Data Governance Policy

Introduction: The Brandeis Data Governance Program

The Brandeis Data Governance Program provides an organized framework (policies, procedures, guidelines, roles/responsibilities) for how people behave and make decisions about data in order to achieve the University’s goals and accomplish its mission. This policy document serves as the first foundational policy of the Brandeis Data Governance Program, providing an outline of the broader framework to be built and defining principles to which subsequent policies and protocols will align.

Effective data governance helps reduce risks associated with inappropriate or improper uses of data.  Data governance happens in every institution that uses data; levels of effectiveness vary.

The Brandeis Data Governance Program has been based on two fundamental philosophies: 1) University Data are not “owned” by particular departments or units; they are a valuable asset for the University as a whole; and 2) it is our collective responsibility to ensure that University Data can be used as effectively as possible to further our institutional mission, with availability of data to all individuals who have a legitimate need for it, consistent with the University’s responsibility to preserve and protect such information by all appropriate means.  

There are several elements that go into making this happen.  From an overarching perspective, it means overcoming, to the degree possible, the separation of units into “data silos,” in order to help all units accomplish their goals.  This also entails a recognition that viewing particular data from multiple perspectives rather than from the perspective of a single siloed unit can at times yield, for the University, value that transcends that one silo and can lead to smarter, more comprehensive, and more successful approaches to using data.

University Data needs to be accessible, as appropriate, and need to be accurate, complete, and consistent.  There should be only one “official” copy of each data element, and there need to be clearly understood rules as to how to access and use those data.  All those using particular University Data should understand the definitions of those data—what those data are and are not.  They should understand which unit(s) has responsibility for the management of which data, which may evolve for certain data elements over time, and who has decision-making authority around particular data.  Where differences of opinion arise as to who should be able to access certain data, there needs to be a clearly understood process by which decisions are made to resolve those differences.

The University is committed to establishing and maintaining data standards and quality, while adhering to all privacy and compliance requirements, including relevant information security concepts and constructs. The University determines levels of access according to principles drawn from various sources. State and federal laws provide clear descriptions of some types of information to which access must be restricted. Ethical, security, and privacy considerations are other important factors in determining access to University Data.

 Capitalized terms such as University Data are defined in the Definitions section. 

Everyone who uses data at Brandeis shares responsibility for proper behavior around data.  Within that large frame, there are various roles and associated responsibilities regarding data, defined within this document. New terminology is introduced to frame these roles, such as Data Trustees and Data Stewards, who have decision-making authorities and data management responsibilities for data within their areas, referred to as their Domains. 

Purpose

The Data Governance Program addresses the overall management of the accessibility, integrity, and security of data used at Brandeis, including a defined set of procedures and a plan to execute those procedures.

The primary purposes of this Data Governance Policy are:

             -Data Classification Standard
             -Data Access Policies and Procedures
             -Compliance and Privacy Policies and Procedures
             -Data Retention and Archiving Policies and Procedures
             -Information Security Policies and Procedures 
             -Others determined by the Council of Data Trustees

Context

This document serves as an initial framework for a Brandeis Data Governance Program. In order to have an operational program, an infrastructure must be built incrementally and iteratively. At the time of this writing, June 2021

Scope

This policy creates, under the authority of the Executive Council, a data governance framework to support the consistent and appropriate management of University Data.  This includes technical and behavioral standards and guidelines in creation and management of University Data, as related to data quality and consistency, security and privacy, compliance, retention and archiving, and access by individuals. 

This policy sets forth a standard for management of University Data and holds Data Trustees accountable for their Domain’s compliance with data management requirements, including this policy.

This policy establishes the rules, roles, and responsibilities related to the management, including acquisition, utilization, maintenance, access, and protection, of University Data.

This policy applies to University Data collected, stored, archived, maintained, or in any way under the management of Brandeis University, whether stored on campus or within a third-party service, and it applies to all those who use these data including Brandeis University faculty, staff, hired consultants, interns, and student employees.

Objectives

By having a comprehensive Data Governance Program, with clarity around data access and usage procedures, Brandeis will:

Guiding Principles

Foundational Policy Statements

The Council of Data Trustees will collectively oversee the development of policies, procedures, and processes for the management of data, as a resource for the entire University.
The following foundational policy statements reflect fundamental assumptions that will be used as these component policies and procedures are developed.

The Brandeis University Written Information Security Policy (“WISP”) sets forth the University’s procedure for evaluating its electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting Regulated, Restricted, and Confidential data. The WISP supersedes any data access policy statements or protocols established as part of the Data Governance Program.

-When units use University Data and/or create Shared Data Repositories, they take on the responsibility of ensuring that Brandeis University Data Governance policies and procedures are adhered to. 

-Units must work with Data Trustees and Data Stewards to ensure that they understand external regulatory and University policy compliance requirements, as well as the boundaries related to the appropriate uses for data stored within such repositories. 

-When data repositories are created through third party services, special care must be taken to ensure that contracts or service agreements include appropriate security and privacy requirements, as determined by Brandeis Legal Counsel and Chief Information Security Officer.

Roles and Responsibilities

Data Governance is a cooperative effort which depends on the collaboration between key University stakeholders, who provide critical expertise and perspectives related to specific aspects of data management.

The Executive Council sponsors the Data Governance Program and its role in managing, protecting, and ensuring the integrity of University Data. They resolve conflicts escalated by the Council of Data Trustees, when necessary.

Data Trustees, assigned by the Executive Council, provide a strategic perspective on data governance. They have decision-making authority regarding the data associated with particular business Domains.  They have the primary responsibility to ensure that the University is following its Data Governance Policy and is in compliance with federal and state laws and regulations. They identify the data classification (sensitivity) of data.  Data Trustees are responsible for engaging affected offices and the user community before formulating changes or additions to this Data Governance Policy.

The Council of Data Trustees is the collection of Data Trustees. It collectively advises the Executive Council. It defines, maintains, and publishes component policies, procedures, and processes to address data access and use, data definitions, data privacy, and data security. The Council works through consensus to resolve conflicts regarding access and data-quality controls where data overlap between multiple functional units. A member of ITS serves on the Council of Data Trustees ex officio.

Data Stewards, assigned by the Data Trustees of each of the Domains, provide an operational perspective on data governance. They oversee efforts to ensure and improve the informational quality, effectiveness, usability, strategic value, and security of data. They actively participate in processes that establish data quality as well as definitions and appropriate uses (metadata) for data elements.  They share in the responsibility to ensure that the University is following this Data Governance Policy.  Data Stewards advise the Data Trustee within their data Domain.  In cases where data pertain to multiple business Domains, Data Stewards are responsible for working with Data Stewards in other data Domains to ensure clarity and consistency in the use of data. If so delegated, particular Data Stewards may represent Data Trustees in policy discussions and in decision-making forums.

Data Custodians are all those who use University data to carry out their jobs. They, too, share in responsibility for managing and protecting data by understanding and following the policies of the University related to data use and data governance. Data Custodians have an additional obligation to report data-related problems, updates, and inaccuracies back to the appropriate Data Steward(s).

The Chief Information Officer (CIO) and Chief Information Security Officer (CISO) act as advisors to the Executive Council and to the Council of Data Trustees. 

Brandeis Domains and Data Trustees

Brandeis Domain Data Trustee Title
Applicants, Undergraduate Dean of Admissions and Financial Aid
Applicants, Graduate Director of Institutional Research
Campus Operations Vice President for Campus Planning and Operations
Employees Vice President of Human Resources
Faculty Director of Institutional Research
Finance Chief Financial Officer
Information Technology Chief Information Officer
Institutional Advancement Vice President of Development
Legal Affairs General Counsel
Library University Librarian
Research Administration Vice Provost for Research
Student Academics

Vice Provost for Academic Affairs

University Registrar

Student Administration

Assistant Vice President of Student Financial Services

Student Life

Assistant Vice President of Student Engagement and Campus Life

ex officio members:

Senior Vice President, Communications, Marketing, and External Relations

Chief Diversity Officer

Dean, Brandeis International Business School

Associate Vice President, Information Technology Services

Director, Data and Systems Integration

Roles and Responsibilities Diagram

 roles and responsibilities diagram

Definitions

Ensuring timely and reliable access to and use of University Data

Officially identified primary information that represents (typically) the original and sanctioned version and form of the information (sometimes called the “official” version). For example, the record of a student's degree program currently originates in the student information system and is the canonical record (sometimes called the “system of record”) of this information.

Preserving authorized restrictions on University information access and disclosure, including means for protecting personal privacy and proprietary information

Comprised of the Data Trustees, the CDT defines, maintains, and publishes policy and processes to address data access and use, data definitions, data privacy, and data security. The CDT advises the Executive Council.

Any member of the Brandeis community who uses or works with University data. This role was created to underscore that the responsibility for proper handling of University Data applies to all users of data.

Collection of information, physical or electronic. Examples include: databases that store information; collections of files stored in filing cabinets or in an electronic file server or within a cloud service.

Legally defined ownership of the information.

The individual with responsibility for the management of the data for a given business Domain, with responsibility assigned by the corresponding Data Trustee.  

An individual with decision-making authority regarding the data for a given business Domain. Data Trustees are given this authority by the Provost and Executive Vice President, identified in this document as the Executive Council.

A functional area containing one or more units that have primary responsibility for managing a core University mission or business function.

The senior-most decision-making body for data policy at Brandeis University.  Members of the Executive Council have the authority to set institutional policy and speak for the entire institution on these matters.  The EC appoints and is advised by the Council of Data Trustees.

Guarding against improper modification or destruction of University Data.

Metadata are data about data.  Metadata provide essential information for users to enable them to find the data they are seeking, to understand how to use those data (and how not to use them), and to know whom to ask if they have questions about the data.

Accurate, timely, accessible, relevant, complete, consistent, understandable, credible, unique; reflects the fitness of data for its intended University purposes

Quality Dimension Description
Accurate Free from error; conforms to truth or standard
Timely Current, early, or at the right time
Accessible Available and readily obtained
Relevant Applicable; useful; usable
Complete Has all necessary parts; comprehensible
Consistent Free from variation or contradiction
Understandable Clear and unambiguous
Credible Reliable without additional verification
Unique Not redundant or duplicated
A database or dataset created and maintained outside of the systems of record whose use results in data quality issues in the associated Canonical Data. Data extracted from systems of record, such as reports, distribution lists, and dashboards, are not classified as Shadow Systems. Shadow Systems contain extracted data that is manipulated, extended, and altered to the point where they cause data integrity issues in the corresponding system(s) of record.   .  A collection of University information to which multiple individuals or entities have access. Information collected, created, or maintained by Brandeis University in the course of any of its academic, administrative, or research activities. Note that this does not define “ownership”; information collected and maintained by the University is, in many cases, owned by individuals or other organizations.

Regulations

Relevant Policies

Policy Owner

Effective April 2022

Appendix A: Regulations

This list of Regulations is subject to change as new regulations emerge or as referenced website links change.

Federal and State Data Regulations https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html https://www.hhs.gov/hipaa/index.html https://www.dhs.gov/fisma https://www.nist.gov/

https://www.irs.gov/privacy-disclosure/tax-code-regulations-and-official-guidance#irc

Massachusetts Data Regulations

https://www.mass.gov/regulations/940-CMR-1100-fair-information-practices-act

https://www.mass.gov/regulations/201-CMR-17-standards-for-the-protection-of-personal-information-of-residents-of-the

International Data Regulations

https://gdpr.eu/compliance-checklist-us-companies/