
Data Governance and Access

Responsible Department
University Wide
Effective Date
12/18/2019
  1. Policy Purpose

    1. This policy establishes the data governance infrastructure and provides a structured and consistent process to obtain necessary data access for conducting University operations (including administration, research, and instruction), defines the relevant mechanisms for delegating authority to accommodate this process at the unit level while adhering to segregation of duties and other best practices, as well as defines data classification and related safeguards.

    2. This is a new policy.
  2. Definitions

    This policy contains several definitions, which are identified in bold throughout the document.  The defined terms have not been identified in this section to avoid redundancy.

  3. Policy Statement

    The University will utilize the governance and organization structure set out in Section 12 of the University System of Georgia Business Procedure Manual (“BPM”).

    1. Roles and Responsibilities

      1. The President is the Data Owner and has the responsibility for the identification, appointment and accountability of Data Trustees and will inform the USG’s Data Governance and Management Committee of their Data Trustee appointments including office, name and contact information of the incumbent.

      2. Data Trustees, designated by the Data Owner, are executives of the University who have the responsibility for the data read, created, collected, reported, updated or deleted in their data area(s).  Data Trustees have overall responsibility for accuracy and timeliness of submission of data to the USG.  These positions/offices would normally be cabinet-level positions reporting directly to the Data Owner.  Responsibilities of the Data Trustees include, but are not necessarily limited to:

        1. Ensuring that data accessed and used by units reporting to them is done so in ways consistent with the mission of the office and the University;

        2. Appointing Data Stewards within each functional area for which they are responsible. The Data Trustees will inform the University’s Data Governance and Management Committee of their Data Stewards’ appointments, including office, name and contact information of the incumbent;

        3. Participating as a member of the Data Trustee Steering Committee; and

        4. Communicating unresolved concerns about data (such as data quality, security, access, etc.) to the Data Owner.

      3. Data Stewards, designated by the Data Trustees, are personnel responsible for the data read, used, created, collected, reported, updated or deleted, and the technology used to do so if applicable, in their data area(s).  Data Stewards recommend policies to the Data Trustees and establish procedures and guidelines concerning the access to, completeness, accuracy, privacy, and integrity of the data for which they are responsible.  Individually, Data Stewards act as advisors to the Data Trustees and have management responsibilities for data administration issues in their functional areas.  Data Stewards have responsibility for accuracy and timeliness of submission of data to the USG system office in their area.  Depending on the size and complexity of a functional department/division, it may be necessary, and beneficial, for a designated data steward to identify Associate Data Stewards to manage and implement the stewardship process.  Responsibilities of Data Stewards include, but are not necessarily limited to:

        1. Developing standard definitions for data elements created and/or used within the functional unit. The data definition will extend to include metadata definitions as well as the root data element definition.

        2. Ensuring data quality standards are in place and met.

        3. Identifying the privacy level for the functional data within their area(s) of supervision/direction and communicating it to those responsible for ensuring data is handled according to its appropriate classification. (See 12.4.2 Classification)

        4. Establishing authorization procedures with the University’s Data Governance and Management Committee and/or chief information officer (CIO) to facilitate appropriate data access as defined by institutional/office data policy and ensuring security for that data. Authorization documentation must be maintained.

        5. Working with the University’s Data Governance and Management Committee, identifying and resolving issues related to stewardship of data elements, when used individually or collectively, that cross multiple units or divisions. For example, the individual data element “Social Security Number” may have more than one data steward since it is collected or used in multiple systems.

        6. Educating authorized users on responsibilities associated with data access.

        7. Participating as a member of the Functional Data Working Group(s) as appointed by the data trustee.

        8. Communicating concerns about data (such as data quality, security, access, etc.) to the data trustees.

        9. Data Stewards will designate individuals to coordinate University Data access for each functional data grouping.

      4. Associate Data Stewards are designated by Data Trustees or Stewards and manage and implement the stewardship process at the unit or departmental level.

      5. Data Custodians are University personnel that house University data and ensure applicable access restrictions to data residing in these systems.  Procedures for requesting data access will be provided by the Data Custodian(s).  Documentation of data elements and their appropriate use is the responsibility of the Data Stewards, Data Coordinators and Data Custodian(s).

      6. Data Coordinators are identified by Data Stewards and maintain records of authorized Data Users and serve as a contact point for the Data Custodians.  The Data Coordinator will inform the appropriate Data Custodian(s) on a timely basis of any changes that affect data access.

      7. Data Users are University personnel who have approved access to data housed in University systems, based upon least privilege necessary to perform job duties.

      8. Authorized Requesters are University personnel approved by Data Stewards to submit requests to Data Custodians for system access for Data Users.

    2. Strategic Planning, Coordination, and Implementation

      1. The President shall appoint a Data Trustee Steering Committee to serve in an advisory capacity.  The Data Trustee Steering Committee is responsible for development of long-term strategy related to the governance and management of University data.  This committee meets semi-annually or as otherwise required.

      2. The President (or designee) shall appoint a Data Governance and Management Committee for the University, which is responsible for defining, implementing, and managing policies and procedures for data governance and data management functions.  Specific responsibilities of the Data Governance and Management Committee include, but are not necessarily limited to the following:

        1. Defining data management roles and responsibilities contained in this section and other policy and procedure documentation;

        2. Maintaining documentation pertaining to data governance and management policy and procedure in a centralized and accessible location;

        3. Identifying the Data Governance and Management Committee structure and membership;

        4. Ensuring that cybersecurity control processes are developed and operational; and,

        5. Assisting the chairs of the Functional Working Groups to ensure effectiveness.

      3. Closely managing data content is necessary to ensure compliance with many federal, state and local regulations as well as grant and contract specifications. The University is responsible for clearly understanding and managing data to ensure confidential data is appropriately classified and safeguarded. To ensure the University has policies and procedures sufficient to give appropriate organizational personnel a working knowledge of regulatory requirements, the Data Governance and Management Committee will establish Functional Data Working Groups related to the following regulations:

          • Georgia’s Open Records Act OCGA § 50-18-70
          • Family Education Rights and Privacy Act (FERPA)
          • U.S. Department of Health and Human Services Health Insurance Portability and Accountability Act (HIPAA)
          • Gramm-Leach-Bliley Act (GLBA)
          • General Data Protection Regulation (GDPR)
          • Specific research data requirements
          • Other applicable regulations

            It is the role of the Functional Data Working Groups to identify the threshold for decisions that require group consideration.

    3. Data Categories

      University data shall be classified into three major categories that are defined as described in this section.  The Data Stewards, in consultation with the Data Coordinators and Data Administrators, are responsible for defining which data elements and data views fall into each data category.

      1. Unrestricted Information:  Information maintained by the University that is not exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws.  Some level of control is required to prevent unauthorized modification or destruction of public information.  This category typically involves information subject to two types of use:

        1. Public Use:  This information is targeted for general public use.  Examples include Internet website contents for general viewing and press releases.

        2. Internal Use:  Information not generally available to parties outside the University community, such as minutes from non-confidential meetings, and internal (intranet) websites.  Public disclosure of this information would cause minimal disruption for the University.  This category is the default data classification category.

      2. Controlled Unclassified Information:  Any information that law, regulation, or University Policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.  It typically includes both Sensitive Information and Confidential Information (as defined below).

        1. Sensitive Information:  Information maintained by the University that requires special precautions to protect it from unauthorized use, access and disclosure, and to guard against improper information modification, loss or destruction.  Sensitive information is not exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws but is not necessarily intended for public consumption.

        2. Confidential Information:  Information maintained by a USG organization that is subject to authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information (44 USC § 3542).  Confidential classified documents are exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws.

      3. Controlled Classified Information:  Information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

      4. In addition, personal information may occur in all categories of information.  It is information that identifies or describes an individual and must be considered in the classification structure.

    4. Guiding Principles

      The University has established the following guiding principles governing access to University Data by any individual conducting University operations:

      • Inquiry-type access to official university data will be as open as possible to individuals who require access in the performance of University operations within legal, federal, or State restrictions. Compelling justification is required to limit inquiry access to any data element.

      • Data Users granted “create” and/or “update” privileges are responsible for their actions while using these privileges. That is, all campus units are responsible for the university data they create, update, and/or delete.

      • Any individual granted access to University Data is responsible for the ethical usage of that data. It will be used only in accordance with the authority delegated to the individual to conduct University operations.

    5. It is the express responsibility of authorized users and their respective business units to safeguard the data they are entrusted with, ensuring compliance with all aspects of this policy and related procedures.

    6. Segregation and Separation of Duties

      1. In addition to having a well-organized and defined data governance structure, USG organizations must ensure that their organizational structure, job duties, and business processes include an adequate system of separation of duties (SOD), taking into account a cost-benefit and risk analysis. SOD is fundamental to reducing the risk of loss of confidentiality, integrity and availability of information. To accomplish SOD, duties are divided among different individuals to reduce the risk of error or inappropriate action. For example, the employee or office responsible for safeguarding an asset should be someone other than the employee or office that maintains accounting records for that asset. In general, responsibility for related transactions should be divided among employees so that one employee’s work serves as a check on the work of other employees. When duties are separated, collusion between employees is required for assets/data to be used inappropriately without detection.

      2. While electronic processes enhance accuracy and efficiency, they also can blur SOD. USG organizations must evaluate and establish well-documented controls to deter an individual or an office from having the authority (or the ability) to perform conflicting functions both outside and within technology information systems.

    7. Training

      Each Trustee should articulate training for the data they manage and expectations for each user role.  The University must take the following steps as it relates to training:

      1. Provide role-specific training to all individuals within the data governance structure, including data users and all those subject to data governance policies;

      2. Ensure individuals understand their roles and the larger governance structure, responsibilities, and applicable policies and procedures;

      3. Provide training to individuals as they enter these roles, when there are substantive changes to training and at regular intervals over time to ensure up-to-date understanding;

      4. Update training materials as changes to policy and procedure require;

      5. Document participation in training and audit training participation at regular intervals;

      6. Provide training materials in a permanent form (such as on a website) for individuals to reference as needed;

      7. Specifically address in training materials for all individuals how data classified as public or protected is managed throughout its lifecycle; and,

      8. Provide clear information about how an individual should proceed if he or she believes data policies or standards are not followed, or there has been a breach of data security.

    8. Monitor

      The University’s Data Governance and Management Committee is responsible for assigning roles and responsibilities for data governance and management per Section 12.2.1. In addition to the development and implementation of policies and procedures, organizations must assign roles and responsibilities for active monitoring of these policies and procedures to ensure compliance.

    9. The mobile devices, computers, networks, application software and data repositories of the University are critical resources that must be protected against inappropriate access and/or disruption of service.  Active measures are necessary to ensure data integrity and reduce the risk of system compromise, especially where Controlled Unclassified and Classified Data may be at risk.  Established procedures for the protection and release of Controlled Unclassified and Classified Data must be followed regardless of the platform used to store that data.  The data protection safeguards are a comprehensive set of technical (IT), administrative (procedural), and physical safeguards which need to be put in place in order to ensure adequate protection for each category of data, as described in the data categories above.  Any deviation from mandatory requirements must be documented and covered by adequate compensating control(s).

    10. Audit

      Compliance with the Data Governance and Management section of the BPM can be a subject of institution, system or state audit. The University must maintain records not only of documentation explicitly referenced in this section but also general evidence that the organization is in compliance with its data governance and management policies and procedures.
  4. Procedures

    Any related operating procedures must comply with and should reference this policy.
