy legislation relevant to the country, every effort has to be made to ensure the security of personal information and alignment of CSU practices to legislation where relevant and possible.

f) Each area and personal/private information set has its own unique requirements that need to be considered when stored or transmitted.

2. SCOPE

2.1 This policy covers the storage and transmission of any personal and/or private information within and outside CSU’s network.

Definition: CSU personal/private information is defined as any single or grouped information that could be used to identify a CSU staff member, student or other individual, past or present. Personal information can comprise as little as an identification number and last name.

Further definition may be found within the NSW Privacy and Personal Information Protection Act.

3. REFERENCES

This policy should be read in conjunction with:

- Privacy Act and any other related legislation
- CSU Privacy Statement
- CSU Private Management Plan
- DIT Privacy Statement
- DIT Enterprise Architecture and Liaison Standards and Principles
- DIT Enterprise Architecture and Liaison Master Data Governance Framework
- Delegations – IT & Records
- CSU Records Policy
- CSU Information Security Policy
- Cloud Computing Policy
- CSU Data Governance Committee

4. TIMING

This policy should be applied prior to any agreement or process that will enable the storage and transfer of any personal/private information, internal or external to CSU networks.

5. RESPONSIBILITIES

5.1 Any CSU staff member with delegated authority, who intends to store or transmit personal/private information, or approve storage or transmission of CSU students, staff, or other associated body, should engage the services of DIT, who will provide advice appropriate to the requirement (with assistance from CSU Legal and the CSU Ombudsman).

5.2 DIT, through the Executive Director (or nominee), will engage the services of CSU Legal and the CSU Ombudsman, as appropriate, to assist in the formation of any agreement required to support the storage and/or transport of information.

5.3 Any staff member who does not appropriately engage the services of DIT potentially places themselves at risk of litigation by individuals, irrespective of whether the information is exposed inappropriately.

6. METHOD

6.1 DIT, assisted by CSU Legal, the custodian(s) of the information and the CSU Ombudsman, will provide appropriate advice and support to the staff member(s) as requested.

6.2 Whilst DIT are not the custodians of any personal or private information (that is the role of the custodians), DIT are well placed to co-ordinate the activity so that the custodian is confident information is secured appropriately, and the consumer (of the information) has appropriate access to the required information.

6.3 No agreement, storage or transfer of personal/private information is to occur prior to any written approval from DIT.

Table of amendments

Version number    Date           Short description of amendment
1.0               2 Nov 2011     Creation of Policy
1.1               26 Feb 2013    Reviewed by Policy Review Team