8.2.1.17 Data Governance Policy - Pending President Approval

Purpose

The University of Oklahoma (OU) recognizes that Institutional Data is an asset and critically important to effectively supporting OU’s mission. The value of data as an institutional resource is increased through its widespread and appropriate use; its value is diminished through misuse, misinterpretation, or unnecessary restrictions to its access. The university has an obligation to protect the integrity and quality of Institutional Data, privacy of data subjects, and security of Institutional Data while also maximizing its effective and efficient use. This policy establishes the minimum requirements for the management and stewardship of Institutional Data resources.  

Definitions

See Information Technology and Security Definitions 

Scope

This policy applies to: 

  • All Institutional Data and Institutional Data products regardless of where they reside.   
  • All information technology systems and applications that generate, collect, store, maintain, transmit, or record Institutional Data; regardless of system and application manager, owner, or location.  
  • All individuals who develop, manage, administer, or support information technology systems and applications that generate, collect, store, maintain, transmit, or record Institutional Data. 
  • All individuals who handle, use, process, store, or manage Institutional Data.  

Responsible Office

The Chief Information Officer (CIO), with assistance/support from the Office of Compliance, is responsible for administering this policy and ensuring compliance.  Internal Audit or other departments may periodically assess compliance with this policy and report violations to the Board of Regents. 

Web Address For This Policy

To Be Determined

Policy Statement

Institutional Data shall be accessible, accurate, easily integrated across system(s), and utilized to support the operations of OU by establishing data definitions and a community of data stewards to enable OU’s institutional reporting efforts in support of strategic planning. 

Roles and Responsibilities

Data governance shall be a core capability that is an integral part of OU's culture.  Clear delineation of roles and responsibilities in data governance allows the University to ensure controls are being appropriately followed and enforced and to create a set of checks and balances.  The following roles and responsibilities are established by this policy.

  1. Data Owner:  A senior university administrator (Vice President, Dean, or above) accountable for the creating and maintenance of one or more Authoritative Sources of data relied upon for key university operations.  See University Leadership.
    1. Data Owners have authority over and are responsible for strategic planning and setting policy for their data domain(s).
    2. Data Owners are responsible for understanding the value, purpose, and usage of their respective data assets.The Data Owner(s) will ensure compliance with Data Governance policies, standards, and processes.
    3. Data Owners appoint Data Steward(s) over specific data domains and are responsible for the activities of the Data Steward(s).
    4. Data Owners have the authority to make decisions regarding data access, permissions, retention, and expunction, ensuring that data is used appropriately and in alignment with goals and regulatory requirements.
    5. Data Owner(s) will also work with Data Steward(s) to address data related issues and advance Data Quality initiatives.
    6. Data Owner(s) play an indispensable role by promoting data stewardship, tending data-driven decision making, and ensuring the integrity, availability, and reliability of their data assets.  
    7. Data Owner(s) are responsible for ensuring the Data Program implements and enforces data governance policies and appropriate use guidelines.  See Data Protection Standards.
  2. Data Steward:  An individual, or group, appointed by a Data Owner who is primarily responsible for implementing rules and procedures needed to ensure data and security policies set by the Data Owner are enforced.  Data Steward(s) are high-level functional end user(s) within an operational area who is deemed an expert in using data managed by the area or system.  Any individual who creates an Authoritative Source or SOR is responsible for performing the duties of a Data Steward.  The Data Owner and the Data Steward may not be the same person.
    1. Data Steward(s) act as custodians of data, working closely with business units and IT teams to establish and enforce data governance policies and processes.
    2. Data Steward(s) play a crucial role in ensuring the accuracy, integrity, and availability of data throughout its lifecycle.
    3. Data Steward(s) are accountable for various tasks including data profiling, data quality assessment, data classification, data privacy, and regulatory compliance.
    4. Data Steward(s) are also responsible for Metadata management, maintaining data dictionaries, Data Lineage, and other essential information about data assets.
    5. Data Steward(s) serve as the subject matter experts on data governance matters, provide guidance on data-related inquires, and ensure that data governance principles are understood and followed across their data domain.  See OU Data Owners and Stewards.
    6. Data Steward(s), based on policies set by Data Owners, control and monitor access to data within their scope of responsibility in accordance with the Identity and Access Management Policy.
    7. Data Steward(s) provide documentation and training for Data Users to support Institutional Data needs.
  3. Data User:  An individual or group using data input for processing or analysis.  Access to Institutional Data is contingent on following all applicable policies and procedures and can be revoked by the Data Owner in cases of inappropriate use.
    1. Data User(s) are expected to access, use, and release data in an intentional and controlled manner that permits an appropriate level of disclosure, ensures the timely receipt of accurate data by interested parties, enables accurate and meaningful interpretation and use of the data, and protects the confidentiality of individuals.  See Data Protection Standards.
    2. Data User(s) are responsible for using data and information appropriately and using the most accurate and current data and information available.  
    3. Data User(s) who have been granted access to sensitive data (e.g., personal information, social security number, date of birth, gender, address, StudentID, EmployeeID, medical record number) must respect all individual privacy rights and guarantees of confidentiality consistent with applicable laws and policies regarding the collection, use, and disclosure of personal information.  Examples of sensitive data that must be safeguarded are data protected by federal and state laws, including without limitation, the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, as well as any retained personal financial and regulated research data such as Controlled Unclassified Information (CUI).
  4. Data Protection Officer (DPO):  The DPO is an individual who provides professional knowledge in data protection law and IT security, and is responsible for:
    1. Maintaining compliance with all relevant data protection laws
    2. Monitoring data processes (e.g., privacy impact assessments)
    3. Educating all users involved in data processing
    4. Conducting regular security audits
    5. Collaborating with supervisory authorities
  5. Office of Information Technology (OU IT): The Office of Information Technology is responsible for:
    1. Maintain the Data Governance Program defining roles, responsibilities, and expectations to be reviewed annually.  
    2. Maintain Data Governance Policies, Standards, and Procedures.
    3. Maintain Data Warehouse and Data Catalog processes and tools.
  6. Asset Administrator:  An individual or group, with principal responsibility for: the installation, configuration, security, and ongoing maintenance of assets.  The administrator role is usually performed by personnel with a central or departmental Information Technology job title.  The Asset Administrator is responsible for:
    1. Asset Administrator(s) are responsible for infrastructure security, understanding and enforcing data access policies, and creation and maintenance of any Data Program-specific data definitions and/or appropriate use guidelines.
    2. Asset Administrator(s) are responsible for obtaining Data Owner or Data Steward approval prior to releasing or granting access to data.
    3. Asset Administrator(s) collaborate with Data Owner(s) and Data Steward(s) to ensure policies and standards properly protect data assets.

Data Governance Framework

Governance, generally, includes the people, processes, and technology necessary to guide decision making around technology issues.  This policy establishes the following decision making and advisory bodies needed for successful Data Governance.

    Information Technology Executive Steering Committee:  The IT Executive Steering Committee (ITESC) members serve as Executive Sponsors of the Data Governance Program and have approved the creation of the University’s IT Governance framework.  ITESC is responsible for:
    1. Aligning system-wide IT strategies, projects, and capabilities with OU strategy.
    2. Prioritizing initiatives to maximize the value and efficiency of distributed and central IT.
    3. Committing to business transformations that support system-wide technology efficiencies.
    4. Facilitating two-way communication about IT initiatives with stakeholders.
    5. Ensuring appropriate OU IT policies are in place.
    6. Supporting key IT initiatives within the broader OU community.
    7. Overseeing and coordinating IT Governance framework committees.
  2. Administrative Systems Advisory Committee:  The Data Governance Committee reports through the Administrative Systems Advisory Committee (ASAC) which is comprised of senior managers or directors who may be Data Owners or Stewards accountable for the data within their domains.  ASAC is responsible for:
    1. Identifying and aligning needs and opportunities across the system to maximize the return on investment for administrative technologies.
    2. Reviewing existing technologies, services, policies, inventories, and project plans in the context of value and positive impact.
    3. Recommending and prioritizing projects, enhancements, pilots, and investments to facilitate continuous quality improvement.
  3. Data Governance Committee:  The Data Governance Committee (DGC) will consist of operational Data Stewards and Subject Matter Experts with organizational knowledge about OU’s data and will develop, implement, operate, and support the tools, processes and practices that enable and support quality, data-driven decision making while protecting OU’s data assets.  DGC will take direction and align their activities in support of all relevant university policies.  See Data Governance Committee
    1. DGC are responsible for defining methods to ensure data is accurate and complete, at the appropriate quality for its primary purpose and all other known legitimate uses.  See Data Quality Guideline.
    2. DGC are responsible for working with the Data Stewards and define methods to ensure data can be trusted.  DGC have the role of accountability and oversight to assure this trust, with decisions and actions recorded at an appropriate level of detail.
    3. DGC are responsible for measuring, tracking, and monitoring compliance with progress towards Data Governance goals.
    4. DGC are responsible for maintaining a record of committee decisions.

Data Stewardship

Data governance requires a community of Data Stewards with first-hand knowledge of the data and a clear understanding of expectations before they are engaged in Data Governance processes. 

  1. Data shall be collected and maintained to guarantee its consistency, reliability, timeliness, and accuracy in accordance with the Data Protection Standards.
  2. Data Stewards have the authority to make decisions regarding data access, permissions, retention, and expunction, ensuring that data is used appropriately and in alignment with goals and regulatory requirements.
    1. Access to protected institutional data shall be authorized and managed to protect individual privacy, maintain promised confidentiality, and ensure appropriate access and use in accordance with the Data Protection Standards.
    2. Access will be granted based on authorization provided by the applicable Institutional Data Owner(s) or Steward(s) based on appropriateness of an individual’s role and the intended use in accordance with the Data Protection Standards.
    3. Authorization and access will be documented, reviewed, modified, and terminated in accordance with applicable laws and university policies, procedures, and standards.
    4. Protected Institutional Data may only be accessed for business purposes within the scope of an individual’s university duties in accordance with the Data Protection Standards.
  3. Data Steward(s) shoulder the vital duty of upholding the trustworthiness and reliability of our Institutional Data through meticulous supervision of enforcement of data security policies and for their decisions and actions. It is imperative that all decisions and actions related to data management are thoroughly documented, ensuring they contain sufficient information to comprehend the context and reasoning behind each choice. This documentation process serves as a critical element in maintaining data trustworthiness and transparency.

Data Classification

Classification of University Information will aid in identifying baseline security controls for the protection of the Information.

  1. Institutional Data must be classified in accordance with OU's Information Classification Standard and be documented by the Data Steward(s).  Data classification must be a factor considered in authorization and access procedures.
  2. Institutional Data must be associated with appropriate data domains and sub-domains along with additional applicable categorizations to further assist with proper data management. See Institutional Data Categorization Standard.

Data Usage

A key element of Data Governance is ensuring that Institutional Data are used ethically, with due consideration for individual privacy, and in accordance with applicable laws.

  1. All data usage requests must undergo a Privacy Impact Assessment to be completed by OU IT Governance, Risk, and Compliance (GRC) in accordance with the Risk Assessment Standard.
  2. Data privacy risks must be treated and managed in accordance with the Risk Assessment Standard.
  3. Data Stewards have the authority to create pre-approved datasets from both Authoritative sources as well as Systems of Record.  All pre-approved datasets must have a specific purpose and use-case that aligns with institutional goals and complies with the Data Protection Standards.  Pre-approved datasets will be created, managed, and maintained in the university’s data catalog and may not be used for any other purpose or use-case.  
  4. All requests, regardless of risk, must be approved by the Data Owner(s) or Data Steward(s), in accordance with the Identity and Access Management Policy.
  5. Privileged access to data may only be authorized in accordance with the Privileged Access Management Policy.

Data Integrity

Data standards promote data integrity and security of Institutional Data, which is necessary to ensure successful integration between functional units and/or institutional systems.  

  1. DGC shall determine a list of critical data elements (CDEs) that are vital to the success of the Data Governance Program.
  2. DGC shall catalog data sources containing CDEs in the OU Data Catalog.  See OU Data Warehouse and Catalog.
  3. DGC shall consistently profile data sources (interpret, document, and maintain) by collecting data statistics.  Data Steward(s) and business analysts, with oversight from DGC, shall create and maintain both data definitions for CDEs, as well as a business glossary to standardize common business and technical terms across the enterprise.  Both shall be maintained in the OU Data Catalog which greatly improves the consistency and reliability of our Institutional Data.  

Data Protection Standards

Data protection involves creating a balance between security and data usability and refers to the practices, policies, and procedures that OU puts into place to protect data from unauthorized access, theft, modification, or deletion.  Data protection includes classifying data, based on its level of sensitivity, value, and criticality to the university, and protecting it, as required by federal and/or state laws and regulations.  The OU Data Protection Standards ("Standards") define the minimum standard for protection requirements for each category of data when being used or handled in a specific context.  The protection standards are not intended to supersede any regulatory or contractual requirements for handling data.  Some specific data sets, such as student records data, credit/debit card data, healthcare data, and financial account data, may have stricter requirements in addition to the minimum standard requirements listed.  Data Owners and Data Stewards must adhere to these Standards when authorizing, using, or approving access to data.  

  1. See Category A Data Protection Standard
  2. See Category B Data Protection Standard
  3. See Category C Data Protection Standard
  4. See Category D1 Data Protection Standard
  5. See Category D2 Data Protection Standard
  6. See Category E Data Protection Standard
  7. See Category F Data Protection Standard

Data Integration

OU’s operational processes often require systems to exchange information. System-to-system interfaces are a standard way to streamline the movement of data from one system to another, facilitating efficient and effective information exchange.

  1. Successful use of Data Integration depends on data integrity and sound data models.  Integrations between systems must follow the terms of this policy, must be documented by OU IT Data Services using the Data Governance Request Form, and must adhere to policy requirements concerning Data Owners and Data Stewards.
  2. Institutional Data products shall source Institutional Data from systems of record. Institutional Data resources and products published, distributed, shared, or otherwise made accessible to others will source Institutional Data from designated systems of record. To the extent possible unnecessary duplication or storage of Institutional Data shall be avoided and university standards for integrations shall be followed.
  3. Data integrations or interfaces must be inventoried in the IT Asset Inventory, in accordance with the IT Asset Management Policy.

System Management and System Administration

System management and administration are the functions of managing, maintaining, and operating hardware and software platforms (system environments).  Responsibility for system management and the various activities of computer system administration shall belong to the Office of Information Technology or to department Information Technology employees.

  1. Any system holding Institutional Data shall be purposefully planned, inventoried, and implemented to manage data throughout the entire data lifecycle in compliance with all applicable laws and university policies, standards, and procedures. 
  2. Any individual or department selecting or operating a information technology must complete or schedule an IT Security Assessment prior to purchase or implementation to identify the person(s) designated to perform data stewardship, system management/administration, and information security functions relative to the system.  See Risk Assessment Standard.
  3. For each new system, the specific responsibilities for system ownership and data/system management and administration shall be identified and documented as part of the IT Security Assessment.
  4. Data Owners or their Stewards shall coordinate with OU IT to place and maintain a copy of all System of Record data used for Institutional Reporting in the OU Data Warehouse to streamline access to data and decision making.
  5. Each System of Record shall have a Data Steward to ensure appropriate resources are made available for Data Governance processes. In the event a Data Steward is unavailable to complete Data Governance tasks, authority and responsibility shall transfer to an alternate Data Steward or the Data Owner.

Data Governance Training

Data Governance training shall be provided based on the person’s role and responsibilities.

  1. Data Owners and members of ITESC shall receive annual program updates on Data Governance principles, regulatory compliance, strategic value and alignment of organizational goals.  This shall be used to direct annual updates to the Data Governance program.
  2. All Data Stewards shall complete the Data Management Fundamentals course within 90 days of being named a Data Steward.
  3. All Data Stewards shall complete the Data Quality Management course within 365 days of being named a Data Steward.
  4. All Data Stewards shall complete the Data Governance and Policy course within 30 days of being named a Data Steward.
  5. All Data Stewards shall complete university assigned privacy and security training annually.
  6. All OUHSC and OU-Tulsa HSC workforce members must take online HIPAA Privacy and Security training within 5 days of employment, enrollment, or appointment.
  7. All Data Users shall complete FERPA training within the first 30 days of employment or before an employee can be given access to any student record systems.  This training shall be completed every 24 months after the initial training is complete. 
  8. Asset Administrators shall receive annual training focused on the responsibilities described in 2.h above.
  9. Data Users shall receive training annually that covers the basics of Data Governance.
  10. Data Owners and Data Stewards shall acknowledge the Data Governance Policy annually.

Data Warehouse and Catalog

The goal of the OU Data Governance Program is to deliver easily accessible pre-authorized sets of non-sensitive data as well as making the discovery of data much simpler. 

  1. All OU Authoritative Sources of data must have a named Data Owner, Data Steward, and Asset Administrator.
  2. A Data Catalog provides an easy way for staff or faculty to discover data available for analysis from Systems of Record and Authoritative Sources.  In accordance with the IT Asset Management Policy and Standard, OU IT Governance, Risk, and Compliance (GRC) must maintain a centralized data catalog of all Data Assets. 
  3. A Data Warehouse provides a stable, centralized repository for large amounts of historical data.  A warehouse allows OU to improve business processes and decision-making with actionable insights and aids in improving Data Quality.  Data Owner(s) or Steward(s) shall coordinate with OU IT to place System of Record data, used for Institutional Reporting in the OU IT Data Warehouse.
  4. Metadata shall be managed through a Metadata Repository that is maintained in the Data Catalog by OU IT GRC.  Metadata is crucial in a data catalog because it enhances data discovery, understanding, supports research efforts, ensures data quality and security, and aids in regulatory compliance.

Oversight

Penalties for deliberate violation of this policy will be determined in accordance with applicable disciplinary policies and procedures, outlined in the appropriate employee, faculty, or student handbook or code of conduct.  Regular audits and assessments will be conducted to identify areas of improvement.

References

  1. Identity and Access Management Policy
  2. IT Asset Management Policy
  3. IT Asset Management Standard
  4. Privileged Access Management Policy
  5. NIST Glossary
  6. Data Governance Committee

Revision, Review, and Approval History

  • June 2022: Institutional Reporting: Baseline drafted.
  • August 2023: OU IT Governance, Risk, and Compliance: Responsible Office updated.  Policy revisions made.  Opened for comments.
  • October 2023: OU IT Governance, Risk, and Compliance:  Revisions committed.  See OU IT PSP Comment Summary.
  • December 2023: Cybersecurity and Infrastructure Advisory Committee: Policy reviewed and recommended to President.
  • March 2024: Office of Legal Counsel.  Policy reviewed, revisions made.
14% helpful - 7 reviews
Print Article

Details

Article ID: 3008
Created
Wed 8/2/23 4:01 PM
Modified
Wed 4/10/24 10:43 AM

Related Articles (8)

8.2.2.1 Information (Data) Classification Standard
The University of Oklahoma (OU) recognizes that institutional information is an asset, critically important to effectively supporting OU’s mission of excellence in teaching, research and creative activity, and service. OU also recognizes the need for appropriate data protections, to ensure student and employee privacy is respected and the University complies with applicable laws.
8.2.2.15 Category A Data Protection Standard
This standard defines the minimum data protection practices for Category A - Healthcare data.
8.2.2.16 Category B Data Protection Standard
This standard defines the minimum data protection practices for Category B - Payment Card or Credit Card data.
8.2.2.17 Category C Data Protection Standard
This standard defines the minimum data protection practices for Category C - Student data.
8.2.2.18 Category D1 Data Protection Standard
This standard defines the minimum data protection practices for Category D1 - Controlled Unclassified Information (CUI)
8.2.2.19 Category D2 Data Protection Standard
This standard defines the minimum data protection practices for Category D2 - Research data.
8.2.2.20 Category E Data Protection Standard
This standard defines the minimum data protection practices for Category E - University Administrative and Financial data.
8.2.2.21 Category F Data Protection Standard
This standard defines the minimum data protection practices for Category F - Public data.