Institutional Data Governance

Policy number: 8.6

Policy section: Information Technology

Revised Date: July 28, 2023

1.  Definitions

Definitions of capitalized terms are set forth in Appendix A.

2.  Policy Statement

Data Governance supports the University’s central mission of teaching, learning, and research. To support the needs of a modern community, institutional data must be accessible, accurate, and must be easily aggregated across the University’s information systems to support the organization’s strategic objectives. The University will maintain a Data Governance Committee on a perpetual basis, with the responsibility of maintaining this policy and the structure of data management at the University.

The responsible use of data means that the right people make the right decision at the right time using the right data. The University recognizes the importance of data-driven decision making and has developed this policy to ensure the greatest use of data while ensuring transparency and accountability. This policy recognizes that institutional data is a strategic asset of the University and promotes a philosophy of governance and stewardship throughout the entire lifecycle of data.

3.  Purpose

The purpose of this policy is to:

  1. Establish fundamental principles outlining the management, access, and use of data including creation, privacy, security, integrity, confidentiality, and quality;
  2. Improve the security of the data, including privacy and protection from loss;
  3. Establish common terms and definitions aiding in collaboration and clear ownership; and
  4. Provide a pathway to establish clear accountability and decision rights.

4.  Applicability

All faculty, students, staff, volunteers, contractors and visitors are expected to comply with University Policies, as applicable.

5.  Scope

The scope of this policy relates to:

  1. Data originating from any System of Record;
  2. Institutional Data managed by any SMU group that is used for academic, educational, or administrative purpose;
  3. Paper; and
  4. Electronic data.

This policy recognizes the legal responsibilities of all SMU faculty and staff to protect the security of the University’s data irrespective of the method it is collected or managed.

6.  Process

  1. The University, rather than any individual or group, is the owner of all data. The value of data as an institutional resource is increased through its widespread and appropriate use; its value is diminished through misuses, misinterpretation, inaccuracies, and unnecessary restrictions to its access.
  2. When accessing Southern Methodist University’s data, users must comply with the following principles:
  1. Data should be sourced from the System of Record where possible. The creation of alternate systems (or shadow systems) to track data causes security issues and potential for irreconcilable data issues.
  2. Do not duplicate data unnecessarily. Duplicated data increases risk and complexity by creating synchronization needs.
  3. Comply with all federal, Texas, and other applicable law. Users should collect or access University data for lawful purposes, and only for the intent to add value to the University. Data should never be used for commercial or personal gain.

7.  Classification

  1. It is the responsibility of all personnel at the University to ensure that institutional data are not misused, and are used ethically, according to any applicable law, and with due consideration for individual privacy. Use of data depends on the security levels assigned by the Data Steward. University personnel must access and use data only as required for the performance of their job functions, not for personal gain or for other inappropriate purposes; they must also access and use data according to the security levels assigned to the data.
  2. The institution will protect its data assets through security measures that assure the proper use of the data when accessed. Every data item will be classified by the relevant Data Steward to have an appropriate access level. OIT will provide the technology framework for data access to be provisioned.
  3. All institutional data should be classified into one of three sensitivity levels, or classifications:
    1. Restricted Data - Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted data.
    2. Private Data - Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data.
    3. Public Data - Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates. Examples of Public data include press releases, course information and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.

8.  Institutional Officer Responsibilities

Institutional officers have authority over policies and procedures regarding business definitions of data and the access and usage of that data within their delegations of authority. Institutional Officers appoint Data Stewards for specific subject area domains.

9.  Data Steward Responsibilities

  1. A Data Steward will be assigned for every possible data source and will be responsible for data integrity and data management within their unit. Access to institutional data is typically administered by the unit of the Data Steward. When possible, a role-based approach will be used to govern access to data. Approval by a Data Steward does not provide for a blanket allowance of data usage. Any additional uses must be approved by the Data Steward. Data Stewards are responsible for ensuring the access levels are appropriate. Read only access to administrative information may be provided to employees for the support of institutional business without unnecessary difficulties/restrictions. Any employee or non-employee denied access may appeal the denial to the Data Governance Committee.
  2. Approval by the Data Steward is specific to each request. Data granted for one purpose is not universally granted for all purposes. Each new use case must be approved by the Data Steward in a new request or an amendment to the original request, even if you already have the data.
  3. Data Stewards will:
    1. Assign information under their stewardship to one of three security classifications: restricted, private, or public based upon the information’s intended use and the expected impact if disclosed.
    2. Bear primary responsibility for decisions regarding data usage and handling for the data under their stewardship.
    3. Consistent with the guidelines set forth in this policy, cooperate as appropriate with requests to access data within their control.
    4. Identify and authorize delegates for acting as the Data Steward’s proxy for activities within the Data Steward’s stewardship.

10. Data Access

  1. Access to Institutional Data is granted on a need-to-know basis. Individuals who require access to Institutional Data should complete appropriate training before accessing the data. Appropriate training should align with the type of data individuals will be accessing and using, such as FERPA training for those accessing or using student data. Evidence of completed training should be provided before granting access to the requested data and shall be reviewed and approved by the Data Steward (see Section 9 for Data Steward Responsibilities).
  2. Access to Private or Restricted Institutional Data must be approved by the Data Steward, in coordination with their Institutional Officer for the specific set(s) of data sought.
  3. Cases where data is being sought or requested on behalf of any type of human subjects research, including data to be used in conference presentations, or publications, please consult SMU Policy 10.10 Human Subjects in Research. In the case that data is being requested from Development and External Affairs, please consult SMU Policy 5.1 Constituent Data in Support of Development and External Affairs Initiatives.
  4. In the case where access is denied by the Data Steward or associated Institutional Officer, an appeal can be made to the Data Governance Steering Committee (DGSC).
  5. Access to Institutional Data will be restricted based on the level of sensitivity of the data. Restricted Data (the most sensitive classification level), such as social security numbers and credit card information, will be restricted to only authorized individuals who require access to perform their job duties.

11. Data Protection

  1. All individuals who have access to Institutional Data are responsible for protecting the confidentiality, integrity, and availability of the data.
  2. Data must be stored and transmitted securely, following all applicable laws, regulations, and industry standards. This includes, but is not limited to, the use of strong passwords, encryption, and secure storage locations.
  3. In the event of a data breach, individuals who have access to Institutional Data must report the incident to the appropriate University authority immediately. See Policy 8.2 Information Security, Section 5, Paragraph d for more information on this topic

12. Data Use

Institutional Data may only be used for legitimate University business purposes. The use of institutional data for personal gain or for any illegal or unethical purposes is strictly prohibited. See Policy 8.1 Acceptable Use for more information on this topic.

13. Questions

The CIO, as the designated Responsible Officer, or designee shall be responsible for interpretation of this policy, resolution of problems and conflicts with University policies, departmental policies, and special situations. The CIO, in collaboration with the Data Governance Steering Committee, may grant exceptions to this policy and/or standards after a formal review as outlined above.

Appendix A: Definitions

“CIO” refers to the Chief Information Officer of the University.

“Data Governance” means a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.

“Data Integration” refers to the combination of data from multiple systems or applications. Additionally, there are circumstances where data can be used for analytics. In these cases, the Data Steward, University IT governance structure (including Data Governance, IT Leadership, and Enterprise Applications) will determine the appropriateness of the data use. Specific information about Data integration procedures resides within the Office of Information Technology.

“Electronic Data” refers to any information stored on a computer system generated either by manual entry or through an automated process.

“Institutional Data” refers to data elements that are aggregated into metrics relevant to operations, planning, or management of any unit at Southern Methodist University

“Institutional Officers” are elected by the Board of Trustees annually and include a President, several Vice Presidents, Secretary, Treasurer, and such other executive and administrative officers as the Board of Trustee may determine.

“Non-Public Information” is defined as any information that is classified as Private or Restricted Information according to the data classification scheme defined in this Guideline.

“Restricted Data” means data classified as Restricted, according to the data classification scheme defined in this policy. This term is often used interchangeably with confidential data or Personally Identifiable Information as defined in University Policy 8.2, Information Security.

“System of Record” holds official values of institutional data. An official value is the most accurate representation of data stored as a fact.

Revised: July 28, 2023

Adopted: January 2, 2019