Data Governance

The policy covers university recordsUniversity recordAny form of recorded information, regardless of physical characteristics, that is created, received, maintained, or legally filed in the course of university business.  University record does not include: Materials preserved or appropriate for preservation because of the historical value of the materials; Library books, pamphlets, newspapers, or museum material made, acquired, or preserved for reference, historical, or exhibition purposes;  Private papers, manuscripts, letters, diaries, pictures, biographies, books, and maps, including materials and collections previously owned by persons other than the state or any political subdivision thereof and transferred by them to the university. Non-records (see definition in APS Glossary of Terms) , data where federal or state regulations exists, and data where external contract requirements exists regardless if the data is stored on a university owned or managed system or on a third party hosted service. Excluded from the scope of this policy is intellectual property that is educational materials.

The program shall be managed and monitored collaboratively by University Counsel, Chief Information Security Officer, and the data trustees, and Chief Information Officers. Roles and responsibilities for data governance are as follows:

• Data trusteesData TrusteeSee Section III. Definitions are accountable for managing, protecting, and ensuring the integrity and usefulness of university data. Data trustees have the primary responsibility to ensure the university is following its policies and is in compliance with federal and state laws and regulations. Data trustees, in consultation with the Council of Data Trustees, shall identify the criticality and sensitivity of data. Data trustees typically are associated with the business functions of an organization rather than technology functions. Data trustees are appointed by the President, chancellors or their delegates and are typically an administrative officer of the university or departmental director. The president, chancellor may choose to not identify a data trustee for certain data types given risk decisions or administrative, research, or academic needs.
• Data custodiansData CustodianSee Section III. Definitions typically have control over a data asset's disposition, whether stored (at rest), in transit, or during creation. Custodians will often have modification or distribution privileges. Data custodians carry a significant responsibility to protect data and prevent unauthorized use. Data custodians are often data providers to data usersData userSee Section III. Definitions. Data trustees or data stewardsData StewardSee Section III. Definitions may also exercise custodial roles and responsibilities. Data custodians typically are associated with IT units within the university, either central IT organizations or IT offices within academic and administrative units.
• Data stewards will often have data custodial responsibilities, but are distinguished from custodians by delegated decision-making authority regarding the data. Data stewards may represent data trustees in policy discussions, architectural discussions, or in decision-making forums. Data stewards actively participate in processes that establish business-context and quality definition for data elements. Data stewards are more likely to be associated with business functions than IT functions.
• To the degree that a data user creates university data and/or controls the disposition of university data, he or she has responsibility for the custodial care of that data. Data users share responsibility in helping data stewards and custodians manage and protect data by understanding and following the IT and information security policies of the university related to data use.

When university units create shared data repositories they take on responsibilities as data custodians. As such units must work with data stewards to ensure that they understand external regulatory and university policy compliance requirements. Data custodians may not extend the use of university data beyond the initial scope without additional review by the appropriate data steward. When shared data repositories are created on third party services, special care must be made to ensure that contracts or service agreements include appropriate security and privacy.

It is the responsibility of the data steward to understand business needs of the university unit and facilitate appropriate access to the required data. The data steward will also coordinate with the campus Information Security OfficerInformation security officerThe person who performs day-to-day management of and is the point of contact for the IT Security Program at the campus level. to ensure that adequate security controls are identified and implemented. Should the data steward have questions regarding the legitimacy of the university unit’s business need the data steward shall validate the need with the data trustee.

Data stewards, in consultation with the appropriate Campus Information Security Officer or the Office of Information Security shall publish processes for requesting and monitoring access to data and periodically audit access to data. Data stewards shall, at least annually, provide the data trustee with information regarding the management, protection, and effectiveness of efforts to ensure the integrity and usefulness of university data. For example, how data is being used, identify data quality issues, and report on compliance issues.

The Chief Information Security Officer shall maintain and publish a list of identified data trustees and data stewards for specific data types. The list will also identify the classification of specific data types. Where a single individual maintains multiple roles (e.g., data steward and data custodian) the CISO will provide notice to the Counsel of Data Trustees to ensure the roles do not pose a risk to the university.

Each campus or division Chief Information Officer shall be responsible for providing data management guidance to data trustees and establishing appropriate data governance structures. When data management issues or risks regarding data overlaps between multiple data domains are identified, the appropriate Chief Information Officer and data trustee shall present the issues and recommendations to the CU IT Governance Board for resolution.

Italicized terms used in this Administrative Policy Statement (APS) are defined in the APS Glossary of Terms or are defined in this section.

1. Data trustee is a party or entity identified with and widely recognized to have primary authority and decision responsibility over a particular collection of university data. The Council of Data Trustees list is included on this page.
2. Data custodian is any party charged with managing a data collection for a data trustee.
3. Data steward is a party or entity possessing delegated authority to act on a data trustee's behalf.​
4. Data user is any person or party that utilizes university data to perform his or her job responsibilities.

• Originally approved January 1, 2013.
• The title of “IT Security Principals” was replaced with the title of “Information Security Officers” effective May 1, 2014.
• July 1, 2018.
• July 9, 2018:  Removed reference to APS 2006 for the definition of university record.  That definition is now included in the APS Glossary of Terms.

Data, governance, information technology, compliance, risk, records, security