Administrative Policies and Procedures Manual - Policy 2580: Data Governance
Date Originally Issued: 01-28-2016
Authorized by RPM 3.1 (“Responsibilities of the President”)
Process Owners: University President; Provost and Executive Vice President for Academic Affairs; Executive Vice President for Administration
The University’s enterprise computer systems house vast amounts of data related to finances, students, staff, faculty, and sponsored research. The data in these systems, such as Banner, are valuable institutional assets that support the University’s central missions of teaching, research, and service. Additionally, these data play an increasing role in developing and implementing the University’s strategic goals. To facilitate effective decision making, University data must be accessible, accurate, secure, and easily integrated across the University’s enterprise systems. This policy authorizes a framework for ensuring that University data meet these criteria. For the purposes of this policy, data housed in and retrieved from the University’s enterprise systems are referred to as “University data.”
Additional information about UNM data governance can be found at data.unm.edu.
2. Policy Scope
2.2. Data Governed by This Policy
The scope of this policy is limited to University data, the data housed in and retrieved from the University’s enterprise systems. University data may be used in University operations, institutional decision making, required reporting, official administrative reports, or may be shared with third parties.
2.3. Data Not Governed by This Policy
The following types of data are excluded from the scope of this policy:
- Data in systems managed by the Health Sciences Center, which has its own data governance structure, chief information officer, and information technology security infrastructure.
- Data provided to UNM by external entities for research and other purposes, which are governed by the terms of the applicable data-sharing agreements.
- Data that are created by individual employees or departments, for which supplemental information technology systems are created and managed by departments. These systems require the assigned data custodians to ensure compliance with relevant policies and Information Technology Standards (see Section 7).
3. Roles and Responsibilities
The governance of University data is guided by the Data Governance Committee, which operates under the authority of the President. Successful governance of University data requires the collaboration and contributions of individuals in various roles, including data owners, data custodians, data stewards, and data users. These roles and responsibilities are described below.
3.1. Data Owners
Data owners are appointed by the President, the Provost and Executive Vice President for Academic Affairs, and the Executive Vice President for Administration. They are typically senior administrators who have authority to determine business definitions of data, grant access to data, and approve the secure usage of those data, for the functional units within their delegations of authority. By understanding the information needs of the University, data owners are able to anticipate how University data can be used strategically to meet the University’s mission and goals.
Data owners have ultimate authority and responsibility for the access, accuracy, classification, and security of the data within their delegations of authority. Each owner appoints data stewards for specific subject area domains.
3.2. Data Stewards
Data stewards are appointed by data owners, and are University officials who have direct operational-level authority and responsibility for the management of one or more types of University data. Data stewards authorize and monitor the secure use of data within their functional areas to ensure appropriate access, accuracy, classification, and security. The current list of data stewards is available at data.unm.edu.
Data stewards shall maintain a log of completed requests for University data classified as confidential or higher. Logs will be provided to the appropriate data owner at the close of each fiscal year, and should include the date; the name, title, and department of the requestor; the data requested; and the business purpose of the request. Data stewards shall maintain copies of logs for a minimum of three years, and the logs will be made available to the Data Governance Committee or individual committee members upon request.
Data stewards shall, at the close of each fiscal year, provide the Data Governance Committee with reports regarding the management, protection, and effectiveness of efforts to ensure the integrity and usefulness of University data. The contents of the reports should include how data are being used, data quality issues, data classification, and possible compliance concerns.
3.3. Data Custodians
Data custodians are responsible for the operation and management of technology, systems, and servers that collect, store, process, manage, and provide access to University data. Data custodians typically are associated with technical functions of the University, but may also include systems administrators within academic and administrative units. Information Technologies is the official data custodian for data in the University’s enterprise systems. In those cases where University data are stored or maintained on departmental systems, the department shall appoint a data custodian who is responsible for ensuring compliance with this policy, as well as other relevant policies and Information Technology Standards.
3.4. Data Users
Data users are authorized individuals who have been granted access to University data in order to perform assigned duties or functions within the University. When individuals become data users, they assume responsibility for the appropriate use, management, and application of security standards for the data they are authorized to use. As such, data users must work with data stewards and data custodians to ensure that they understand applicable contractual and regulatory requirements and University policies and standards. Any use of University data beyond the initial scope requires approval by the appropriate data steward.
3.5. Data Governance Committee
Under the authority of the President, the Data Governance Committee has responsibility for the strategic guidance of data governance at UNM. The Committee advises the President, Provost and Executive Vice President for Academic Affairs, and Executive Vice President for Administration on the use of University data. It will work to resolve conflicts and remove barriers related to the development, access, use, collection, or reporting of University data. It may issue guidelines or procedures to facilitate improved access, use, integrity, and usefulness of University data. Data owners may, at their discretion, ask the Data Governance Committee to evaluate data uses that span multiple ownership domains or involve atypical usage arrangements.
It is the responsibility of the Data Governance Committee to communicate with and reach out to relevant University committees and stakeholders concerning issues of data accessibility, accuracy, and security.
3.5.1. Committee Membership
The Data Governance Committee is appointed by the President and includes data owners from key administrative units of the University. The Chief Information Officer, the University Information Security and Privacy Officer, and the Director of Institutional Analytics shall also be members of the Committee. A representative from the Health Sciences Center will serve as an ex officio member of the committee. The Committee may, at its discretion, decide to add ex officio or advisory members. Voting members of the Committee may be added only with the approval of the President.
4. Collaborative Data Governance
The University shall maintain and publish a list of the designated data owners, data stewards, and data classifications for University data in the enterprise systems. As articulated in this policy, specific operational responsibilities are delegated to individual data owners, stewards, custodians, and users.
It is the responsibility of data stewards to understand the institution’s business needs and facilitate appropriate access to the required University data. Should the data steward have questions regarding the legitimacy of a data request or business need, the data steward shall validate the need with the data owner. Data stewards and data custodians will also coordinate with the campus Information Security and Privacy Officer to ensure that adequate security controls are identified, implemented, and functioning as designed and intended.
Data stewards, in consultation with the appropriate data custodians, shall publish processes for requesting and monitoring access to University data and periodically audit access to data. As used in this context, “access to data” refers both to access to the University’s enterprise systems and to access to University data provided to users through data requests made of data owners, data stewards, or data custodians.
5. Classification and Use
All University data must be assessed and classified according to their business or economic value to the University and their security and confidentiality requirements. Once data are classified, the classification determines the appropriate administrative, physical, and technical safeguards and controls. Data owners are responsible for overseeing the classification of data within their functional areas. Data owners, in collaboration with the Information Security and Privacy Officer, data stewards, and data custodians, are responsible for ensuring that appropriate and effective safeguards are applied to those data. For additional information on data classification, refer to http://data.unm.edu/data-classification.html.
6. Sensitive and Protected Information
Nothing in this policy is intended to authorize inappropriate or unlawful access to sensitive and protected data or other information to which access is restricted under law, as referenced in such policies as UAP 2520 (“Computer Security Controls and Access to Sensitive and Protected Information”) and UAP 2550 (“Information Security”).
7. Related Policies and Guidelines
UAP 2500 (“Acceptable Computer Use”)
UAP 2520 (“Computer Security Controls and Access to Sensitive and Protected Information”)
UAP 2550 (“Information Security”)
UAP 2560 (“Information Technology Governance”)
Information Technology Standard for UNM Data Classification
UNM Sensitive Information Stewardship and Confidentiality Statement