Information Services Data Governance Policy
Information and data constitute valuable Connecticut College assets. The purpose of data governance is to establish a culture that ensures institutional data is both secure and available to those who should have access to it. This policy establishes the methodology by which the college will manage its data and assign responsibilities for the control and appropriate stewardship of college data. College records exist for the purposes of the business of the college.
This policy applies to all Connecticut College faculty, staff, student, affiliates, and contractors. The policy should serve as useful guidance to data owners, data custodians, users and seekers alike. The policy governs the privacy, security, and confidentiality of College data especially highly sensitive data, and the responsibilities of institutional departments and individuals for such data. This may include data collected from students, faculty, staff, contractors, members of the community, or those who have no affiliation with the College.
3. Definitions and Authority
“Critical data elements” are defined as “the data that is critical to success” in a specific campus business area, or “the data required to get the job done.” Data elements are data attributes used in running the college business. Note that data that is critical in one business area may not be critical in another.
“Data dictionary” describes the meaning of a data element, i.e., metadata. Data element definitions are critical for external users of any data system.
“Data Owner” are college officials who have direct operational-level responsibility for the management of one or more types of institutional data. The delegation of this authority and responsibility is assigned by a Sr. Administrator and are generally deans, directors or managers.
“Data Custodian” - An individual who has been authorized to be in physical or logical possession of data by the Data Owner.
“Data Stewardship Committee” is a planning, procedures and oversight committee composed of campus Data Owners. They discuss, propose, advocate and review policies and standards surrounding the classification, access and use of data.
“Data User” are college departments or individuals who have been granted access to institutional data in order to perform their assigned duties.
“Encryption” Encryption is the conversion of data into a form that is unreadable by an unauthorized user or process. Encrypted data must be decrypted (converted back to original form) prior to use.
“Personally Identifiable Information (PII)” is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.
“Enterprise and Technical Systems” ETS is responsible for the operation and maintenance of the College information technology systems. With respect to information technology security, ETS’s responsibilities include establishing security awareness and training, maintaining compliance with college, state and federal security policies and standards in all information technology system activities, and maintaining compliance with requirements specified by data owners for the handling of classified data processed by the system.
Responsible stewardship of Connecticut College data is critical to the work of the institution and required in order to ensure those with official educational or administrative responsibilities are able to access reliable and accurate data. This policy establishes key roles and responsibilities for protecting confidentiality, integrity, and availability of college data. In cases where college information is not stored in electronic form or, is used locally and takes forms other than those protected within central information systems, protection is the responsibility of the relevant business area data owner, data custodian and data users.
Individual units or departments that have stewardship responsibility for portions of protected college data must establish internal controls to ensure that college policies are enforced. All users, not just Data Owners, or Data Custodians are responsible for the security and privacy of the data they access or store, as prescribed in this policy.
Access to protected data, as defined by this policy, is granted to those with a legitimate educational or business need, upon approval of the appropriate data owner and may require the approval of a Sr. Administrator. Faculty and staff accessing institutional data must observe the requirements for privacy and confidentiality, comply with protection and control procedures, and accurately present the data used in any type of reporting function. Improper release, maintenance or disposal of college data may be damaging to the college and exposes Connecticut College to significant risk and possible legal action.
Those granted access to college data must agree to the following guidelines.
- Maintenance of data must strictly adhere to the policies and procedures of Connecticut College. Unauthorized use, disclosure, alteration or destruction of data is prohibited.
- Data owners, as defined in this policy, may grant access to data if it needs to be shared with others. Others seeking data access must seek approval from the relevant data owner before using that data.
- Data may not be released to a third-party or others at the college who do not have access to the data without the consent of the appropriate data owner.
- Data access must always be granted in compliance with all laws and regulations (e.g., FERPA, HIPAA, and GDPR). If uncertainty exists for releasing data, the decision will be elevated to the Sr. Administrator.
- The institutional need must be demonstrated in order for access to be granted to highly sensitive data.
- Access to and use of data is restricted to the scope of an individual’s responsibilities. Data should not be viewed or analyzed for purposes outside of official college business.
- Access is granted for specific purposes and durations, the data may not be used for other purposes or kept beyond its need.
- All data must be used, transmitted and stored according to the Data Classification Policy.
- Any actual or suspected loss, theft, or misuse of data must be reported to the data owner and the Information Security Office immediately.
Data Owner Responsibilities
1. Manage data set within their business responsibility including classifying the data and assigning the correct level of access to the data.
2. Ensure that access and protection requirements are consistent with college data security policies and the data classification are in place and responsive to business needs.
3. Developing internal controls to ensure data security, integrity, and privacy in their area.
4. Understand which applications consume the data within their area.
5. Ensure and monitor the accuracy and quality of data input and output within their area.
6. Communicate data protection requirements to the Information Security Office.
7. Annually review with appropriate data custodians the current set of highly sensitive data access authorizations and, as appropriate, update authority granted each user.
8. Ensure that authorized users of highly sensitive data are trained on their responsibilities associated with their approved access to that data.
9. Developing and maintaining metadata for critical data elements.
10. Establish policies and direction for the overall security and privacy of college data, particularly highly sensitive data, within their respective areas of responsibility.
11. Report any possible breach in computer security or illicit use of highly sensitive data to the Service Desk who will then notify the Information Security Office.
12. Review appeals to any decision to deny access to college data to individuals within their area of responsibility.
13. Work with the Data Custodians within their areas of responsibility.
14. Help to remediate data and data-related issues and problems.
Data Custodian Responsibilities
1. Protecting the data in their possession from unauthorized access, alteration, destruction, or usage.
2. Ensure that change management practices are applied in maintenance of the data for their business area
3. Guarantee that processes exist and are being followed for data quality issue resolution
4. Ensure Access to the data in your business area is authorized and controlled
5. Use information technology systems in a manner consistent with college policies and procedures.
Data Stewardship Committee Responsibilities
The Data Owners will serve on this Committee. The Director of Systems, Servers and Security will initially serve as chair of this Committee. The chairmanship of this Committee will rotate annually among its members
1. Create and maintain campus data dictionary.
2. Develop consistent data definitions.
3. Develop and adhere to data standards created by the institution.
4. Collaborate on data integration requirements.
5. Communicate critical uses of data on which other college departments depend.
Enterprise and Technical Systems Responsibilities
1. Provide all users of College systems required information technology security awareness training based on their role at the College and prior to, or as soon as practicable after, receiving access to the system in accordance with the Security Awareness Training Policy.
2. Manage system risk and develop any additional information security procedures required to protect the network and technology systems in a manner commensurate with risk.
3. Maintain compliance with the college information technology security policies and standards in all information technology system activities.
4. Maintain compliance with requirements specified by data owners for the handling of data processed by the system.
4.2 Requests For Protected Data
Requests by the public for protected data made through the Connecticut Freedom of Information Act or other applicable law will be reviewed by the Vice President of Communications prior to any release of data.
5.1.1 The college forbids the disclosure of protected data in any medium except as approved in advance by a data owner. The use of any protected college data for one’s own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity is strictly prohibited. Every user will be responsible for the consequence of any misuse of college data.
5.1.2 Should a security breach occur, the Information Security Incident Response Team will investigate and discuss with the Chief Information Security Officer, Associate VP of Enterprise and Technical Systems and the Vice President of Information Services whether or not to escalate the incident to the college cyber insurance provider. The Vice President for Human Resources will review all matters involving college employees. The Dean of Students will review all matters involving students. The Vice President of Information Services will review matters involving individuals not affiliated with the college.
5.1.3 All individuals accessing college data at Connecticut College are required to comply with federal and state laws and college policies and procedures regarding data security of highly sensitive data. Any college employee, student or non-college individual with access to college data who engages in unauthorized use, disclosure, alteration, or destruction of data is in violation of this policy and will be subject to appropriate disciplinary action, including possible dismissal and/or legal action.
5.1.4 The ETS/Information Services will verify compliance with this policy through various methods, including but not limited to, periodic walkthroughs, application tools reports, internal and external audits, and feedback.
5.1.5 Any exception to the policy must be approved by the Information Security Office in advance and documented in accordance with the Information Security Exceptions Tracking procedure.
5.1.6 Non-compliance of this policy and procedures may result in disciplinary action, following the disciplinary processes of the College for faculty and staff. The Vice President of the Administration Division will determine whether to initiate the disciplinary process.
This policy was approved on 05.14.2019.