Information Technology Services

Data Governance Policy

Introduction: The Brandeis Data Governance Program

The Brandeis Data Governance Program provides an organized framework (policies, procedures, guidelines, roles/responsibilities) for how people behave and make decisions about data to achieve the university’'s goals and accomplish its mission. This policy document serves as the first foundational policy of the Brandeis Data Governance Program, providing an outline of the broader framework to be built and defining principles to which subsequent policies and protocols will align.

Effective data governance helps reduce risks associated with inappropriate or improper uses of data. Data governance happens in every institution that uses data; levels of effectiveness vary.

The Brandeis Data Governance Program has been based on two fundamental philosophies: 1) University data are not "owned" by particular departments or units; they are a valuable asset for the university as a whole; and 2) it is our collective responsibility to ensure that university data can be used as effectively as possible to further our institutional mission, with availability of data to all individuals who have a legitimate need for it, consistent with the university's responsibility to preserve and protect such information by all appropriate means.

There are several elements that go into making this happen. From an overarching perspective, it means overcoming, to the degree possible, the separation of units into "data silos," to help all units accomplish their goals. This also entails a recognition that viewing particular data from multiple perspectives rather than from the perspective of a single siloed unit can at times yield, for the university, value that transcends that one silo and can lead to smarter, more comprehensive and more successful approaches to using data.

University data needs to be accessible, as appropriate, and need to be accurate, complete, and consistent. There should be only one "official" copy of each data element, and there need to be clearly understood rules as to how to access and use those data. All those using particular university data should understand the definitions of those data — what those data are and are not. They should understand which unit(s) has responsibility for the management of which data, which may evolve for certain data elements over time, and who has decision-making authority around particular data. Where differences of opinion arise as to who should be able to access certain data, there needs to be a clearly understood process by which decisions are made to resolve those differences.

The university is committed to establishing and maintaining data standards and quality, while adhering to all privacy and compliance requirements, including relevant information security concepts and constructs. The university determines levels of access according to principles drawn from various sources. State and federal laws provide clear descriptions of some types of information to which access must be restricted. Ethical, security and privacy considerations are other important factors in determining access to university data.

Everyone who uses data at Brandeis shares responsibility for proper behavior around data. Within that large frame, there are various roles and associated responsibilities regarding data, defined within this document. New terminology is introduced to frame these roles, such as data trustees and data stewards, who have decision-making authorities and data management responsibilities for data within their areas, referred to as their domains.

Purpose

The Data Governance Program addresses the overall management of the accessibility, integrity and security of data used at Brandeis, including a defined set of procedures and a plan to execute those procedures.

The primary purposes of this Data Governance Policy are:

• To define university data
• To establish the Brandeis Data Governance Program structure, including roles and responsibilities
• To define and communicate the set of component policies and procedures that will form the Brandeis Data Governance Program, including:
  • Data Classification Standard
  • Data Access Policies and Procedures
  • Compliance and Privacy Policies and Procedures
  • Data Retention and Archiving Policies and Procedures
  • Information Security Policies and Procedures
  • Others determined by the Council of Data Trustees

Context

This document serves as an initial framework for a Brandeis Data Governance Program. In order to have an operational program, an infrastructure must be built incrementally and iteratively.

• The Executive Council has identified individuals to serve as data trustees for the Brandeis business domains.
• The Council of Data Trustees is conducting a preliminary set of meetings from February to August 2021 to (i) finalize this policy document; (ii) identify canonical data sources; (iii) craft a baseline set of component policies and procedures for the management of data; and (iv) identify data stewards for their domains.
• The output of these preliminary meetings will be presented to the Executive Council for their review and approval.
• The Data Governance Program will then be launched with an approved policy, a set of baseline policies and procedures used as a resource for the university community, and a functional Council of Data Trustees who will convene regularly to resolve issues related to data access and use, data definitions, data privacy, data security, and data classifications. A formalized educational program will be developed and deployed as part of the program’s launch.

• A charter for the Council of Data Trustees will be formalized as part of the Data Governance Program launch.

Scope

This policy creates, under the authority of the Executive Council, a data governance framework to support the consistent and appropriate management of university dData. This includes technical and behavioral standards and guidelines in creation and management of university data, as related to data quality and consistency, security and privacy, compliance, retention and archiving, and access by individuals.

This policy sets forth a standard for management of university data and holds data trustees accountable for their domain's compliance with data management requirements, including this policy.

This policy establishes the rules, roles, and responsibilities related to the management, including acquisition, utilization, maintenance, access and protection, of university data.

This policy applies to university data collected, stored, archived, maintained or in any way under the management of Brandeis University, whether stored on campus or within a third-party service, and it applies to all those who use these data, including Brandeis University faculty, staff, hired consultants, interns and student employees.

Objectives

By having a comprehensive Data Governance Program, with clarity around data access and usage procedures, Brandeis will:

• Create operational efficiencies by minimizing the need for rework caused by data inaccuracies, different definitions of data and data redundancies.
• Enable better decision- making by building confidence that decisions are being made based on the right data.
• Improve data understanding by providing a comprehensive view of all data assets with assigned permissions for access and accountability for data decisions.
• Improve data quality by ensuring that everyone accessing and updating data have an understanding of the proper protocols to follow to avoid data loss.
• Increase confidence in data by clearly defining data sets and definitions, by educating the community on how to review and interpret data, and by defining parameters for data sharing.
• Ensure compliance with regulations and security protocols by developing procedures to ensure the community understands and complies with these regulations and protocols.
• Mitigate risk by minimizing exposure to security threats and costly errors.

Guiding Principles

• Brandeis University data are valuable assets, and their quality and consistency are critical and ongoing priorities.
• Timely and appropriate access to defined and accurate data is essential to informed decision-making across Brandeis.
• Usage, access, disclosure, distribution and retention protocols for data must be articulated, communicated, followed and monitored.
• Brandeis University data must be consistent in its vocabulary, definitions, and taxonomies.
• It is everyone's responsibility at Brandeis to protect the privacy, security and confidentiality of our data.
• Standards, policies and processes must be monitored to ensure ongoing compliance to applicable standards and regulations.

Foundational Policy Statements

The Council of Data Trustees will collectively oversee the development of policies, procedures, and processes for the management of data, as a resource for the entire university. The following foundational policy statements reflect fundamental assumptions that will be used as these component policies and procedures are developed:

• The Executive Council is the senior-most decision-making body for data policy at Brandeis University. They appoint and are advised by the Council of Data Trustees who have ultimate accountability for managing, protecting, and ensuring the integrity of university data.
• Accountability for Brandeis University data should be defined for each domain and across shared domains, with compliance policies and procedures defined articulating repercussions of violations to Data Governance Program policies.
• Data Access
  • University employees will be granted access to the data needed to do their jobs.
  • Access requests will be vetted in a manner that adheres to a publicly documented procedural statement (e.g., compliance with regulation, compliance with policy, appropriate security, for institutional purpose, etc.).
  • Access to data may not be provided by technology staff without authorization by an appropriate data trustee.
  • Data accessed under the authorization of the relevant data trustee, or if not available from the relevant Executive Council member, may not be shared without authorization.
• Data Use

The Brandeis University Written Information Security Policy (WISP) sets forth the university's procedure for evaluating its electronic and physical methods of accessing, collecting, storing, using, transmitting and protecting regulated, restricted and confidential data. The WISP supersedes any data access policy statements or protocols established as part of the Data Governance Program.

1. When units use university data and/or create shared data repositories, they take on the responsibility of ensuring that Brandeis University data governance policies and procedures are adhered to.
2. Units must work with data trustees and data stewards to ensure that they understand external regulatory and university policy compliance requirements, as well as the boundaries related to the appropriate uses for data stored within such repositories.
3. When data repositories are created through third party services, special care must be taken to ensure that contracts or service agreements include appropriate security and privacy requirements, as determined by Brandeis Legal Counsel and Chief Information Security Officer.

• Data under the purview of the Council of Data Trustees will be classified according to the risk classification schema detailed in the Brandeis University Data Classification Standard.
• Individuals may not disclose or distribute data except as required by one's job and with the permission of the relevant data trustee. The use of data for profit, personal curiosity, or personal gain is explicitly forbidden and individuals who do so may be sanctioned in accordance with Brandeis policy.
• University data governance practices comply with applicable laws and regulations. All individuals who have access to university data must manage it in a manner that is consistent with the university's need for privacy, analysis of strategic initiatives, security and reporting standards compliance.
• Security, privacy and access policies pertain to data wherever it is stored or shared.
• Canonical Data Source
  • Sources for canonical data should be identified and documented as key metadata elements.
  • Systems and services must use canonical data whenever technologically possible.
  • Additional metadata elements essential to effective and proper use of university data should be identified, documented and made available to those who use the relevant data.&
  • Creation and use of these metadata elements is a key element of data stewardship. This entails an iterative and evolutionary approach, coordinated across all functional areas. The Data Governance Program development is prioritizing the behavior and philosophies around data first, with metadata elements and definitions following as a second phase, potentially with an automated tool to support the process.
  • Shadow systems (defined in the Definitions section) which manipulate data extracted from canonical data sources and result in data quality issues in the canonical data sources should not be created or permitted.

Roles and Responsibilities

Data governance is a cooperative effort which depends on the collaboration between key university stakeholders, who provide critical expertise and perspectives related to specific aspects of data management.

• The Executive Council sponsors the Data Governance Program and its role in managing, protecting, and ensuring the integrity of university data. They resolve conflicts escalated by the Council of Data Trustees, when necessary.
• Data Trustees, assigned by the Executive Council, provide a strategic perspective on data governance. They have decision-making authority regarding the data associated with particular business domains. They have the primary responsibility to ensure that the University is following its Data Governance Policy and is in compliance with federal and state laws and regulations. They identify the data classification (sensitivity) of data. Data trustees are responsible for engaging affected offices and the user community before formulating changes or additions to this Data Governance Policy.
• The Council of Data Trustees is the collection of data trustees. It collectively advises the Executive Council. It defines, maintains and publishes component policies, procedures and processes to address data access and use, data definitions, data privacy and data security. The council works through consensus to resolve conflicts regarding access and data-quality controls where data overlap between multiple functional units. A member of ITS serves on the Council of Data Trustees ex officio.
• Data Stewards, assigned by the data trustees of each of the domains, provide an operational perspective on data governance. They oversee efforts to ensure and improve the informational quality, effectiveness, usability, strategic value and security of data. They actively participate in processes that establish data quality as well as definitions and appropriate uses (metadata) for data elements. They share in the responsibility to ensure that the university is following this Data Governance Policy. Data stewards advise the data trustee within their data domain. In cases where data pertain to multiple business domains, data stewards are responsible for working with data stewards in other data domains to ensure clarity and consistency in the use of data. If so delegated, particular data stewards may represent data trustees in policy discussions and in decision-making forums.
• Data Custodians are all those who use university data to carry out their jobs. They, too, share in responsibility for managing and protecting data by understanding and following the policies of the university related to data use and data governance. Data custodians have an additional obligation to report data-related problems, updates, and inaccuracies back to the appropriate data steward(s).
• The Chief Information Officer (CIO) and Chief Information Security Officer (CISO) act as advisors to the Executive Council and to the Council of Data Trustees.

Brandeis Domains and Data Trustees

Roles and Responsibilities Diagram

Definitions

• Availability: Ensuring timely and reliable access to and use of University Data

• Canonical Data: Officially identified primary information that represents (typically) the original and sanctioned version and form of the information (sometimes called the "official" version). For example, the record of a student's degree program currently originates in the student information system and is the canonical record (sometimes called the "system of record") of this information.

• Confidentiality: Preserving authorized restrictions on university information access and disclosure, including means for protecting personal privacy and proprietary information

• Council of Data Trustees: Comprised of the data trustees, the CDT defines, maintains and publishes policy and processes to address data access and use, data definitions, data privacy and data security. The CDT advises the Executive Council.

• Data Custodian: Any member of the Brandeis community who uses or works with university data. This role was created to underscore that the responsibility for proper handling of university data applies to all users of data.

• Data Repository: Collection of information, physical or electronic. Examples include databases that store information; collections of files stored in filing cabinets or in an electronic file server or within a cloud service.

• Data Ownership: Legally defined ownership of the information.

• Data Steward: The individual with responsibility for the management of the data for a given business domain with responsibility assigned by the corresponding data trustee.

• Data Trustee: An individual with decision-making authority regarding the data for a given business domain. Data trustees are given this authority by the Provost and Executive Vice President, identified in this document as the Executive Council.

• Domain: A functional area containing one or more units that have primary responsibility for managing a core university mission or business function.

• Executive Council: The senior-most decision-making body for data policy at Brandeis University. Members of the Executive Council have the authority to set institutional policy and speak for the entire institution on these matters. The EC appoints and is advised by the Council of Data Trustees.

• Integrity: Guarding against improper modification or destruction of university data.

• Metadata: Metadata are data about data. Metadata provide essential information for users to enable them to find the data they are seeking, to understand how to use those data (and how not to use them), and to know whom to ask if they have questions about the data.

• Quality Dimensions: Accurate, timely, accessible, relevant, complete, consistent, understandable, credible, unique; reflects the fitness of data for its intended university purposes

• Shadow System: A database or dataset created and maintained outside of the systems of record whose use results in data quality issues in the associated canonical data. Data extracted from systems of record, such as reports, distribution lists, and dashboards, are not classified as shadow systems. Shadow systems contain extracted data that is manipulated, extended and altered to the point where they cause data integrity issues in the corresponding system(s) of record.

• Shared Data Repository: A collection of university information to which multiple individuals or entities have access.

• University Data: Information collected, created or maintained by Brandeis University in the course of any of its academic, administrative or research activities. Note that this does not define "ownership" — information collected and maintained by the university is, in many cases, owned by individuals or other organizations.

Regulations

• Appendix: A contains data-related regulations that will be updated as new regulations emerge.

Relevant Policies

• Written Information Security Policy (WISP)
• Data Classification Standard

Policy Owner

• Information Technology Services

Appendix A: Regulations

This list of regulations is subject to change as new regulations emerge or as referenced website links change.

Federal and State Data Regulations

• Family Educational Rights and Privacy Act (FERPA)

• Health Insurance Portability and Accountability Act (HIPAA)

• Federal Information Security Management Act (FISMA)

• National Institute of Standards and Technology (NIST)
• Internal Revenue Code (IRC)

Massachusetts Data Regulations

• Fair Information Practices Act (FIPA)
• Standards for the Protection of Personal Information of Residents of the Commonwealth

International Data Regulations

• General Data Protection Regulation (GDPR)