Data Stewardship Policy
Date of Current Revision: December, 2010
Responsible Officer: Assistant Vice President for Information Technology
This policy establishes the methodology by which the university will manage its data and assigns responsibilities for the control and appropriate stewardship of university data.
The Board of Visitors has been authorized by the Commonwealth of Virginia to govern James Madison University. See Code of Virginia section 12-164.6;23-9.2:3. The board has delegated the authority to manage the university to the president.
Individuals or organizations in physical or logical possession of data for the university (data owner).
University officials having direct operational level responsibility for information management related to the capture, maintenance, dissemination and use of data and for any data administration activities delegated by the data stewards.
The university is the owner of all data collected, stored and/or managed by university employees or using university resources. Collectively all data owned and/or managed by or on behalf of the university is referred to as the University Data Resource.
The university vice presidents (or their designees) who have planning and policy level responsibility for data within their areas and management responsibilities for defined segments of the university data resource.
Data Stewardship Standards:
Procedural requirements developed to support the Data Stewardship policy. The Data Stewardship Standard was developed by the university's data managers in cooperation with Information Technology and approved by the data stewards. To provide consistent control and security relative to a particular data item, these standards apply across all information systems and uses of the data.
Highly Confidential Data:
University data which, because of its associated legal restrictions or potential security ramifications, is authorized for use only on a very limited basis and only with special security precautions.
Personal data and/or other information worthy of protection and discretion in its distribution and use; this type of university data is individually requested and approved by a data manager for a specific business use and is subject to the general provisions associated with university information security.
University data which can be shared without restriction to the general public (e.g. university course listings, publicity and news articles, directory listings, etc.)
The university manager responsible for implementation and operation of a university system at the direction of the System Owner and appropriate Data Steward/Data Manager. The System Manager oversees the System Administrator who provides day-to-day administration and implements security controls and other capabilities as assigned.
The university individual/organization responsible for working in cooperation with Information Technology to define requirements, select an IT system, and direct its operation to assure functional outcomes in keeping with university objectives and mission.
University Data Resource:
Data owned by the university may reside in different automated systems and in different physical locations, but in aggregate these data may be thought of as forming a single, shared resource. This resource consists of information represented in a variety of data elements, types and forms maintained by individuals, administrative/academic units or business partners to provide functionality to the university. All such data owned and managed by or on behalf of the university is considered part of the University Data Resource.
All university information that is stored, processed or distributed is subject to this policy and the more specific provisions of the Data Stewardship Standard. Other university policies and state or federal laws may also apply.
Certain types of data are public. Others types of data have usage restrictions, are protected by federal and state privacy legislation, or are critical to the mission of the university or the functioning of its colleges, departments, or programs. The latter data types require controls that protect confidentiality, integrity and availability. General instructions as well as specific requirements for thoughtful data stewardship are outlined in the Data Stewardship Standard and extend to all forms of the data. For example, those data stored in printed or written reports, transmitted via facsimile, downloaded from the university's various administrative or academic systems, and information processed or stored using local systems (including but not limited to departmental servers, networks or individual-use devices) are included.
Information, in all forms, is a strategic asset of the university. Distribution and appropriate protection of computer and information resources is a fundamental responsibility of Information Technology. This policy establishes key roles and responsibilities for protecting confidentiality, integrity and availability of university data. However, individuals and unit/system managers throughout the university share this responsibility. For example, in cases where university information is not stored in electronic form or is used locally and takes forms other than that protected within central computing systems managed by IT, protection is incumbent on the relevant unit/system manager and the individual user.
This policy is based on four basic premises:
All data shall be classified in one of three categories:
Requirements for each classification (public, protected, highly confidential) are included in the Data Stewardship Standard. Several of these requirements are worthy of specific note and are considered university policy:
The Data Stewardship Standard shall include a list of authorized data managers along with their scope of data management responsibility. Data items classified as highly confidential shall also be listed along with the additional procedures required for their use.
All university employees, students, affiliates and others granted access to university data or information systems are responsible for understanding the terms and conditions under which they are to acquire and use university data. The Data Stewardship Standard, the Appropriate Use of Information Technology Resources policy (1207), the Information Security policy (1204) and other policies and procedures related to data and information technology use are available on the Information Technology policy website and shall be considered as appendices to this policy.
Responsibilities are also assigned to specific individuals and groups as part of the data stewardship effort. Primary among these are Data Stewards, Data Managers, and System Owners. Specific responsibilities are detailed in the Data Stewardship Standard and related policies and procedures.
As new data items are developed, the individual(s) responsible for the creation or collection of the data are responsible for identifying its relationship to the Data Stewardship Policy and Standards to assure that storage and access of the data is appropriately managed. This shall include working with Information Technology to identify the appropriate data manager.
Data managers shall ensure appropriate classification of university data and work with Information Technology to establish necessary security and access controls for data in electronic form.
Data managers are also responsible for providing guidance to departments and individuals regarding collection, processing, storage and retention of university data using manual or electronic information systems.
Sanctions will be commensurate with the severity and/or frequency of the offense and may include termination of employment
The authority to interpret this policy rests with the president and is generally delegated to the Assistant Vice President for Information Technology, in conjunction with the appropriate Data Stewards
Previous version: February, 2009
Approved by the President: February, 2009