15.40 – Data Governance
Policy Details
Responsible Executive: Provost and Chief Academic Officer
Responsible Administrator: Privacy and IT Compliance Officer
Scope: NMSU System
Last Updated: 04/20/2020
PART 1: PURPOSE
Consistent with direction from the NMSU Board of Regents and applicable laws and regulations, this rule is adopted:
- To modify the framework of the university’s Data Governance Program, and facilitate timely access to accurate Data by NMSU users;
- To clarify the roles, responsibilities and accountability required of the Data Governance Committee, Data Trustees, Data Stewards, Data Custodians, and Data Users;
- To authorize the Data Stewards to establish, publish and implement Data Governance standards and associated implementing standards of operation (SOPs) for their particular areas of operation, consistent with policy, law and best practices;
- To augment the university’s compliance with applicable laws and regulations; and
- To emphasize the importance of, and to require, effective Data audit capability.
PART 2: DEFINITIONS
Defined terms are capitalized to denote that the term is defined for purposes of this rule.
- Access: The ability to read, write, copy, query, download, delete or transmit Institutional Data.
- Data Custodian: An employee who has operational responsibility for the management of any of the systems that serve as sources of Institutional Data.
- Data Governance: Regulation and protection of Institutional Data through its full life cycle, from creation or acquisition, access and use, to final disposition. A data governance program includes:
  - protection of sensitive data;
  - vulnerability assessment and risk management;
  - enforcement of legal, regulatory, contractual, and architectural compliance requirements;
  - stakeholder identification with defined roles and responsibilities;
  - access management; and
  - data inventory, classification and definition.
- Data Governance Committee: A university board (RPM 2.30) established by the president consisting of the university’s Data Trustees and other senior administrative officials assigned the responsibility to modify, formalize, and implement the university’s Data Governance Program in accordance with regents policies, applicable laws and regulations and this rule.
- Data Steward: An employee, typically a supervisor, designated by the relevant Data Trustee to oversee access and management of a particular subset of Institutional Data.
- Data Trustee: A senior administrator with significant responsibility for a major operational area, who utilizes systems and applications serving as authoritative sources of Data. (See Appendix ARP 15.40 – A for list of major operational areas).
- Data User: NMSU employees or agents whose job duties require access to Institutional Data.
- Institutional Data/Data: Institutional Data (or “Data”) refers to the university’s information resources and administrative records in any form, including but not limited to print, electronic, or audio-visual. Examples include:
  - Data created, acquired and/or maintained by university employees through official job duties;
  - Data created or updated via use of a university computer system;
  - Data relevant to research, planning, managing, operating, or auditing;
  - Data included in official university administrative reports and records;
  - Data within the university’s purview, including records that the university may not own but that are governed by laws and regulations to which the university is held accountable; and
  - Data that pertains to, or supports, the administration and mission of the university.
PART 3: ROLES, RESPONSIBILITIES AND ACCOUNTABILITY
The Data Governance Committee and other data officials listed below are collectively and individually responsible for implementing the NMSU Data Governance Program.
- Data Governance Committee: The Data Governance Committee develops and implements the Data Governance Program for the NMSU system, including the development of data governance policies and rules, as well as general oversight for publication of Data Governance standards and other standards of operation (SOPs) applicable primarily to the work of the Data Stewards and Data Users. The Data Governance Committee may establish subcommittees or assign related tasks to university units or employees.
- Data Trustee: Responsibilities of Data Trustees include:
  - Serve on Data Governance Committee.
  - Ensure access to and safeguard security, integrity and usefulness of their respective areas’ Institutional Data.
  - Identify the sensitivity and criticality of the Data.
  - Ensure appropriate processes are in place to keep Data secure, maximize Data accuracy, and ensure responsible staff are trained regarding the Data Governance Program requirements.
  - Oversee planning and governance to meet data needs of the institution and support Data-driven decision making. Work closely with members of the Data Trustee Council and members of the senior administration to ensure appropriate resources (staff, technical infrastructure, etc.) are dedicated to prioritizing Data needs and enforcing SOPs related to Data management and use.
  - Implement Data Governance rules, as well as the standards and associated SOPs approved by the Data Governance Committee, for compliance with applicable laws and regulations.
  - Serve as liaison to the president and/or Chancellor – NMSU System Community College for Data Governance issues.
  - Designate and supervise Data Stewards within the Data Trustee’s major operational area.
- Data Steward: Responsibilities of Data Stewards include:
  - Establish Standard Operations. Subject to review by the Data Trustees, Data Stewards establish, publish at https://inside.nmsu.edu/datagovernance/, and implement Data Governance standards and associated SOPs.
  - Train Staff. Ensure that staff who maintain Data are trained to follow the Data Governance standards and SOPs.
  - Maintain Data quality. Work with technical and operational staff to create a process to identify data entry errors and correct the Data and data entry processes to meet Data Governance standards. Report to the Data Trustee any issues that may require modifications or enhancements of Data Governance structures or standards.
  - Control and Facilitate Access to Data. Develop appropriate SOPs to control and facilitate access to Data by authorized users to serve the Data needs of the institution.
  - Respond to Inquiries about Data. Receive and respond to any inquiries related to Data they oversee.
  - Monitor System Account Access. Conduct and document regular system account access reviews to Data and systems to meet audit and other requirements.
- Data Custodian: Responsibilities of Data Custodians include:
  - Provide a secure infrastructure in support of the Data. This includes, but is not limited to, physical security, network security, system security, system logging, and secure transmission of the Data.
  - Grant, modify, revoke and document authorization for system access to Data Users based on established policies and rules, Data Governance standards and associated SOPs relating to access.
  - Assist with implementation of university policies and rules, as well as Data Governance standards and associated SOPs relating to Data access.
  - Ensure system availability and adequate response time. Monitor system availability, backup system Data and develop disaster recovery plans; install, configure, patch, and upgrade hardware and software used for Data management; make sure systems are maintained in accordance with policies and/or service level agreements.
  - Participate in setting Data Governance priorities. Provide details on technical, systems, and staffing requirements related to Data Governance initiatives.
- Data User: Responsibilities of Data Users include:
  - Attend training and follow university policies and rules, standards and associated SOPs related to Data management and protection, including those relating to the security, integrity, quality, consistency, handling, and dissemination of Data.
  - Identify areas of need relating to Data management and protection.
  - Report concerns related to Data management and protection to the appropriate NMSU administrator, including any observations or concerns about weaknesses in Data protection; failure to follow Data management policies; or specific issues of quality or integrity of NMSU data.
PART 4: NMSU DATA GOVERNANCE STANDARDS
The Data Governance Committee will work collaboratively with university officials, including the Chief Privacy Officer, Chief Information Security Officer, and Chief Information Officer to ensure the establishment of uniform university Data Governance rules, standards and associated SOPs, including, but not limited to:
- Data Inventory;
- Data Classification;
- Data Safeguards;
- Data Sharing and Usage;
- Data Dictionary and Definitions;
- Data Entry and Reporting;
- Identity and Access Management;
- Data Security; and
- Data Privacy and Regulatory Compliance.
PART 5: DATA GOVERNANCE TRAINING
- NMSU will train its employees on the NMSU system’s Data Governance Program, including all policies and rules, as well as the Data Governance standards and SOPs that apply within their major operational area. Each Data Trustee is responsible for ensuring that each new hire, incumbent employee, or other person granted access to Institutional Data within their major operational area receives the appropriate training in a timely manner. After initial training, updates will be provided on a periodic or as-needed basis.
- To ensure compliance with the data privacy regulatory training requirements, some NMSU employees will be required to participate in data privacy compliance training, which may be offered pursuant to Rule 3.19.25 – Mandatory Employee Training and Other Professional Development Opportunities.
- Official training logs and certificates will be maintained in the institutional training system maintained by Human Resource Services’ Center for Training and Professional Development.
Related
Cross-Reference:
RPM 15.30, Information Technology Governance
ARP 15.41 – Data Classification
RPM 15.50, Information Data Security
ARP 14.10 – Records Integrity and Retention
ARP 15.60 – Management of Health Information – HIPAA Compliance
ARP 15.62 – Protection of Federal Information – FISMA
ARP 16.01 – Criminal Justice Information Services Security (See Part 4)
ARP 18.40 – Inspection of Public Records
Revision History:
04/20/2020 Adopted by Chancellor