APS #6010


Data Governance

Brief Description

To ensure that data is managed as a material asset, the University has established a data governance program with the goals of ensuring that data provides value, meets compliance requirements, and that risks are managed appropriately. Given that poor handling of data poses a risk to the University, it is necessary to define roles and responsibilities for certain types of data.

Reason for Policy

Define roles and responsibilities to enable the University to exercise positive control over the processes and methods used to handle data and assure that university employees and administrative processes have appropriate access to reliable, authentic, accurate, and timely data. Data governance authority rests ultimately with the President and Chancellors; this policy defines roles and responsibilities to assist the President and Chancellors.  

Policy Profile

APS Policy Title: Data Governance
APS Number:
Effective Date: January 17, 2013
Approved By: President Bruce D. Benson
Responsible University Officer: Vice President, Employee and Information Services
Responsible Office: Office of the Vice President of Employee and Information Services
Policy Contact: Chief Information Security Officer
Last Reviewed/Updated date: January 17, 2013
Applies to:

I. Introduction

This policy covers university records, data where federal or state regulations exist, and data where external contract requirements exist, regardless of whether the data is stored on a University-owned or managed system or on a third-party hosted service. Excluded from the scope of this policy is intellectual property that is educational materials.

II. Policy Statement

The program shall be managed and monitored collaboratively by University Counsel, Chief Information Security Officer, and the Council of Data Owners.  Roles and responsibilities for data governance are as follows:

  • Data Stewards will often have data custodial responsibilities, but are distinguished from custodians by delegated decision-making authority regarding the data. Data stewards may represent data owners in policy discussions, architectural discussions, or in decision-making forums. Data stewards actively participate in processes that establish business-context and quality definition for data elements. Data stewards are more likely to be associated with business functions than IT functions.
  • To the degree that a data user creates university data and/or controls the disposition of university data, he or she has responsibility for the custodial care of that data. Data users share responsibility in helping data stewards and custodians manage and protect data by understanding and following the IT and information security policies of the university related to data use.

When University units create shared data repositories, they take on responsibilities as data custodians. As such, units must work with data stewards to ensure that they understand external regulatory and University policy compliance requirements. Data custodians may not extend the use of University data beyond the initial scope without additional review by the appropriate data steward. When shared data repositories are created on third-party services, special care must be taken to ensure that contracts or service agreements include appropriate security and privacy.

It is the responsibility of the data steward to understand the business needs of the University unit and facilitate appropriate access to the required data. The data steward will also coordinate with the campus Information Security Officer to ensure that adequate security controls are identified and implemented. Should the data steward have questions regarding the legitimacy of the University unit’s business need, the data steward shall validate the need with the data owner.

Data stewards, in consultation with the appropriate Campus Information Security Officer or the Office of Information Security, shall publish processes for requesting and monitoring access to data and periodically audit access to data. Data stewards shall, at least annually, provide the data owner with information regarding the management, protection, and effectiveness of efforts to ensure the integrity and usefulness of university data. For example, the data steward may describe how data is being used, identify data quality issues, and report on compliance issues.

The Chief Information Security Officer shall maintain and publish a list of identified data owners and data stewards for specific data types. The list will also identify the classification of specific data types. Where a single individual maintains multiple roles (e.g., data steward and data custodian), the CISO will provide notice to the Council of Data Owners to ensure the roles do not pose a risk to the University.

III. Definitions

  1. Data Owner is a party or entity identified with and widely recognized to have primary authority and decision responsibility over a particular collection of university data.  The Council of Data Owners list is included on this page.
  2. Data Custodian is any party charged with managing a data collection for a data owner.
  3. Data Steward is a party or entity possessing delegated authority to act on a data owner's behalf.
  4. Data User is any person or party that utilizes university data to perform his or her job responsibilities.

IV. History

  • Originally approved 1/1/13
  • The title of “IT Security Principals” was replaced with the title of “Information Security Officers” effective May 1, 2014.

V. Key Words

Data, governance, information technology, compliance, risk, records, security