Data Governance

Policy Information
Policy TitleData Governance
Responsible OfficeOffice of the Chief Information Officer (ITS)
Policy TypeInformation Technology
Policy Number300
Last Revision Date2/2/2020

Philosophy

The value of data as an institutional resource is increased through its widespread and appropriate use; its value is diminished through misuse, misinterpretation, unnecessary restrictions to its access, or failure to maintain quality. Most importantly, wide access to data will enable consumers to identify new relationships in data and new information previously unknown or unavailable. This is the domain of data mining and to some degree what-if analysis. Binghamton University endorses and supports this within the appropriate security and privacy constraints.

Information maintained by Binghamton University is a vital asset that is available to all employees who have a legitimate need for it, consistent with the University's responsibility to preserve and protect such information by all appropriate means. The University is the owner of all institutional data, including administrative and student data; individual units or departments may have stewardship responsibilities for portions of that data.

The University determines levels of access to institutional data according to principles drawn from various sources. State and federal law provides a clear description of some types of information to which access must be restricted. In an academic community, ethical, security, and privacy considerations are other important factors in determining access to institutional data.

The University is committed to establishing and maintaining data standards and quality, while adhering to all privacy and compliance requirements, including relevant information security concepts and constructs.

Purpose

Data Governance is the overall management of the availability, integrity, and security of data used in the enterprise, including a defined set of procedures and a plan to execute those procedures.

The primary purposes of this policy are:

  • To establish and define the Institutional Data
  • To establish the governance structure, including the responsibility and authority
  • To define and communicate the institutional data architecture, framework, and standards, including:
    • Data Standards
    • Data Classifications
    • Data Quality
    • Data Access
    • Data Compliance and Privacy
    • Data Retention and Archiving
    • Information Security
  • To monitor and enforce compliance with the framework and standards
  • To define the primary operational roles for execution of data governance, including identification of responsible parties

Definitions

Data Access

The right to read, enter, copy, query, download, or update data, which is potentially different for different sets of data for each person, role, etc.

Role-Based Access Control

Role-based access control (RBAC) is a method of restricting access to data based on the roles of individual users within an enterprise. RBAC lets employees have access rights only to the information they need to do their jobs and prevents them from accessing information that doesn't pertain to them.

Data

Facts, ideas, or discrete pieces of information, especially when in the form originally collected and unanalyzed.

Institutional Data

Institutional Data is a large subset of the totality of the University's records and includes any information in print, electronic, or audio-visual format that meets the following criteria:

  • Acquired and/or maintained by University employees in the performance of official administrative job duties;
  • Created or updated via the use of a University enterprise system or used to update data in an enterprise system;
  • Relevant to planning, managing, operating, or auditing a major function at the University;
  • Referenced or required for use by more than one organizational unit; and
  • Included in official University administrative reports or official University records.

Most importantly, institutional data is a strategic asset to the University. When coupled with and processed through business intelligence, institutional data allows the University to make best possible strategic decisions quickly, correctly, and without bias.

Institutional Data Governance Council, Data Trustees

The standing University Committee which prepares, compiles, creates, and recommends policies and procedures to the President for his or her approval on institutional data standards, guidelines, protocols on the collection, management, revision, and access to such data. The Council is appointed and charged by the President. The Data Trustees are comprised of the President and the Institutional Data Governance Council.

Data Stewards

Senior University officials who have the responsibility for managing at least a segment of the Institutional Data.

Data Custodians

University officials who have operational level responsibility for the capture, maintenance, dissemination, and storage of Institutional Data.

Data Guardians

Information Technology staff who has responsibility for configuring and maintaining the infrastructure for the Institutional Data as well as implementing the security and access framework.

Data Consumers

University employees, agents, or other properly authorized individuals who access the Institutional Data in performance of their assigned duties on behalf of the University.

Framework

Ease of access to data by properly authorized individuals securely in performing their job responsibilities is the desired outcome of the policy and the framework. Please see Figure 1 for a pictorial depiction of the framework. As such it is supported by the across-the-board baseline technology and the five pillars.

The five pillars of this framework are:

  • Quality and consistency
  • Policies and standards
  • Security and privacy
  • Compliance
  • Retention and archiving

Scope

This policy establishes the framework for technical and behavioral standards and guidelines in creation and management of institutional data, especially as related to data quality and consistency, security and privacy, compliance, retention and archiving, and access by individuals. It assigns responsibilities to offices and individuals regarding management of data.

This policy covers all institutional data, including but not limited to machine-readable data and printed data on all media, principal copies, backup copies, and archival copies.

The policies and procedures of this document are applicable to and binding for all Binghamton University constituents, including but not limited to all students, faculty, staff, affiliates, guests, contractors, vendors, and others who are on-campus and off-`campus. Specifically, the policies and procedures of this document are applicable and binding for all providers who host Binghamton University data in their off-site systems, unless specifically excluded or subjected to revised policy and contract provisions after due consideration by Information Security staff and University Attorney, followed by Institutional Data Governance Council endorsement. To the maximum degree possible provisions of this policy and procedures must be made part of the contract with outside providers who host Binghamton University data in their off-site systems.

Policy Statement

Institutional Data Governance Council will prepare and recommend relevant data governance policies. The President will review and approve those policies as appropriate. Additionally, Institutional Data Governance Council will establish the necessary control and enforcement mechanisms.

Institutional Data is owned by the University. The access to data, reports, and other related output is governed according to the University policies and guidelines. Individuals and/or departments function as the stewards of the data and are responsible for proper application of the University policies and guidelines.

As of the current revision of this policy Institutional Data includes:

  • Student Data: All information in the Student Information System and its related auxiliary systems: Admissions, Student Success, Co-Curricular, Residence Hall, etc.
  • Administrative Research Data
  • Financial Data
  • Human Resources Data
  • Library Data
  • Information Technology Data: Identity and Access Management Data, E-mail, Shared Documents
  • Physical Facilities Data

The University expressly forbids the use of Institutional Data for anything but the conduct of University business. Those accessing data must observe requirements for confidentiality and privacy, must comply with protection and control procedures, must accurately present the data in any use, and must comply with applicable University policies, state and federal laws and regulations.

Data Administration Roles

Data Trustees

The Data Trustees will establish and enforce the University Data Governance framework and policies regarding data classification, data standards, data quality, data access, data compliance and privacy, data retention and archiving, and information security. In doing so the Data Trustees may establish sub-committees or working groups with external membership.  Additionally, Data Trustees will address any procedural issues and address appeals. Finally, Data Trustees will appoint Data Stewards.

Data Stewards

The Data Stewards are responsible for implementation and enforcement of the Data Governance Policies and Procedures in their units and/or for Institutional Data which is in their purview.

Specific responsibilities:

  • Compliance: Responsible for compliance with all University policies and external relevant laws and regulations related to the portion of Institutional Data within their purview.
  • Access: Review and approve or deny access requests for the portion of Institutional Data within their purview subject to University policies and guidelines.
  • Data Definition and Classification: Approve Data Definition and Classification recommendations from Data Custodians.
  • Data Quality and Integrity: Responsible for developing procedures and protocols to make sure that Institutional Data within their purview meets the quality and integrity expectations for the University.
  • Data Retention and Archiving: Responsible to assure that Institutional Data within their purview is properly retained and archived according to Data Governance and other University retention policies.
  • Information Security: Responsible for implementing and disseminating the Information Security protocols, processes, and safeguards for Institutional Data within their purview.
  • Business Intelligence: Responsible for approving/developing standard, parametric, and ad hoc Institutional reports for Institutional Data within their purview working in collaboration with Data Custodians and Office of Institutional Research.
  • Appoint Data Custodians.

Data Custodians

Data Custodians assist Data Stewards with all the necessary tasks for the successful implementation and enforcement of the Data Governance policies and procedures within their domain. Generally, Data Custodians have responsibility for the day-to-day maintenance and security of the Institutional Data.

Specific responsibilities:

  • Compliance: Implement day-to-day aspects of the compliance requirements established by Data Stewards.
  • Data Collection and Maintenance: Make sure that data collected and entered is complete, accurate, valid, and timely.
  • Data Definition and Classification: Develop and recommend Data Definition and Classification to the Data Stewards.
  • Data Quality and Integrity: Implement quality and integrity procedures and protocols developed by Data Stewards.
  • Information Security: Monitor access to data and address inappropriate access timely.
  • Business Intelligence: Assist Data Stewards with developing standard, parametric, and ad hoc Institutional reports for Institutional Data in collaboration with the Office of Institutional Research & Assessment.

Data Guardians

Data Guardians are Information Technology staff who has responsibility for configuring and maintaining the infrastructure for the Institutional Data as well as implementing the security and access framework.

Specific responsibilities:

  • Assist in development of Data Standards, Data Dictionary, and Data Quality.
  • Assist in development of Information Security standards to provide safeguards for the data.
  • Develop and implement data access and security controls, and audit tools.
  • Design, implement, and maintain the infrastructure for the systems in which the data is housed.

Data Consumers

Data Consumers are University employees, agents, or other properly authorized individuals who access the Institutional Data in performance of their assigned duties on behalf of the University. There are three basic types of access:

  • View/Read access to select or all standard and parametric reports
  • Full View/Read access to the data or parts of data
  • Transaction/Write access to the data or parts of data

Specific responsibilities:

  • Respecting the confidentiality and privacy of the data as defined by University policies, State and Federal laws and regulations.
  • Adhering all policies and regulations in use, disseminations, disclosure, and disposal of data.
  • Accessing and using Institutional Data only in the performance of their University duties and for no other purpose.

Data Standards & Data Dictionary

The University Data Standards & Data Dictionary policy (Policy 300.1) is established in a separate document as a subordinate policy, which is incorporated into this policy by reference.

This document is under development.

Data Classification

The University Data Classification policy (Policy 300.2) is established in a separate document as a subordinate policy, which is incorporated into this policy by reference.

This document is under development.

Data Quality & Integrity

The University Data Quality & Integrity policy (Policy 300.3) is established in a separate document as a subordinate policy, which is incorporated into this policy by reference.

This document is under development.

Data Access

The University Data Access policy (Policy 300.4) is established in a separate document as a subordinate policy, which is incorporated into this policy by reference.

Data Compliance & Privacy

The University Data Compliance & Privacy policy (Policy 300.5) is established in a separate document as a subordinate policy, which is incorporated into this policy by reference.

This document is under development.

Data Retention & Archiving

The University Data Retention & Archiving policy (Policy 300.6) is established in a separate document as a subordinate policy, which is incorporated into this policy by reference.

This document is under development.

Information Security

The University Information Security policy (Policy 300.7) is established in a separate document as a subordinate policy, which is incorporated into this policy by reference.

This document is under development.

Review

This policy will be reviewed every 12 months.

Procedures

Institutional Data Governance Council will review and if necessary revise the Institutional Data Governance Policy in all of its components once a year. Even if it is deemed no revision is necessary, it will be re-certified once a year.

Institutional Data Governance Council will present the progress and status of Data Governance to SOG+ once a year.

Revision and Approval History

Date Description of Change Reviewer
2/11/2020 Approved by SOG SOG
12/17/2019 Endorsed by Institutional Data Governance Council IDGC
12/10/2019 Initial write-up, endorsed by ITS ITS