Data is a vital institutional asset that must be used legally and ethically, and college records exist for the purposes of the business of the college. Therefore, requests for data are subject to many considerations, including:
- Sensitivity of data being requested
- Compelling institutional need
- Reputational risk associated with the release of the data
- Institutional Review Board Approval
- Staff resource availability
- Compliance (legal) restrictions
The purpose of data governance is to establish a culture that ensures that institutional data is both secure and available to those who should have access to it. This plan offers guidelines and procedures for those who collect, process, or store data, in addition to those who are requesting new access to data for any of those purposes.
3.0 Roles and Responsibilities
Several roles and responsibilities govern the management of, access to, and accountability for institutional data.
3.1 Data Governance Committee
The Data Governance Committee is composed of the designated Data Stewards and Data Trustees from across all functions and departments of the College. Its primary purpose is to provide clear and consistent responses to data requests when needed. The committee will also assist in a yearly review and update of the Vassar College Data Governance Plan and Data Classification Policy.
3.2 Data Trustees
Data Trustees are senior college officials who have planning, policy-level and management responsibility for data within their functional areas. Data Trustees also approve recommendations for information asset Data Classification.
3.3 Data Stewards
Data Stewards are college officials who have direct operational-level responsibility for the management of one or more types of institutional data. Data Stewards are assigned by the Data Trustee and are generally associate vice presidents, directors or managers. At least annually, Data Stewards review who has access to the data for which they have responsibility.
Data Stewards evaluate information requests, bringing in others as needed to evaluate each request. The Data Governance Committee is a resource for advice. If there is not a clear answer, the Steward makes recommendations to the Data Trustee and Senior Staff.
Data Stewards are also responsible for recommending the appropriate Data Classification of any information asset and reporting violations of data handling procedures.
3.4 Data Managers
Data Managers are individuals who are responsible for data collection, quality control, processing, and management for their functional area.
3.5 Data Users
Data Users are college units or individual college community members who have been granted access to institutional data in order to perform assigned duties or in fulfillment of assigned roles or functions within the college; this access is granted solely for the conduct of college business.
3.6 Systems Administrator
Systems Administrators are Computing and Information Services (CIS) personnel or community members with privileged access to systems or services for the purpose of configuration, maintenance, and support. These users have access to institutional data as a byproduct of their primary job responsibility and are not authorized to grant access to data without permission from the appropriate Data Steward.
Responsible stewardship of Vassar College data is critical to the work of the college and required in order to ensure those with official educational or administrative responsibilities are able to access and rely on the accuracy and integrity of the data. Data Stewards are expected to comply with the following procedures and manage data within their care in a manner that is consistent with legal, ethical, and practical considerations.
4.1 Data Access
Data access is granted to those with legitimate educational or business interest in the data upon approval of the appropriate Data Steward and may require the approval of a Data Trustee. See Figure 1 for a flowchart representing the process.
Improper release, maintenance or disposal of college data may be damaging to the college community and exposes Vassar to significant risk and possible legal action. Those granted access to college data must agree to the following guidelines.
- Maintenance of data must strictly adhere to the policies and procedures of Vassar College. Unauthorized use, disclosure, alteration, or destruction of data is prohibited.
- Data Stewards may grant access to data if it needs to be shared with others. Others seeking data access, including Data Managers and users, must seek approval from the relevant Data Steward before using that data.
- Data may not be released to third parties or others at the college who do not have access to the data without the consent of the appropriate Data Steward, and any release must always comply with all laws and regulations (e.g., FERPA, HIPAA, and GDPR). The institutional need must be demonstrated in order for access to be granted.
- If releasing data involves uncertainty or high risk, the decision is elevated to the Data Trustee and Senior Team.
- Access to and use of data is restricted to the scope of an individual’s work. Data should not be viewed or analyzed for purposes outside of official Vassar business.
- Access is granted for specific purposes and durations; the data may not be used for other purposes or kept beyond its need.
- Personal Data for any individual is solely owned by that individual, and Vassar College has no inherent or automatic right to collect, process, or store personal data beyond the purposes established by this process.
- Any actual or suspected loss, theft, or misuse of data must be reported to the Data Trustee, the Data Steward, and the Information Security Officer immediately.
5.0 Request Flow
- NIST SP 800-53
- Data Stewards and Trustees
7.0 Related Policies
- Responsible Use Policy
- Information Security Policy
- Data Classification Policy
Publication date: January 11, 2021