Policy and Procedures Frequently Asked Questions
-
What is the Information Management Policy suite?
The Information Management Policy suite sets out how information assets should be responsibly and ethically managed across their entire lifespan. It ensures information is handled with transparency, security, privacy, and data protection in mind, and in accordance with regulatory, legal, and contractual obligations.
The suite reflects Monash’s commitment to protecting the trust and dignity of individuals whose information it holds. It also addresses key risks, such as over-retention of information, and provides staff with clear guidance on their responsibilities for managing, storing, and securely disposing of information in a timely and appropriate way.Who does the policy apply to?
The Information Management Policy applies across the Monash Group, including all Monash entities: Monash University Australia, Monash College, Monash University Indonesia, Monash University Malaysia, Monash Suzhou, the Monash University Prato Centre, and the World Mosquito Program Ltd (and its subsidiaries). It applies to all staff, students, associates and visitors who handle information assets, regardless of their role or location.
While the policy is Group-wide, the supporting procedures and schedule have more specific scopes and apply to certain Monash entities.What is information management?
Information management refers to the way an organisation collects, stores, organises, and shares information to ensure it is used effectively, securely, and efficiently.
At Monash, information management includes the entire lifespan of information assets — from their creation or receipt, through to access, use, storage, retention, governance, disclosure, and disposal. This applies to all formats and systems, including records, data, and information managed across IT systems, software, and platforms such as databases, email, voice and messaging services, images, videos, websites, and social media applications.
It also covers information managed both within Monash systems and externally — including cloud-based platforms or unmanaged environments outside Monash’s IT infrastructure.Why is information management important at Monash?
Good information management ensures Monash meets legal, ethical, and operational responsibilities. It promotes transparency, protects privacy, reduces risk, and supports efficient and accountable decision-making.
What is the Monash IT environment?
The Monash IT environment refers to all Monash-owned or controlled IT systems, devices, networks, software, and cloud platforms. It supports everything from local files (e.g. emails or documents) to central systems (e.g. student management or HR) and data generated by AI tools.
What are data silos?
Data silos occur when data is isolated within different departments, systems, or teams within Monash, making it difficult to share and integrate information and resulting in replicated material across Monash and its IT environment.
Why is research data management not captured in this policy suite?
Research data is governed by the Research Data Management Policy and its supporting procedures.
-
What is the difference between information governance and records management?
Information governance is the overarching approach Monash uses to manage its information assets responsibly — covering everything from data quality and privacy to security, compliance and ethical use.
Records management is a subset of information governance. It focuses specifically on how records are created, maintained, accessed, stored, and ultimately disposed of, ensuring they remain reliable and usable throughout their lifespan.What is a record, and how do I know if I need to keep it?
A record is information that documents a Monash decision, action, or obligation. If the information supports legal, business, audit, or historical needs, it must be retained.
Not all documents are records. Drafts, duplicates and transitory notes may be disposed of under Normal Administrative Practice (NAP).
View the NAP guidanceWhat is the lifespan of a record?
A record’s lifespan spans from its creation to lawful disposal or permanent preservation. During that time, it may serve multiple uses, e.g. student admission data may later be reused for reporting. Monash ensures records are securely stored, accessed only by authorised staff, and properly disposed of or archived when required.
What is an information asset?
An information asset is any recorded information that has value to Monash, including documents, databases, emails, images, and other formats – whether digital or physical.
What are my obligations when I initially capture, collect or create information? The capture, collection or creation of information by or on behalf of Monash must:
- accurately reflect the context and entirety of the activity that it records;
- consider the primary purpose and potential secondary uses for the information, within the limitations set out by any applicable legislation;
- comply with applicable confidentiality, data protection and privacy, and security requirements; and
- ensure the accuracy and quality of the information at the time of recording.
How should I store information to meet Monash’s requirements?
All records and data must be stored in approved Monash systems and follow classification rules set out in the Information Classification and Handling Standard.
Do not use personal USBs, external drives, or non-Monash cloud services.When can I dispose of information, and how should I do it?
Information, records and data that is managed locally or in collaborative spaces, like email, file shares, etc, should be reviewed against the disposal criteria outlined under Normal Administrative Practice (NAP) as a first step.
Where NAP does not apply, it is important to refer to the Information and Records Management team for additional advice.
For straight forward matters regarding retention and disposal advice, the Retention and Disposal Authority website can be referred to as a next step. However, for information, records and data held in systems and/or information assets which may contain evidence of key University decisions, actions of obligations, advice should be obtained by completing an Information and Data Assessment (IDA) form. This assessment helps confirm retention requirements and provides tailored advice to:
- Confirm the record is no longer needed for legal, audit, or business purposes; and
- Ensure disposal is done securely using approved methods (e.g. confidential waste for paper records or secure deletion protocols for digital content).
Who is responsible for information governance and recordkeeping at Monash?
Under the Information Governance and Recordkeeping Procedure, all Monash staff and associates have a role to play in managing information and records responsibly. Key responsibilities are distributed across the University as follows:
All staff and associatesEveryone is responsible for:
- Creating and managing records and information ethically and transparently;
- Storing information in approved Monash systems;
- Following classification, security and disposal requirements; and
- Ensuring records are accessible to those with a legitimate business need and protected from unauthorised access or loss.
Information Governors
Senior staff accountable for specific information assets or systems. They ensure:
- Records are compliant with Monash policies and legal obligations;
- Relevant assessments (e.g. Privacy Impact Assessments, Information Security Risk Assessments, IDAs) are completed;
- Information is accurate, current, and fit for use;
- Access is appropriately controlled; and
- Permanent records are identified and preserved.
Information Stewards
Appointed by Information Governors to manage information on a day-to-day basis. They ensure:
- Records and data remain accurate, reliable and secure;
- Policies and assessments are implemented;
- System-generated information is trustworthy and usable over time.
Group Information and Records ManagementThis team leads operational implementation and oversight. They:
- Develop and maintain the Retention and Disposal Authority;
- Approve Notices to Delete and support archiving;
- Provide training, tools, and assessments (including the Information and Data Assessment); and
- Offer expert guidance on compliance and best practice.
-
What does ‘data protection’ mean at Monash?
Data protection refers to the systems, safeguards and practices Monash uses to prevent unauthorised access, loss, or misuse of information. It ensures that data remains secure, accurate, and available when needed, including through backup, recovery, and compliance with legal obligations.
What is data privacy, and why does it matter?
Data privacy is about individuals' rights to control their personal information — how it is collected, used, stored, and shared. It ensures people are informed, can give consent, and have access to their own data. Privacy is essential for building trust and respecting the dignity of individuals.
How do data protection and data privacy work together?
Think of it this way:
- Privacy is about the right to control your personal information.
- Protection is about the means to secure that information.
Both are essential. Monash is committed to upholding privacy rights and protecting personal data through secure systems and responsible practices.
What documents guide how Monash handles personal data?
Monash does not have a standalone “privacy policy.” Instead:
- The Information Management Policy sets the overarching governance.
- The Data Protection and Privacy Procedure outlines how Monash meets privacy and data handling obligations in practice.
- The Data Protection and Privacy Schedule – Monash University Indonesia supports compliance with local Indonesian laws.
These policy documents are supported by Collection Notices/Statements, which are provided to individuals when personal data is collected.
What is a Collection Statement, and when should I see one?
A Collection Statement (also referred to as a privacy notice or, in some jurisdictions, a Personal Data Protection and Collection Notice) explains how Monash handles your personal information. It is provided when Monash collects personal data — or as soon as practicable after — and includes:
- Why the information is being collected;
- Whether its provision is required or optional;
- Who it may be shared with;
- Your rights to access or correct your data; and
- Who to contact for privacy-related questions.
Collection Statements vary depending on your relationship with Monash (e.g. student, staff, alumni, research participant) and the Monash entity you are engaging with. The content and terminology may differ slightly across the Monash Group to reflect local legal and operational requirements.
To view all current Collection Statements and related notices, visit: Monash Data Protection and Privacy Collection Statements
-
Will there be training or other guidance on the Information Management Policy suite?
The Director, Information and Records Management will host, with the support of the Office of the General Counsel and Office of Quality and Group Policy, online information sessions to communicate staff requirements and address questions.
The Information Governance webpage provides additional guidance and resources.
An Information Management and Recordkeeping training module has been developed for Monash staff.
Where do I go if I still have questions?
Contact the Monash Group Information Management team via groupinformationmanagement@monash.edu