University Policies

Page tree

Versions Compared

Old Version 16

changes.mady.by.user Nelson, Leonard

Saved on

compared with

New Version 17

changes.mady.by.user Nelson, Leonard

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Title: Data Governance Policy
Subject: Information Resources and Technology                                                  
Policy No: IRT:2013:02                                                                      
Applies: University-Wide
Issuing Authority: Senior Vice President for Information Resources and Technology and Chief Information Officer 
Responsible Officer: Senior Vice President for Information Resources and Technology and Chief Information Officer
Adopted: 09/01/2013
Last Revision: 03/18/2021
Last Reviewed: 03/18/2021


I. PURPOSE

To set policy for assigning and detailing responsibilities for managing different classifications of university data and to set forth a standard for custodianship of university data. This policy establishes the framework for standards and guidelines to be followed in creation of data storage, destruction, and access mechanisms including data architectures.

II. ACCOUNTABILITY

Under the President, the Vice President for Information Resources and Chief Information Officer (CIO) shall ensure compliance with this policy. The Provost, Executive Vice President for Administration and Strategic Advancement, Vice Presidents, Deans, IR Directors, and individual managers shall implement the policy. 

III. APPLICABILITY

  1. This policy applies to all individuals accessing University data, including students, faculty, visiting faculty, staff, volunteers, alumni, persons hired or retained to perform University work, external individuals and organizations, and any other person extended access and use privileges by the University under contractual agreements and obligations or otherwise.
  2. Data and records stored on University systems are presumed to be the property of Rowan University. Proper stewardship and custodianship of University data will facilitate access to data that supports the work of those with official educational or administrative responsibilities within the institution that is consistent with legal, ethical, competitive, and practical considerations, and will inform users of data of their responsibilities.
  3. Nothing in this policy precludes or addresses the release of University Data to external organizations, governmental agencies, or authorized individuals as required by legislation, regulation, or other legal vehicle.

IV. DEFINITIONS

  1. Access – the right to read, copy, or query data.
  2. Data – the representation of discrete facts; any information in electronic or audio- visual format, or any hardware or software that enables the storage and use of such information.
  3. Data Administration – the function of applying formal guidelines and tools to manage the University's data resources
  4. Data Consumers  – employees or agents of the University who access University Data in performance of their assigned duties.
  5. Data Custodians  – University officials and their staff who have operational-level responsibility for data capture, data maintenance, and data dissemination.
  6. Data Dictionary – a comprehensive repository that defines and categorizes University Data.
  7. Data Stewards – University officials who have policy-level responsibility for managing a segment of the University's data resource.
  8. Informationwherever possible, this document refers to data rather than information; Information is defined as a collection of data, ideas, thoughts, or memories.
  9. University Data – data that is created, acquired or maintained by University employees in performance of official administrative job duties.
  10. University Data Governance Committee (DGC) – the committee that establishes overall policy and guidelines for the management of and access to the University's University Data in accordance with existing University policies.
  11. University Data Model – a framework that documents the data entities that comprise the University Database and the relationships among those entities.
  12. Metadata – data about data that allows for the systematic definition of data and its elements.
  13. Metadata Management – the process of updating and utilizing the Meta Data to control data related processes and define data in an ever-changing environment.
  14. Recorddata or information in a fixed form that is created or received in the course of individual or University activity and set aside (preserved) as evidence of that activity for future reference
  15. Shared data – a subset of University Data; data that is maintained by more than one organizational unit.

V. POLICY

  1. Regulations, Statuses and Policies
    Responsibility for and access to correspondence and documents created or received by University personnel are governed by the following over-arching policies and legal statutes:
    1. NJ Public Records Law General Statutes
    2. Family Educational Rights and Privacy Act (FERPA)
    3. Health Insurance Portability and Accountability Act (HIPAA) Security Rule
    4. NJ Records Retention Schedule for Four Year College
    5. Americans with Disabilities Act of 1990
    6. The Electronic Communications Privacy Act of 1986 (ECPA)
    7. FTC Red Flags Rules
    8. Gramm Leach Bliley Act (GLBA)
    9. Payment Card Industry (PCI) Data Security Standard
    10. General Data Protection Regulation (EU) 2016/679 (GDPR)
    11. Policy And Procedures On Ethics In Research
    12. Rowan University Information Security Policy and Standards
    13. Rowan University Policy on the Privacy of Electronic Information
  2. University Data
    1. University Data is a valuable asset at the Rowan University. It involves all University constituencies (students, faculty, staff, etc.) and resources (funds, space, technology, etc.) that are captured and used in the operations of the University. It serves as the basis for internal and external reports.
    2. University Data enables administrators to assess the needs of the University community and modify services accordingly. It is vital not only in the day-to-day operations of the University but to short-term and long-term planning as well.
    3. Rowan University exercises control over and access to data even when it is technically open under the public records statutes and even though it requires effort and cost to create and maintain access controls. University data is available only on a need-to-know-basis and requires those individuals seeking access to submit a public records request.
    4. To support all aspects of University operations, University data in print and electronic form will be managed as a strategic asset according to “data governance” policies and procedures. University data is a subset of the university's information resources and administrative records, and includes any information in print, electronic or audio-visual format. This definition includes, but is not limited to, machine-readable data and data in electronic communication systems. It also includes back-up and archived data on all media, and any University data that resides on internal systems or systems hosted outside the control of the University.
    5. University data includes data, in any of the forms described above, that is:
      1. Acquired and/or maintained by university employees in performance of official administrative job duties;
      2. A public record according to the definition included in Federal and State laws;
      3. Relevant to planning, managing, operating, or auditing a major function at the University;
      4. Referenced or required for use by more than one organizational unit;
      5. Included in official university administrative reports.?
    6. Access to University data needs to be controlled by defining criteria for its governance and creating mechanisms for enforcing policies related to it. Rowan’s Data Governance Committee (DGC), chaired by Rowan’s Chief Information Officer (CIO), has policy oversight. Distribution of these and related policies, once approved, will be via the Rowan University Policies page on the RU website. ?This policy establishes the framework for standards and guidelines to be followed in creation of data storage, destruction, and access mechanisms including data architectures. ?
    7. These data architectures will drive physical implementation of databases and be governed according to the provisions of this document.
    8. Data and records stored on University systems  may include data from one or more the following areas within Rowan University AND ARE DESCRIBED IN Exhibit 1.
  3. Governance Roles
    1. No one person, department, division, school, or group “owns” the data used by the University, even though specific units bear the primary responsibility for some data. The University as an organization owns the data (or in some cases, such as with Social Security numbers, is the custodian of data), but a specific person in the role of the “Data Steward”, will be designated with the ultimate responsibility to define how the assigned data is managed within the scope of the legal and regulatory obligations.
    2. The roles and responsibilities assigned to the Data Governance Committee (DGC), Data Stewards, and Data Custodians are included in Exhibits X2, X3, and X4.
  4. Responsibilities of Users
    1. Controlling access to University Data is important to protecting the University and its constituency from liability and acts of malice. All public records requests are routed through University Counsel. University employees, faculty, students, and/or agents will be able to access data only after being granted access according to the procedures specified by the Data Steward.
    2. Permission to access University Data will be granted for legitimate University purposes according to the classification of the data being requested and person making the request. Method of delivery, including email and fax, should be carefully considered to ensure data security and compliance. Requests for University Data from an external source or a University employee for non-University purposes will be handled according to the appropriate Federal and New Jersey Public Records Request statues and case law. Users shall respect the confidentiality and privacy of individuals whose records they may access, observe the ethical restrictions that apply to data to which they have access and abide by applicable laws and University policies with respect to access, use, protection, proper disposal, and disclosure of data.
    3. To the extent that the law permits, as determined by the Office of University Counsel, the University reserves the right to deny University Data access to any person or organization that has demonstrated malicious intent or has violated any aspect of the Data Governance Policy.
  5. Data Retention and Disposition
    1. Rowan University is a state agency, and its offices and departments are obligated to follow the requirements of the Federal and New Jersey Public Records Law for retention and disposition of records. It should be noted here that University Data might not be destroyed without an approved records retention and disposition schedule that authorizes destruction.
    2. Decisions governing data retention are made based on the content of the data and in conjunction with the department’s approved records retention and disposition schedule. Some types of data may be retained for a long period of time by approved schedules, by policy, or by law. Other types must be purged or destroyed after a certain period of time, again for reasons of preference, policy, or statute. For any circumstance in which data retention is an issue, specific requirements should be clearly documented and should include, at a minimum, the following:
      1. The rationale for the retention rule
      2. The timeframe of the retention rule
      3. The method of either saving or disposing of the data according to the retention rule    

...