University of North Carolina at Chapel Hill Policy on University Data Governance
(Formerly University of North Carolina at Chapel Hill Policy on Enterprise Data Governance)
Introduction
Purpose
Being a good caretaker of University of North Carolina at Chapel Hill ("University" or "UNC-Chapel Hill") data helps faculty and staff access the data they need. This policy and the Standard for University Data Governance explain how to be a good caretaker of data. They contain instructions on the best ways to classify, use, protect, and manage data.
This policy sets up a framework for protecting University data. This framework:
- gives responsibilities to the trustees, stewards, managers, and liaisons of University data.
- empowers the Enterprise Data Coordinating Committee (EDCC) to give advice about the best way to manage and protect enterprise data to meet the University’s needs.
- charges the EDCC with recommending standards and procedures for governing University data.
Scope
This policy applies to everyone connected with the University who manages University data.
Policy
Policy Statement
Data is one of the University’s strategic assets. This means we need to follow sound practices and procedures to manage it. To learn more about the data this policy applies to, see the Standard for University Data Governance. Some examples include information about students, employees, and finances.
It’s important to follow the UNC-Chapel Hill Information Classification Standard. It’s especially important to protect sensitive information, which the standard calls Tier 2 or 3 data.
The Chief Information Officer (CIO) has worked with other University officials to define other policies and standards that apply to enterprise data. Be sure to follow them as well.
University data should be available to those who need it because they have responsibilities at the University, as long as:
- the way they access and manage data follows the law and other policies and standards, and
- they access the data to support the mission of the University and help it run well.
This policy works with other policies and laws that apply to University data. It does not replace them. These laws include:
- HIPAA (Health Insurance Portability and Accountability Act);
- FERPA; and
- North Carolina Public Records Law.
Roles and Responsibilities
Offices that interpret and apply the laws that govern data include the:
- Public Records Office;
- Institutional Privacy Office;
- Internal Audit; and
- Office of University Counsel.
The EDCC helps govern the University's information technology. It develops the University Data Governance Policy and the related Standard. If needed, it recommends new standards for governing University data. The EDCC reports to the CIO, and the CIO appoints its members. Members include representatives from:
- the Office of University Counsel;
- University Archives;
- Institutional Research and Assessment;
- Information Technology Services;
- Information Security Office;
- Institutional Privacy Office;
- senior University managers.
The CIO and the EDCC may create working groups to carry out their responsibilities. The Standard for Enterprise Data Governance defines the responsibilities of the EDCC.
University data is any data the University has a responsibility to protect or share. Departments, units, schools, and individuals are also responsible for some subsets of it. This policy defines five roles for working with University data:
- data trustees;
- data stewards;
- data managers;
- data liaisons;
- those in technical roles.
The paragraphs below describe the five roles. You can learn more about them in the Standard for Enterprise Data Governance.
Data Trustees
Data trustees are advisors to the EDCC. Their authority comes from their position in the University. (See the Standard for University Data Governance for a list of data trustee positions.) Each data trustee oversees a broad segment of enterprise data at the University. They guide policy and strategic planning for that data. They also set up procedures and communicate policies for that data.
Of the roles in this policy, data trustees have the most responsibility. They make sure that access to the data in their segment is handled the right way. They also make sure the data is correct, secure, and available. Data trustees protect the privacy of data and support its integrity. Data trustees give authority to data stewards, managers, and liaisons, and they are responsible for what they do. The Standard for Enterprise Data Governance defines what data trustees do.
Data Stewards
Data stewards oversee the data in a functional area and guide strategic planning for that data. Data stewards have authority because of their position at the University or because a data trustee gives it to them. If someone asks for data from their area, the data steward decides whether to give it to them. They also recommend policies, standards, and procedures to make sure the data in their area is:
- accessed the right way;
- correct;
- secure; and
- available.
They also protect the privacy of the data and maintain its integrity. Data stewards give authority for subsets of data to data managers and liaisons. They are still responsible for all data in their area. The Standard for Enterprise Data Governance defines what the data stewards do.
Data Managers
Data managers are subject matter experts for the data in a subject area. Data trustees or stewards choose data managers for their expert knowledge in a subject. Data managers manage the day-to-day work for the data in their subject. They also set up business rules for that data. If someone outside their unit asks to use this data, they decide whether to let them. They also set constraints on how the data is used. Data managers are accountable for the data they manage. This is true whether they collect and maintain the data themselves or whether others do. The Standard for Enterprise Data Governance defines what data managers do.
Data Liaisons
Designated by Deans or Department Heads at the request of Data Trustees, Liaisons are University employees who have administrative and/or operational responsibilities for data within their unit. Specific responsibilities of Data Liaisons are defined in the Standard for University Data Governance.
Technical Roles
The CIO gives authority to the technical staff who manage our systems and keep them secure. Technical staff help enforce policies and standards by building rules into our networks and systems. They work with those responsible for University data to make sure the right people have the right access. They act as gatekeepers. They make sure the tools that grant access follow needs and rules set by the business units. Technical staff also:
- develop and support systems;
- supply security and monitoring services;
- advise the EDCC when the security of enterprise data is at risk;
- do the technical work needed to manage enterprise data.
The Standard for Enterprise Data Governance defines what technical staff do.
Definitions
- Access: The right to read, enter, copy, query, upload, download, or update data.
- Data: The representation of discrete facts, ideas, or pieces of information. Any information in electronic or audiovisual format, and any hardware or software that enables the storage and use of such information.
- University Data: Also called Enterprise Data. University Data is any data the University has responsibility to protect. Any data or records created or received by employees or other University Constituents in the performance or transaction of University business, except where excluded under the Policy or Standard on University Data Governance. University Data includes, but is not limited to, machine-readable data, data in electronic communication systems, data in print, and backup and archived data on all media.
Related Requirements
External Regulations and Consequences
University Policies, Standards, and Procedures
Contact Information
Policy Contact
Unit: ITS Policy Office
Phone: 919-962-HELP
Email: its_policy@unc.edu
Important Dates
- Effective Date and title of Approver:
  - Effective Date: December 12, 2010 (Formerly "Institutional Data Governance Policy")
  - Approver: Chief Information Officer
- Revision and Review Dates, Change notes, title of Reviewer or Approver:
  - Last Revised Date: January 2, 2018
  - Revised by: Enterprise Data Coordinating Committee, to reflect current Data Governance best practices and to adhere to the new University Policy on Policies. Approved by the Vice Chancellor for Information Technology & CIO.
  - Substantive Revisions:
    - Complete revision. Moved from three-tier to four-tier governance model, added and defined technical roles, clarified roles and responsibilities.
    - Revised by the Enterprise Data Coordinating Committee to reflect current Data Governance best practices, separated into Policy and Standard to adhere to the new University Policy on Policies.