Post on 25-Dec-2015
1
UH DATA GOVERNANCE
IT All-Campus WorkshopJune 19, 2015
Sandra Furuto UH System Office of the Vice President for Academic Affairs
What is Data Governance and Issues Around it
2
OVPAA|June 2015 3
What is Data Governance (1)
“The formal orchestration of people, process, and technology to enable an organization to leverage data as an enterprise asset.”
— The MDM Institutehttp://0046c64.netsolhost.com/whatIsDataGovernance.html
OVPAA|June 2015 4
What is Data Governance (2)
DG is a framework that enables us to effectively manage data Defines how data are collected, stored, and used Defines who can access data, when, and under what
conditions Establishes decision rights Establishes clear lines of accountability Gives a voice to all appropriate parties Provides a mechanism for conflict resolutions
involving data
OVPAA|June 2015 5
UH Data Governance Issues
Lack of clarity on access and data requests (where to go, who to ask, etc.)
No clear lines of accountability Reliance on local solutions Unnecessary duplication of University data No defined escalation procedures Insufficient education and training on handling sensitive
data Lack of compliance with government and industry
regulations (FERPA, HIPAA, HRS 92F, HRS 487N, PCI-DSS)
OVPAA|June 2015 6
Impact of Non-Compliance Loss of federal financial aid funding (FERPA) Financial fines (HIPAA, PCI-DSS) Class action law suits Misdemeanor charges Financial expenses Loss of reputation Additional legislative scrutiny Unfavorable publicity
UH Data Governance Program
7
OVPAA|June 2015 8
UH DG Vision Statement
Data governance at the University of Hawai‘i fosters a culture of shared responsibility and active participation among members of the University community in the stewardship of data and information entrusted to the University. UH’s institutional data governance philosophy is
grounded in the University’s core values of institutional integrity, service, collaboration, and respect, and its commitment to excellence and accountability.
Scope of UH Data Governance
Examples: Student (student name, ID number, grades); Employee (name, job title, payroll information)
Examples:Banner (System with Student Data)PeopleSoft (System with HR Data)KFS (System with Financial Data)
“Institutional Data”
refers to
data created, received, maintained, and/or
transmitted by UH in the course of meeting its
administrative and academic requirements.
“Institutional Data System ”
refers to
any data repository owned/maintained by UH that collects and stores Institutional Data. These repositories house
transactional and analytical (decision support) types of
Institutional Data.
9
OVPAA|June 2015
DG Scope and Structure
10
Senior Executives/Chancellors
BANNER(Students)
Data Governance Committee (DGC)
Data Sharing Requests
Data Classification
Categories
Records Management
Data System Authorizations
Strategic Procurement
KFS(Finance)
OTHERDATA
SYSTEMS
PEOPLESOFT(Human
Resources)
Users
OVPAA|June 2015
UH Data Governance Goals
Protect the privacy and security of Institutional data
Produce higher quality data for informed decision making
Promote efficient use of resources Increase transparency and accountability
UH Policies/Procedures and Key Regulations
12
13
Institutional Data Governance
EP2.215
System and Campus Wide Electronic Channels for
Communicating with StudentsEP2.213 Specialized
Purchasing AP8.265
Data Sharing Request Process
(in progress)
FERPAAP7.022
Security and Protection of Sensitive Information
EP2.214
Institutional Records Management and
Electronic Approvals / Signatures
EP2.216
Records Retention Schedule
(TBD)
Open Records Requests
(TBD)
HIPAA (TBD)
Data Classification Categories
(in progress)
Data System Authorizations
(TBD)
Data-Related APs Procurement-Related APs
Data-Related EPs
OVPAA|June 2015 14
UH Data-Related Executive PoliciesNumber Title Description
EP2.215 Institutional Data Governance
Establishes the vision, goals, principles, best practices, roles and responsibilities, and definitions of UH’s data governance program.
EP2.213 System and Campus Wide Electronic Channels for Communicating with Students
Establishes the use of electronic channels for system and campus wide communications with students.
EP2.214 Security & Protection of Sensitive Information
Establishes guidelines for the identification and proper maintenance of sensitive information.
EP2.216 Institutional Records Management and Electronic Approvals/ Signatures
Establishes institutional requirements for the responsible management of University records which includes meeting legal and institutional requirements, optimizing space usage, and minimizing the cost of record retention.
OVPAA|June 2015 15
UH Data-Related Admin Procedures (1)Number Title Description
AP7.022 Procedures Relating to Protection of the Educational Rights and Privacy of Students
Establishes procedures that protect the educational rights and privacy of students (UH’s FERPA policy).
TBD UH Data Classification Categories (in progress)
Organizes UH Institutional Data into categories based on different levels of security risk and penalties and specifies security requirements for each category.
TBD Data Sharing Requests (in progress)
Establishes a process for the release of UH Institutional Data and ensures the data is being appropriately used and is properly secured.
TBD Data System Authorizations (in progress)
Establishes procedures for granting an individual online access to Institutional Data Systems based on that individual’s roles and responsibilities.
OVPAA|June 2015 16
UH Data-Related Admin Procedures (2)Number Title Description
TBD Records Retention Schedule (not yet started)
Document each type of University record, the official repository/office for that record, the retention period, disposition action, and data classification category.
TBD Open Records Requests (not yet started)
Provide recipients of Uniform Information Practices Act (UIPA) requests with instructions on how/when to respond.
TBD HIPAA (not yet started) Provide standards and guidelines that align with the Health Insurance Portability and Accountability Act for those who work with health records.
AP8.265 Specialized Purchasing Provide guidelines on software related purchases, especially for 3rd party hosted services in the Cloud.
OVPAA|June 2015 17
Student Directory Information (AP7.022) Name of student Major field of study Class (i.e., freshman, sophomore, etc.) Past and present participation in officially recognized sports
and activities Weight and height of members of athletic teams Dates of attendance Previous institution(s) attended Full or part-time status Degree(s) conferred (including dates) Honors and awards (including dean's list)
OVPAA|June 2015 18
Key Regulations and Penalties (1)Regulation Description Penalty
Hawai‘i Revised Statutes (HRS) §487N
• State law that requires a breach notification to the legislature if there is an inadvertent disclosure or inappropriate access of data
Data subject to regulation:• First Name or First Initial/Last Name combined with:
• Social Security Number (SSN)• Driver license or state ID #• Info to access a person’s financial account
(account #, access codes, passwords, etc.)• Health information covered by HIPAA• PCI-DSS information
Family Educational Rights and Privacy Act (FERPA)
• Federal law that protects the privacy of student education records
• UH’s FERPA document is AP7.022
Data subject to regulation:• All student data EXCEPT directory information• Student Personally Identifiable Information (PII)
Potential loss of federal funding
OVPAA|June 2015 19
Key Regulations and Penalties (2)Regulation Description Penalty
Health Insurance Portability and Accountability Act(HIPAA)
• Federal law that protects the privacy of individually identifiable health information
Data subject to regulation:• Health
Financial fines;also requires a breach notification in accordance with HRS §487N
Hawai‘i Revised Statute (HRS) Chapter 92F
• State law also known as the Uniform Information Practices Act (UIPA) which requires open access to government records
• 92F-12 specifically refers government employee data that must be made available for public inspection and duplication during regular business hours
Data subject to regulation 92F-12:• Employee
If data is intentionally revealed that should not be, could be convicted of a misdemeanor unless a greater penalty is provided for by law.
OVPAA|June 2015 20
Key Regulations and Penalties (3)Regulation Description Penalty
Payment Card Industry Data Security Standard (PCI-DSS) information
• A widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information
Data subject to regulation:• Credit Card
Financial fines;also requires a breach notification in accordance with HRS §487N
Stewardship and UH Data Governance Roles and Responsibilities
21
OVPAA|June 2015 22
What is Stewardship
“The careful, responsible management of something entrusted to one’s care on behalf of others.”
— The DAMA Dictionary of Data Management, 2nd Edition
OVPAA|June 2015 23
Data Governance Program
Role Lead the University’s data governance program
Sandra Furuto, Director of Data Governance and Operations
Responsibilities Set the DG agenda with oversight by the Data Governance
Committee (DGC) to resolve data issues and support DG goals in support of UH’s mission
Create an organized and coordinated strategy and a formal, structured approach to carrying out the University’s DG goals
Develop system-wide policies, processes, and standards with guidance from the DGC
Increase knowledge and awareness of DG initiatives and DG goals throughout the UH community
DGP
OVPAA|June 2015 24
Data Governance Committee
RoleAn executive decision making body that focuses on
the resolution of system-wide data related issues Responsibilities
Establish policies, processes, and standards that govern the University’s data management practices
Articulate data issues to UH senior leadership involving disputes around Institutional Data
Increase knowledge and awareness of DG initiatives and DG goals throughout the UH community
DGC
25
UH Data Governance Roles
Roles are reflective of what people already do in their day-to-day jobs.
Naming of DG roles formalizes responsibilities and provides structure and support.
A person can fulfill multiple roles.
Executive Data Steward• Campus• System
Functional Data Steward
Data Custodian
OVPAA|June 2015 26
Executive Data Stewards: Role
EDS are accountable for the use and management of Institutional Data at their respective campus or within the Institutional Data System under their purview.• Campus EDS – vice chancellors or appropriate
administrators responsible for the major functional areas within a campus including, but not limited to, student affairs, academic affairs, and administration
• System EDS – executives with functional responsibility for Institutional Data Systems
OVPAA|June 2015 27
Executive Data Stewards: Responsibilities
Authorize the release of Institutional Data in the course of improving University programs and services, meeting compliance and reporting requirements, and supporting research related studies
Approve login access of employees and others to Institutional Data Systems
OVPAA|June 2015 28
Functional Data Stewards: Role
Use and manage Institutional Data on a daily basis as part of their job duties and responsibilities and are subject matter experts in their functional area• Exists among all levels and across all units within the
University
• Includes registrars, financial aid officers, fiscal administrators, human resources specialists, and institutional researchers
• Lead FDS – Primary FDS that works along with Data Custodians to manage the Institutional Data Systems
OVPAA|June 2015 29
Functional Data Steward Responsibilities
Ensure Institutional Data is managed appropriately, according to policies and procedures
Input Institutional Data and ensure the accuracy of the data
Recommend enhancements for their respective program areas to improve data quality, access, security, performance, and reporting
Serve as a conduit between EDS and DC to promote communication and a shared understanding of requirements
Fulfill data sharing requests according to administrative procedures
OVPAA|June 2015 30
Data Custodians: Role
Manage and/or administer systems or media on which sensitive information resides:• PCs, laptops, PDAs, smartphones, departmental
servers, enterprise databases, storage systems, magnetic tapes, CDs/DVDs, USB drives, paper files, cloud storage or services, etc.
Note : IT personnel are commonly regarded as Data Custodians, however, any authorized individual who downloads or stores sensitive information onto a computer or other storage device becomes a Data Custodian through that act.
OVPAA|June 2015 31
Data Custodian Responsibilities
Responsible for the technical safeguarding of sensitive information
Implement and administer controls that ensure the transmission of Institutional Data is secure and access controls are in place to the prevent inappropriate disclosure of that information
Work with FDS, as needed, to fulfill data sharing requests that involve additional technical requirements
Clarify with the appropriate EDS if a request is unclear or raises security concerns not addressed
Data Governance Conceptual Framework at UH
32
Business Area Institutional Data SystemFinance Kuali Financial System – KFS
eThorityeTravelFinancial Data Mart (FDM)
Human Resources PeopleSoftHR Data Mart – HRDW
Research Admin myGrant (Kuali Coeus – KC)Cognos
Identity ManagementIdentity Management System (IMS)
Student Banner: StudentOperational Data Store (ODS)
Banner: Financial Aid
STAR (Data Metrix, Academic Journey, Giving Tree)Student Employment and Cooperative Education (SECE)
Banner: Accounts Receivable
Destiny (UHCC Only)
Laulima
Campus
UHManoa
UHHilo
UHWest O’ahu
Hawai’i Community College
Honolulu Community College
Kapi’olani Community College
Kaua’i Community College
Leeward Community College
Maui College
Windward Community College
Etc.
Etc.
Etc.
Etc.
Etc.
Current Data Governance Focus Areas
33
OVPAA|June 2015 34
DG Focus Areas
Data Governance Committee (DGC)
Data Sharing Requests
Data Classification
Categories
Records Management
Data System Authorizations
Strategic Procurement
35
Data Sharing Requests
Data Sharing involves creating a copy of
Institutional Data and storing it on another
repository or medium for a specified use by
individuals who do not normally have access to
that data.
Data Sharing Request Process (DSR)
is a formal process for requesting and gaining access to
the data of interest.It is the action required to request,
review, and approve the release and use of Institutional Data.
OVPAA|June 2015 36
Scope: People Subject to the DSR Process
Individuals who have NOT been granted access to the specific Institutional Data of interest as part of their job requirements
EDS, FDS, and DC do NOT need to fill out a DSR form for data within their functional area because working with the data is part of their daily jobFor example, Institutional Research (IR) has access
to student record data as part of their responsibilities. If IR needs student employee data (which is in another system), then IR must submit a request to get the data from Student Employment.
OVPAA|June 2015 37
Scope: Data Subject to the DSR Process If the request involves Institutional Data and
any of the following:Individual record level dataData not considered ‘public’The services of a third partyA data feed (i.e., the establishment of a link that
transfers data between an Institutional Data System and another repository, such as to a vendor-hosted server)
OVPAA|June 2015 38
DG Focus Areas
Data Governance Committee (DGC)
Data Sharing Requests
Data Classification
Categories
Records Management
Data System Authorizations
Strategic Procurement
Organizes UH Institutional Data into categories based on different levels of security risk and penalties and specifies security requirements for each category.
OVPAA|June 2015 39
UH Data Classification Categories MatrixCategory Definition Examples
Public Access is not restricted and is subject to open records requests
Student directory information, employee’s business contact info
Restricted (proposed)
Used for UH business only; will not be distributed to external parties; released externally only under the terms of a written MOA or contract
Student contact information, UH ID number
Sensitive Data subject to privacy considerations Date of birth, job applicant records, salary/payroll information, most student information
Regulated (proposed)
Inadvertent disclosure or inappropriate access requires a breach notification by law or is subject to financial fines
FN or first initial/LN in combination with SSN, driver license number, or bank information; credit card (PCI-DSS) or health (HIPAA) info
OVPAA|June 2015 40
UH Classification Categories and DSR Process
These classification categories should be considered by:
EDS: When deciding whether to approve or deny the data sharing request
FDS: When making recommendations to share the data, the specific method for sharing (encrypted, email, fileshare, etc.), and when fulfilling the data sharing request
DC: When making recommendations to share the data, the specific method for sharing (data feed, encrypted at rest/in transit, etc.), and when fulfilling the data sharing request
OVPAA|June 2015 41
DG Focus Areas
Data Governance Committee (DGC)
Data Sharing Requests
Data Classification
Categories
Records Management
Data System Authorizations
Strategic Procurement
Establishes institutional requirements for the responsible management of University records.
OVPAA|June 2015 42
Records Management
Create records retention schedule for University records, lead office, retention period, type of disposal/destruction, and data classification category.
Provide standard guidelines for annual Records Reporting requirement to Office of Information Practices.
OVPAA|June 2015 43
DG Focus Areas
Data Governance Committee (DGC)
Data Sharing Requests
Data Classification
Categories
Records Management
Data System Authorizations
Strategic Procurement
Provides a centralized process for granting individuals online access to Institutional Data Systems based on those individuals’ roles and responsibilities.
OVPAA|June 2015 University of Hawaii © 2014 44
Mandatory Training and GCN (1)
EP 2.215 broadly states that training and education on handling sensitive information must be completed before users are allowed access
The policy will be updated to require users to complete:Mandatory Information Security Awareness Training
in LaulimaThe General Confidentiality Notice (GCN)
acknowledgment (www.hawaii.edu/its/acer)
OVPAA|June 2015 University of Hawaii © 2014 45
Mandatory Training and GCN (2)
Affects users with login privileges to any Institutional Data System. Examples:Banner/ODSPeoplesoft/HR Data MartKFS/eThoritySTARIdentity Management System, etc.
Reporting mechanism
Executive Data Stewards and supervisors will receive a listing of individuals who have not completed either requirement
OVPAA|June 2015 University of Hawaii © 2014 46
Mandatory Training and GCN (3)
TimelineEP 2.215 revision: summer/fall 2015Complete reporting module: fall 2015Roll out training/GCN to current users: begin late fall
2015 starting with ODS Re-certification proposals
GCN: annuallyInformation Security Awareness Training: every 2 or 3
years
OVPAA|June 2015 47
DG Focus Areas
Data Governance Committee (DGC)
Data Sharing Requests
Data Classification
Categories
Records Management
Data System Authorizations
Strategic Procurement
Coordinate purchases of third party vendor software/ services to reduce duplicative purchases and ensure appropriate language on data use and security are in all contracts and subscriptions.
OVPAA|June 2015 48
Strategic Procurement: Duplicative Purchases
Uncoordinated third party vendor purchases Campuses/programs are engaging different vendors
for similar services, e.g., retention softwareCampuses are interested in the same vendor but
contracts are negotiated at different times Cost/resource and implementation issues
Lost opportunity for favorable contract pricingMany requests involve data feedsData providers notified at the end, rather than
involved during the planning stages
OVPAA|June 2015 49
Strategic Procurement: Contract/Subscription Language
Not all third party vendor contracts and subscriptions have language protecting the University’s dataCompleting a template on data use and security for
all future data-related contracts Cloud-based subscriptions terms and conditions are
inconsistent and may/may not be on their website
OVPAA|June 2015
Strategic Procurement: Requests Involving Self-Disclosure of Info
Requests involve: UH program offering a service
○ E.g., recruitment, parking, proctoring, application to a degree program, training, housing
The individuals disclosing information about themselves in order to use the service
Subscription-based third party vendorsData stored on a non-UH server, often in the CloudMay collect sensitive data
Creating a form/process similar to DSR 50
OVPAA|June 2015 51
DG Program Status
DG Focus Areas
DG Program creates a draft process or standard
DGC and others provide input, modify, and approve
Process or standard becomes Executive Policy or Admin Procedure
DG Program communicates and trains those with R&R related to the process or standard, EP, or AP
Data Sharing Request
Complete Complete In progress In progress
Data Classification Categories
Complete In progress In progress Not started
Records Management
In progress In progress EP CompleteAP Not started
Not started
Data System Authorizations
In progress In progress Not started Not started
Strategic Procurement
In progress In progress Not started Not started
Process to Develop a DG Focus Area
Principles for Sharing and Accessing Data
52
OVPAA|June 2015 53
Principle of Need to Know
The basis for giving out data or granting access should be based on a need to know by the requesterIn FERPA terms, this is called having a “legitimate
educational interest” What “hat” is the individual wearing when he is
making the request? Access to the data should be consistent with the individual’s role associated with the request
If the data is not something the individual would normally have access to, s/he may need to fill out a Data Sharing Request form
OVPAA|June 2015 54
Principle of Least Access
The basis for giving out data or granting access should be based on a need-to-have and not a nice-to-haveThe minimal amount of data should be shared
○ Does the requester need identified data or can de-identified data meet the requester’s needs?
The minimal amount of access privileges should be granted○ Does the individual’s access privileges align with their
job duties and responsibilities?
OVPAA|June 2015 55
Principle of No Repurposing or Redisclosure
Data that is shared should not be used for any other purpose than for what it was originally intendedApproval for the new purpose should be sought
before the data is used for a different purpose Similarly, data should not be redisclosed or
released more often than specified
OVPAA|June 2015 56
Questions or Comments?
Ask DataGov or Tell DataGov Email: datagov@hawaii.eduwww.hawaii.edu/uhdatagov
Sandra FurutoEmail: yano@hawaii.eduPhone: 956-7487