Policy 23

Policy on Information Management

Adoption

Date: 2007-03-28
Instance of approval: Administration Committee

Modifications

Date: 2019-12-11
Instance of approval: Administration committee

Originating/Responsible Department: Office of the Secretary General

1. PURPOSE:

This policy provides direction on the management of information. It outlines the principles and responsibilities for an effective information management practice at the University of Ottawa.

2. POLICY STATEMENT:

Information is a strategic asset for the University of Ottawa. By practicing strong information stewardship, the University shall maintain reliable, authentic, trustworthy, timely and accessible information in support of the University's strategic and operational objectives.

This policy must be read in conjunction with:

• Policy 90 – Access to Information and Protection of Privacy
• Policy 116 – Use and Security of Information Technology Assets
• Policy 117 – Information Classification and Handling
• Policy 118 – Electronic Mail (Email) Policy
• Policy 119 - Accessibility
• Information Management Handbook (coming soon)
• Archives Management Procedure (coming soon)
• Procedure 20-4 - Disposition of Information

3. APPLICATION:

3.1 This policy applies to all information, regardless of medium or format; that is in the custody and control of the University.

3.2 Institutions that are affiliated with the University are excluded from this policy unless otherwise agreed to in writing between the University and the institution.

4 PRINCIPLES:

The following principles govern the information management practice and are the framework for effective information management at the University as well as drive decision-making for its information assets:

4.1 Accountability: Governance structures must be established as well as clear and documented roles and responsibilities.

4.2 Transparency: The processes and activities related to information assets must be documented and shared in an understandable manner and be available to all employees.

4.3 Quality: Information assets must have a guarantee of integrity, authenticity and reliability.

4.4 Protection: The University must ensure an appropriate level of protection to its information assets.

4.5 Compliance: Compliance with applicable laws, other binding authorities such as standards, accreditations, professional orders, as well as University policies and procedures.

4.6 Availability: Information assets must be maintained in a manner that ensures their timely, efficient, and accurate retrieval.

4.7 Compliant retention: Information assets must be retained for a specific period of time or for long-term preservation in accordance with legal, regulatory, fiscal, historical and other institutional requirements.

4.8 Compliant disposition: Information assets that are no longer required must be disposed of in a secure manner and in accordance with legal, regulatory, fiscal, historic purposes and other institutional requirements to ensure compliance with applicable laws and University policies and procedures.

5 ROLES AND RESPONSIBILITIES:

5.1 Secretary General: The Secretary General is the designated authority for information management and is responsible for its overall management. This includes:

• a) Promoting compliance with this policy.
• b) Delegating responsibility for the operational management to the Director, Information Management.
• c) Recommending to the University the allocation of appropriate resources to ensure the success of all information management activities.

5.2 University Information Governance Council: The University Information Governance Council (UIGC) and its subcommittees will guide the success of information management decisions and priorities. The role of the Council include:

• a) Making relevant and timely decisions or recommendations in order to create and stimulate the critical dialogue that will lead to better and more informed decisions.
• b) Ensuring transparency, an increased level of collaboration within the institution, that the investment in information management aligns with the strategic direction of the University, and that the appropriate prioritizations are made.
• Information on the UIGC and its sub-committees can be found here.

5.3 Director, Information Management: The Director, Information Management, in collaboration with the Records and Archives Management Service, is responsible for overseeing the management of information consistent with the requirements described in this policy. This includes:

• a) Establishing and maintaining an information management governance structure.
• b) Documenting and communicating information management roles and responsibilities.
• c) Establishing and maintaining a University-wide information management program to manage information assets throughout its life cycle.
• d) Developing and implementing strategies to enable sound information management practices, monitoring compliance with relevant University policies and procedures and advising senior management of any risks associated with non-compliance.
• e) Providing the employees with best-practices, and tools required for successful information management practices.
• f) Developing and maintaining procedures and tools such as an information architecture, to ensure the organisation and description of information assets to facilitate storage, search, retrieval, retention and disposition.
• g) Establishing and maintaining a retention schedule for all information assets, based on legal, regulatory, fiscal, operational, archival, evidential and historical requirements.
• h) Establishing and maintaining a disposition schedule and process for information assets, no longer required for legal, regulatory, fiscal, operational, archival, evidential and historical purposes.
• i) Preserving the University’s historical records in perpetuity in all formats.
• j) Providing information management advice, awareness and training sessions to employees to ensure they are equipped to successfully carry out their responsibilities described in this policy or in related procedures.
• k) Designating and integrating information systems as the preferred means for creating, collecting, using, managing, sharing, storing and retrieving information.
• l) Collaborating with subject matter experts in areas such as legal, access to information and protection of personal information and IT security in the application and implementation of this policy and its related procedures.

5.4 Chief Information Officer (CIO): The CIO is responsible for:

• a) Developing and implementing IT strategies, policies and practices to support the University of Ottawa academic, research and administrative objectives taking into account information management best practices.
• b) Providing recommendation to the Secretary General on the implementation of this policy taking into consideration security and infrastructure requirements.
• c) Ensuring that information technology and information management staff have an important joint role in ensuring that systems support accountable and effective information management across the institution.

5.5 Heads of Unit: Heads of Units are responsible for managing information as a strategic information asset and as an integral part of their Unit, program, service and operational activities. This includes:

• a) Supporting, and adhering to, this policy by promoting a culture of efficient information management and contributing to the development of information management strategic documents, when required.
• b) Ensuring that their staff are aware of, and are provided the support needed to carry out, their information management responsibilities defined in this policy. They should advise the Director, Information Management of any gaps to complying with this policy.
• c) Identifying and applying the appropriate safeguards to information assets, under their control.
• d) Cooperating with and assisting the Access to Information and Privacy Office as required, in the fulfillment of the University’s obligations under Policy 90, related procedures, and applicable Access and Privacy Legislation.
• e) Cooperating with and assisting the Security Architect as required in the development of safeguards in order to appropriately handle and protect information in their unit as stated in Policy 117.

5.6 Employees: All employees, at all levels, are responsible for managing the information they collect, create and use in support of the University’s operational needs, accountabilities, and program and service outcomes by:

• a) Applying information management policies, procedures, and best practices, in managing the information assets they create, collect or receive during the course of business and social activities.
• b) Properly documenting their activities, processes and decisions.
• c) Organizing and saving their information according to the classification plan.
• d) Disposing of transitory records when their operational use has ended unless otherwise required by law.
• e) Providing and bringing to their manager's and, when appropriate, to the Director, Information Management’s attention, any information requirements and issues.
• f) Treating information assets in a manner that enables access while still meeting privacy and security requirements.
• g) Providing all relevant information to the Director, Compliance, Access to Information and Privacy when required to conduct a search for records responsive to an access to information request.
• h) Immediately reporting to their manager, any suspicions that someone is engaged in, or directing someone to engage in, the destruction, alteration, falsification, or concealment of information or records.
• i) Immediately reporting to their manager, the loss of any hard copies of information or equipment that may contain information (laptop, mobile device, USB key, etc.).

6 DEFINITIONS

For the purposes of this policy and of any procedures adopted pursuant to it, the following words and expressions shall have the corresponding meanings set out below:

Authenticity
An authentic record is one that can be proven:

• To be what it purports to be;
• To have been created or sent by the person purported to have created or sent it;
• To have been created or sent at the time purported.

Classification plan
A classification plan is the systematic identification and arrangement of business activities and/or records into categories according to logically structured conventions, methods and procedural rules and represented in a classification system.

Employees
“Employees” means any person employed by the University, including all unionized and non-unionized academic and administrative staff, as well as those whose salary is paid through sources other than the University’s operating funds, such as grants, research grants and external contracts.

Heads of unit
“Head of Unit” means the University employee holding a position (regardless of the position title) with the decision-making authority for a Unit.

Information
Information means all information on any format including but not limited to hard-copy textual and electronic documents, structured data, graphic images, sound and video recordings, books, maps, drawings, photographs, and any other information that is written, photographed, recorded or stored in any manner.

Information assets
An information asset is information that is generated or managed by the University and has value to the University.

Information management
Information management is the ability to capture, manage, keep, store and deliver the right information to the right people at the right time.

Information management systems
Information management system is a general term for an information system used to facilitate the storage, organization and retrieval of information.

Integrity
Integrity refers to the reliability of information content, processes and systems as to its completeness, accuracy, consistency and authenticity

Reliability
Reliability refers to the degree to which the quality of information content, processes and systems can be depended upon to be trustworthy, complete, accurate and authentic.

Retention and disposition schedule
A records retention and disposal schedule is a University document that guides the management of a record. It dictates how long the records need to be retained to meet operational and legislative requirements and authorizes the disposal of information either by secure destruction or transfer to Records and Archives Management.

Transitory record
A transitory record is a record of temporary usefulness in any format or medium having no ongoing value beyond an immediate and minor transaction or the preparation of a subsequent record. Transitory records can be securely destroyed when no longer needed.

Unit
Unit means a faculty, school, institute, administrative service or other academic or administrative office of the University.

7 IMPLEMENTATION, REVIEW AND AMENDMENT

7.1 The Secretary General is responsible for the periodic review of this Policy as necessary or every 3 years.

7.2 Amendments to this Policy shall require the approval of the President.

7.3 The Secretary General may amend this Policy in order to update the following, as applicable, and must inform the Director, Information Management of such amendment:

• a) The designation, title or identity of officials, offices, or departments and contact information within the University;
• b) The title or citation of legislation, regulations, policies or procedures.

7.4 The Secretary General may establish, amend, abrogate or make exceptions to procedures under this policy for purposes of the effective implementation of this Policy, provided that such procedures or exceptions are consistent with the provisions of this Policy. The Secretary General must inform the Director, Information Management of any exceptions to this policy or its procedures.