UNIVERSITY STANDARD. Title UNIVERSITY OF NORTH CAROLINA AT CHAPEL HILL STANDARD ON ENTERPRISE DATA GOVERNANCE. Introduction

Transcription

1 UNIVERSITY STANDARD Issuing Office Responsible University Title UNIVERSITY OF NORTH CAROLINA AT CHAPEL HILL STANDARD ON ENTERPRISE DATA GOVERNANCE PURPOSE Introduction This Standard to the Policy on Enterprise Data Governance describes the roles, responsibilities, and scope of authority of the Enterprise Data Coordinating Committee (EDCC), Data Trustees, Data Stewards, Data Managers, and Data Custodians. Further, this Standard defines data types that comprise University Enterprise Data and identifies the Data Trustees responsible for each type. SCOPE OF APPLICABILITY University Constituents with responsibility for management of Enterprise Data. Standard ROLES The Policy on Enterprise Data Governance establishes certain roles with responsibility for Enterprise Data. This Standard delineates both business and technical roles and accompanying responsibilities. This Standard also describes the roles and responsibilities of the Enterprise Data Coordinating Committee. All University Constituents have responsibilities for protecting Enterprise Data in conformance with applicable law and University Policy. Those in the roles described below have specific and additional responsibilities. Additional responsibilities may be assigned by Data Trustees and/or their delegates. Page 1 of 14

2 Responsible University Enterprise Data Coordinating Committee (EDCC) Responsibilities Provide guidance for the effective management and protection of all Enterprise Data Support efforts to develop and improve Policies, Standards, or Procedures related to Enterprise Data governance Provide guidance regarding proper management of Enterprise Data that cross stewardship boundaries Communicate with the University community regarding Enterprise Data management and applicable Policies, Procedures, and Standards Advise the University s Chief Information (CIO) regarding issues related to Enterprise Data governance Recommend and oversee initiatives that improve Enterprise Data management Define functions and responsibilities of individuals with designated data management roles and maintain list of individuals assigned to those roles within the University Classify new or existing data elements that comprise Enterprise Data and identify applicable sources of authority for each type Develop and oversee processes by which University constituents (schools, departments, units, individuals) consult with appropriate Data Trustees or Data Stewards to ensure that the appropriate approvals have been obtained before Enterprise Data is disclosed to third parties Business Roles and Responsibilities Individuals in designated data management roles may delegate their assigned responsibilities as appropriate. Fundamental responsibilities applicable to all roles include: Observe ethical obligations applicable to Enterprise Data Report violations of University policy or law or Report instances of perceived risk to security of Enterprise Data Ensure use of Enterprise Data in the best interests of the University Respect confidentiality and privacy rights of individuals Access and use Enterprise Data only for legitimate University purposes Complete training designated by the CIO applicable to the role and seek any additional information needed to understand and perform the role and fulfill its responsibilities Page 2 of 14

3 Responsible University Data Trustee Role Relative to other roles, Data Trustee have the highest responsibility for managing Enterprise Data in compliance with applicable University policies and legal and regulatory requirements. Data Trustees should be knowledgeable of applicable laws and regulations relevant to the Enterprise Data over which they have responsibility. Additional responsibilities of Data Trustees include: Promulgate Policy within scope of responsibility relevant to Enterprise Data Oversee implementation of applicable federal and state laws and regulations and University Policies, Standards, Procedures and guidelines with respect to data access and management Determine the appropriate classification level for data subsets in accordance with the Standard for Information Classification Assist in managing stewardship of shared data elements that cross multiple units or divisions and assist in efforts to minimize multiple repositories for the same data. For example, Person ID (PID) may have more than one Data Trustee since it is collected and/or used in multiple systems, such as financial, human resources, and student systems Evaluate and decide requests, particularly high-risk and atypical requests, for access to Enterprise Data within scope of responsibility. Review and decide requests for new uses of Enterprise Data or collections of data within scope of responsibility (e.g., transfer of Enterprise Data to internal or third-party repositories, databases, or applications). Determine criteria and differentiate requests requiring business approval from those where technical role or other approval is appropriate. Select appropriate Data Stewards, Data Managers, and Custodians, document and communicate those selections to the EDCC Designate above roles and define, document, and communicate their scope of responsibility and authority. Ultimate responsibility for the relevant Enterprise Data segment rests with the Data Trustee regardless of delegation of authority to others. Page 3 of 14

4 Responsible University Data Steward Responsibilities Adhere to and implement applicable federal and state laws and regulations and University policies, standards, procedures and guidelines with respect to data access and management. Ensure that applicable data quality and data definition standards are met. In cooperation with Technical Data Stewards and Managers, establish authorization procedures to facilitate appropriate data access and ensure security for that data. Develop standard definitions for data elements within scope of authority, including those that cross multiple units or divisions. For example, establish a uniform definition of full-time employee or unique definitions as appropriate for each data element. Perform appropriate review and recertification of user access for information systems that work with sensitive information (classified as Tier 2 or Tier 3 under the Information Classification Standard). Decide requests for access to Enterprise Data within the Data Steward s functional area, specifying the appropriate access procedure, and ensuring appropriate access rights and permissions according to data classification. Consult Data Trustee for atypical or high-risk requests for access. Ensure that any appropriate Memoranda or other document is in place for the access. Ensure that necessary training and support is in place for Users of the data for which Stewards are responsible. Support efforts to educate users about best practices in data management and information handling. Consult with Data Managers, Custodians, and Users as appropriate to promote effective Enterprise Data management and protection. Ensure that Information Security Liaisons are designated for their respective business unit(s) in accordance with the Information Security Liaison Policy. Ensure that documentation exists for each data element, including at a minimum: data source, data provenance, data element business name, and data element definition. Recommend appropriate Policies related to the management of Enterprise Data. Oversee data accuracy and integrity. Implement programs for data quality improvement. Evaluate risk for specific uses of data. Ensure appropriate generation, use, retention, and disposal, etc. of data and Page 4 of 14

5 Responsible University information consistent with University Policies. Determine archiving and retention requirements for data elements and ensure that storage and backup is occurring as appropriate. Ensure that employees are properly trained in the management of data, including retention, data handling, and data security. Define Standards for documentation of data elements. Select and oversee Data Managers and/or Custodians and ensure their assigned responsibilities are adequately and consistently fulfilled. Determine content and organization of official University reports and assist in preparing reports as needed. Coordinate with Technical Data management roles with respect to data retention, disposition, preservation. Define the scope of responsibilities for all Data Managers and Data Custodians appointed by the Steward, communicate that scope of authority Ensure separation-of-duties structures are present, effective, and verified where required. Resolve issues in data element definitions across data segments. Prioritize data management activities. Work with appropriate University contracting unit to ensure that obligations for data management are incorporated as in agreements with third parties to which the University grants access or rights to Enterprise Data. Consult with Office of University Counsel and/or contracting unit as needed. Ensure that obligations of other University units who use or access Enterprise Data within Data Steward s scope of responsibility are defined and appropriately documented. Authorize privileged access for users in business roles. Establish action plans to implement data Policy. Ensure appropriate data lifecycle and retention Standards. Identify data entities and data sources comprising Enterprise Data. Evaluate security of delivery modes for transmission of data. Maintain knowledge of legal and regulatory requirements for one data segment. Exercise due care and supervision in delegation of responsibilities. Ensure that employees are educated in their roles and responsibilities for data retention. Establish specific goals, objectives for data management and monitor Page 5 of 14

6 Responsible University progress toward implementation. Data Manager Responsibilities Data Managers are appointed by Stewards (or Trustees) and assigned a specific scope of authority and responsibility. Data Managers often have subject matter expertise for Enterprise Data for which they have responsibility or access. Responsibilities of Data Managers include the following: Decide requests for use or access to Enterprise Data for University business purposes (as opposed to technical support/management purposes). Apply the principle of least privilege (granting only the access needed to perform the required tasks) and work with technical staff to understand and implement security controls governing systems under their control. Comply with applicable federal and state laws and University policies, standards, procedures and guidelines with respect to data access and management. Instruct University users in proper handling of Enterprise Data within Data Manager s scope of authority. Document data definitions for each data element within the domain of Data Manager s operational unit(s). Communicate data definitions and/or recommended changes to existing definitions to the appropriate Data Custodian(s). Identify overlapping domains of authority with Data Manager s area of responsibility and coordinate or escalate to Data Steward when clarification is needed or operational changes should be considered. Assist Data Steward in determining content and organization of official University reports and assist in preparing reports as needed. Create processes and procedures to ensure the accuracy, privacy and integrity of the Enterprise Data they manage. Assist in the design of data warehouse structures that contain Enterprise Data from their subject matter areas of responsibility. Implement business unit procedures in accordance with University policies. Review and monitor compliance with administrative procedures and processes Resolve conflicts in data attributes. Consult as needed with data users and other University constituents Recommend policies or modifications to polices to Stewards and Trustees Communicate material changes to applicable policies and procedures to Data Custodians, users, and other University Constituents. Page 6 of 14

7 Responsible University Determine update precedence when multiple data sources exist, in cooperation with Technical Data roles. Data Custodian Responsibilities Understand and report on Enterprise Data storage, processing and transmission of Enterprise Data within the University and by third-party vendors and agents (including cloud providers). Deliver data or data-feeds as authorized. Facilitate approved access to Enterprise Data based on standard procedures. Report security and privacy risks. Recommend procedures to satisfy privacy, security, and compliance requirements. Collect, capture, and maintain accurate, valid, and timely data along with necessary components for understanding that data (e.g. source, provenance, business name, definition). Technical Roles and Responsibilities The Vice Chancellor (VC) for Information Technology and CIO Responsibilities With the advice of the Enterprise Data Coordinating Committee: Develop and improve Policies, Standards, and/or Procedures related to Enterprise Data governance. Resolve conflicts arising under Enterprise Data governance and management policy in collaboration with Data Trustees and Stewards. As needed, designate training requirements for Enterprise Data governance roles (business and technical). Determine the scope of Enterprise Data. IT Guardian Responsibilities IT Leader who serves in a gatekeeping and enforcement role, as well as managing defined IT functions with respect to Enterprise Data. The following IT Guardian responsibilities are to be performed in collaboration with Enterprise Data management business roles, and in accordance with applicable federal and state laws and Page 7 of 14

8 Responsible University regulations and University policies, standards, procedures and guidelines with respect to data access and management: Establish a safe and secure environment for the storage of Enterprise Data. Ensure operational continuity by backing up Enterprise Data according to schedules determined in collaboration with Enterprise Data roles, and establishing data restoration protocols. Establish technical procedures and processes for granting, revoking, and monitoring of access to Enterprise Data. Assign technical tasks and responsibilities including through documented delegations of responsibility. Provide staffing and systems to execute data management activities. Oversee activities of technical staff. Establish and maintain approved and prioritized data feed requests based on rules provided by Enterprise Data management business roles. Manage technical projects relevant to Enterprise Data management, including, as necessary in the discretion of the IT Guardian, in collaboration with data management roles and in consultation with appropriate University constituents. Advise and assist Data Trustee/Steward in assessing and mitigating risks to Enterprise Data management. Establish processes and procedures for the retention, disposition, and preservation of Enterprise Data at the direction of Enterprise Data Trustees/Stewards and in compliance with University policy. Authorize and periodically review administrator and other privileged or elevated access requests for users in technical roles. Assist Data Trustees and Stewards in resolving conflicts relating to access to Enterprise Data. Enterprise Data Types and Trustee Positions The following table outlines the common types of Enterprise Data and the corresponding positions that function as Data Trustees for each type. Some types of Enterprise Data may not fall into any of the categories below, and are still subject to related policies. Some types of Enterprise Data may fall into more than one of the categories below and may therefore have more than one responsible Data Trustee. Conflicts concerning Enterprise Data classification are managed and resolved according to the responsibilities and authority of the management roles described above. Page 8 of 14

9 Responsible University Type Trustee Description/notes Development VC for Development Includes all aspects of development data Financial information related to alumni, clubs, other fundraising, demographic information. Academic (Organizational and Administrative) Facilities Financial Human Resources Information Technology Executive VC and Provost VC for Finance & Administration VC for Finance & Administration VC for Workforce Strategy Equity and Engagement VC for Information Technology and CIO Accreditation reports, schedules, and similar. Inventory of programs. Degree, certificate, or other offerings. Student outcome reports. Required courses. Instructional administration. Includes the facilities services data of the University, including space-planning data, construction, maintenance, real estate management, operational data, reservations and physical-descriptive data. Data related to the management of fiscal resources of the University including accounting, accounts payable, accounts receivable, budgeting, capital assets, investments, inventory, loans, payroll information, purchasing, risk management, and treasury. Data and records relating to University employees, including employee demographics, benefits, retirement, and EEO data, vitas, employee evaluations, faculty accomplishments and awards, training records, and promotion and disciplinary data. Student employee data may be part of both the student record and Human Resources record. Data and records relating to Information Technology Services provisioning and management of the technology infrastructure. Page 9 of 14

10 Library and Information Resources Organizational Person Registry Associate Provost & University Librarian Executive VC and Provost Joint Responsibility shared by: Executive VC and Provost as well as VC for Workforce Strategy, Equity, and Engagement Responsible University Data and records related to management activities and information-resource-collection activities of the University libraries including databases of purchased and locally-produced information and all files of University archives and other special collections. Data and records regarding the internal organizational structure of the University and identifies hierarchical relationships among individual entities. Supports the ability to organize and aggregate/disaggregate various kinds of institutional data using standard reporting structures adopted to meet business or functional needs. Data may include responsible position or unit (vice chancellor, division, department, etc.), intra-university relationships, official names of University units, reporting abbreviations, codes and account numbers, type of organization (academic vs. administrative, health vs. academic affairs, etc.), and status (active/inactive). Data and records related to the management of identity and authentication for individuals associated with the University including the creation of unique data elements (e.g., PID and UNC OneCard) that provide identification and resolution for merging of identity records. Personregistry data can be used to provision other applications that are managing privileges to authorized individuals or groups. Page 10 of 14

11 Student and Instruction Athletics administration Clinical Data in HIPAA Covered Units Public Web/Social- Media Content Research Administration Audit Executive VC and Provost Executive VC and Provost and Director of Athletics Dean or equivalent of each Unit VC for Communications VC for Research Director of Internal Audit Responsible University Data and records regarding all phases of a student s relationship with the University from expression of interest through alumni status except as noted elsewhere. This includes, but is not restricted to, demographic data, academic, disciplinary, and medical records, course information, admissions data, housing, financial aid, and employment with the University which is dependent on student status. Financial aid, Admissions, Student Athlete, International Student, Instruction, Institutional Research, Distance Learning, Continuing Education. Recruiting, scheduling, and other Athletics administration. Dentistry, Nursing, Psychology clinics. Campus Health Services, ITS, and other units with responsibility for patient records and related Protected Health Information. Web and social-media content on University sites or representing the University and sourced or maintained by University Constituents. Includes records that represent grants & contracts (proposals and awards) the University has received and executed including dates, amounts, responsible units, project teams, percent effort, and others as appropriate. Research and grant proposals and research results are excluded. Information collected or maintained by Internal Audit as a function of their auditing role. Page 11 of 14

12 Legal VC and General Counsel Responsible University Records relating to University legal matters. Definitions Access: The right to read, enter, copy, query, download, or update data. Data: The representation of discrete facts; any information in electronic or audiovisual format, and any hardware or software that enables the storage and use of such information. The SAA Glossary of Archival and Records Terminology ( Facts, ideas, or discrete pieces of information, especially when in the form originally collected and unanalyzed. Enterprise Data: Any data or records created or received by UNC-Chapel Hill employees or other constituents in the performance or transaction of University business except where excluded under the Policy or Standard on Enterprise Data Governance. Enterprise Data includes, but is not limited to, machine-readable data, data in electronic communication systems, data in print, and backup and archived data on all media. University Constituents: UNC-Chapel Hill faculty, staff, students, retirees and other affiliates, contractors, distance learners, visiting scholars and others who use or access UNC-Chapel Hill resources. Page 12 of 14

13 Responsible University Related Requirements EXTERNAL REGULATIONS AND CONSEQUENCES Americans with Disabilities Act of 1990 FTC Red Flags Rule Family Educational Rights and Privacy Act (FERPA) Gramm Leach Bliley Act (GLBA) HIPAA Privacy Rule HIPAA Security Rule HIPAA Breach Notification Rule North Carolina Identity Theft Protection Act of 2005 North Carolina Public Records Law General Statutes 121 North Carolina Public Records Law General Statutes 132 North Carolina State Personnel Policies Payment Card Industry (PCI) Data Security Standard (DSS) The Electronic Communications Privacy Act of 1986 (ECPA) UNIVERSITY POLICIES, STANDARDS, AND PROCEDURES Standard for Enterprise Data Governance Data Classification Standard Information Security Controls Standard Privacy of Protected Health Information Policy PHI Confidentiality Statement University Records and Disposition Schedule PRIMARY CONTACT ITS Policy Office: Contact Information Page 13 of 14

14 Responsible University Effective Date and title of Approver: a. Effective Date: 01/02/2018 b. Approver: Chief Information Important Dates Revision and Review Dates, Change notes, title of Reviewer or Approver: a. Last Revised Date: N/A b. Revised by: c. Substantive Revisions: Page 14 of 14