Institutional Data Policy

Statement and Purpose


This policy presents the principles of data management that are to be applied in the collection, management, storage, usage, and protection of Institutional Data by the University in the fulfillment of its mission and business practices.

This policy provides a structure for a formal system of data governance and data management. This policy will establish roles and responsibilities for the management of Institutional Data, standards for data management, strategies for data quality and integrity, appropriate security and access controls as identified by our data security standards, and creating a culture of skillful and responsible data utilization.

*Note: This policy does not outline the specific requirements for the archiving, retention, destruction, or preservation of institutional data records. Information specific to these processes will be outlined in a separate data retention policy


Entities Affected By This Policy

All departments, employees, and others who have access to Institutional Data.

Institutional Data Definition

Institutional Data is any information created, collected, maintained, transmitted, or stored by or for the university to conduct university business. Institutional Data is:

  • Data used for planning, managing, operating, controlling, or auditing university functions, operations, and mission.
  • Data collected, created, and maintained for external reporting to outside entities (State of Washington, Department of Educations, other governmental agencies, etc..).
  • Data created by departments or individuals in the performance of employment duties or contracted services.
  • Data that is stored in university owned, operated, maintained, or provided systems – whether maintained in on-campus or in cloud-based systems and resources.
  • Data that is stored outside of university owned and maintained systems – but was collected, created, or maintained in the performance of employment duties or contracted services.
  • Including, but not limited to, information in paper, electronic, audio, or visual/graphic formats.

Reason for the Policy

The purpose of this policy is to protect the university’s Institutional Data while cultivating a collaborative, information-sharing culture. The university classifies Institutional Data in accordance with legal, regulatory, administrative, contractual, intellectual property, ethical considerations, strategic or proprietary value, and/or operational use. This policy will:

  • Declare data to be a strategic asset to improve the quality of service to students, faculty, staff, alumni and friends of the University.
  • Create data standards to ensure data is consistent, reliable and accessible to meet institutional requirements, maximizing the efficiency and effectiveness of business processes.
  • Describe common principles and standards ensuring data integrity, confidentiality, and accessibility.

Table of Contents


Policy Version: 1.1

Responsible Office: Computer and Information Systems
Responsible Executive:
 
AVP for Information Technology
Vice Provost for Academic Affairs

Effective Date: November 7, 2016 
Last Updated:  
November 21, 2016 

 

Roles and Responsibilities


This section defines the roles and responsibilities for the management of Institutional Data. For more details on the division of responsibilities, see the Roles & Responsibilities Chart.

 

Office of Institutional Research (OIR)

The Office of Institutional Research (OIR) provides expertise on Institutional Data essential for reporting and analysis.  Responsibilities Include:

  • Management of metadata, setting data standards, the data dictionary, data definitions and metrics.
  • Definition of data management policies for meeting external reporting requirements.
  • Procedures for how data is stored and recorded for institution-wide use.
  • Communicating and coordinating the calendar for quarterly census and "freezing data" for reporting purposes.
  • Education and training on data best practices, data policies, and procedures.
  • Education and training on the use of data management and reporting tools.

Systems and Data Management Group (SDMG)

The SDMG committee is responsible for inter-business unit communication and decision making regarding data and data systems. SDMG will review data or process changes impacting Institutional Data in advance of implementation to ensure upstream and downstream business operations across the organization will be coordinated. Responsibilities Include:

  • Dissemination of information regarding current issues, changes, and security related to institutional data and systems.
  • Assisting and coordinating the business processes affecting institutional data.
  • Recommendation of business practices and policies that help utilize and align institutional data and systems for organizational success.
  • Identification and resolution of data integrity issues.

Computer and Information Systems (CIS)

Computer and Information Systems (CIS) is responsible for the enterprise software and systems that maintain and store institutional data. CIS provides expertise on system integration, business analysis, software programming, data security, systems design, and server software/hardware, and storage systems.  Responsibilities include:

  • Evaluation, purchase, implementation, and management of data systems.
  • Data security measures to protect data and minimize the risk of data breaches.
  • Integration and synchronization between data systems.
  • Data systems backup and disaster recovery.
  • Resolution of issues with data integrity in and between systems.

Business Unit Data Steward

Every university Data Steward/Manager/Custodian is responsible for implementing and ensuring compliance with this policy in their business units. Responsibilities Include:

  • Development and maintenance of departmental procedures to use systems effectively and protect institutional data.
  • Education and training departmental employees on sound data management principles related to access, use, maintenance, law, and policy of Institutional Data.
  • Establishing accountability for data integrity and resolutions of issues within their business unit and in data hand-offs with other units.
  • Communication and coordination of institutional policies relevant to their respective business unit(s) and initiating corrective action when needed.
  • Communication of data or operational changes to SDMG/CIS/OIR and any related or impacted parties.

Any issues unable to be resolved by these groups or the responsible executives will be raised through existing organizational hierarchy to the Senior Leadership Team.

Definition of Terms


TermDefinition

Data Stewards

Data Stewards are designated university officials whose functional areas of responsibility include the creation or origination of institutional data. They have overall responsibility for managing and maintaining such data.

Data Managers and Custodians

Data Managers and Custodians are individuals assigned specific data management responsibilities by the data steward(s). They typically have operational level responsibility for the management of institutional data in their functional area including methods to create, store, process, transmit, or provide access to institutional data..

Data User

Data Users are individuals that have access to institutional data to conduct university business and operations.

Institutional Data

Institutional Data is any information created, collected, maintained, transmitted, or stored by or for the university to conduct university business. See full definition above.

Personal (Individual) Data

Personal (individual) data is information created, collected, maintained, or transmitted by an individual on university or personally owned systems in the performance of employment duties. Examples of personal data are email communications, personal documents, contacts, tasks, appointments – whether maintained in on-campus or in cloud-based systems and resources. This data is "personal" or "individual" in nature in that it is not shared or used by other departments or employees.

Personal Data includes, but is not limited to, information in paper, electronic, audio, or graphic/visual formats.

Confidential Data

Confidential Data is information that could by itself, or in combination with other such data, be used for identity theft or related crimes; whose public disclosure is restricted by law, contract, University policy, professional code, or practice within the applicable unit, discipline, or profession; or whose value would be lost or reduced by unauthorized disclosure or by disclosure in advance of the time prescribed for its authorized public release. Confidential Data also includes sensitive business information who's disclosure would cause damage the the University's public image or ability to conduct business. See Data Classification Levels for more information

System of Record (SOR)A system of record (SOR) is an information storage system (Banner, Raiser's Edge, etc.) that is the authoritative data source for a given data element or piece of information.

University Purposes

University purposes are the fulfillment of employment responsibilities at Seattle Pacific University, and/or participation in Seattle Pacific University governance processes, which includes participation in University boards, bodies, governing groups, and committees through which members of the University contribute to the operation of the University as it carries out its mission.

Responsible Use Requirements



Quality data is critical to Seattle Pacific University’s organizational success. To be kept and valuable the data must also be both accessible and secured. Members of the university community must comply with the following requirements for responsible use of Institutional Data. They are responsible to protect their credentials (ID card, computer login, etc.) that allow them to access Institutional Data from usage by anyone other than themselves and in accordance with the Computer Acceptable Use policy. 


A: Members of the Seattle Pacific University community may access and use Institutional Data only for University purposes

  1. Members of the University community may not use or disclose Institutional Data to obtain or provide others with a private benefit that is inconsistent with the University’s interests.
  2. Members of the University community may alter, store, and distribute Institutional Data only for University purposes.
  3. Each member of the University community may access Institutional Data only if, and then only to the extent that, he or she needs to do so for a University purpose.

B. Institutional Data must be used, stored, transferred, disseminated, and disposed of in ways that minimize the potential for improper disclosure or misuse.

  1. Members of the University community must comply with all laws (see Data Laws and Regulations), University policies, and contracts that govern the use and release of Institutional Data, especially Confidential Data.
  2. Records that contain Confidential Data shall be properly secured to minimize the risk that the Confidential Data will be accessed, either intentionally or inadvertently, by individuals who are not authorized to see or use the Confidential Data for University purposes.
  3. Records that contain Confidential Data and are no longer needed for University purposes should be disposed of promptly and properly. 

C. Members of the Seattle Pacific University community are individually responsible for the security and integrity of Institutional Data in their possession or control, including their proper storage and disposal.

  1. Members of the University community shall not knowingly create inaccurate or misleading Institutional Data, or deliberately alter or delete accurate Institutional Data to make those Institutional Data, or other Institutional Data, inaccurate or misleading.
  2. Members of the University community may share Institutional Data only with individuals who need to access those Data for a University purpose.
  3. Members of the University community are individually responsible for their own use, storage, dissemination, and disposal of the Institutional Data to which they have access.
  4. All Institutional Data will have a system of record (SOR), which will be the authoritative source for the organization. This data may be duplicated to other university systems for reporting or operational purposes, however it is not considered authoritative outside of the system of record.
  5. Members of the University community who, for University purposes, make Institutional Data available to individuals who are not subject to this Policy should take appropriate action to provide for the proper use, storage, and disposal of those Institutional Data by those individuals, including, when necessary, contractual limitations on the further dissemination of the Institutional Data by those individuals.

Data Quality


The availability to high quality data ensures effective operational decision-making and strategic planning in support of the institutional mission. Dimensions of data quality include integrity, integration, relevance, and timeliness.

  • Data Integrity refers to the accuracy and consistency of data. The overall integrity of data starts with physical and logical integrity of the databases that house them. Users of Institutional Data are responsible for protecting information systems from data corruption, establishing data collection standards and mechanisms for data validation, data synchronization, and error detection to ensure the accuracy of institutional data.
  • Data Integration is the process of combining data from different sources. Data integration promotes conservation of resources, economy, efficiency, and effectiveness. Duplication or redundancy of data in multiple systems should be minimized. Along with the integration and synchronization of critical data elements across source systems, large-scale data integration must occur within an EDW (Enterprise Data Warehouse) which serves as a central repository for historical data preserved from numerous source systems across the university.
  • Data relevance refers to consistency between the data content and the area of interest of the user. To improve business processes and deliver quality services, data users must have access to data that inform them about key dimensions of their work and outcomes of their efforts.
  • Data timeliness is the availability of data at the time they need to be utilized. To be of value, data must be available on a timely basis and on the expected schedule. Data stewards bear responsibility to coordinate with each other and with managers in their functional units to ensure that data are up to date

Data Systems and Integration


All systems and services containing or consuming institutional data must respect, maintain, or enhance the accessibility, integrity, and confidentiality of institutional data.

  • New systems generating or consuming institutional data require evaluation (and/or approval) by CIS prior to purchase or implementation. See the Enterprise Software Acquisition policy for more information. 
  • Data integration between systems or services will be evaluated for compliance with this policy. This may include evaluation and reconciliation of any conflicting business policies or procedures that may differ between these systems or services. 
  • Usage of institutional data by a particular business unit requires informing and obtaining approval from the Data Steward/Manager/Custodian.

Training and Oversight


Unit supervisors/unit administrators or directors are responsible for implementing training and oversight procedures consistent with this Policy for their own units. Links to resources for effective practices for managing confidential data are provided on the Data Classification Levels page.

Institutional Data shall be made accessible or inaccessible according to defined needs and roles.  Institutional Data and Metadata shall be accessible to all in accordance with defined access and use policies and procedures determined by the Data Stewards/Managers/Custodians and the Systems and Data Management Group (SDMG).  Data Stewards/Managers/Custodians will provide agreed upon and appropriate access to other business units with a stated need.
 

Policy Violations 


Violations of this policy may result in disciplinary action, up to and including:

  • the individual's use of information technology resources (such as suspension or termination of access, or removal of online material)
  • the individual's employment (up to and including immediate termination of employment)
  • civil or criminal liability
  • or any combination of the above.

Appropriate sanctions will be determined on a case by case basis by leadership and will depend on the severity and level of negligence involved.


SPU Related Policies and Procedures:


Outgoing links from this page