Business Procedures Manual

Essential business procedural components for University System of Georgia institutions.

12.5 Compliance

(Last Modified on March 22, 2019)

Meeting the provisions of Section 12 on Data Governance and Management requires active measures by USG organizations to ensure ongoing compliance. These include ensuring compliance with external regulations in addition to the provisions in this section through regular training, monitoring and auditing.

12.5.1 Regulatory Compliance

(Last Modified on March 22, 2019)

Closely managing data content is necessary to ensure compliance with federal, state and local regulations as well as grants and contract specifications. Each USG organization is responsible for clearly understanding and managing data to ensure confidential data is appropriately classified and safeguarded. Each USG organization must have policies and procedures to ensure that appropriate organizational personnel has a working knowledge of:

  • Georgia’s Open Records Act OCGA § 50-18-70
  • Family Education Rights and Privacy Act (FERPA)
  • U.S. Department of Health and Human Services Health Information Probability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • General Data Protection Regulation (GDPR)
  • Specific research data requirements
  • Other applicable regulations

12.5.2 Training

(Last Modified on March 22, 2019)

The purpose of this section is to ensure that appropriate individuals at each USG organization receive training on the data governance policies, procedures, and roles developed in compliance with preceding requirements in this Data Governance and Management section.

Organizations must:

  • Provide role specific training to all individuals within the data governance structure, including data users and all those subject to data governance policies;
  • Ensure individuals understand their roles and the larger governance structure, responsibilities, and applicable policies and procedures;
  • Provide training to individuals as they enter these roles, when there are substantive changes to training and at regular intervals over time to ensure up-to-date understanding;
  • Update training materials as changes to policy and procedure require;
  • Document participation in training and audit training participation at regular intervals;
  • Provide training materials in a permanent form (such as on a website) for individuals to reference as needed;
  • Specifically address in training materials for all individuals how data classified as public or protected is managed throughout its lifecycle; and,
  • Provide clear information about how an individual should proceed if he or she believes data policies or standards are not followed, or there has been a breach of data security.

12.5.3 Monitor

(Last Modified on March 22, 2019)

Each USG organization’s Data Governance Committee is responsible for assigning roles and responsibilities for data governance and management per Section 12.2.1. In addition to the development and implementation of policies and procedures, organizations must assign roles and responsibilities for active monitoring of these policies and procedures to ensure compliance.


12.5.4 Audit

(Last Modified on March 22, 2019)

Compliance with this Data Governance and Management section of the BPM can be a subject of institution, system or state audit. Institutions must maintain records not only of documentation explicitly referenced in this section but also general evidence that the organization is in compliance with its data governance and management policies and procedures.


↑ Top