IFM-PR-010: Managing Electronic Identities and Identity Management

Outlines factors that need to be considered when involved in identity management and the managing electronic identities of departmental employees, students and other users of the departmental network and/or systems; and implementing appropriate identity management access to ICTs.

Relevant legislation and policy

Legislation and/or regulations

Education (General Provisions) Act 2006 (new window) Sections 37 and 426 http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/E/EducGenPrA06.pdf
Public Records Act 2002 Section 8(1) http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/P/PublicRecA02.pdf
Freedom of Information Act 1992 (new window) Section 21 and 22 http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/F/FreedomInfoA92.pdf
Financial Management Standard 1997 (new window) Sections 22 and 23 http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/F/FinAdminAudSt97.pdf
Education (Queensland College of Teachers) Act 2005 (new window) Chapter 11 Part 2 http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/E/EducQCTA05.pdf
Child Protection Act 1999 (new window) Part 4 http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/C/ChildProtectA99.pdf

Substantive policy

Information Standard 18 (IS18): Information Security http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
Information Standard 40 (IS40): Recordkeeping http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
Information Standard 41 (IS41): Managing Technology Dependent Records http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
Information Standard 42 (IS42): Information Privacy, Section 21 http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx
Information Risk Management Best Practice Guidelines (new window) http://www.qgcio.qld.gov.au/SiteCollectionDocuments/Architecture%20and%20Standards/Information%20Standards/Toolbox/Risk%20Management/Risk%20Management/riskmanagementbpg.pdf

Related procedures

IFM-PR-003: Classification and Handling of Information Assets /strategic/eppr/information/ifmpr003/
IFM-PR-006: Maintaining the Security of Department Information and Systems /strategic/eppr/information/ifmpr006/
IFM-PR-008: Records Management in Schools and Non-School Offices /strategic/eppr/information/ifmpr008/
SMS-PR-019: Mature aged students /strategic/eppr/students/smspr019/

Statement of intent

The Department encourages access to its information resources, provided security measures are in place to limit access to restricted (confidential, protected and highly protected) information to only authorised persons.

The Department will provide secure access to information in departmental ICT systems to authorised users through provision of electronic identities. Electronic identities may be provided to:

All correctly enrolled students
All staff members and contractors who are identified and appropriately authorised
All responsible adults who request an electronic identity and who have been appropriately identified, and who have one or more students enrolled in a state school
All external persons who have a legitimate role with the department
All external organisations who have a legitimate role with the department

Users will only be provided access to information required to meet their needs as authorised by ICT systems owners.

Access to restricted information is only to be provided to users to perform their functions as outlined in their position statement and will be monitored using access controls and logging.

The required level of access control to information is determined by its security classification. These requirements are detailed in IFM-PR-003: Classification and Handling of Information Assets.

Electronic identities will be:

Managed through their complete lifecycle from registration, through propagation and maintenance, to deactivation.
Registered and logged in accordance with the registration framework, departmental policies and legislative requirements to enable audits to be undertaken.
Will be maintained as a central store, but copies of these identities may also be stored in other locations as required.
Managed to ensure consistency and accuracy of identity data. Authorised users will be able to review and update defined attributes of electronic identities. Changes to an electronic identity will be logged and monitored.
Deactivated as required and all deactivations of electronic identities will be logged in accordance with departmental policies and legislative requirements.

Please refer to the Managing Electronic Identities and Identity Management Guidelines for further information in relation to identity registration, authentication, account review and management, third party access, logging and auditing, and privacy.

Student and staff safety will be maintained by ensuring personal and sensitive information is not accessed by unauthorised users.

Access to personal information is to comply with Information Standard 42 (IS42): Information Privacy. new window and departmental policy.

Contacts

For information about managing electronic identities, contact:

Manager, Policy Development
Information and Technologies

Phone:: (07) 3259 4568
Fax:: (07) 3259 4269

Document information

Approval record: TRIM 07/62012
Date of implementation: 2007-05-18
Date of publication: 2007-06-21
Date to be reviewed: 2009-05-18
This procedure replaces:

IFM-PR-001: Identity Management - Security - Version: 1.0
IFM-PR-004: Management of Electronic Identities - Version: 1.0

Uncontrolled copy. Please refer to Education Policy and Procedure Register at http://iwww.qed.qld.gov.au/strategic/eppr/ for latest version.

Uncontrolled copy. Please refer to Education Policy and Procedure Register at http://education.qld.gov.au/strategic/eppr/ for latest version.

^ Top of page