Skip to main content
10.4 Information Governance

10.4 Information Governance

Print | PDF

This online version is for convenience; the official version of this policy is housed in the University Secretariat. In case of discrepancy between the online version and the official version held by the Secretariat, the official version shall prevail.

Approving Authority: Board of Governors

Original Approval Date: November 30, 2017

Date of Most Recent Review/Revision: November 14, 2024

Office of Accountability: Office of the President

Administrative Responsibility: Legal Services & Fair Practices Office

1.00 Purpose

1.01 This policy provides direction to units about their role in Information Governance, establishes common terminology, provides guidance and outlines shared responsibilities about the management of University Information throughout its lifecycle.

1.02 University Information is a vital asset to Laurier and its proper management is essential for effective decision making, legislative compliance, the preservation of institutional memory, and the mitigation of risk.

2.00 Definitions

2.01 Analytics: The process of discovering, interpreting, and communicating patterns and insights from information. Can be done by a person or a machine.

2.02 Anonymization: The process of removing personally identifiable information. Once completed, it is not possible to connect information to a specific individual.

2.03 Archival Information: A subset of permanent information; University Information of enduring legal, evidential, or historic value. Archival Information is retained permanently in the university archives.

2.04 Classes of Information

2.04.01 Open Information (Type 1): Information that is readily available to any Member of the University Community or to the general public, either by request or by virtue of being posted or published by the university through proper administrative procedures. This type of information has no restrictions on access or usage. It may include Personal Information collected for the express purpose of public release with the knowledge and consent of the individuals the information is about, or records created for public circulation.

2.04.02 Internal Information (Type 2): Information whose unauthorized release could reasonably be expected to cause minor, short-term harm to individuals or to the university. Internal Information must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, distribution, storage or other use. Protection of such information may be required by university policy and/or provincial or federal legislation. Access to Internal Information is limited to those who have a legitimate purpose for accessing such information. It is important to note that Internal Information in the aggregate or when combined with other information may migrate to Restricted Information, particularly with respect to Personal Information about an individual.

2.04.03 Restricted Information (Type 3): Information that, if compromised, could reasonably be expected to result in significant and/or lasting harm to an individual or the university such as identity theft or reputational risk. This type of information is strictly protected by provincial or federal statutes or regulations, university policy, or contractual agreement(s) and must be protected from unauthorized access, modification, distribution, storage, destruction, or use. Access to Restricted Information is limited to those who have a legitimate purpose for accessing such information.

2.05 Commentary: Words, narrative, and notes that describe and explain.

2.06 Data: Facts and figures.

2.07 De-identification: A privacy-preserving technique that can be applied to Personal Information to support deriving additional value from information, while also protecting individual privacy.

2.08 Disposition: The final stage in the lifecycle of information. This includes destruction (e.g., shredding or full deletion of the information from where it is stored), permanent retention within a unit, transfer to the university archives, or transfer to another institution where appropriate.

2.09 Governance: The authority to govern; a set of standards and processes that are followed by all Members of the University Community that ensures the confidentiality, accuracy, integrity, and accessibility of information.

2.10 Information: Part or all of any University Record, whether it contains Quantitative or Qualitative content. It includes Commentary, Data, and Analytics that have been processed, organized, interpreted, or presented meaningfully.

2.11 Information Custodians: Information and Communication Technologies (ICT) or system administrators responsible for the operation and management of systems and servers which collect, manage, and provide access to Information. Information Custodians must be authorized by the appropriate Information Steward and ICT. Information Custodian responsibilities include:

  1. Maintaining physical and electronic system security and safeguards appropriate to the classification level of the Information in their custody.
  2. Complying with applicable university computer security standards.
  3. Managing Information User access as authorized by appropriate Information Stewards
  4. Following Information handling and protection policies and procedures established by Information Stewards, ICT and/or system administrators, (see Procedures for Handling Information Classes).

2.12 Information Lifecycle: The different stages information follows. The Information Lifecycle includes creation, use/sharing, retention, and disposition,

2.13 Information Steward: A university employee who is the manager responsible for the direction of a functional unit that is responsible for creating and/or managing a group of Records throughout its lifecycle. This typically will be a director or senior administrative officer (SAO) for the unit, depending on the structure of the department. The Information Steward may not be the authority for determining access to a University Record, Data, or Analytics.

2.14 Information User: The individual Member of the University Community or guest user who has been granted access to Information to perform assigned duties or in fulfillment of assigned roles or functions at the university. This access is granted solely for the conduct of university business.

2.15 Member(s) of the University Community: Persons who currently live, work or study (in person or online) at any Laurier campus or location. Members include students (including student groups), employees, adjunct and visiting faculty, and volunteers at Laurier.

2.16 Original Information: Information held in the office that has the primary responsibility for the Information (see Information Steward).

2.17 Permanent Information: University Information requiring permanent retention. Unless required for legislative compliance, the determination will be made by the Head, Archives and Special Collections to retain information permanently.

2.18 Personal Information: Recorded information about an identifiable individual.

2.19 Qualitative: In non-numerical format such as words, images, or observations.

2.20 Quantitative: Can be quantified and is amenable to statistical manipulation.

2.21 Record: Any recorded Information, however recorded, whether in printed form, on film, or by electronic means.

2.22 Record Hold: A written notice to suspend the disposition of specific Information. A records hold may be placed by the university’s Chief Legal Officer, designate, or external counsel retained on behalf of the university for legal reasons, or by a unit for audit or other operational needs.

2.23 Records Management Program: The management and administration of University Records at Laurier.

2.24 Retention Period: The length of time a Record must be retained before Disposition.

2.25 University Archives (the Archives): The official repository of Archival Records.

2.26 University or Institutional Information: Information that is in the custody and control of the University. University Information is made up of Records that can include Qualitative and/or Quantitative material.

3.00 Jurisdiction/Scope

3.01 This policy and associated procedures apply to all University Information as defined above. This policy pertains to all Members of the University Community that create, collect, modify or make use of University Information. It shall not apply to professors or researchers creating or using Information for pedagogical or research purposes.

4.00 Policy

4.01 Information Governance

4.01.01 The management, curation, and use of University Information is a shared responsibility involving and affecting academic and administrative stakeholders across the university. All University Information is the property of the university and is to remain in the custody and control of the university.

4.01.02 University Information shall be collected, recorded, stored, safeguarded, and maintained in a consistent and systematic manner that maintains its accuracy, integrity and accessibility.

4.01.03 University Information shall be constructed from the relevant physical or electronic systems in which it is created, collected, and stored.

4.01.04 University Information shall be accessible to Members of the University Community with a legitimate need, having regard to their organizational responsibility and position consistent with the University’s mission and in accordance with applicable University policies and procedures.

4.01.05 Institutional Information shall be shared appropriately in the pursuit of legitimate university activities and in light of the security and the sensitivity of their contents.

4.01.06 Noncompliance with this policy may result in access restriction to University Information or other consequences as noted in applicable collective agreements or employee manuals.

4.02 Records Management

4.02.01 Laurier is committed to the proper management of University Records. The integrity and security of University Records is essential, and the university shall create, use, retain, and dispose of University Records in compliance with legal and operational requirements.

4.02.02 Authority and Responsibilities of the Records Management Program

  1. Functional responsibilities for the Records Management Program include ongoing oversight of records management at the university to ensure enterprise-wide legislative and program compliance, creating new retention schedules when required, and ensuring any changes in legislated retention periods are reflected in the retention schedules.
  2. Reviews and changes to the Records Management Program and records retention schedules will be done in collaboration with key Information Stewards, Legal Services and Fair Practices Office, and the Head, Archives and Special Collections to ensure that the policy, retention schedule, and related procedures meet both legislative and operational requirements.

4.02.03 Responsibility for University Records

  1. Information Stewards are responsible for ensuring the University Records in their unit are accurate, reliable, and authentic, and that they are created, used, retained, and disposed of in accordance with the applicable records retention schedule. Information Stewards are responsible for securing University Records to protect personal, confidential, and privileged information from unauthorized access and use. (See 9.4 Information Security Policy Statement and the 10.1 Privacy Protection and Information Access Policy).
4.02.04 Responsibilities for Archival Records
  1. The Archives will be responsible for identifying, acquiring, preserving, and making accessible Archival Records.
4.02.05 Records Classification and Retention
  1. The university shall maintain a records classification system and a records retention schedule to help manage the lifecycle of University Records. The classification system will consist of a comprehensive list of the groups of University Records by work function. The records retention schedule will provide rules for each University Record group including a retention period, security requirements, Disposition method, and citation of legislation where applicable. This is recorded in the University’s Records Retention Schedules.
4.02.06 Disposition of University Records
  1. Unless a Records Hold has been placed, the university shall dispose of University Records in accordance with the University’s Records Retention Schedules and procedures for the disposition of records. Disposition of University Records may include destruction or permanent retention.
4.02.07 Records Hold
  1. Legal requirements supersede all university policies and procedures authorizing the destruction of University Records. Holds begin from the moment an employee becomes aware of or gains knowledge that legal action or an investigation is reasonably foreseeable, or when notice of a Records Hold has been provided by the university’s Chief Legal Officer, designate, or external counsel retained on behalf of the university.
  2. Requests for a Records Hold for audit or other operational purposes should be made to the Legal Services and Fair Practices Office. The Records Hold remains in effect until explicitly removed by notice, in writing, by the Legal Services and Fair Practices Office. Once the Records Hold is lifted, Records which have surpassed their retention period will be disposed of according to the retention schedule, and short-term retention Records deemed no longer useful will also be destroyed.

Relevant Legislation

Related Policies, Procedures and Documents

×