Responsibility for policy: Chief Information Officer
Approving authority: Vice-Chancellor
Last reviewed: August 2023
Next review date: August 2028

Print version


  1. This policy applies to all staff and contractors of the University of Waikato.


  1. The purpose of this policy is to establish a framework of principles to be applied to the management, security and use of corporate data.

Related Documents

  1. This policy should be read in conjunction with the following documents:


  1. In this policy:
    contractor means a person or organisation engaged by the University through a contract for goods or services
    corporate data
     means all data that is captured through the operation of the University, and includes, but is not restricted to:
    • human resource data
    • health and safety data
    • financial data
    • facilities data
    • student data
    • timetabling data
    • paper and programme data
    • data about research
    • paper evaluation data
    • library data
    • schools data
    • learning management system (LMS) data
    • security data
    • customer relationship management (CRM) data
    • identity management data.
    enterprise master data means the core and essential data that is fundamental to the operations of the University. Master data serves as a single source of truth for the organisation, providing a standardised and consistent view of critical data across various systems and processes
    primary source
     means the official University record for the relevant data, as identified by the data owner, i.e. where data is 'mastered'
    restricted data means data that is protected by legislation or policy and that requires the highest level of access control and storage protection
    secondary source means a source of data that has been copied from a primary source.


  1. The following principles apply with respect to this policy:
    1. Corporate data is an essential component of effective strategy development and management of the University.
    2. All elements of the University's enterprise master data must be integrated to ensure accuracy and consistency, and to inform decision making.
    3. New data systems mastering or referencing enterprise master data, whether developed or purchased by the University, must be interfaced with the current corporate data systems and not implemented as stand-alone systems.
    4. Corporate data, especially primary source data, must be accurate and verifiable.
    5. Data must be maintained solely in the primary source; any change in primary source data must be reflected immediately in secondary sources without modification.
    6. The value of corporate data is increased through widespread, timely and consistent use.
    7. Corporate data must not be used for an individual's own or for others' personal gain or profit, or to satisfy one's own or another's curiosity.
    8. Restricted data must be protected with appropriate levels of security so that the risk of the unauthorised disclosure, alteration or destruction of restricted data is minimalised.


  1. Information and Technology Services is responsible for:
    1. facilitating data sharing and integration
    2. documenting and promoting the structure and logic of corporate data
    3. identifying items of corporate data, distinguishing primary data sources and defining Enterprise Master Data
    4. providing advice and support for the data owners, data stewards and system administrators designated under clause 7(k) of this policy
    5. managing the integration of current and new systems as part of the corporate information architecture
    6. managing technological implementation of common data definitions and data classifications throughout the University
    7. liaising with data owners with respect to approved uses for corporate data, including restricted data
    8. managing the design and implementation of processes for maintaining the integrity, accuracy, precision, timeliness, consistency, standardisation and value of data
    9. defining and managing the corporate information architecture
    10. maintaining a register of corporate systems and associated Enterprise Master Data
    11. maintaining a register of restricted data against the corporate information architecture tables and fields.
  2. Data owners (as listed in the Appendix to this policy) are responsible for:
    1. decision-making on the corporate data in their area of responsibility
    2. ensuring that corporate data is governed in accordance with this policy, the ICT Data Framework and the Information Security Standards
    3. managing corporate data in their area of responsibility, including data provided to or by contractors or third parties
    4. the establishment of validation rules for data entry and data correction in their area of responsibility
    5. collaborating with ITS  with respect to the establishment of processes, technical solutions and governance with respect to data in their area of responsibility
    6. identifying and documenting authorities for access to data and levels of access
    7. authorising downloads and uploads of corporate data
    8. authorising appropriate access to corporate data, including to restricted data
    9. monitoring and enforcing the consistent application of processes for maintaining the integrity, accuracy, precision, timeliness, consistency, standardisation and value of data
    10. arranging appropriate training for staff and others to ensure data is captured and used accurately and competently
    11. ensuring (where appropriate) that relevant staff in their area of responsibility are designated as:
      • data stewards
      • system administrators
      • data users.
  3. Data stewards are responsible for:
    1. defining validation rules for data entry and exit to ensure the integrity of primary data sources
    2. fixing data that does not meet the primary data source conditions.
  4. System administrators are responsible for:
    1. providing and removing access to data users as specified by data owners
    2. ensuring that data systems are operating efficiently
    3. monitoring the transfer of data from primary to secondary sources, notifying data owners of any matters arising from that process and resolving associated issues
    4. ensuring that appropriate safeguards exist to protect data and that appropriate disaster recovery and business continuity procedures are in place
    5. providing appropriate procedural controls to protect data from unauthorised access
    6. ensuring that data users’ devices are able to access the system.
  5. Data users:
    1. are responsible for accessing, entering, maintaining and using data in accordance with rules set by data owners
    2. are responsible for ensuring that all access to data through their user account is relevant and appropriate to the work being undertaken
    3. are responsible for ensuring that subsequent use and distribution of data accessed through their user account is valid and appropriate
    4. must not disclose corporate data to unauthorised persons without the consent of the relevant data owner
    5. must not disclose their password to anyone.
  6. Line managers are responsible for ensuring that all data users within their area of responsibility are aware of their responsibilities as set out in this policy.

Personal information and privacy

  1. All staff and contractors are reminded of their obligations under the Personal Information and Privacy Policy, the Privacy Act 2020 and other relevant statutes, and the University's guidance on what to do in the event of a privacy breach.

Responsibility for monitoring compliance

  1. The Chief Information Officer is responsible for monitoring compliance with this policy, and for reporting breaches to the Vice-Chancellor.
  2. Breaches of this policy may result in disciplinary action under the Staff Code of Conduct.


The term ‘School’ in this policy includes Faculties and the term ‘Head of School’ includes Deans.