Institutional Data Stewardship Model
INTRODUCTION
The following Institutional Data Stewardship Model recognizes data as a university asset which, like other resources, must be managed with overall utility and cost/benefit in mind. Based on the philosophy that the greatest benefit of data is gained through its shared and thoughtful use but diminished through misuse, misinterpretation and unnecessary restrictions to its access, the model establishes requirements for the management and protection of institutional data as provided in University Policy 1205: Institutional Data Stewardship. It is designed to achieve an appropriate mix of three core values - availability, integrity and sensitivity - which are described below along with the associated assumptions under which James Madison University's data repositories shall be administered and used.
- Availability. The University is the owner of all information captured using University resources and assets. As such, the University is responsible for providing guidelines and procedures which will support ease of use and access to data according to the authorized and legitimate needs of members of the University community.
- Integrity. The university community has a right to expect the integrity of institutional data. Data should be collected and maintained, therefore, to guarantee its consistency, reliability, timeliness and accuracy and to avoid duplication and disparity across databases. Appropriate security measures should be provided which will protect institutional data from compromise or unauthorized access, modification, destruction or disclosure. Individuals share responsibility and are accountable for their use and access of the university's data repository, requiring on-going education on the part of those who use and care for it.
- Sensitivity. University data should be available to meet the legitimate needs of members of the University community including personal access to the information stored about them in University data repositories. It is understood, however, that some data may be subject to legal and ethical considerations which define and regulate its responsible use. Provisions to not only increase the University community's understanding of the data itself but also to maximize sensitivity to appropriate uses of all information, especially information that is considered "confidential," should be central to the university's data stewardship model. For purposes of this document, legitimate access is further defined as access which provides information necessary for users to carry out assigned duties or to fulfill a role or function.
The University is considered the DATA OWNER of all university data; individual units within the institution may have stewardship responsibilities for portions of the data.
DATA STEWARDS are senior University officials (or their designates) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of the institutional database. Data Stewards as a group (the Data Stewardship Committee or DSC) are responsible for:
- establishing and maintaining the university-wide Institutional Data Stewardship Model
- establishing policies and direction for overall institutional data management.
DATA USERS are individuals, including faculty, staff, administrators and students, who need and use University data as part of their assigned duties or in fulfillment of their roles or functions within the University community.
DATA ADMINISTRATION is the function of applying formal guidelines and tools to manage the university's information resource. Responsibility for activities of data administration is shared among the data stewards, data managers, data users, and Information Technology (IT).
COMPUTER SYSTEM ADMINISTRATION is the function of maintaining and operating hardware and software platforms (system environments). Responsibility for the activities of computer system administration may belong to Information Technology or to other divisions or departments within the University.
UNIVERSITY DATABASE
Data may reside in different automated systems and in different physical locations, but in aggregate these data may be thought of as forming a single, shared, logical database or UNIVERSITY DATABASE (UDB). The university database consists of information represented in "data elements" and "data views" necessary to the functioning of the University, regardless of whether the data is used or maintained by administrative or academic units.
Data Elements
A data element is considered institutional data and part of the UDB if it satisfies one or more of the following criteria:
- It is relevant to planning, managing, operating, controlling, or auditing administrative functions of an administrative or academic unit of the University.
- It is part of a University sensitive information system.
- It is generally referenced or required for use by more than one organizational unit. Data elements used internally by a single department or office typically are not part of the University's UDB.
- It is used to derive an element that meets the criteria above.
Data elements which meet the criteria for inclusion in the UDB may be identified as such by a data steward, data manager, IT, a data user or user group.
Data Views
A data view is a logical collection of data elements, assembled and presented according to a prescribed set of rules. The data stewards will work with data managers and data users to define standard views of administrative data.
A data extract, which captures data at a fixed point in time and often moves it physically to a secondary storage location, is not a data view. A data view typically assembles the most current or recent data from their primary storage location at the time they are requested.
Data views may be established in order to combine data from multiple sources, separate data into smaller and more manageable subsets, or isolate data according to confidentiality or restriction characteristics, so that access to the resulting subset may be more widely distributed.
DATA ACCESS
The capability to view and/or update data contained in the UDB should be granted to data users according to their role and function within the University community for legitimate University purposes only, subject to confidentiality rules and relevant state/federal laws. The data stewards are ultimately responsible for the security and integrity of the data maintained within their functional areas. All levels of management, however, are responsible for ensuring that all data users within their areas of accountability are aware of their responsibilities as defined in this model.
The extent of access privileges will be defined and established according to the role and function of each user's university position or classification rather than on an individual basis. If a user is promoted or changes positions within the university, that individual's privileges will also change depending upon the new role or position.
Data Collection and Maintenance
The data steward is ultimately responsible for complete, valid, reliable, and timely institutional data collection. Operational responsibility for data collection, maintenance and dissemination is a function of the data managers and can be delegated to specific individuals. Further delegation and decentralization of data collection and maintenance responsibility may occur to ensure that: electronic data are collected and maintained as close as possible to the source or creation point of the data as identified by the data manager, independent of what office or individual within the University needs the data, and each manual or computer process through which data are passed adds some value to the data.
Data Classification for Viewing and Reporting
Permission to view or query data contained in the University database should be granted to all data users for all legitimate university purposes. As part of the data definition process, data managers will assign groupings of data or data views in the University database to one of three categories: public, internal general, and internal restricted.
PUBLIC DATA are data which have no access restrictions whatsoever and which may be released to the general public, such as information designated as "Directory Information" under University policy pertaining to the Family Educational Rights and Privacy Act.
INTERNAL GENERAL DATA are data which are not legally restricted and which may be accessed, without restriction, by university employees in the performance of official University business.
INTERNAL RESTRICTED DATA are data subject to access restrictions under the law or through internally or externally imposed constraints which may not be accessed without specific authorization or to which only limited access may be granted. The designation of data as internal restricted will include: specific reference to the legal, ethical, or other compelling reason which requires the restriction; a description of what categories of data users are typically given access to the data; a description of the conditions or limitations under which access is permitted.
To the extent possible, data managers through the Data Access and Policy Implementation Committee will work together to define a single set of procedures for requesting permission to access internal restricted data elements in the UDB and will be jointly responsible for documenting these common data access request procedures. Each data manager will be individually responsible for documenting data access procedures that are unique to a specific information resource or set of data elements. These procedures will ensure ease of access and data security.
Any data user may request that a data steward, or the Committee of Data Stewards, review the restrictions or lack of restrictions placed on a data element or data view, or review a decision to deny access to internal restricted data.
DATA SECURITY
The data managers will be responsible for assigning data access classifications and determining rules for validation and maintenance of institutional data. In addition, data managers are responsible for developing, monitoring and reviewing security controls and data access procedures.
The data stewards will be ultimately responsible for defining and implementing policies and procedures to ensure that data are backed up and recoverable in response to events that compromise data integrity. The Database Administration staff of IT may assist in this effort.
DATA INTEGRITY
Applications that capture and update UDB data should incorporate edit, validation, and completeness checks to assure the accuracy and integrity of the data.
The accuracy of any element can be questioned by any authorized user. The data user has the responsibility to help correct the problem by supplying as much detailed information as available, sufficient to permit understanding and diagnosis of the problem. The data manager is responsible for data integrity and should respond to questions about the accuracy of data and correct inconsistencies if necessary. Upon written identification and notification of erroneous data, corrective measures should be taken as soon as possible to: correct the cause of the erroneous data; correct the data in the official storage location; notify users who have received or accessed erroneous data.
DATA DOCUMENTATION
Documentation of data elements is the ultimate responsibility of the data steward although some or all of these responsibilities may be delegated to the data managers. The University will provide a mechanism for documenting data contained in the UDB. The documentation will include information sufficient to relay the definition and use of the data element to the data user.
DATA AVAILABILITY AND INTEGRATION
Data stewards are responsible for providing accessible, meaningful, and timely institutional data in machine-readable format for access by users for University use.
Data stewards and IT share the responsibility for data compatibility, accessibility and interfaces among institutional data elements residing in various segments of the UDB.
Data stewards, IT and the database administrator will work together toward unification of the various data element coding structures and data storage formats which exist in various segments of the UDB.
Data users will be responsible for following the standards in their use and interpretation of the data resulting from their integration with other institutional and department data.
USER RESPONSIBILITY AND TRAINING
User Responsibility - All users having access to restricted portions of the UDB should formally acknowledge, in writing, their understanding of the level of access provided to them and their responsibility to maintain the confidentiality of the data. Formal acknowledgment should be included as part of their orientation to the University Community and should occur before user IDs and passwords are granted. Data users are responsible for all transactions occurring during the use of their passwords and IDs.
Users will respect the confidentiality and privacy of individuals whose records they access, observe any ethical restrictions that apply to data to which they have access, and abide by applicable laws and policies with respect to access, use, or release of information.
User Support and Training - The data stewards and data managers responsible for each major segment of UDB will define, in consultation with the data users, the extent of support for data access and interpretation which is to be made available to users of these data.
Data stewards will provide user support through training, documentation and consulting services to assist data users in the interpretation and appropriate use of data elements in the UDB as well as the use of information access tools and technologies. This responsibility may be delegated to the data managers who may be assisted through other University offices such as Information Technology.
The data users will be held responsible for following the standards for the use and interpretation of data which they access as part of the Performance Planning and Evaluation process.
SUMMARY OF DEFINITIONS
Computer System Administration - The function of maintaining and operating hardware and software platforms or system environments.
Data Access - Refers to permission to view, query or report data contained in the University Database.
Data Access and Policy Implementation Committee (DAPI) - A group comprised of data managers which has responsibility for implementing data management policy, defining and classifying data, training, and addressing data access and policy implementation issues.
Data Administration - The function of applying formal guidelines and tools to manage the university's information resource.
Data, Internal General - Data which are not legally restricted and which may be accessed without restriction, by university employees in performance of official University business.
Data, Internal Restricted - Data which are subject to access restrictions under the law or through internally or externally imposed constraints. Access to Internal Restricted Data may be limited or require specific authorization.
Data Managers - University officials having direct operational level responsibilities for information management related to the capture, maintenance, dissemination and use of data.
Data Owner - The University is owner of all university data.
Data, Public - Data which have no access restrictions and which may be released to the general public.
Data Stewards - Senior university officials or designates having planning and policy-level responsibilities for data within their functional areas and management responsibilities for defined segments of the institutional database.
Data Stewardship Committee - A group comprised of data stewards which has responsibility for establishing and maintaining the university-wide University Database Model and establishing policies and direction for overall institutional data maintenance.
Data Users - Individuals who need and use university data as part of their assigned duties or in fulfillment of assigned roles or functions within the university community.
Institutional Data - Data that qualifies for inclusion in the University Database as defined below and on page 2 of the Data Stewardship Model.
Institutional Data Stewardship Model - A construct which establishes guidelines for the management and protection of institutional data.
University Database (UDB) - A term used to identify that body of data necessary to university planning, management and business operations of both administrative and academic units.


