624 Data Governance Policy

 

 

  1. Purpose

    College Data is an asset to all constituencies at Centre College (students, faculty, staff) and requires the coordinated use of significant resources (funds, space, technology, etc.) involving all operations of the College. College Data enables the institution to assess the needs of the College community and to manage and modify its services and operations accordingly. It is vital not only in the day-to-day operations of the College but to short-term and long-term planning, and it serves as the basis for internal and external reports.

     

    Appropriate and timely access to College Data is critical for the efficient and effective operation of the College. Controlling access to College Data and keeping data confidential is also important to protect the College from accidental loss or destruction of data, liability, and acts of malice.

     

    The objectives of this policy are to:

    • Detail responsibilities for managing College Data.
    • Establish a framework for standards and guidelines to be followed in the creation of data storage, destruction, and access mechanisms.
    • Develop and implement data management policies and standards, and ensure they are consistently applied by college data users
    • Educate the college community on how data enables strategic decision-making – linking data to strategic outcomes
    • In partnership with Privacy and Information Security Management practices, support proactive monitoring and mitigation of privacy and information security risks while facilitating data accessibility
    • Develop a culture of sharing data and a collective understanding of the value of data to measure progress and inform plans
    • Foster automation of business processes by ensuring trustworthy and usable data is available
    • Establish the foundation for an analytics program for Teaching and Learning, Research and Administration that enables data driven decision-making
    • Lead the development of standard definitions needed to ensure data quality
  2. Scope 

    This policy is applicable to all individuals accessing College Data (Users of College Data). This policy deals primarily with electronic data which is stored in a college system, vendor system or electronic media (both on and off-line). This policy falls under the overall Centre College Records Management Policy.

    Nothing in this policy precludes or addresses the release of College Data to external organizations, governmental agencies, or authorized individuals as may be required by legislation, regulation, or other legal obligation.

  3. Definitions

For purposes of this policy, the following definitions apply:

Access – the ability to read, copy, modify, delete, or query data.

College Data – Data that is created, acquired, or maintained by the College. College Data includes, but is not limited to, Data that is: (a) acquired and/or maintained by College employees in the performance of administrative job duties; (b) relevant to planning, managing, operating, or auditing a major function at the College; or (c) referenced or required for use by more than one organizational unit. College Data may reside on College-owned systems or systems owned by third parties.

Users of College Data – any person extended access and use privileges to College Data. Includes students, faculty, visiting faculty, staff, volunteers, alumni, persons hired or retained to perform work for the College, and any other person extended access and use privileges by the College under contractual agreements or otherwise.

Data Custodians – College officials and their staff who have operational-level responsibility for data capture, data maintenance, and data dissemination.

Data Owners – College officials who have policy-level responsibility for managing a segment of College Data.

Health Information – health data created, received, stored, or transmitted in relation to the provision of healthcare, healthcare operations and payment for healthcare services.

  4. Statement of Policy

Responsibility for and access to College Data is governed by the following policies and legal statutes:

Family Educational Rights and Privacy Act (FERPA)

Health Insurance Portability and Accountability Act (HIPAA)

Gramm-Leach-Bliley Act (GLBA)

European Union General Data Protection Regulation (GDPR)

Payment Card Industry (PCI) Data Security Standard

Centre College Information Security Policy

Centre College Records Management Policy

  5. Roles and Responsibilities

Data Owners

The College as an organization owns its data (or, in the case of Social Security numbers or other personal data, is the custodian of the data), and specific departments and positions in the role of Data Owners are responsible for different segments of that data. Those departments and Data Owners shall define how the assigned data is managed within the scope of the legal and regulatory obligations. Data Owners are listed in the Records Retention Schedule.

Data Owners are responsible for:

  • Assigning Data Custodians in their respective area(s), the status of which is documented in Exhibit 2.
  • Enforcing the requirements of this policy.
  • Setting additional/internal standards, procedures, and expectations for how Data Custodians manage College Data. Data Owners are empowered to determine if their data was overseen appropriately by their designated Data Custodians.

Data Custodianship

Data Custodians will authorize access to College Data only on a need-to-know basis. Individuals seeking access will submit a request for approval to the appropriate Data Custodian who has responsibility for the data at issue.

Data Custodians will grant access to College Data for legitimate College purposes according to the classification of the data being requested and the internal expectations set by their Data Steward. The method of transmittal of any College Data must follow the College's security standards shown in Attachment 3. Data Custodians are listed in the Records Retention Schedule.

Data Handling

Users of College Data shall respect the confidentiality and privacy of individuals whose records they may access and shall abide by applicable laws and College policies (listed in Section 4) with respect to access, use, protection, proper disposal, and disclosure of data.

To the extent that the law permits, as determined by the Office of General Counsel, Data Owners reserve the right to deny access to any person or organization to College Data for any reason.

Data Retention and Destruction

Data retention and destruction is covered by the Centre College Records Management Policy and includes data retention requirements, schedules, and practices.

Compliance

The Executive Director, Information Technology Services shall ensure compliance with this policy. Data Owners and Data Custodians shall implement the policy as described above.

Violations of this policy may result in disciplinary action, in accordance with Centre College's Human Resources and/or Student Conduct policies and any additional collective bargaining agreements. Please review the applicable Acceptable Use Policy for details.

  6. Data Sharing and Governance

Governance

There are four main functions managing college data to ensure it is properly secured and is available for use by approved individuals and organizations.

            Data Strategy Committee (Attachment 1) is the senior group responsible for the overall management system.

            Data Governance Committee (Attachment 2) manages the implementation of the policy and monitors its execution across the campus.

            ITS Department ensures college systems and data are properly secured, monitored, and maintained. ITS also manages user permissions and access based upon decisions made by the committees.

            Data Custodians manage the day-to-day process of maintaining data in the various systems and sites used by the college.

Reporting and Analytics

Data Governance strives to ensure the college will have reliable and consistent data to assess performance and support decision-making. This is achieved by having data that is available, accurate, complete, secure, and trustworthy. To this end, data ownership, roles and responsibilities, processes, standards, and policies as defined within the Data Governance program underpin the foundation of any successful Reporting and Analytics initiative. Furthermore, governance over reporting, including having a set of standards and guidelines, is required to promote clear communication about data to users. In addition, standard definitions and approved sources of data will guard against inconsistencies or misinterpretations of the data reported. Knowing that the data can be relied on, the college can trust the delivered reports and confidently base its business decisions on them to optimize operations and strategies.

Data Principles and Key Definitions

Centre College, its faculty, staff, and students retain ownership of the data and subsequent computational transformations of the data they produce. Individual data owners have the right to determine how their data will be used. Centre College acts as Owner of data on behalf of its faculty, staff, and students. Decisions to share and use data will be governed by the following principles:

Ethical Use: Data collection and use are governed by institutional concerns, with an aim toward student success through prescriptive, descriptive, or predictive methodologies. As with grades and other sensitive data, uses of learning analytics should be pursued on a “need to know” basis.

Transparency: Data owners have a right to understand the specific methods and purposes for which their data are collected, used, and transformed, including what data are being transmitted to third-party service providers (and their affiliated partners).

Protection: Custodians, on behalf of data owners, will ensure data is secure and protected in alignment with all federal, state, and university regulations regarding secure disposition.

Access and Control: Data owners have the right to access their data, and the Data Owners act on their behalf. Data retention, access, and control practices will be governed under Centre College policies and supplier contractual agreements.

Service Provider Security: All service provider platforms on which student learning data are stored will conform with Centre College mandated security procedures governing the reporting of unexpected incidents and corrections that may occur.

Information Security: Data Owners will ensure that all faculty, staff, and student data is stored securely in conformance with the College’s security policy. Data Owners will report any data security incidents to the ITS department and the Data Privacy Officer as soon as possible for remediation and reporting. Data use will be viewed through the prism of the intended audience and the risk of disclosure to the institutional operations, assets, or reputation:

Public: Intended for disclosure – no risk to the college

Internal:  Used in the day-to-day operations of the campus – minimal risk

            Examples: Executive Directory data, non-public policy documents

Restricted:  Restricted internal use to specific functions or offices – potential for serious risk to the college

            Examples: SSN, Birth Dates, Financial Information, Information covered by confidentiality agreements.

 

Exhibits

Exhibit 1: Data Strategy Committee

Exhibit 2: Data Governance Committee

Exhibit 3: Data Classification Guideline and Data Transmittal and Storage Requirements

 

Exhibit 1:  Data Strategy Committee

 

Data Strategy Committee

The Data Strategy Committee is the senior decision-making body for the college; it is responsible for setting policy and provides strategic oversight for all college data. This covers storage, collection, management, use, sharing and proper destruction. The committee sets the vision and priorities for the program and ensures data initiatives are aligned with institutional goals. The committee is also the final approval body for data policies, monitors progress toward meeting goals and resolves any conflicts raised by the Data Governance Committee.

The Data Strategy Committee will meet as needed and will consist of the following members who are owners of the key data sets used by the college:

            Vice President Academic Affairs (Faculty and Student Data)

            Vice President, Human Resources (Employee Data)

Vice President, Finance (Financial Data)

Vice President, Admissions (Applicant Data)

Executive Director of Strategic Initiatives and External Relations

            Director of Research (IRB Data) (Ex Officio)

            Executive Director of ITS (Data Storage and Security) (Ex Officio)


 

Exhibit 2:  Data Governance Committee

 

The Data Governance Committee manages the implementation of Data Strategy Committee decisions, policies, and processes as it pertains to college data. The committee is staffed by functional leaders who are knowledgeable about data use across the campus and is primarily comprised of the lead Data Custodians from the college’s core business units.

The functions of the Data Governance Committee are:

  • Drafts and manages the Data Management and Records Retention Policy/Inventory
  • Enforces data retention and ensures proper removal and destruction
  • Manages data stewardship structures
  • Drafts policy recommendations
  • Arbitrates requests for access to data and works with the ITS Data Analyst to ensure proper storage and availability of key dashboards, reports, and data sets.
  • Sets access rules

The Data Governance Committee will meet as needed and will consist of the following members/representatives who are stewards of the key data sets used by the college:

            Director of Research (Chair)

            Associate Director of ITS, Database Systems

            Data Analyst, ITS

            Digital Transformation Specialist

            Academic Affairs (Registrar, Library, CCPD, CG)

            Human Resources

            Diversity Affairs

            Finance

            Admissions

            Financial Aid

            Student Life

            Student Success

            Athletics

    Alumni

 

Exhibit 3: Data Classification Guideline and Data Transmittal and Storage Requirements

 

The table below lists the categories of data and examples. Any data that falls into multiple categories is managed in accordance with the higher security category for protection purposes. If you have questions about the classification of data, contact your Department Records Officer or the Executive Director of Information Security and IT Infrastructure.

 

Data Classification Guideline and Data Transmittal and Storage Requirements

DATA CLASSIFICATION

High Risk (PII, GLBA, PCI, and PHI Data): Data whose loss, corruption, or unauthorized access would pose an extreme identity or financial risk to the College, a school partner, or the public and may require notification of a governmental regulator and/or affected users.

  • Social Security Number
  • Credit/Debit Card Number
  • Bank/Financial Account Numbers
  • HIPAA or medical records
  • Passwords or Biometric data
  • Driver's License or State ID number
  • FERPA records

Moderate Risk:  Data whose loss, corruption, or unauthorized access would impair the academic, research, or business functions of the College or is not available to the public.       

  • Student ID
  • Employee ID
  • HR Documents
  • College Proprietary Data or Intellectual Property
  • Copyrighted College or Student material
  • Board meeting minutes
  • Expense reports
  • Litigation materials
  • Software license numbers
  • College infrastructure plans
  • System configuration/log files
  • Training data

Low Risk: Data to which the public has access        

  • Any data found publicly on www.Centre.edu
  • Policies
  • Publications
  • Academic Calendar
  • Campus Maps

DATA TRANSMITTAL AND STORAGE

  All members of the Centre College community and its working partners are responsible for the proper handling, transmittal, and storage of College Data. All individuals and departments must follow the policies and procedures of the College to ensure proper data protection and usage. Any partner, consultant, or vendor that needs access to or shares any non-public College Data must sign a Third-Party Data Security Agreement.

Below is the Data Transmission and Storage Table by which all members of the Centre College community, all working partners, vendors and consultants must abide when transmitting and storing College Data.

Data Transmittal and Storage

High Risk (PII, GLBA, PCI, and PHI Data)

Data Transmission: Centre College IT Dept. approved encryption is REQUIRED when transmitting any information over a network. Third party email or file transfer services are prohibited when transmitting High Risk information. High Risk numbers/data may be redacted instead of encrypted.

Data Storage: High Risk data is PROHIBITED from being stored on local computing hard drives or storage equipment. All High-Risk data should be stored and/or transmitted via Centre College's approved file storage system (Alfresco), encrypted Centre Email, approved contractual partners, or IT maintained databases. If given approval for local storage, Centre College IT Dept. approved encryption MUST be used for all data. Data may be redacted instead of encrypted if on Centre College owned equipment. Data stored by external partners MUST always be encrypted. Printing of High-Risk data is strongly discouraged. Printed data must be stored in a secure and locked area. Printed data may also be redacted to prevent unauthorized access. All high-risk data, whether printed or electronic, must be securely destroyed when no longer in use or required for retention by the College.

Moderate Risk

Data Transmission: Centre College IT Department approved encryption is REQUIRED when transmitting any information over a network. Third party email or file transfer services are prohibited when transmitting Moderate Risk information. Moderate Risk numbers/data may be redacted instead of encrypted.

Data Storage: Moderate Risk data is PROHIBITED from being stored on local computing hard drives or storage equipment. All Moderate Risk data should be stored and/or transmitted via Centre College's approved file storage system (Alfresco), encrypted Centre Email, approved contractual partners, or IT maintained databases. If given approval for local storage, Centre College IT Dept. approved encryption MUST be used for all data. Data may be redacted instead of encrypted if on Centre College owned equipment. Data stored by external partners MUST always be encrypted. Printing of Moderate Risk data is discouraged. Printed data must be stored in a secure and locked area. Printed data may also be redacted to prevent unauthorized access. All moderate risk data, whether printed or electronic, must be securely destroyed when no longer in use or required for retention by the College.