This downloaded copy is unofficial. Check www.mun.ca/policy for the official version.

Memorial University of Newfoundland

  Memorial University of Newfoundland

Information Management

Approval Date: 2016-07-07

Effective Date: 2016-07-07

Review Date: 2020-07-07

Authority:

Vice-President (Administration & Finance)

Purpose

Scope

All Units and all Official and Transitory University Records.

Exclusions:

Definitions

ATIPP Request — A request made under the Access to Information and Protection of Privacy Act, 2015, SNL 2015, C A-1.2, as amended, for access to a record, including a record containing personal information about the applicant, or correction of personal information.

Cloud — Internet-based computing provided by a third party for computer processing resources and/or data storage.

Information Management and Protection Program — A program of policies, procedures, standards, schedules, guidelines and practices that provides an efficient system for the management and protection of information, in compliance with relevant legislative, regulatory and policy requirements.

Information Risk Assessments — A risk-based approach to classifying University information and identifying the appropriate controls required to ensure the information's confidentiality, integrity and availability throughout its Life Cycle.

Life Cycle — The stages through which information is managed. Information must be managed and protected in a manner that addresses requirements for confidentiality, integrity and availability throughout all Life Cycle stages, including the creation, use, storage, and disposal or preservation of information.

Member of the University Community — An employee or other individual acting at the request of and on behalf of the University.

OCIO — Office of the Chief Information Officer.

Official University Records — University Records created, received or held as evidence of the University's organization, policies, decisions and operations.

Retention and Disposal Schedule — An approved Retention and Disposal Schedule prescribes retention periods and requirements for the legal disposal of Official University Records. It provides direction to ensure that Official University Records are retained for as long as necessary based on their operational, fiscal, legal and historical value. It also prescribes the appropriate disposition of Official University Records either destruction or preservation.

Transitory University Records — University Records that are of temporary usefulness having no ongoing value beyond an immediate and minor transaction, as convenience copies, or as draft for subsequent University Records. Transitory University Records may be securely disposed of without a Retention and Disposal Schedule.

Unit — Academic or administrative unit, as defined in the University Calendar, or any board or other body appointed or elected to carry out University business.

Unit Head — Refers to Dean, Director and other senior administrators at a comparable level or above, including the President, Vice-Presidents and Associate Vice-Presidents.

University — Memorial University of Newfoundland.

University Archives — Refers to the archives designated as per The Rooms Act, SNL 2005, C R-15.1, as amended, as the repository for Official University Records of archival value.

University Records — All recorded information, regardless of physical characteristics or format. For the purposes of this policy, University Records are categorized as either Transitory University Records or Official University Records.

Policy

  1. The University is subject to legislation which relates to its Information Management and Protection Program including: the Management of Information Act, SNL 2008, C M-1.01as amended, The Rooms Act, SNL 2005, C R-15.1, as amended, and the Information and Protection of Privacy Act, 2015, SNL 2015, C A-1.2as amended. The Information Management Policy provides direction for legislative compliance.

  2. Information management is a shared responsibility:
    a) Members of the University Community are responsible for the University Records they create or that are in their custody.
    b) The OCIO is responsible for the Information Management and Protection Program of the University.
    c) Each Unit Head shall be responsible to ensure adherence to this policy.
    d) Each Unit Head shall designate an information management and protection lead to oversee operational matters and to liaise with the OCIO in matters related to implementation of and compliance with the policy. 

  3. University Records are the sole property of the University and must be managed throughout their Life Cycle by Members of the University Community who create or receive them.
    a) University Records must be protected in accordance with the Security Measures section of the Procedure for Administering Privacy Measures within a Unit and the Electronic Data Security policy.
    b) Official University Records must be created in a manner and format that is accessible and must be retained as required to support the University’s compliance with relevant legislation and policies.
    c) Official University Records may not be removed from the control of the University, destroyed or otherwise disposed of except in accordance with a Retention and Disposal Schedule as outlined in the Procedure for Retention and Disposal Schedules.
    d) Transitory University Records may not be removed from the control of the University, but when no longer required, must be securely disposed in accordance with the Procedure for Secure Disposal of Transitory University Records.

  4. The University may use external services, such as commercial record storage and Cloud storage and services, in accordance with related University policy. When considering the use of such external services to store Official University Records, Information Risk Assessments must be completed.

  5. In the event of any of the following circumstances, disposal of relevant University Records must be suspended:
    a) Notice of litigation or criminal investigation,
    b) Notice of an audit,
    c) Receipt of an ATIPP Request,
    d) When there is reasonable belief that litigation or criminal investigation may occur, and
    e) Initiation of a grievance or investigation pursuant to a University policy or collective agreement.

  6. Members of the University Community leaving the University, changing positions within the University, or transitioning from one Unit to another shall manage all University Records in accordance with the Procedure for Managing University Records of Exiting Employees.

  7. If, as a result of developing Retention and Disposal Schedules, records are identified as having archival value, they should be transferred to the University Archives.

NON-COMPLIANCE:

Failure to comply with this policy and related procedures may result in prosecution as outlined in Section 8 of the Management of Information Act, SNL 2008, C M-1.01as amended.

Related Documents

Information and Protection of Privacy Act, 2015, SNL 2015, C A-1.2
Electronic Data Security policy
Information Request policy
Management of Information Act, SNL 2008, C M-1.01
Personal Health Information Act, SNL 2008, C P-7.01
Privacy policy
The Rooms Act, SNL 2005, C R-15.1

 

Procedures

For inquiries related to this policy:

Office of the Chief Information Officer, 709-864-2733

Sponsor: Chief Information Officer

Category: Operations


Procedure for Administering Privacy Measures Within a Unit

Approval Date: 2013-04-09

Responsible Unit: Information Access and Privacy Office

Unit heads (who for purposes of the procedure and the Privacy policy include Deans, Divisions Heads, Heads of Schools, Directors, Executive Directors, the University Librarian, the University Registrar, Associate Vice-Presidents and Vice-Presidents, as applicable) are responsible for ensuring privacy measures are established, in consultation with the University Privacy Officer, and administered within their respective units, in accordance with the following:

Unit Privacy Officer

Privacy Notices and Consent

Security Measures

Staff/contractor obligations

General

 


Procedure for Data Removal - Computer Systems

Approval Date: 2015-03-27

Responsible Unit: Information Technology Services

Once computer equipment containing data has been deemed to be surplus, the following should occur to erase the data:

Replaced computer systems are often recycled within a University unit. This is a consideration noted on the IT Information for Surplus Property Form  supplied by MUN IT-classified employees when de-commissioning a computer system. Other than intra or inter-unit equipment transfers, there are three standard options for handling old or obsolete computer systems, and these are covered on the IT Information for Surplus Property Form. They are, depending on the classification of the computer, to:

(1) declare the equipment as surplus,

(2) donate the equipment to the Computers for Schools (CFS) Program or

(3) provide the equipment to the Computer Purchasing Centre (CPC) under its Re-distribution Program for a credit 

These options are outlined in more detail on the IT Information for Surplus Property Form. This form may be provided by IT-classified staff, as part of the computer system replacement process. If provided, this completed form is to be passed, for informational purposes, to staff in your unit who are responsible for asset tracking and financial transfers.

Qualifying Computers for Schools (CFS) Program donations require completion of the corresponding section on the Surplus Property form. CFS systems are signed for by CFS staff on the Surplus Property form. The program ensures appropriate data removal processes before re-deployment.

Qualifying Computer Purchasing Centre (CPC) Re-distribution Program systems are removed from Fixed Assets through the return process. The CPC ensures appropriate data removal processes before re-deployment and issues credit to the supplied FOAPAL for qualifying systems.

Once a unit has identified computer property to be disposed of, or transferred, approval from the appropriate Unit Head or his or her designate is required prior to requesting data removal by IT-classified staff. Erasure of any records from computer components and media must be completed in consultation with the respective Institutional Technology Services units. For the Marine Institute – Information and Communications Technologies (ICT), Grenfell campus – Computing and Communications (C&C), Harlow campus – Systems, St. John’s campus – Information Technology Services (ITS). Verification of the removal of data for computer systems must be provided by the Administrative Signing Authority on the Surplus Property form, prior to designated IT-classified staff permanently removing data from storage devices. Data on computers designated for transfer, surplus or disposal must be erased or otherwise destroyed after data necessary to be retained is backed up or transferred to an alternate storage device. Staff with administrative signing authority will ensure that necessary data retention has been accomplished and will verify this by signing the Surplus Property form prior to making requests for data removal.

Computer systems and storage devices known to contain confidential information are to indicate so on the Surplus Property form. Those responsible for Administrative approval are to check confidentiality status as part of their review of the form. A more thorough data removal procedure will be employed for systems known to contain confidential information, otherwise, a basic data removal procedure will be employed. Computers containing confidential information are to be stored in a secure location while awaiting data removal procedures.

Instructions for IT-classified staff for data removal are available at http://www.mun.ca/cc/services/servicecatalogue/DataRemoval.php

 


Procedure for Managing University Records of Exiting Employees

Approval Date: 2016-07-07

Responsible Unit: Office of the Chief Information Officer

Units must develop a process to ensure that University Records always remain in the custody and control of the University, and that access to University Records is managed when employees leave positions or transition from one Unit to another. When an employee leaves the University, changes positions within the University, or transitions from one Unit to another within the University the following questions should be answered by the exiting employee:

What University Records in paper format are under your control?

What University Records in electronic format are under your control?

Once the questions above have been answered and an inventory of University Records has been established, the Unit must ensure that if any University Records are currently not accessible by the University (e.g. on personal DropBox account) they are moved to an accessible location such as a shared drive.

What types of University access do you have?

The Unit Head or Designate must immediately notify Information Technology Services (709-864-4595 or help@mun.ca) at the St. John’s campus; Information Technology Services (709-639-2049 or its@grenfell.mun.ca) at Grenfell campus; or Information and Communications Technologies (709-778-0489 or helpdesk@mi.mun.ca) at the Marine Institute of the exit of an employee from the University or the transition of an employee from one Unit to another to ensure University network and system access is deactivated or changed in a timely manner.

In cases where social media sites were being managed by an exiting employee on behalf of the University, the Unit Head or Designate must ensure the individual’s account has been deactivated (if it is a named account) or the username and password has been provided to the Unit (if it is a generic University Account). In the case of a generic University account, the password must be changed.

In the case of Cloud solutions being used by an exiting employee for the delivery of University services, it is the Unit Head or Designate’s responsibility to terminate any access.


Procedure for Retention and Disposal Schedules

Approval Date: 2016-07-07

Responsible Unit: Office of the Chief Information Officer

The information management and protection lead, as designated by each Unit, is responsible for ensuring that Retention and Disposal Schedules are established for the Unit. The Retention and Disposal Schedule prescribes retention periods and requirements for the legal disposal of Official University Records. It provides direction to ensure that Official University Records are retained for as long as necessary based on their operational, fiscal, legal and historical value. It also prescribes the appropriate disposition of Official University Records – either destruction or archival preservation.

The Office of the Chief Information Officer (OCIO) shall provide advice and support to Units in establishing and using Retention and Disposal Schedules. A Unit must contact the OCIO (im@mun.ca) to initiate the process of creating and implementing a Retention and Disposal Schedule.

Once the Retention and Disposal Schedule is established, the Unit is responsible for adhering to it by maintaining the records for their entire retention period and disposing of them when required.


Procedure for Secure Disposal of Transitory University Records

Approval Date: 2016-07-07

Responsible Unit: Office of the Chief Information Officer

Units must develop and document a process for the identification and disposal of Transitory University Records as part of their Unit’s overall information management operations. Unlike Official University Records, the destruction of Transitory University Records does not require creation and application of a Retention and Disposal Schedule.

In the event of any of the following circumstances, disposal of relevant Transitory University Records must be suspended and they are treated no differently than Official University Records in that they have to be produced:

A copy of an Official University Record is usually transitory. Such a copy should not be retained longer than the approved retention period for the Official University Record.

Transitory University Records may contain personal or confidential information. In such cases, secure destruction practices must be followed by Units when disposing of Transitory University Records. At the St. John’s campus, see the Procedure for Shredding and Disposal of Confidential Materials – St. John’s Campus.


Procedure for Shredding and Disposal of Confidential Materials - St. John's Campus

Approval Date: 2016-05-26

Responsible Unit: Department of Facilities Management

The University, through the Department of Facilities Management, contracts a service provider for the shredding and disposal of confidential materials, on site and off site, for the St. John's Campus. Materials include: records, video, diskettes, compact discs, hard drives

Units with their own shredding equipment, capable of achieving a maximum cut size of 15-16 mm. in width, should use that equipment for small amounts of shredding. The central service should be used for larger quantities or for multimedia that cannot be shred with the unit's equipment.

The preferred method for the central service of shredding and disposal is off site.

The on-site method should only be requested if you wish to observe the shredding process; otherwise, the off-site method should be used. The cost per box may differ for on-site and off-site shredding.  Units must contact the Procurement Officer before requesting any on-site shredding as the operation and/or noise levels of the shredding equipment may affect personnel working in various locations.

Units requesting shredding must:

  1. Complete the Facilities Management "Service/Material Authorization" form and indicate which service you are using (“on-site” or “off-site”). If you select the “on-site” service and wish to observe the actual shredding process please inform the service provider when you contact them to schedule the service. 
  2. Contact the service provider directly and arrange with them to collect the materials to be shredded. 
    1. The current service provider for “On-site” service is Access Corp: 709-237-2237
    2. The current service provider for “off-site” service is Avalon Recycling Services Ltd.: 368-0416. 
  3. Provide the service provider with the building location, room number and contact person/phone number along with the RR number from the Facilities Management "Service/Material Authorization" form. The service provider will confirm an appointment.
  4. When the materials have been collected for shredding, the service provider will issue a “Certificate of Destruction.” Forward the completed "Service/Material Authorization" form and the "Certificate of Destruction” to the attention of: 

    Bernard Doyle
    Procurement Officer
    Facilities Management
    Room FM-2029