University Policy
Information Management
Purpose
- To manage and protect University Records created in the conduct of University activities in accordance with relevant legislation, University policy, standards, guidelines and procedures; and,
- To provide a framework for the University’s Information Management and Protection Program; and,
- To support information access and privacy and enterprise risk management services throughout the University.
Scope
All Units and all Official and Transitory University Records.
Exclusions:
- Materials acquired for the purpose of creating or augmenting the University’s library collections;
- Archival or published materials collected as reference material to support teaching and research programs;
- Personal Health Information that is subject to the Personal Health Information Act, SNL 2008, C P-7.01, as amended;
- Teaching materials; and,
- Research data and materials, including unpublished data and manuscripts.
Definitions
ATIPP Request — A request made under the Access to Information and Protection of Privacy Act, 2015, SNL 2015, C A-1.2, as amended, for access to a record, including a record containing personal information about the applicant, or correction of personal information.
Cloud — Internet-based computing provided by a third party for computer processing resources and/or data storage.
Information Management and Protection Program — A program of policies, procedures, standards, schedules, guidelines and practices that provides an efficient system for the management and protection of information, in compliance with relevant legislative, regulatory and policy requirements.
Information Risk Assessments — A risk-based approach to classifying University information and identifying the appropriate controls required to ensure the information's confidentiality, integrity and availability throughout its Life Cycle.
Life Cycle — The stages through which information is managed. Information must be managed and protected in a manner that addresses requirements for confidentiality, integrity and availability throughout all Life Cycle stages, including the creation, use, storage, and disposal or preservation of information.
Member of the University Community — An employee or other individual acting at the request of and on behalf of the University.
OCIO — Office of the Chief Information Officer.
Official University Records — University Records created, received or held as evidence of the University's organization, policies, decisions and operations.
Retention and Disposal Schedule — An approved Retention and Disposal Schedule prescribes retention periods and requirements for the legal disposal of Official University Records. It provides direction to ensure that Official University Records are retained for as long as necessary based on their operational, fiscal, legal and historical value. It also prescribes the appropriate disposition of Official University Records: either destruction or preservation.
Transitory University Records — University Records that are of temporary usefulness, having no ongoing value beyond an immediate and minor transaction, as convenience copies, or as drafts for subsequent University Records. Transitory University Records may be securely disposed of without a Retention and Disposal Schedule.
Unit — Academic or administrative unit, as defined in the University Calendar, or any board or other body appointed or elected to carry out University business.
Unit Head — Refers to Dean, Director and other senior administrators at a comparable level or above, including the President, Vice-Presidents and Associate Vice-Presidents.
University — Memorial University of Newfoundland.
University Archives — Refers to the archives designated as per The Rooms Act, SNL 2005, C R-15.1, as amended, as the repository for Official University Records of archival value.
University Records — All recorded information, regardless of physical characteristics or format. For the purposes of this policy, University Records are categorized as either Transitory University Records or Official University Records.
Policy
- The University is subject to legislation which relates to its Information Management and Protection Program including: the Management of Information Act, SNL 2008, C M-1.01, as amended, The Rooms Act, SNL 2005, C R-15.1, as amended, and the Information and Protection of Privacy Act, 2015, SNL 2015, C A-1.2, as amended. The Information Management Policy provides direction for legislative compliance.
- Information is a vital asset, supporting academic and research excellence, and efficient management of services and resources. Effective management of information enables achievement of the University's strategic objectives by:
a) increasing transparency and accountability by documenting Important Decisions while protecting the rights and privacy of individuals,
b) enhancing the efficiency of programs and services,
c) enabling optimal decision-making, and
d) managing risk to the University by protecting its Information Assets and ensuring compliance with legislation, University policy, standards, guidelines and procedures.
- Information management is a shared responsibility:
a) Members of the University Community are responsible for the University Records they create or that are in their custody.
b) The OCIO is responsible for the Information Management and Protection Program of the University.
c) Each Unit Head shall be responsible to ensure adherence to this policy.
d) Each Unit Head shall designate an Information Management and Protection Lead.
- University Records are the sole property of the University and must be managed throughout their Life Cycle by Members of the University Community who create or receive them.
a) University Records must be protected in accordance with the Security Measures section of the Procedure for Administering Privacy Measures within a Unit and the Electronic Data Security policy.
b) Official University Records must be created in a manner and format that is accessible and must be retained only in University-approved repositories as required to support the University’s compliance with relevant legislation and policies.
c) Official University Records may not be removed from the control of the University, destroyed or otherwise disposed of except in accordance with a Retention and Disposal Schedule as outlined in the Procedure for Retention and Disposal Schedules.
d) Transitory University Records may not be removed from the control of the University, but when no longer required, must be securely disposed of in accordance with the Procedure for Secure Disposal of Transitory University Records.
- The University may use external services, such as commercial record storage and Cloud storage and services, in accordance with related University policy. When considering the use of such external services to store Official University Records, Information Risk Assessments must be completed.
- An Official University Email Account is provided to eligible Members of the University Community to support the academic and administrative activities of the University. An Official University Email Account is a service that supports the creation and receipt of University Records.
- Eligible Members of the University Community, as determined by the CIO and defined here (link), are provided with an Official University Email Account, which they are required to use to conduct all official University email correspondence. A person conducts official University email correspondence where they send or receive emails in the course of their employment with the University, by virtue of their position within the University, or when otherwise acting at the request of or on behalf of the University.
- Eligible Members of the University Community are provided with an Official University Email account for the duration of their employment or while acting at the request of and on behalf of the University. Access to the Official University Email Account will be terminated when they are no longer employed or acting at the request of and on behalf of the University.
- Information/University Records stored in an Official University Email Account where access is terminated will be retained based on the official email retention schedule found in MUNCLASS.
- Notwithstanding Section 6(b), Members of the University Community who have departed or retired from the university on or before <> and who continued to have access to their Official University Email Account on <>, may continue to access and use their Official University Email Account on an ongoing basis, provided they access their Official University Email Account no less than once a year. This legacy access remains subject to all relevant University policies and applicable laws, as they exist from time to time. The University reserves the right to modify, replace, discontinue, or deny this legacy access, including on a case-by-case basis, and will provide notice of any such changes.
Effective << insert the effective date of the updated policy >>, ASMs, Instructors, and Research Scientists can elect to retain their Official University Email Account upon departure or retirement from the University as defined in the Procedure for Managing Exiting Employees. Official University Email Accounts are not intended for personal use.
- The University retains the right to temporarily or permanently disable access to an Official University Email Account for reasons including but not limited to cyber security risks, inappropriate use, and legal requirements.
- The University reserves the right to access, examine and disclose any information transmitted or stored in an Official University Email Account where the University has reasonable grounds to believe such actions are necessary for safety, security, or operational purposes or to comply with the University’s legal obligations. Such access will be compliant with all federal and provincial legislation and University policies and procedures. Any personal information not related to the issue will be protected to the extent reasonably possible.
- Official University Email Accounts are subject to ATIPPA. The University may be required to provide email correspondence in response to an ATIPP Request. Official University Email Account holders shall comply, promptly and completely, with any request from the University to deliver to the University any records in their custody and control that are potentially responsive to an ATIPP Request.
- Email sent or received in the conduct of University business is subject to all policies, procedures, guidelines and standards governing University data and information. It is the responsibility of Members of the University Community to retain, manage, dispose of and/or archive email in accordance with the MUNCLASS classification and retention plan, and unit directives and practices.
- Members of the University Community shall not use AI technology with University Records unless it has been approved by the OCIO and is used in compliance with the University's policies and procedures.
- In the event of any of the following circumstances, disposal of relevant University Records must be suspended:
a) Notice of litigation or criminal investigation,
b) Notice of an audit,
c) Receipt of an ATIPP Request,
d) When there is reasonable belief that litigation or criminal investigation may occur, and
e) Initiation of a grievance or investigation pursuant to a University policy or collective agreement.
- Members of the University Community leaving the University, changing positions within the University, or transitioning from one Unit to another shall manage all University Records in accordance with the Procedure for Managing University Records of Exiting Employees.
- If, as a result of developing Retention and Disposal Schedules, records are identified as having archival value, they should be transferred to the University Archives.
NON-COMPLIANCE:
Failure to comply with this policy and related procedures may result in prosecution as outlined in Section 8 of the Management of Information Act, SNL 2008, C M-1.01, as amended.
Related Documents
Information and Protection of Privacy Act, 2015, SNL 2015, C A-1.2
Electronic Data Security policy
Management of Information Act, SNL 2008, C M-1.01
Personal Health Information Act, SNL 2008, C P-7.01
Privacy policy
The Rooms Act, SNL 2005, C R-15.1
Procedures:
For inquiries related to this policy:
Vice-President (Finance and Administration)
Sponsor:
Vice President (Finance and Administration)
Category:
Operations
Previous Versions:
There is at least one previous version of this policy. Contact the Policy Office to view earlier version(s)
Policy Amendment History
There are past amendments for this policy: