Data Governance: Difference between revisions

From Appalachian State University Policy Manual
Line 104: Line 104:
:[[Information Security Policy|Appalachian Policy 903 - Information Security Policy]]
:[[Information Security Policy|Appalachian Policy 903 - Information Security Policy]]
:[[Records Retention Policy|Appalachian Policy 105.1 - Record Retention Policy]]
:[[Records Retention Policy|Appalachian Policy 105.1 - Record Retention Policy]]
:[[Policy Statement on the Family Educational Rights and Privacy Act of 1974, as Amended|Policy Statement on the Family Educational Rights and Privacy Act of 1974, as Amended - Appalachian State University Policy Manual Policy]]
:[[Policy Statement on the Family Educational Rights and Privacy Act of 1974, as Amended|Appalachian Policy 105.3 - Policy Statement on the Family Educational Rights and Privacy Act of 1974, as Amended - Appalachian State University Policy Manual Policy]]
:[[University Archives|Appalachian Policy 105.2 - University Archives Policy]]
:[[University Archives|Appalachian Policy 105.2 - University Archives Policy]]



Revision as of 17:25, 11 December 2020

Policy 902

Introduction

The purpose of this policy is to outline a Data Governance program to preserve and nurture the open, information-sharing requirements of Appalachian State University’s (“Appalachian”) academic culture, while protecting Appalachian’s Institutional Data from unauthorized access or damage and meeting compliance requirements.

Scope

This policy applies to all Appalachian faculty, staff, students, vendors and visitors who access Institutional Data. This policy is not meant to address the release of Institutional Data under public records laws or other legal requirements, such as in response to subpoenas or court orders.

Definitions

Institutional Data

All data, regardless of physical form or characteristic, made or received in connection with the transaction of University business that is in the possession or control of the University (same meaning as defined in Appalachian Policy 901 – IT Governance Policy).

Data Element

A unit of Institutional Data that has precise meaning or precise semantics.

Data Governance

A framework of standards, principles, requirements, authorities, roles, and guidance to provide optimal and secure Institutional Data management to support and advance the University mission.

Data Trustees

Executive officers of the University, designated by the Chancellor, who are responsible for data-related strategic planning and have oversight authority of Institutional Data for all organizational units and employees, under their charge, that manage and receive Institutional Data.

Data Steward

A University employee who reports to, and is designated by, a Data Trustee and has the responsibility for protecting Institutional Data in accordance with IT Standards and University policies, and consistent with directions provided by a Data Trustee.

Data Security Officer

A University employee, designated by a Data Steward, who has been assigned operational responsibilities for maintaining technical solutions and enforcing access procedures and IT Standards related to Institutional Data.

Information Technology (IT) Standards

Same meaning as defined in Appalachian Policy 901 – IT Governance Policy.

Data Classification

A common category of Data Elements that specifies their availability, access requirements, and requisite protection levels.

System of Record

Information Technology (IT) that is identified as the authoritative data source by Appalachian for a subset of Institutional Data or a given Data Element.


Policy and Procedure Statements

Data Governance Program

The Chancellor is the Data Custodian of Institutional Data at Appalachian. The Chancellor has delegated authority and oversight for the administration and implementation of Data Governance to the Chief Information Officer. The Chief Information Officer is responsible for developing and overseeing a Data Governance Program (the “Program”) that includes:

  1. a data management IT Standard that defines Institutional Data Classification levels and processes associated with Data Classifications;
  2. a secure data handling IT Standard that defines approved methods for storing and sharing Institutional Data by Data Classification, and
  3. a Data Trustees Council and a Data Stewards Council to assist the Chief Information Officer with carrying out its duties of administering the Data Governance Program, as well as recommend and review Data Governance standards as determined by the Chief Information Officer.

Data Trustees

4.2.1 Data Trustee Oversight

Each Data Trustee has oversight authority and responsibility for the subset of Institutional Data and System of Records that is managed and administered by the organizational units and personnel the Data Trustee oversees. Data Trustees include the following executive officers:

  1. Executive Vice Chancellor and Provost
  2. Vice Chancellor of Business Affairs
  3. Vice Chancellor of Student Affairs
  4. Vice Chancellor of University Advancement
  5. Vice Chancellor and Chief of Staff
  6. General Counsel
  7. Chief Information Officer
  8. Director of Human Resources
  9. Director of Institutional Research Assessment and Planning

4.2.2 Data Trustees' Responsibilities

Data Trustees are responsible for:

  1. providing oversight of compliance with IT Standards for data management in their organizational units;
  2. promoting appropriate data use, data quality and management procedures to advance the University’s mission; and
  3. assigning one or more Data Stewards within a Data Trustees organizational unit.

Data Stewards

Data Stewards are responsible for the confidentiality, integrity, and availability of Institutional Data assigned to them by their Data Trustee. Responsibilities include:

  1. ensuring security and protection measures are implemented in accordance with relevant IT Standards;
  2. designating the System of Record and data definitions for critical Data Elements;
  3. designating Data Security Officers, as applicable; and
  4. reviewing and approving access requests and access levels in accordance with IT Standards, or delegating approval to the designated Data Security Officer.

Data Governance Groups

Data Groups are responsible for providing recommendations and assisting with Data Governance as identified below. The Data Governance Groups consist of the Data Trustees Council and the Data Stewards Council.

4.4.1 Data Trustees Council

To promote optimal data management and support consistency across the University, Data Trustees meet periodically in the Data Trustees Council to review Data Governance IT Standards, review the effectiveness of the University’s data management practices, and resolve any Data Stewardship disputes from the Data Stewards Council. All disputes not resolved at this level will be sent to the Chancellor for a final decision.

4.4.2 Data Stewards Council

Each Data Trustee will appoint one or two Data Stewards to serve on a Data Stewards Council. The Chief Information Officer, or delegate, and General Counsel, or delegate, will serve on the Data Stewards Council to provide consultation and advisement. The Data Stewards Council is responsible for:

  1. classifying Institutional Data in accordance with the Data Management IT Standard, and ensuring consistent terms and definitions are used for key Data Elements that are used across organizational units;
  2. reviewing Data Governance IT Standards to ensure consistent treatment and optimal use of Institutional Data;
  3. identifying the System of Record for a subset of Institutional Data or a given Data Element;
  4. reviewing and reporting the effectiveness of Institutional Data management practices to Data Trustees; and
  5. coordinating and resolving Data Stewardship issues that cross multiple functional units, and escalate compliance and risk issues to the Data Trustees Council.

Additional References

Appalachian Policy 906 - Acceptable Use Policy
Appalachian Policy 901 - Information Technology Governance Policy
Appalachian Policy 903 - Information Security Policy
Appalachian Policy 105.1 - Record Retention Policy
Appalachian Policy 105.3 - Policy Statement on the Family Educational Rights and Privacy Act of 1974, as Amended - Appalachian State University Policy Manual Policy
Appalachian Policy 105.2 - University Archives Policy

Authority

Data Management Standard
Secure Data Handling Standard
Information Security Risk Management Standard
IT Policy, Standards and Guidelines Website

Contact Information

Office of the Chief Information Officer (828-262-6278)

Original Effective Date

December 11, 2020

Revision Dates