Policy Title | Data Governance Policy |
---|---|
Policy Category | Information Technology |
Original Policy Approval Date | October 21, 2021 |
Policies Superseded | Interim Information Technology Policy, Section H (Data Classification) |
Responsible Office | Information Technology and Institutional Research and Effectiveness |
Related Policies | Information Technology Policy; Acceptable Use Policy; FERPA Compliance Policy; Notice of Privacy Policy; Records Management Policy |
Frequency of Review | 5 Years |
Date of Next Review | October 2026 |
I. Scope
This Data Governance Policy (“Policy”) applies to all faculty, staff, and students of Arcadia University (the “University”), as well as contractors, consultants, and all personnel affiliated with third parties with access to or use of University Data (“University Community of Practice”). This Policy applies to all University data, regardless of form or location, and the hardware and software resources used to electronically store, process, or transmit that information. This includes data processed or stored and applications used by the University in hosted environments in which the University does not operate the technology infrastructure.
II. Policy Statement
The purpose of this Policy is to establish a framework for managing the University’s institutional data resources.
III. Policy
The University’s administrative and academic data are valuable institutional assets. All members of the University Community of Practice, as defined in the Scope above, are required to use University data in alignment with the administrative, educational, and institutional research functions of the University, regardless of where University data is used or maintained. All members of the University Community of Practice are required to comply with the responsibilities, standards and procedures outlined in this Data Governance Policy. Some individuals will have additional responsibilities based on role. This is explained further in Section III(B), below. Failure to comply with this Policy including, but not limited to, failing to meet role-based responsibilities; using University data for impermissible purposes or in violation of law, regulation, or University policy; failing to report breaches; and/or improperly handling University data could result in an individual being subject to disciplinary action, up to and including separation from the University.
A. Data Governance Program
A Data Governance Program shall be established to guide the strategic use, management, and reporting of University data and to manage the quality, consistency, usability, accessibility, availability, and protection of University data throughout its lifecycle. The Data Governance Program shall ensure that University data is used in compliance with international, federal, state, and local laws and regulations, University policies, and relevant contractual obligations.
The Data Governance Program shall be established by a charter that lays out the objectives of the program, program structure, and program metrics.
B. Roles and Responsibilities
All members of the University community, as defined in the Scope above, are responsible for supporting data governance. This includes not only individuals with management and oversight roles defined by the Data Governance Program, but any user of the University’s institutional data resources. Roles included in the Data Governance Program are set forth here.
Data Trustees are Arcadia University Cabinet members and executive level sponsors who are responsible for overseeing and approving data governance policy, setting overall program direction, and setting priorities for the Data Governance Program. Data Trustees have the following broad responsibilities:
- Management and compliance responsibility for designated institutional data sets within their functional unit and area of responsibility.
- Appointing CORE Team members.
- Appointing a Data Steward(s) for their designated institutional data set(s).
- Provide oversight of the Data Stewards, and with guidance from the Office of General Counsel as appropriate, classify University data within their designated institutional data set(s).
- Support the objectives of the Data Governance Program, including ensuring that appropriate resources are available.
- Promote an institutional culture that embraces the responsible use of data to meet operational and information needs and achieve institutional goals.
CORE Team members are responsible for meeting the objectives of the Data Governance Program charter and addressing issues related to institutional data management at the University. CORE Team members are appointed by the Data Trustees and have the following broad responsibilities:
- Create an annual plan for the strategic direction of the Data Governance Program that includes assessment, analysis, and planning for future improvements.
- Present the annual plan to the Data Trustees to obtain approval of the plan and request associated budget needs.
- Report yearly on the results of the annual plan, to include a report on the overall progression of the Data Governance Program.
- Where necessary, name interim Data Guardians for designated institutional data set(s), until the Data Guardian is named by the Data Steward for the respective area.
- Promote an institutional culture that embraces the responsible use of data to meet operational and information needs and achieve institutional goals.
Data Stewards are key stakeholders who not only work with the data they manage, but also understand its use deeply. Data Stewards are responsible for a designated institutional data set. Data Stewards are appointed by Data Trustees and have the following broad responsibilities:
- Classify University data within their designated institutional data set(s).
- Create functional definitions and usage guidelines for University data.
- Create standards and guidelines to support appropriate data use, data quality, and management procedures across the University.
- Where necessary, name Data Guardians for designated institutional data set(s).
- Share knowledge of University data practices and processes across Arcadia University.
- Communicate process changes that may affect systems or analytics relating to specific data elements.
- Promote appropriate data use, data quality, and management procedures across Arcadia University.
Data Guardians are University employees who are assigned specific data management responsibilities by the CORE Team or a Data Steward. Data Guardians have the following broad responsibilities:
- Manage access and modification requests as authorized by appropriate Data Stewards and/or the CORE Team.
- Implement, update, monitor, and document University Data use, operational standards, and procedures, as well as changes to institutional data sets or data elements.
- Follow appropriate data use, data quality, and management procedures across the University.
Members of the University Community of Practice have the following responsibilities:
- Use University data only to conduct official University business within the scope of the user’s employment, affiliation with the University, or enrollment as a student.
- Use University Data in accordance with international, federal, state, and local laws and regulations, as well as in accordance with University policies, standards, and procedures associated with the use of University data.
- Complete all required University data-related training.
- Report to their supervisor, University sponsor or partner any engaged or observed activities involving the usage of University data in a manner that violates University policies, standards, and procedures associated with the use of University data.
Chief Information Officer is a University official who, in conjunction with the CORE Team and with guidance from the Office of General Counsel, as appropriate, shall establish and maintain a process for reviewing and affirming that University data elements have appropriate classification and are in compliance with relevant laws and regulations.
C. Data Classification
Identification and classification of University data are essential for ensuring that the appropriate degree of protection is applied to University data. Protecting University data is driven by a variety of considerations including legal, academic, financial, and other business requirements.
All University data must be classified and can have only one (1) classification. Any data element that is not classified will be assumed to be of the highest classification level until another classification level is otherwise determined. All University records prepared for archival and business purposes will be classified based on the data element in the record that has the most restrictive classification level.
Classification levels descend from highest risk and most restricted access to least risk and least restricted access, as follows:
- Level 1, Restricted: University data that is protected by international, federal, state, or local laws and regulations, industry laws and regulations, or provisions in government research grants or other contractual arrangements, which impose legal and technical restrictions on the appropriate use of institutional information. Examples of restricted data include but are not limited to: Personally Identifiable Information or Personal Data (PII), non-Directory Information student educational records, Social Security numbers, credit card numbers, health records, and some combinations of personal information (e.g. the combination of name and financial account information).
- Level 2, Sensitive: University data that may not be protected by law, regulation, or contract, but which is considered private and is subject to special treatment. Examples of Level 2 data include but are not limited to: any information that the University has agreed or decided to keep private.
- Level 3, Internal: University data that is proprietary or produced only for use by Data Users who have a legitimate purpose to access such data. Examples of Level 3 data include but are not limited to: financial and budget information of the University prior to publication.
- Level 4, Public: University data and institutional information that has few restrictions and/or is intended for public use. An example of public data includes the University’s website.
D. Data Handling
Improper use of University data can result in risk to the University. The following table provides high-level guidance for how to use and handle University data. Additional guidance may be issued by the Data Governance Program.
Level | Risk of Improper Handling | Access | Sharing | Storage |
---|---|---|---|---|
Level 1 | Improper handling results in severe risk to the institution. | Access limited to those permitted under law, regulation, and University policies. Data Steward approval required. | Encryption is required when transmitting through a network (including transmission over wired and wireless networks, and via email). | Must be stored on University resources, encryption required. |
Level 2 | Improper handling results in high risk to the institution. | Access limited to those with a need to know. Data Steward approval required. | Encryption is strongly recommended when transmitting through a network (including transmission over wired and wireless networks, and via email). | Must be stored on University resources, encryption is strongly recommended. |
Level 3 | Improper handling results in moderate risk to the institution. | Access limited to members of the University community. Data Steward approval required. | Encryption is not required when transmitting through a network (including transmission over wired and wireless networks, and via email). | Must be stored on University resources, encryption is not required. |
Level 4 | Improper handling results in low or no risk to the institution. | Open access / public information. | Encryption is not required during transmission. | No encryption required. |
IV. Definitions
Community of Practice (Data Users): University employees, students, and third-party affiliates authorized to access University data within the scope of the user’s employment, affiliation with the University, or enrollment as a student.
CORE Team: University employees responsible for meeting the objectives of the Arcadia University Data Governance Program Charter and addressing issues related to institutional data management at Arcadia University.
Data Guardians: University employees who are assigned specific data management responsibilities by the CORE Team or a Data Steward.
Data Stewards: University employees who are responsible for a designated institutional data set and who define the appropriate data use, data quality, and management procedures for that data set.
Data Trustees: University employees with planning and policy-level responsibility for University data and management responsibility for a designated institutional data set.
Personally Identifiable Information or Personal Data (PII) is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. (Reference Notice of Privacy Policy)
University means Arcadia University, its colleges, schools, affiliates, divisions, and subsidiaries. For the avoidance of doubt, this includes all affiliates of The College of Global Studies and programs under its purview.
University Community of Practice: all faculty, staff, and students of Arcadia University, as well as contractors, consultants, and all personnel affiliated with third parties with which the University is associated.
University Data: any and all data and information acquired, generated, used or stored by the University.
V. Effective Date
The Effective Date of this Policy is the date that it is signed by the President.
VI. Date of Approval
October 21, 2021