University Data Stewardship Policy
|Policy:||University Data Stewardship|
|Effective Date:||November, 2006|
|Review Date:||November, 2009|
|Responsible Party:||Information Technology Center|
Introduction and Purpose
The information associated with administrative functions and research activity is a vital asset to the University. As such, maintaining the confidentiality, integrity, and availability of University data is critical to the success of the University. The University expects all stewards and custodians of its administrative and research data to manage, access, and utilize this data in a manner that is consistent with the University's need for security and confidentiality. This policy establishes the methodology by which the University will manage its data. In addition, the policy assigns responsibilities for the control and appropriate stewardship of University data.
MSU is required to establish and enforce this policy by state and federal laws such as the Family Educational Rights and Privacy Act (FERPA) and the US Privacy Act of 1974, in addition to Board of Regents policy 1300.1 and Montana State University Computing Policy 510.00 regarding data security.
- FERPA: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
- US Privacy Act: http://usgovinfo.about.com/library/weekly/aa121299a.htm
- MSU Computing Policies: http://www.montana.edu/wwwitc/manual/compute.html
- MUS Board of Regents Policies: http://mus.edu/borpol/bor1300/bor1300.asp
University Data Stewardship Guidelines: Procedures developed to support this Data Stewardship policy. These procedures are constructed by the University's data stewards and are consistent across all applications.
Data Stewards: The University unit heads (or their designates) who have planning and policy level responsibility for data within their areas and management responsibilities for defined segments of the institutional data.
Data Managers: University officials having direct operational level responsibility for information management related to the capture, maintenance, and dissemination of user data and for any data administration activities delegated by the data stewards.
All University information that is stored, processed or distributed is subject to the specific parameters of the University Data Stewardship Guidelines, Board of Regents policies, Montana state government policies, Montana State University policies, and state or federal laws as they may apply.
Certain types of data are protected by federal and state privacy legislation. Other data are specified as critical to the mission of the University, its colleges and departments and, as such, require that procedural controls protect confidentiality, integrity and availability. Data collected and/or produced under programs supported through external funds may also fall under requirements specific to the funding agency. These specific requirements as well as the general requirements for thoughtful data stewardship outlined in the Data Stewardship Guidelines extend to all forms of the data. Those data that are stored in printed or written reports, transmitted via facsimile, downloaded from the University's administrative or academic computers, and information stored in local office automation systems (including departmental computers and networks) are included.
This policy is not intended to address the release of institutional data to external entities as required by legislation, regulation, or other legal vehicle.
Information, in all forms, is a strategic asset to the University. Protection and appropriate distribution of critical computer and information assets is a fundamental responsibility of the data stewards, but it is also a responsibility of individuals and unit/system managers throughout the University as well. For example, in cases where University information is used locally, or takes forms other than that protected within central computing resources, protection is incumbent upon each individual user.
This policy establishes responsibilities for information availability, integrity and confidentiality. The University Data Stewardship Guidelines are based on two basic premises:
- That the greatest benefit of data is gained through its shared and thoughtful use but diminished through misuse, misinterpretation or unnecessary restrictions to its access; and
- That the University is the owner of all university data. Further, the data stewardship model is designed to achieve an appropriate mix of three core values-availability, integrity and confidentiality.
Per section 510.20 of the MSU System Security Policy 500.00, all data shall be classified in one of four categories:
- Restricted: All data which, if released in an uncontrolled fashion, could have substantial fiscal or legal impacts on the University. Examples include sensitive or proprietary research data, or personal data containing elements such as Social Security numbers, or student grades.
- External: All data belonging to an outside party or agency. Examples include data maintained by commercial account owners and certain researchers who have special data arrangements with public or personal agencies.
- Personal: All data equivalent to personal documents stored in desks or file cabinets. Examples include electronic mail, personal correspondence, and personal files, including some personal research files.
- Public: All data that is not restricted by one of the above classifications. Examples include campus directory information and matters of pubic record.
The definitions and specific requirements for these classifications are discussed in the University Data Stewardship Guidelines, and associated procedure.
All University employees and students are responsible for understanding the procedures and related terms and conditions under which they are to acquire, use, and store University data. The University Data Stewardship Guidelines, the University's policy on Appropriate Use of Information Technology Resources, and other policies and procedures related to information and information technology use are available on the MSU Policy and Procedure Web site available at http://www2.montana.edu/policy/ and shall be considered as appendices to this policy.
Responsibilities are also assigned to specific individuals and groups as part of the data stewardship effort. These include: data stewards and data managers. These specific responsibilities are detailed in the University Data Stewardship Guidelines.
As data are developed, the individual(s) responsible for the creation or collection of the data are responsible for identifying the data’s relationship to the University Data Stewardship Guidelines, to assure that storage and access of the data is appropriately managed. This shall include the classification of all views, reports and/or other forms of access in which these data are expressed.
Student Data (e.g. GIDs, grades, application info): Vice President of Student Affairs and Dean of Students (or approved delegate)
Instructional Data (e.g. faculty teaching loads, student credit hour production, promotion and tenure data): Provost and Vice President of Academic Affairs (or approved delegate)
Alumni Data (e.g. addresses, donor history): Director of Alumni Relations (or approved delegate)
Personnel and Payroll Data, Financial Data: Vice President of Administration and Finance (or approved delegate)
Research Data (e.g. Research Expenditures, Research Personnel and activity, Research Product): Vice President of Research, Technology Transfer, and Creativity (or approved delegate)
Sanctions will be levied in accordance with existing university policy, state and federal law, and commensurate with the severity and/or frequency of the offense and may include termination of employment. Review procedures will be defined in the associated Data Stewardship Guidelines.
The authority to interpret this policy rests with the president and is generally delegated to the CIO and Legal Counsel, in conjunction with the appropriate data stewards.
See University Data Stewardship Guidelines at http://www.montana.edu/itsecurity/guidelines/dsguidelines.pdf