Data Governance Framework
Overview
Cubiko’s data governance framework involves organisational policies, procedures and clear responsibilities that maintain the integrity and security of all information assets. This framework guides Cubiko in our role as data custodians and ensures that data is understood, trusted, and appropriately used. It ensures that we understand our responsibilities for the collection, management, and use of data, specifically the value it provides to our customers.
What is data governance
A set of principles and guidelines applied through our operating model to maintain accountability when exercising control and decision making over the management of data assets.
Our data governance principles
1) Data is business enabling, aligned to business needs and customer outcomes. Data is ingested and managed so that it directly supports business and customer requirements. Data is integral to Cubiko’s operations and effectiveness.
2) Data is secure, valued and managed as an asset. Data is recognised as a core component of Cubiko services and operations, and is supported and maintained as a secure, long-term business asset wherever required.
3) Data is trustworthy, used and reused with confidence. Data is accurate, authentic, and trusted, allowing its ongoing use and reuse by customers.
4) Data quality and accuracy is reflective of practice data ingested. Quality data is of value to customer, business, and strategic objectives, and enables improved services planning, delivery, and business insights.
5) Data is managed across the full data management lifecycle, protected from unauthorised use and inappropriate deletion. Data is appropriately managed from ingestion to final disposition. This management includes the protection of personal, health and sensitive information, and prevention of deletion until enabled by legal destruction and authorisation.
Our data governance guidelines
Security: We use industry-leading encryption technologies to protect data during communication/transit and at rest. We use access controls and audit records (among other security tools and technologies) to protect the data held and processed by us.
Data: Data uploaded to Cubiko remains under the control of the providing medical practice, and its use is strictly limited to being an input into the analysis services we supply as an information technology provider. Where medical practices choose to participate in de-identified aggregated metrics, this data will be presented as unidentified aggregated analysis.
Privacy: Customer data is stored within Australian data centres and is subject to Australia’s rigorous privacy laws. We take significant additional measures in respect to personal information shared with us by our medical practice clients for the purpose of providing our analysis services to them
Compliance: Customer data relating to the operation of practices is deleted within 60 days of end of Cubiko subscription, which includes ceasing system and practice data ingestion to any aggregated benchmarking metrics. Historical ingestion to aggregated benchmarking metrics is unidentifiable and unable to be deleted. We strive to conform to OWASP and ACSC guidelines for security operations, including frequent comprehensive security audits
Our data definitions and information classification
Data managed by Cubiko adheres to clear data definitions as per our information classification and handling policy.
The classification of information assets is applied according to their confidentiality, integrity, and availability requirements.
| Classification | Description |
|---|---|
|
Strictly Confidential |
Information is highly sensitive. |
|
Confidential |
Information is sensitive. |
|
General |
Information is for internal business use only, or for sharing with trusted partners. |
|
Public |
Information can be shared freely outside the organisation. |
Data Management Lifecycle
Where data governance sets the rules of engagement for how data-related decisions are made within Cubiko policies and processes, data management refers to the planning, execution and operation of these policies and processes.
Cubiko’s data management lifecycle stages involves:
| Lifecycle Stage | Collect & Ingest | Store & Secure | Process | Use | Destroy |
|---|---|---|---|---|---|
|
Description |
Data uploaded to Cubiko remains under the control of the providing practice. Cubiko ingests data from Practice management systems through secure transfer protocols. Cubiko takes steps to only extract data which is needed and exclude unnecessary data points. |
Cubiko utilises tier-one Australian-based cloud technology providers whose infrastructure is designed to adhere to security and availability best practices. All practice data is stored within Australian data centres and is subject to Australia’s rigorous privacy laws. Access to the data is controlled with secure credentials and mandatory use of encryption in transit and rest. |
Access to perform analytical processing internally granted using the principle of ‘least privilege’. This means that each application, service, and Cubiko user operates using the least set of privileges necessary to perform their functions. |
Analytical results of transformed data is made available as read-only to customers through Cubiko’s practice intelligence platform, with platform access managed directly by practices.
Cubiko does not share any of the de-identified aggregated indexed performance metrics for commercial reasons with 3rd Parties. Some de-identified data sets are available to 3rd Party community members, and certified partners of Cubiko for research and content generation purposes for the community.
|
Disposition of practice data from master data store, data processing platform and Cubiko business intelligence platform. |
|
Role |
Data Owner |
Data Custodian |
Data Custodian |
Data Custodian, Data Owner, Data User, Data Contributor, Data Public Viewer |
Data Custodian |
Data roles explained
Data Owner: Cubiko customers who are accountable for the state of their practice management data as an asset and manage Data User access to Cubiko’s business intelligence platform, within their own practice.
Data Custodian: Cubiko staff responsible for the collection, management, and release of data. We have a legal and ethical obligation to keep our customers information entrusted with confidence and ensure data policies and standards are adhered.
Data User: Cubiko customers who have been provided access by their practice to view practice management analytics.
Data Contributor: Cubiko customers who have opted into the Cubiko community for benchmarking.
Data Public Viewer: Cubiko public website visitors who can view product features and use case material agreed for promotional purposes only.