Records Management Network October 27 November, 2017


Agenda

1. Welcome and Records team update
   Lucy Davies, Acting Associate Director, Information Governance & Engagement, Legal & Risk

2. Privacy by Design @ UoM: Managing and Securing University Records
   Mary Oppy, Education and Training Coordinator, Legal & Risk & Imogen Telfer, Records Officer, Records Services

3. Networking/Afternoon Tea

4. Records Online Project Update (previously Improved Recordkeeping)
   Narelle Moorhouse, Organisational Change & Communications Manager, Records Online, Project Services

5. Revised University Retention & Disposal Authority - Resources
   Chris Stueven, Acting Records Analyst, Records Services, Legal & Risk

6. Thank you and notice for the next meeting
   Lucy Davies, Acting Associate Director, Information Governance & Engagement, Legal & Risk


Welcome and Records Team Update

Lucy Davies, Acting Associate Director, Information Governance & Engagement, Legal & Risk


Privacy by Design @ UoM: Managing & Securing University Records

Records Management Network

Imogen Telfer & Mary Oppy, Legal & Risk

Introductions

• Bronwyn Thomas, Coordinator Risk & Compliance. Privacy Impact Assessment (PIA) – Contact via PIA Review pia‐[email protected]
• Susan Maye, Privacy Coordinator, Legal and Risk
• Sunil Mundan, Senior Analyst, IT Security, Infrastructure Services
• Imogen Telfer, Records Officer, Legal and Risk
• Mary Oppy, Education & Training Coordinator ‐ Legal & Risk


Topics

• Privacy key terms
• Privacy impact assessments
• 7 Foundational Principles of Privacy by Design
• Questions


What is Personal Information?

Recorded information or opinion, whether true or not, about an individual whose identity is apparent or can be reasonably ascertained

• Name
• Signature
• Telephone Number
• Email, Home or Work Address
• Employment Position
• Voice Recordings, Photographs or Videos
• Medical Records
• Academic Records


What is a University Record?

All documents and information created, sent and received by University of Melbourne staff while carrying out University business.

• Emails
• Finance documents
• OH&S documentation
• etc. etc. etc.

“…staff are responsible for:
• creating, capturing, managing and disposing of records of their University duties
• being aware of their responsibilities for protecting personal and confidential information when accessing University records”

Records Management Policy (MPF1106)


Privacy impact assessments (PIAs)

PIAs are undertaken as part of a sound risk management strategy, to assess whether it is safe to proceed with any new project.

PIAs are living documents and are undertaken if changes are made to the way we collect, use, store or dispose of personal information.


Privacy Impact Assessment

Records Management

IT Security

Privacy

Physical Location


Proactive not reactive

Preventative not remedial

• Establish and monitor governance mechanisms for privacy responsibility.
• Promote an organisation‐wide ‘privacy‐culture’ to ensure that privacy is integrated into your policies and programs.
• ‘Operationalise’ privacy by establishing and implementing privacy policies, conducting privacy awareness training, and developing data breach response protocols in the event that a breach does occur.
• Audit and monitor your organisation’s information handling processes.


Privacy as the default setting

• Ensure that the necessary privacy controls are built into new systems during the design and procurement phases.
• Undertake privacy impact assessments for all projects and programs that involve personal information.


Privacy embedded into design

• Ensure that a program’s overall risk assessment includes an obligation to consider potential privacy risks.
• Ensure that programs are signed off with appropriate privacy protections in place prior to a project’s commencement.


Full functionality: Positive‐sum not zero sum

Commit to finding workable solutions to achieve multiple objectives, rather than compromising any interests that seem to be in competition.


End–to–end security

• Ensure University staff understand – and are able to adhere to – their privacy responsibilities at all times.
• Ensure that contractual agreements with third parties and vendors clearly set out obligations and responsibilities, from the commencement of a program through to the point of data destruction.
• Map a program’s data flows and ensure that security measures are in place at each stage, including user authentication, encryption and destruction of data.


Visibility and transparency

• Commit to keeping the organisation’s practices transparent to the extent possible, without inviting risk.
• Seek independent verification for programs and procedures (processes) to ensure compliance with privacy obligations.


Respect for user privacy

Support an approach to designing programs that considers privacy from a user’s point of view.

‘All seven foundational principles work together and need to be implemented holistically: Privacy by Design can’t be cherry picked.’


Last Word & Questions

“Promoting a workplace culture that values and respects individual privacy contributes to enhanced trust in employers and creates a positive working environment.”

CPDP, 2016

Implementing strong records management leads to:
• improvement of business processes and decisions
• reduced information storage and application management costs
• compliance with freedom of information, privacy and security requirements
• preservation of vital and historical records.

PROV, 2017

Networking/Afternoon Tea

Supported by Legal & Risk and Dr Dax Kitchen


Records Management Network meeting 

Records Online update (formerly Improved Recordkeeping project)

27 October, 2017

Project to date:

Rollout and Migration: 13 business units of the University are now working with HPE CM

Records identified as retained across the 13 business units to date:
• Documents – 27,266
• Folders – 1,389
• Captured email – 189,114
(includes all units engaged, including Records & Compliance)

Other Related Activities completed to mitigate challenges:
• Implementation of My UniApps enables Mac Users to now access HPE CM via the Citrix client

HPE CM continues to be available for implementation

Lessons Learnt:

• HPE CM rollout thus far has been highly valuable in implementing best of breed for records management and helping shape the next phase of the project

• Whilst HPE CM is widely embraced and loved by those in records/compliance roles and those with a passion for records management, the non‐records specialist finds HPE CM challenging

• Feedback provided by the 13 divisions and MGSE over the last 9 months has helped to identify the need for an enhanced user experience, to achieve success in the goal of improved recordkeeping and the benefits that provides

• Coinciding with the implementation of Office 365, the University has identified SharePoint Online as a suitable front end experience with HPE CM as back end. This integrated combination is seen as an easy and natural path for document collaboration, optimisation and improved records management

Recent activity:

The project has recently completed user workshops which explored user requirements and needs which have informed the architecture of SharePoint Online templates.

Workshops were run with representatives from:
• Melbourne Veterinary School
• Off‐Shore Recruitment
• Chancellery Research
• EA Network
• School of Biomedical Sciences
• School of Chemistry
• School of Physics

The response was very positive, with a clear desire for improved records management across the University, and awareness that end user experience will influence success.

Why Rebrand?

Responding to the next phase of the project and the integrated solution of SharePoint Online as the front end with HPE CM as the back end it was timely to align the project identity with the new direction & solution design

Records Online represents the integrated solution whilst maintaining the strong records management commitment and identity within the University. It also distinguishes the compliant integrated solution of SharePoint Online – HPE CM, from stand alone SharePoint sites, which will be vital when we roll‐out in 2018.

Take a look at the updated project webpage for more information https://staff.unimelb.edu.au/governance/projects/current‐projects/compliance/improved‐recordkeeping

Next steps:

As the Records Online project progresses with the next phase, development of SharePoint Online – HPE CM integration (SPO‐HPECM) and pilot, there are beneficial actions your faculty/school/division can take that will help prepare for a smooth transition.

It is an ideal time to look at scheduling one or more of the workshops to enable optimal action plans which benefit the business and help prepare for a smooth transition to either HPE CM or SPO‐HPECM in 2018. Please see the webpage for more information.

Getting Ready flyer

Next steps:

The next phase of the project is focused on:
• Undertaking a “current state” analysis across selected areas
• Development of:
  – Governance Framework for SharePoint Online & O365
  – Templates for integrated SharePoint Online‐HPE CM rollout across UoM
  – Conceptual Solution Design incorporating the integration of HPE CM with SharePoint Online
  – High level Security Architecture
  – Metadata model to support the integration of HPE CM with SharePoint online
  – Project implementation plan & timeline for UoM rollout
  – Change and communications analysis, strategy & plan for implementation
• Determine (high level) support requirements (Business & IT)
• Undertake a pilot(s) of the solution
• Implementation

Thank you

Updated Retention & Disposal Authority

Summary and Key Resources

Chris Stueven, Acting Records Analyst, Legal & Risk

What is a Record?

‘…recorded information, in any format (e.g. electronic, paper, image) created or received by staff of the University in the course of conducting their University duties.’

Records Management Policy (MPF1106)

University Records

Spreadsheets Data

Paper Email

Social Media

Why we retain information?

Maintain Effective Corporate Memory

Significant Impact on Individuals

Evidence of university business

Significant Contribution to Community Memory

Regulatory & Policy Requirements

Proof of Accountability (i.e. transparency)

Environmental Management & Change

Why we destroy information

Ensure available information at hand is relevant

Better retrieval rates of information required for business

Reduced risk of security or privacy breach

Reduce our physical and digital storage needs

Builds a healthy information culture

Documented destruction supports transparency of practices

Ensures the university retains records only as long as required by law

Why the changes?

Legislative and business expectations.

Key Dates and Resources

Next week

• Formal notification to Faculty Executive Directors and senior university staff.
• Notice provided to all university staff via Records Management Network, Staff News and other avenues.

November

• Revised RDA released on Wednesday 7 November.
• Available resources:
  • Information page on Records website
  • Mapping document
  • Drop-in times for questions and assistance

December

• Records Services staff available to present in staff meetings.

Contact us

Chris Stueven, Acting Records Analyst, Information Governance & Engagement
Ph: 834 45210
E: [email protected]

Thank you

Next meeting: Friday 16 February, 10:00 – 11:30am