Enterprise Data Governance Standard

Title

University of North Carolina at Chapel Hill Standard on Enterprise Data Governance

Introduction

Purpose

This Standard to the Policy on Enterprise Data Governance describes each role that plays a part in governing University Data at the University of North Carolina at Chapel Hill ("University"). The roles are:

  • Enterprise Data Coordinating Committee (EDCC);
  • data trustees, data stewards, and data managers, who make up the Data Governance Oversight Group (DGOG); and
  • data liaisons in units across campus.

This Standard also defines what kind of data makes up the University’s "enterprise data."

Scope

This Standard applies to everyone at the University.

Standard

Roles

Everyone at the University has a role in protecting data. That is, we all need to follow the law and University policies when we use data. The Policy on Enterprise Data Governance creates other roles for governing enterprise data. This Standard describes those roles and what they do. Data trustees, DGOG, and their delegates may give the roles other responsibilities. 

Enterprise Data Coordinating Committee (EDCC) Responsibilities

  • Follow the official charter from the Chief Information Officer (CIO) to manage and protect Enterprise Data.
  • Support others when they work to improve policies, standards, or procedures that govern Enterprise Data.
  • Recommend ways to improve how we manage Enterprise Data. Run projects to make those changes.
  • Develop and watch over processes for how we give Enterprise Data to third parties. Make sure the right reviews and approvals are in place. Make sure we follow the right steps when we release data.
  • Support DGOG, which is a standing workgroup of data trustees, stewards, and managers. DGOG answers requests for information. DGOG also consults about Enterprise Data, classifies it, and approves the use of it. Make sure DGOG has enough resources.
    • Ensure DGOG works well.
    • Include subject matter experts who can address regulations and other requirements. Include all trustees and stewards in DGOG. Also include the managers who hold the positions listed below.
    • Make sure DGOG has access to EDCC members and other subject matter experts so it can respond to requests related to data.
    • Have DGOG act as "air-traffic control" for data requests. DGOG triages requests related to governing data. For example, requests could ask for information or ask to classify data. DGOG should be efficient and effective in resolving requests. For example, DGOG should use a ticketing system to track and manage requests.
    • Have DGOG keep records of where Enterprise Data is stored and decisions DGOG has made.
    • Have DGOG collaborate with other campus groups that also have responsibilities for data.
    • Ask data trustees to resolve "buck stops here" obstacles and questions.

Business Roles and Responsibilities

The people who manage data may delegate responsibilities if they need to. All roles have at least these responsibilities:

  • Follow the ethical duties that apply to Enterprise Data.
  • If someone violates University policy, regulations, or law, report it.
  • If the security of University data appears to be at risk, report it.
  • Guide others so that the way they use Enterprise Data is in the best interests of the University.
  • Respect individuals’ right to keep their data confidential.
  • Access Enterprise Data only for valid University purposes.
  • Complete the training that the CIO assigns to the role. Seek more information if needed to meet the responsibilities of the role.

Data Trustee Responsibilities

Of all the roles that govern Enterprise Data, data trustees have the most responsibility. Data trustees need to know the University policies, laws, and regulations that apply to the data they are responsible for. That way data trustees can follow them. They also need to:

  • Take part in the DGOG to define processes and classify data elements. Ensure the DGOG manages its processes well.
  • Resolve requests that DGOG members and stakeholders escalate. Work with DGOG and other trustees to decide how to handle requests for data. This is especially true for requests that are not clear cut or are high-risk.
  • Share knowledge of policy for the data the trustee is in charge of.
  • When managing and giving access to data, follow all:
    • federal laws and regulations;
    • state laws and regulations; and
    • University policies, standards, procedures, and guidelines.
  • Help classify data according to the Standard for Information Classification. 
  • Through the DGOG, help steward the data elements that more than one unit shares. Try not to store the same data in more than one place. 
  • Respond to those who ask to use data in new ways. For example, someone could ask to transfer Enterprise Data to a third-party repository or application. 
  • Help decide how to do approvals. Separate requests that need business approval from those that need technical or other approval. 
  • Choose data stewards and data managers.
  • Work with DGOG to:
    • identify the criteria used to choose liaisons;
    • define, document, and communicate what DGOG is responsible for;
    • define how much authority DGOG has;
    • define roles for accessing data; and
    • define guidelines for delegations.
  • Document the names of the data stewards and data managers and give the names to the EDCC. 
  • Ensure staff have the time and resources they need to do data governance work. Make data governance a defined responsibility for the staff doing this work. 
  • No matter how much a data trustee delegates to others, the ultimate responsibility for Enterprise Data rests with them. 

Data Steward Responsibilities

Data stewards manage the day-to-day for critical sets of data or data that has the most regulatory risk. Data stewards are the primary subject matter experts of the DGOG for data that needs to be actively managed. Data stewards are responsible for:

  • Expertise: Know a data domain and understand how it should and shouldn’t be used.
  • Decision Making: Decide on review requests. Decide how to classify data. Make other decisions as needed.
  • Data Integrity and Quality: Improve the quality of the University’s data.
  • Resilience: Support a safe and available data environment at the University.
  • Access: Make sure those who need data for business purposes can access it. Prevent access by those who should not have it.
  • Operations: Support the DGOG’s day-to-day activities and emphasize effectiveness.

Data Manager Responsibilities

Data stewards or trustees appoint data managers, or a person’s position says they should be a data manager. Data managers take part in the DGOG as subject matter experts, and they are responsible for a data domain.  

  • Collaboration: Work with other DGOG members and campus stakeholders to fulfill requests for data.
  • Data Integrity and Quality: Work with stakeholders to manage data.
  • Training: Support faculty, staff, students, and affiliates in the proper care and tending of data:
    • Access: Provide access to data and manage access.
    • Compliance: Handle issues. Report it when someone does not follow regulations related to data. Report it if someone does not behave ethically related to data.
  • Managing Requests: Resolve requests or make sure they get to the right people on time.

Data Liaison Responsibilities

  • The Data Liaison is the main point of contact for data governance in a school, department, or unit. The Data Liaison oversees the work around governing data in the unit. These activities may include:
    • controlling access;
    • training;
    • maintaining data integrity;
    • keeping inventory of data; and
    • managing vendors.
  • The Data Liaison passes non-routine requests to the DGOG. The Data Liaison consults with the DGOG and other experts and authorities to make sure their unit follows all policies, laws, and regulations. The Data Liaison makes sure that everyone in their unit keeps data secure and uses it the right way.
  • Each school, department, and unit needs more than one Data Liaison to make sure there is a backup.

Technical Roles and Responsibilities

The Vice Chancellor (VC) for Information Technology and CIO Responsibilities

With the advice of the EDCC:

  • Develop and improve policies, standards, and procedures for governing Enterprise Data.
  • Take part in the DGOG as a trustee.
  • Choose members of the EDCC.
  • Give direction and priorities to the EDCC for:
    • what training the roles that govern data (business and technical) need to have;
    • data integrity;
    • making sure data management activities are effective and efficient;
    • fixing gaps or overlaps in governance;
    • finding areas that need to be coordinated with other campus stakeholders; and
    • what the University needs for data governance.
  • Choose IT guardians and decide how much authority they have.

IT Guardian Responsibilities

Information Technology (IT) staff use data in different ways than functional staff, so they may need different processes. Some differences are: 

  • Systems may touch all types of data.
  • Technical staff often have broad privilege in systems.
  • Technical staff often put in place the structures that functional staff use to do their work.

IT guardians are IT leaders who act as gatekeepers and who enforce rules. They also manage defined IT functions that use Enterprise Data. The CIO names these IT Guardians. IT Guardians may be central (like the Chief Information Security Officer) or on campus (like the IT directors in schools and departments).

All IT staff are responsible for managing data, just like all functional staff are responsible for the data they use. IT Guardians are responsible for even more. To meet their responsibilities, IT Guardians work with DGOG and the business roles in charge of data. They also follow all:

  • federal laws and regulations;
  • state laws and regulations; and
  • University policies, standards, procedures, and guidelines.

IT Guardians:

  • Establish safe, secure, accessible, and compliant environments for using and storing Enterprise Data. Environments may be on premises or supplied by vendors.
  • Prepare for business continuity and disaster recovery.
  • Establish and support approved access to data for University systems.
  • Manage technical projects related to Enterprise Data.
  • Work with DGOG to assess and mitigate risks to Enterprise Data.
  • Establish methods for how we keep, dispose of, and preserve Enterprise Data. Follow DGOG’s directions. Follow University policies and the General Records Retention and Disposition Schedule.
  • Review requests for elevated access (like administrator access) from technical staff. Make sure the requests follow the University Access Control Policy. Review that access on a regular schedule.
  • Help DGOG resolve conflicts relating to access to Enterprise Data.

IT Guardians who represent a school, department, or unit are technical custodians. These IT Guardians support good practices in their units. IT Guardians also make sure their units follow policies when the units put a new technical solution in place that involves data.

Coordination of Enterprise Data Governance

The list below specifies data trustees, stewards, and managers for each type of data. These positions make up the DGOG. (Each trustee can name more stewards and managers.) This set of trustees governs all types of Enterprise Data, but data types of particular concern are:

  • Person information for workforce members;
  • Personnel records;
  • Person information for students (including applicants);
  • Regulatory areas such as PHI (Protected Health Information), PCI-DSS, Export Controls, PII (Personal Identifying Information), SSN (Social Security Number), Red Flags, and so on;
  • Research study data and processes;
  • Access control;
  • IT change;
  • IT vendor management; and
  • Systems security.

Responsibilities for data overlap, so trustees, stewards, and managers need to work together. They use the EDCC and DGOG as their medium. To keep the process of managing data efficient and effective, the DGOG will create ways for responding to requests that:

  • involve the fewest people;
  • work in parallel and work together to do reviews; and
  • are smart about how customer service is done.

Trustees

  • Provost (Designee Executive Vice Provost);
  • Vice Chancellor for Human Resources and Equal Opportunity and Compliance;
  • Vice Chancellor for Institutional Integrity and Risk Management;
  • Vice Chancellor for Research;
  • CIO and Vice Chancellor for Information Technology; and
  • Assistant Provost for Institutional Research and Assessment (Ex Officio).

Data Stewards

  • Associate Vice Chancellor for Human Resources and Equal Opportunity and Compliance;
  • University Registrar;
  • Chief Privacy Officer;
  • Export Controls Officer; and
  • Institutional Review Board Representative.

IT Guardians

  • Chief Information Security Officer; and
  • IT Executive Council Representatives.

Data Managers

  • HR Business Analyst;
  • Admissions Representative;
  • Financial Aid Representative;
  • Student Affairs Representative;
  • Office of Institutional Research and Assessment Representative;
  • University Cashier;
  • Office of University Counsel Representative; and
  • Finance Business Analyst.

In addition, each trustee will choose a staff person who knows about governing data to take active part in the DGOG operations.

Definitions

  • Access: The right to read, enter, copy, query, download, or update data.
  • Data: The representation of discrete facts; any information in electronic or audiovisual format, and any hardware or software that enables the storage and use of such information. Facts, ideas, or discrete pieces of information, especially when in the form originally collected and unanalyzed.
  • Enterprise Data: Also called University Data. Enterprise Data is any data the University has responsibility to protect. Any data or records created or received by employees or other University Constituents in the performance or transaction of University business, except where excluded under the Policy or Standard on Enterprise Data Governance. Enterprise Data includes, but is not limited to, machine-readable data, data in electronic communication systems, data in print, and backup and archived data on all media.

Related Requirements

External Regulations and Consequences

University Policies, Standards, and Procedures

Contact Information

Primary Contact

Unit: ITS Policy Office

Phone: 919-962-HELP

Email: its_policy@unc.edu

Details

Article ID: 131264
Created: Thu 4/8/21 9:05 PM
Modified: Thu 12/14/23 12:03 PM
Effective Date: 03/23/2021 8:24 AM
Issuing Officer Title: Vice Chancellor for Information Technology and Chief Information Officer
Last Review: 12/13/2023 12:00 AM
Last Revised: 10/31/2022 12:00 AM
Next Review: 12/13/2026 12:00 AM
Origination: 01/02/2018 11:00 PM
Responsible Unit: Information Technology Services
