Enterprise Data Governance Standard

University Standard

University of North Carolina at Chapel Hill Standard on Enterprise Data Governance

Introduction

Purpose

This Standard to the Policy on Enterprise Data Governance describes the roles, responsibilities, and scope of authority of the Enterprise Data Coordinating Committee (EDCC), Data Trustees, Data Stewards, Data Managers (comprising the Data Governance Oversight Group (DGOG)), and Data Custodians in distributed Units. Further, this Standard defines data types that comprise University "Enterprise Data" and identifies the scope of authority for governance of each role and group.

Scope of Applicability

University Constituents with responsibility for Enterprise Data.

Standard

Roles

The Policy on Enterprise Data Governance establishes certain roles with responsibility for governing Enterprise Data. This Standard delineates both "business" and "technical" roles and accompanying responsibilities. All University Constituents have responsibilities for protecting and using Enterprise Data in conformance with applicable law and University Policy. Those in the roles described below have specific and additional governance responsibilities. Additional responsibilities may be assigned by Data Trustees, DGOG, and/or their delegates.

Enterprise Data Coordinating Committee (EDCC) Responsibilities

  • Provide guidance for the effective management and protection of all Enterprise Data according to an official Charter from the Chief Information Officer.
  • Support efforts to develop and improve Policies, Standards, or Procedures related to Enterprise Data governance.
  • Recommend and oversee initiatives that improve Enterprise Data management.
  • Develop and oversee processes by which University Constituents (schools, departments, Units, individuals) ensure that the appropriate reviews or approvals have been obtained or appropriate processes followed before Enterprise Data is disclosed to third parties.
  • Resource and support a standing workgroup (DGOG) of Data Trustees, Stewards, and Managers to answer requests for information, consulting, classification, and approvals as needed regarding use of Enterprise Data.
    • Ensure the workgroup is functional;
    • Workgroup is comprised of subject matter experts able to address regulatory and other data requirements, and DGOG membership must include all Trustees, Stewards, and Managers designated by position in this Standard (see chart below);
    • DGOG must have access to EDCC members and other subject matter experts to sufficiently and efficiently respond to a full spectrum of data management requests;
    • Provides "air-traffic control," "clerk," and "triage" activities for all data governance questions, requests, receipt of information, data classification, and other needs sent to the DGOG to help requests move to resolution efficiently and effectively. A ticketing function is used to track and manage requests;
    • Collects and maintains records related to location of Enterprise Data and decisions of the DGOG;
    • Operates collaboratively with other campus groups with adjacent responsibilities; and
    • Uses Data Trustees to resolve "buck stops here" obstacles and questions.

Business Roles and Responsibilities

Individuals in designated data management roles may delegate their assigned responsibilities as appropriate. Fundamental responsibilities applicable to all roles include:

  • Observe ethical obligations applicable to Enterprise Data;
  • Report violations of University Policy, regulatory requirements, or law as appropriate;
  • Report instances of perceived risk to security of University Data;
  • Guide use of Enterprise Data in the best interests of the University;
  • Respect confidentiality and privacy rights of individuals;
  • Access and use Enterprise Data only for legitimate University purposes; and
  • Complete training designated by the CIO applicable to the role and seek any additional information needed to understand and perform the role and fulfill its responsibilities.

Data Trustee Responsibilities

Relative to other roles, Data Trustees have the highest responsibility for governing Enterprise Data in compliance with applicable University Policies and legal and regulatory requirements. Data Trustees should be knowledgeable of applicable laws and regulations relevant to the Enterprise Data over which they have responsibility. Additional responsibilities of Data Trustees include:

  • Participate as needed in the DGOG to define processes, classify data elements, come to decisions on ambiguous or high-risk requests, and ensure that the DGOG is managing governance and compliance processes efficiently and effectively;
  • Handle escalated requests from DGOG members and stakeholders. Evaluate and decide requests with DGOG and Trustee peers related to Enterprise Data, particularly high-risk and atypical requests;
  • Promulgate Policy within scope of responsibility relevant to Enterprise Data;
  • Oversee implementation of applicable federal and state laws and regulations and University Policies, Standards, Procedures, and guidelines with respect to data access and management;
  • Contribute to determination of appropriate classification level for data subsets in accordance with the Standard for Information Classification;
  • Through the DGOG, assist in managing stewardship of shared data elements that cross multiple Units or divisions and assist in efforts to minimize multiple repositories for the same data;
  • Review and respond to requests for new uses of Enterprise Data or collections of data within scope of responsibility (e.g., transfer of Enterprise Data to internal or third-party repositories, databases, or applications);
  • Participate in determining criteria and differentiate requests requiring business approval from those where technical roles or other approval is appropriate;
  • Select appropriate Data Stewards and Data Managers, and participate with DGOG in identifying criteria for designation of Custodians, data access roles, and related delegations. Document and communicate Data Steward and Data Manager selections to the EDCC;
  • Ensure staff have appropriate time and resources for data governance work; data governance should be a defined responsibility for appropriate staff; and
  • Designate Data Stewards and Managers and define, document, and communicate their scope of responsibility and authority.

Ultimate responsibility for Enterprise Data rests with the Data Trustees regardless of delegation of authority to others.

Data Steward Responsibilities

Data Stewards are the key operational point of contact and authority for critical sets of Enterprise Data, or for data elements of greatest regulatory risk, which require an active and engaged point of contact. Their responsibilities include:

  • Expertise: Knowledge of the data domain and of what uses are allowed and expected.
  • Decision-making: Where approvals, data classifications, and other determinations are needed, making those decisions effectively.
  • Data integrity and quality: Taking action to improve the quality of University data.
  • Resilience: Working to ensure data is kept in an environment that prevents data loss or unavailability.
  • Access: Working to facilitate smooth and easy access by those who have a business need for data, and to prevent access by those who should not have it.
  • Oversight: Making sure that the day-to-day activities of the DGOG are well-supported and effective.

Data Manager Responsibilities

Data managers, appointed by Data Stewards or Trustees or listed by position in this Standard, participate as subject matter experts in the DGOG with specific responsibility for a particular data domain. Responsibilities include:

  • Collaboration: Working closely with other DGOG members and campus stakeholders to fulfill requests related to data.
  • Integrity and Quality: Work directly with stakeholders on data management practices.
  • Training: Support Constituents in proper care and tending of data:
    • Access: Provide it and manage it.
    • Compliance: Handle or report (as appropriate) regulatory and ethical compliance issues related to data.
  • Request management: Resolve or make sure that requests get to the right people in a timely way.

Data Custodian Responsibilities

  • The Data Custodian serves as a primary point of contact for data governance within a school, department, or Unit. The Data Custodian oversees data governance activities (access control, training, data integrity, data inventory, vendor management, etc.) within the Unit, passes requests to the DGOG for non-routine situations, and consults with the DGOG and other experts and authorities to keep the Unit compliant and using data securely and appropriately.
  • More than one Data Custodian should be designated for each school, department, and Unit to ensure redundancy.

Technical Roles and Responsibilities

The Vice Chancellor (VC) for Information Technology and CIO Responsibilities

With the advice of the EDCC:

  • Develop and improve Policies, Standards, and/or Procedures related to Enterprise Data governance;
  • Participate in DGOG as a Trustee;
  • Designate members of EDCC and provide direction and priorities to EDCC related to training requirements for Enterprise Data governance roles (business and technical), data integrity, efficiency and effectiveness of data management activities, governance gaps or overlaps, areas needing coordination with other campus stakeholders, and needs of the University with respect to Data Governance; and
  • Designate IT Guardians and their scope of authority.

IT Guardian Responsibilities

"IT" use of data is fundamentally different from "functional" use and may require different processes: systems may touch many (or all) types of data, technical staff often have broad privilege in systems, and the work of technology is often to implement the structures in which functional use takes place. IT Guardians are IT Leaders who serve in gatekeeping and enforcement roles, as well as managing defined IT functions with respect to Enterprise Data. These leaders, designated by the CIO, may be central (such as the Chief Information Security Officer (CISO)) or distributed (IT Directors in schools and departments). While all IT staff have significant data management responsibilities (just as all functional staff are responsible for the data they use), IT Guardians have additional governance responsibilities. The following IT Guardian responsibilities are to be performed in collaboration with Enterprise Data management business roles and the DGOG, and in accordance with applicable federal and state laws and regulations and University Policies, Standards, Procedures, and guidelines with respect to data access and management:

  • Establish safe, secure, accessible, and compliant environment(s), whether on premises or vendor-supplied, for the use and storage of Enterprise Data;
  • Ensure operational continuity by implementing business continuity and disaster recovery preparation measures appropriately;
  • Establish and maintain approved access to data for University systems;
  • Manage technical projects relevant to Enterprise Data management;
  • Advise and assist the DGOG in assessing and mitigating risks to Enterprise Data;
  • Establish processes and procedures for the retention, disposition, and preservation of Enterprise Data at the direction of the DGOG and in compliance with University Policy and the General Records Retention and Disposition Schedule;
  • Authorize and periodically review administrator and other privileged or elevated access requests for users in technical roles in compliance with University Access Control requirements; and
  • Assist the DGOG in resolving conflicts relating to access to Enterprise Data.

IT Guardians who represent a School/Department/Unit are Technical Custodians. These IT Guardians support good practices and compliance for technical implementations and environments involving data.

Coordination of Enterprise Data Governance

The following table outlines positions that function as Data Trustees, Stewards, and Managers for each type and constitute the DGOG (additional Stewards and Managers may be designated by each Trustee). All types of Enterprise Data are intended to be governed by this set of Trustees. Data types of particular concern include: Person information for workforce members; Personnel records; Person information for Students (including applicants); Regulatory domains such as PHI, PCI-DSS, Export Controls, PII, SSN, Red Flags, etc.; Research study data and processes; and Access Control, IT Change, IT Vendor management, and systems security. Overlapping responsibilities for data require Trustees, Stewards, and Managers to govern collaboratively, using the EDCC and DGOG as their medium. For efficiency and effectiveness the DGOG will create operational practices for responding to requests that involve optimal/minimal sets of members, parallel and collaborative reviews, and keen customer service approaches.

Trustees

Provost (Designee Executive Vice Provost), Vice Chancellor for Human Resources and Equal Opportunity and Compliance, Vice Chancellor for Institutional Integrity and Risk Management, Vice Chancellor for Research, CIO and Vice Chancellor for Information Technology, Assistant Provost for Institutional Research and Assessment (Ex Officio).

Data Stewards

Associate Vice Chancellor for Human Resources and EOC, Registrar, Chief Privacy Officer, Export Controls Officer, IRB Representative

IT Guardians

Chief Information Security Officer, IT Executive Council Representative

Data Managers

HR Business Analyst, Admissions Representative, Financial Aid Representative, Student Affairs Representative, Office of Institutional Research and Assessment Representative, Cashier, Office of University Counsel Representative, Finance Business Analyst

In addition, each Trustee will designate an appropriate staff person with knowledge of data governance and management to participate in and facilitate operations of the DGOG.

Definitions

Access: The right to read, enter, copy, query, download, or update data.

Data: The representation of discrete facts; any information in electronic or audiovisual format, and any hardware or software that enables the storage and use of such information. Facts, ideas, or discrete pieces of information, especially when in the form originally collected and unanalyzed.

Enterprise Data: Any Data or records created or received by UNC-Chapel Hill employees or other University Constituents in the performance or transaction of University business except where excluded under the Policy or Standard on Enterprise Data Governance. Enterprise Data includes, but is not limited to, machine-readable data, data in electronic communication systems, data in print, and backup and archived data on all media.

University Constituent: UNC-Chapel Hill faculty, staff, students, retirees, and other affiliates, contractors, distance learners, visiting scholars, and others who use or access UNC-Chapel Hill resources.

Related Requirements

External Regulations and Consequences

Americans with Disabilities Act of 1990

FTC Red Flags Rule

Family Educational Rights and Privacy Act (FERPA)

Gramm Leach Bliley Act (GLBA)

HIPAA Privacy Rule

HIPAA Security Rule

HIPAA Breach Notification Rule

North Carolina Identity Theft Protection Act of 2005

North Carolina Public Records Law General Statutes 121

North Carolina Public Records Law General Statutes 132

North Carolina General Statute 126 (State Human Resources Act)

North Carolina State Personnel Policies

Payment Card Industry (PCI) Data Security Standard (DSS)

The Electronic Communications Privacy Act of 1986 (ECPA)

University Policies, Standards, and Procedures

Standard for Enterprise Data Governance

Data Classification Standard

Information Security Controls Standard

Privacy of Protected Health Information Policy

PHI Confidentiality Statement

University Records Retention and Disposition Schedule

Contact Information

Primary Contact(s)

ITS Policy Office: its_policy@unc.edu


Details

Article ID: 131264
Created: Thu 4/8/21 9:05 PM
Modified: Mon 4/26/21 9:27 AM
Effective Date: 03/23/2021 8:24 AM
Issuing Officer Title: Vice Chancellor for IT and CIO
Last Review: 02/26/2020 8:24 AM
Last Revised: 03/23/2021 12:00 PM
Origination: 01/02/2018 11:00 PM
Responsible Unit: Information Technology Services