...

Example Data Classification Matrix

Area         Classification      Steward                  Custodian
Donations    Highly Sensitive    University Foundation    IRT
Clinical     Highly Sensitive    Rowan/SOM                IRT
Student      Sensitive           Registrar                IRT
Employee     Sensitive           HR                       IRT
Financial    Sensitive           Finance                  IRT
Curriculum   Public              Academic Affairs         IRT

ATTACHMENT 2

ROWAN UNIVERSITY DATA AND RECORDS

Data and records stored on University systems may include data from one or more of the following areas within Rowan University:

  1. Alumni Affairs and Development Data—supports all aspects of alumni and development data. This includes personal data, demographic data, income, and giving data.
  2. Clinical or Medical Data—supports the management of personal medical information within the University. This data includes patient medical records, benefits, and other related clinical information. Note that HIPAA applies to all personal medical data and patient records of students, faculty, employees, or patients regardless of where it is collected or stored. This includes the University’s student wellness center(s), health clinics, or related research activities.
  3. Facilities Data—supports the facilities and services resource of the University including space planning data, construction, maintenance and operational data, reservations, energy consumption data, and physical descriptive data.
  4. Financial Data—supports the management of fiscal resources of the University and includes accounting, accounts payable, accounts receivable, budgeting, capital assets, investments, inventory, loans, payroll information, purchasing, risk management, and treasury.
  5. Human Resources Data—supports the management of employee resources of the University. This data includes employee demographics, benefits, retirement and EEO data, vitas, employee evaluations, promotion and disciplinary data. Note that FERPA applies to the HR records of students whose enrollment is a contingency of their employment (TAs, work study awards, etc.). While student data is always student data, Human Resources Data can be both part of the student record and the Human Resources record.
  6. Information Technology Data—supports the provisioning and management of the technology infrastructure provided by Information Technology Services.
  7. Library and Information Resource Data—supports the management activities and information resource collection activities of the University libraries, including databases of purchased and locally produced information and digitized files of University archives and other special collections.
  8. Personal Registry Data—supports the management of identity and authentication for individuals associated with the University, including the creation of unique data elements (such as Banner ID and Student Cards) that provide unambiguous identification and resolution for merging of identity records. Personal registry data can be used to provision other applications that are managing privileges to authorized individuals or groups.
  9. Student Data—supports all phases of a student’s relationship with the University from application through alumni status except as noted elsewhere. This includes, but is not restricted to, demographic data, academic records, disciplinary and medical records, course information, admissions data, housing, and financial aid, as well as employment with the University, which is dependent on student status. Storage, retrieval, destruction, back-up, and data access, among others, to student records are an important part of this policy.

ATTACHMENT 3

DATA GOVERNANCE COMMITTEE

The Data Governance Committee (DGC) is an official University committee that reports to the President of the University and is chaired by the University CIO. The DGC will advise the President on the development and enforcement of the University’s Data Governance Policy. While the DGC will operate in an advisory role, only the CIO retains the authority to approve and enforce data governance policies, procedures, and standards.

...

  1. Access – Defining a single set of procedures for requesting permission to access data elements in University databases, and, in cooperation with Data Stewards, documenting these common data access request procedures.
  2. Conflict Resolution – Resolving conflicts in the definition of centrally-used administrative data attributes, data policy, and levels of access.
  3. Data Governance – Establishing policies that manage University Data as a University resource and communicating the policy to the University community.
    • Overseeing the administration and management of all University Data.
    • Resolving issues with regard to standard definitions for data elements that cross stewardship boundaries.
    • Establishing specific goals, objectives, and action plans to implement the policy and monitor progress in its implementation.
    • Identifying data entities and data sources that comprise University Data. As this is an on-going process, the committee will add data entities and sources to the scope of University Data, as circumstances require.
    • Prioritizing the management of University Data. This includes identifying which data is most critical and assigning management priorities to all data entities and sources.
    • Consideration of delivery modes for transmitting University data.

    The DGC, in consultation with University Counsel and the Information Security Office, will also advise on policies related to contracts with vendors whose products or services may process, store, or exchange data with University systems, including third party contracts for secondary systems that share data housed in the University’s primary systems such as Banner.

  4. University Data Model – Overseeing the establishment and maintenance of the University Data Model and Data Architecture, which includes defining the standards for documentation of data elements.
  5. Shared Data Management – Defining attributes and assigning maintenance responsibilities for data accuracy, retention, disposition, and preservation. Note that oversight of University data, which is a public record, should be managed according to the Public Records Law and the approved records retention and disposition schedules that are created in University Archives and Records Management Services. 

ATTACHMENT 4

DATA STEWARDS

University staff designated as “Data Stewards” have the primary administrative and management responsibilities for University Data within their functional area. Data Stewards have that role by virtue of their positions. For example, the Sr. Vice President for Human Resources has stewardship responsibility for HR data.

...

  1. Access – Approving requests for access to data, specifying the appropriate access procedure, ensuring appropriate access rights and permissions according to classification of data.
  2. Communication – Ensuring that consumers of the data for which the Data Stewards are responsible are aware of information handling procedures.
  3. Compliance – The Data Steward is ultimately responsible for compliance with applicable University policies, legal and regulatory requirements. Stewards must be knowledgeable about applicable laws and regulations to the extent necessary to carry out the stewardship role. Furthermore, Stewards must take appropriate action if incidents violating any of the above policies or requirements occur.
  4. Consultation – Providing consulting services as needed to assist data users in the interpretation and use of data elements for which they are responsible, including the Data Custodian.
  5. Coordination – Ensuring that, where required, Information Security Liaisons are designated for their respective business unit; specifying data management and protection requirements to Data Custodians.
  6. Data Classification – Classifying each data element according to University definition: Highly Sensitive (high risk), Sensitive (medium risk) and Public (low risk).
  7. Documentation – Ensuring that documentation exists for each data element to include, at a minimum, the following: data source, data provenance, data element business name, and data element definition.
  8. Data manipulation, extracting, and reporting – Ensuring proper use of Data and recommending appropriate policies regarding the manipulation or reporting of University Data elements and implementing business unit procedures to carry out these policies.
  9. Data quality, integrity, and correction – Ensuring the accuracy and quality of data (access and logging controls, backup, etc.) and implementing programs for data quality improvement.
    • Developing procedures for standardizing code values and coordinating maintenance of look-up tables used for University Data.
    • Determining update precedence when multiple sources for data exist.
    • Determining the most reliable source for data.
  10. Data lifecycle and retention – Ensuring appropriate generation, use, retention and disposal, etc. of data and information consistent with University Policies, among them Information Security Policy and standards for disposal.
  11. Data stewardship – Other responsibilities as necessary, including exercise of due care in the selection of Data Custodians to ensure these responsibilities are adequately and consistently executed.
  12. Data storage – Documenting official storage locations and determining archiving and retention requirements for data elements.
  13. Education – Ensuring that employees responsible for managing the data are provided education in data retention, data handling, and data security.
  14. Policy implementation – Establishing specific goals, objectives, and procedures to implement the policy and monitor progress toward implementation. 

ATTACHMENT 5

DATA CUSTODIANS

Data Stewards may appoint Data Custodians who will assist Stewards with data administration activities. The Data Custodian is given specified responsibilities and receives guidance for appropriate and secure data handling from the Data Stewards. A Data Custodian has the responsibility for the day-to-day maintenance and protection of data.

...