12.5 Privacy and Security
Please refer to this section for all matters of Data Governance and Management.
Policies and procedures provide oversight and guidance of the various data governance and management processes which inform USG business operations, including but not limited to: definitions, collections, usage, reporting, protection, and preservation. The appropriate management of data is the responsibility of all USG employees and faculty members, but is of particular concern to the offices and/or positions responsible for the activities described above. Policies and procedures for the governance and management of data are required for all USG institutions and organizations.
Policy originates from the Board of Regents and is captured in the BOR Policy Manual. This policy, as well as procedures and guidelines from the USG Business Handbook and USG Information Technology Handbook, inform the governance and management of USG enterprise data. All USG organizations must comply with these policies and procedures. Individual USG institutions may develop additional procedures for the institution’s specific data governance and management processes, provided these procedures do not conflict with the policies described herein.
12.1.1 Overview of Data Governance and Management
The USG Data Governance Committee regularly consults with USO leadership to obtain information necessary to effectively discharge their decision-making responsibilities. The Data Governance Committee reviews these requests and identifies the information requirements and associated data necessary to satisfy said responsibilities.
The Office of Research and Policy Analysis (RPA) assists the committee by informing its members of existing data elements satisfying these requirements and informs the committee of those data elements necessary for compliance with internal and external reporting requirements.
RPA receives the committee’s requirements, and in conjunction with the expertise of the Administrative Committee for Institutional Research and Planning and other USG institution representatives, develops standardized definitions for specific data elements. RPA authors and maintains a data element dictionary for all standardized USG data elements, describing the purpose, origin, method of measurement, collection and reporting process, and ownership. RPA submits the data element dictionary and/or subsequent amendments, additions, or deletions to the Data Governance Committee for approval. The Data Governance Committee periodically reviews, updates, and adopts the data element dictionary.
The USG Chief Information Officer (CIO) implements the current data element dictionary as well as any subsequent amendments, revisions, or deletions, and the collection and reporting technologies necessary to fulfill the document’s informational needs. The CIO or designee may provide guidance to RPA in the development of data element definitions by providing technical expertise related to data management.
12.1.1.1 Data Governance Committee
The committee chair is the USG Chief Academic Officer. The Chief Academic Officer or designee will identify additional members consisting of representatives from other USG functional areas, including Research & Policy Analysis, Information Technology Services, Internal Audit & Compliance, Fiscal Affairs, Human Resources, Student Affairs, and Real Estate and Facilities.
The Data Governance Committee is responsible for implementation of data governance and management policies. Specific responsibilities include, but are not limited to, the following:
- Obtaining perspectives and input about information needs from USG leadership;
- Identification of other USG enterprise information and data needs;
- Approval of data element definitions;
- Designation of authority for data management processes; and
- Resolution of conflicts related to the development, use, collection, or reporting of data throughout the USG.
12.1.2 Data Owners
Individual USG campuses are responsible for the data created, updated, deleted, collected, read, and reported by the institution. The president of a USG institution is the owner of all respective institutional data. At other USG organizations, the respective chief executive officer is the owner of the organization’s data.
Data owners are responsible for identifying, appointing, and holding data trustees accountable. Data owners will inform the Data Governance Committee of trustee appointments, including the name, title, office, and contact information for all data trustees. Data owners are the final approvers of data governance and management procedures unique to that organization.
The institution’s Chief Information Officer is responsible for managing the necessary technical infrastructure so that information and data needs are adequately satisfied, including availability, delivery, access, and security of data throughout the entity.
12.1.3 Data Governance and Management Responsibilities
Data owners may assign the responsibilities for all or some specific portion of the institution’s data to designees. These designees (or Data Trustees) act as advisors to the data owner, and typically have responsibility for data management and administration in their respective functional areas. USG institutions and organizations are expected, to the extent possible, to leverage existing roles in assigning the duties related to data governance and management.
Responsibilities to be assigned include, but are not limited to, the following:
- Establishing procedures to fulfill the requirements of USG data governance and management policies. These procedures will provide guidance for access, completeness, accuracy, integrity, privacy, and security of the data for which the designee is responsible.
- Ensuring satisfactory standardization of data element definitions.
- Cataloging data generated by the organization, including the following:
  - The functional data owner;
  - The purpose of the data;
  - Current uses;
  - The manner in which the data are generated, maintained, and reported;
  - Data security and/or privacy requirements and needs; and,
  - Classification of the data as unrestricted, sensitive, or confidential.
- Assessing data quality and communicating concerns about data quality and/or the use of data to the functional data owner.
- Ensuring that data will be used and reported in a manner consistent with the mission of the office, institution, or organization.
- Participating, as needed, as a member of the Data Governance Committee.
- Leading or serving as a member of institutional data committees and/or subgroups on an as-needed basis.
12.1.4 Data Users
Data users are any USG faculty or staff authorized by the appropriate institutional authority to access USG enterprise data or data related to their respective institutions. This authorization should be for specific usages and purposes, and designed solely for conducting institutional business.
All data users are responsible for the following:
- Compliance with the policies and procedures related to the appropriate use of USG data;
- Using institutional data only as required to conduct assigned business activities;
- Ensuring and maintaining compliance with privacy laws, regulations, and policies;
- Maintaining a secure environment for the use of USG data; and,
- Ensuring the accuracy and timeliness of USG data.
12.1.5 Data Governance Training
An essential factor in helping to ensure the quality of data governance is a sound and effective data governance training plan. Planning, providing, and assessing the effectiveness of data governance training is the responsibility of the committee as a whole, as well as the designated leadership within each individual participating organization of the USG.
The CIO or the CIO’s designee will be responsible for providing and assessing training in the use of the technical environments and systems used to collect, store, and protect the data.
RPA will be responsible for providing and assessing training for the business processes associated with data governance.
The data owners at the USG organizations will be responsible for providing and assessing training to the institutional users on how to enter the data.