
UH DATA GOVERNANCE

IT All-Campus Workshop, June 19, 2015

Sandra Furuto UH System Office of the Vice President for Academic Affairs


What is Data Governance and Issues Around it


What is Data Governance (1)

“The formal orchestration of people, process, and technology to enable an organization to leverage data as an enterprise asset.”

— The MDM Institute, http://0046c64.netsolhost.com/whatIsDataGovernance.html


What is Data Governance (2)

• DG is a framework that enables us to effectively manage data
• Defines how data are collected, stored, and used
• Defines who can access data, when, and under what conditions
• Establishes decision rights
• Establishes clear lines of accountability
• Gives a voice to all appropriate parties
• Provides a mechanism for conflict resolutions involving data


UH Data Governance Issues

• Lack of clarity on access and data requests (where to go, who to ask, etc.)
• No clear lines of accountability
• Reliance on local solutions
• Unnecessary duplication of University data
• No defined escalation procedures
• Insufficient education and training on handling sensitive data
• Lack of compliance with government and industry regulations (FERPA, HIPAA, HRS 92F, HRS 487N, PCI-DSS)


Impact of Non-Compliance

• Loss of federal financial aid funding (FERPA)
• Financial fines (HIPAA, PCI-DSS)
• Class action lawsuits
• Misdemeanor charges
• Financial expenses
• Loss of reputation
• Additional legislative scrutiny
• Unfavorable publicity


UH Data Governance Program


UH DG Vision Statement

Data governance at the University of Hawai‘i fosters a culture of shared responsibility and active participation among members of the University community in the stewardship of data and information entrusted to the University. UH’s institutional data governance philosophy is grounded in the University’s core values of institutional integrity, service, collaboration, and respect, and its commitment to excellence and accountability.


Scope of UH Data Governance

“Institutional Data” refers to data created, received, maintained, and/or transmitted by UH in the course of meeting its administrative and academic requirements.
Examples: Student (student name, ID number, grades); Employee (name, job title, payroll information)

“Institutional Data System” refers to any data repository owned/maintained by UH that collects and stores Institutional Data. These repositories house transactional and analytical (decision support) types of Institutional Data.
Examples: Banner (System with Student Data); PeopleSoft (System with HR Data); KFS (System with Financial Data)


DG Scope and Structure

[Diagram. Labels: Senior Executives/Chancellors; Data Governance Committee (DGC); Data Sharing Requests; Data Classification Categories; Records Management; Data System Authorizations; Strategic Procurement; BANNER (Students); KFS (Finance); PEOPLESOFT (Human Resources); OTHER DATA SYSTEMS; Users]


UH Data Governance Goals

• Protect the privacy and security of Institutional data
• Produce higher quality data for informed decision making
• Promote efficient use of resources
• Increase transparency and accountability


UH Policies/Procedures and Key Regulations


Data-Related EPs
• EP2.215: Institutional Data Governance
• EP2.213: System and Campus Wide Electronic Channels for Communicating with Students
• EP2.214: Security and Protection of Sensitive Information
• EP2.216: Institutional Records Management and Electronic Approvals / Signatures

Data-Related APs
• AP7.022: FERPA
• Data Sharing Request Process (in progress)
• Data Classification Categories (in progress)
• Data System Authorizations (TBD)
• Records Retention Schedule (TBD)
• Open Records Requests (TBD)
• HIPAA (TBD)

Procurement-Related APs
• AP8.265: Specialized Purchasing


UH Data-Related Executive Policies

Number | Title | Description
EP2.215 | Institutional Data Governance | Establishes the vision, goals, principles, best practices, roles and responsibilities, and definitions of UH’s data governance program.
EP2.213 | System and Campus Wide Electronic Channels for Communicating with Students | Establishes the use of electronic channels for system and campus wide communications with students.
EP2.214 | Security & Protection of Sensitive Information | Establishes guidelines for the identification and proper maintenance of sensitive information.
EP2.216 | Institutional Records Management and Electronic Approvals/Signatures | Establishes institutional requirements for the responsible management of University records which includes meeting legal and institutional requirements, optimizing space usage, and minimizing the cost of record retention.


UH Data-Related Admin Procedures (1)

Number | Title | Description
AP7.022 | Procedures Relating to Protection of the Educational Rights and Privacy of Students | Establishes procedures that protect the educational rights and privacy of students (UH’s FERPA policy).
TBD | UH Data Classification Categories (in progress) | Organizes UH Institutional Data into categories based on different levels of security risk and penalties and specifies security requirements for each category.
TBD | Data Sharing Requests (in progress) | Establishes a process for the release of UH Institutional Data and ensures the data is being appropriately used and is properly secured.
TBD | Data System Authorizations (in progress) | Establishes procedures for granting an individual online access to Institutional Data Systems based on that individual’s roles and responsibilities.


UH Data-Related Admin Procedures (2)

Number | Title | Description
TBD | Records Retention Schedule (not yet started) | Document each type of University record, the official repository/office for that record, the retention period, disposition action, and data classification category.
TBD | Open Records Requests (not yet started) | Provide recipients of Uniform Information Practices Act (UIPA) requests with instructions on how/when to respond.
TBD | HIPAA (not yet started) | Provide standards and guidelines that align with the Health Insurance Portability and Accountability Act for those who work with health records.
AP8.265 | Specialized Purchasing | Provide guidelines on software related purchases, especially for 3rd party hosted services in the Cloud.


Student Directory Information (AP7.022)

• Name of student
• Major field of study
• Class (i.e., freshman, sophomore, etc.)
• Past and present participation in officially recognized sports and activities
• Weight and height of members of athletic teams
• Dates of attendance
• Previous institution(s) attended
• Full or part-time status
• Degree(s) conferred (including dates)
• Honors and awards (including dean's list)


Key Regulations and Penalties (1)

Regulation: Hawai‘i Revised Statutes (HRS) §487N
Description:
• State law that requires a breach notification to the legislature if there is an inadvertent disclosure or inappropriate access of data
Data subject to regulation:
• First Name or First Initial/Last Name combined with:
  ○ Social Security Number (SSN)
  ○ Driver license or state ID #
  ○ Info to access a person’s financial account (account #, access codes, passwords, etc.)
• Health information covered by HIPAA
• PCI-DSS information

Regulation: Family Educational Rights and Privacy Act (FERPA)
Description:
• Federal law that protects the privacy of student education records
• UH’s FERPA document is AP7.022
Data subject to regulation:
• All student data EXCEPT directory information
• Student Personally Identifiable Information (PII)
Penalty: Potential loss of federal funding


Key Regulations and Penalties (2)

Regulation: Health Insurance Portability and Accountability Act (HIPAA)
Description:
• Federal law that protects the privacy of individually identifiable health information
Data subject to regulation:
• Health
Penalty: Financial fines; also requires a breach notification in accordance with HRS §487N

Regulation: Hawai‘i Revised Statute (HRS) Chapter 92F
Description:
• State law also known as the Uniform Information Practices Act (UIPA) which requires open access to government records
• 92F-12 specifically refers to government employee data that must be made available for public inspection and duplication during regular business hours
Data subject to regulation 92F-12:
• Employee
Penalty: If data is intentionally revealed that should not be, could be convicted of a misdemeanor unless a greater penalty is provided for by law.


Key Regulations and Penalties (3)

Regulation: Payment Card Industry Data Security Standard (PCI-DSS) information
Description:
• A widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information
Data subject to regulation:
• Credit Card
Penalty: Financial fines; also requires a breach notification in accordance with HRS §487N


Stewardship and UH Data Governance Roles and Responsibilities


What is Stewardship

“The careful, responsible management of something entrusted to one’s care on behalf of others.”

— The DAMA Dictionary of Data Management, 2nd Edition


Data Governance Program (DGP)

Role
• Lead the University’s data governance program
• Sandra Furuto, Director of Data Governance and Operations

Responsibilities
• Set the DG agenda with oversight by the Data Governance Committee (DGC) to resolve data issues and support DG goals in support of UH’s mission
• Create an organized and coordinated strategy and a formal, structured approach to carrying out the University’s DG goals
• Develop system-wide policies, processes, and standards with guidance from the DGC
• Increase knowledge and awareness of DG initiatives and DG goals throughout the UH community


Data Governance Committee (DGC)

Role
• An executive decision making body that focuses on the resolution of system-wide data related issues

Responsibilities
• Establish policies, processes, and standards that govern the University’s data management practices
• Articulate data issues to UH senior leadership involving disputes around Institutional Data
• Increase knowledge and awareness of DG initiatives and DG goals throughout the UH community


UH Data Governance Roles

Roles are reflective of what people already do in their day-to-day jobs.

Naming of DG roles formalizes responsibilities and provides structure and support.

A person can fulfill multiple roles.

Executive Data Steward
• Campus
• System

Functional Data Steward

Data Custodian


Executive Data Stewards: Role

EDS are accountable for the use and management of Institutional Data at their respective campus or within the Institutional Data System under their purview.
• Campus EDS – vice chancellors or appropriate administrators responsible for the major functional areas within a campus including, but not limited to, student affairs, academic affairs, and administration
• System EDS – executives with functional responsibility for Institutional Data Systems


Executive Data Stewards: Responsibilities

Authorize the release of Institutional Data in the course of improving University programs and services, meeting compliance and reporting requirements, and supporting research related studies

Approve login access of employees and others to Institutional Data Systems


Functional Data Stewards: Role

Use and manage Institutional Data on a daily basis as part of their job duties and responsibilities and are subject matter experts in their functional area
• Exist among all levels and across all units within the University
• Include registrars, financial aid officers, fiscal administrators, human resources specialists, and institutional researchers
• Lead FDS – Primary FDS that works along with Data Custodians to manage the Institutional Data Systems


Functional Data Steward Responsibilities

Ensure Institutional Data is managed appropriately, according to policies and procedures

Input Institutional Data and ensure the accuracy of the data

Recommend enhancements for their respective program areas to improve data quality, access, security, performance, and reporting

Serve as a conduit between EDS and DC to promote communication and a shared understanding of requirements

Fulfill data sharing requests according to administrative procedures


Data Custodians: Role

Manage and/or administer systems or media on which sensitive information resides:
• PCs, laptops, PDAs, smartphones, departmental servers, enterprise databases, storage systems, magnetic tapes, CDs/DVDs, USB drives, paper files, cloud storage or services, etc.

Note: IT personnel are commonly regarded as Data Custodians; however, any authorized individual who downloads or stores sensitive information onto a computer or other storage device becomes a Data Custodian through that act.


Data Custodian Responsibilities

Responsible for the technical safeguarding of sensitive information

Implement and administer controls that ensure the transmission of Institutional Data is secure and access controls are in place to prevent inappropriate disclosure of that information

Work with FDS, as needed, to fulfill data sharing requests that involve additional technical requirements

Clarify with the appropriate EDS if a request is unclear or raises security concerns not addressed


Data Governance Conceptual Framework at UH

Business Area | Institutional Data System
Finance | Kuali Financial System – KFS; eThority; eTravel; Financial Data Mart (FDM)
Human Resources | PeopleSoft; HR Data Mart – HRDW
Research Admin | myGrant (Kuali Coeus – KC); Cognos
Identity Management | Identity Management System (IMS)
Student | Banner: Student; Operational Data Store (ODS); Banner: Financial Aid; STAR (Data Metrix, Academic Journey, Giving Tree); Student Employment and Cooperative Education (SECE); Banner: Accounts Receivable; Destiny (UHCC Only); Laulima
Etc.

Campus
• UH Manoa
• UH Hilo
• UH West O’ahu
• Hawai’i Community College
• Honolulu Community College
• Kapi’olani Community College
• Kaua’i Community College
• Leeward Community College
• Maui College
• Windward Community College


Current Data Governance Focus Areas


DG Focus Areas

Data Governance Committee (DGC)
• Data Sharing Requests
• Data Classification Categories
• Records Management
• Data System Authorizations
• Strategic Procurement


Data Sharing Requests

Data Sharing involves creating a copy of Institutional Data and storing it on another repository or medium for a specified use by individuals who do not normally have access to that data.

Data Sharing Request Process (DSR) is a formal process for requesting and gaining access to the data of interest. It is the action required to request, review, and approve the release and use of Institutional Data.


Scope: People Subject to the DSR Process

• Individuals who have NOT been granted access to the specific Institutional Data of interest as part of their job requirements
• EDS, FDS, and DC do NOT need to fill out a DSR form for data within their functional area because working with the data is part of their daily job
  ○ For example, Institutional Research (IR) has access to student record data as part of their responsibilities. If IR needs student employee data (which is in another system), then IR must submit a request to get the data from Student Employment.


Scope: Data Subject to the DSR Process

If the request involves Institutional Data and any of the following:
• Individual record level data
• Data not considered ‘public’
• The services of a third party
• A data feed (i.e., the establishment of a link that transfers data between an Institutional Data System and another repository, such as to a vendor-hosted server)


DG Focus Area: Data Classification Categories

Organizes UH Institutional Data into categories based on different levels of security risk and penalties and specifies security requirements for each category.


UH Data Classification Categories Matrix

Category | Definition | Examples
Public | Access is not restricted and is subject to open records requests | Student directory information, employee’s business contact info
Restricted (proposed) | Used for UH business only; will not be distributed to external parties; released externally only under the terms of a written MOA or contract | Student contact information, UH ID number
Sensitive | Data subject to privacy considerations | Date of birth, job applicant records, salary/payroll information, most student information
Regulated (proposed) | Inadvertent disclosure or inappropriate access requires a breach notification by law or is subject to financial fines | FN or first initial/LN in combination with SSN, driver license number, or bank information; credit card (PCI-DSS) or health (HIPAA) info


UH Classification Categories and DSR Process

These classification categories should be considered by:

EDS: When deciding whether to approve or deny the data sharing request

FDS: When making recommendations to share the data, the specific method for sharing (encrypted, email, fileshare, etc.), and when fulfilling the data sharing request

DC: When making recommendations to share the data, the specific method for sharing (data feed, encrypted at rest/in transit, etc.), and when fulfilling the data sharing request


DG Focus Area: Records Management

Establishes institutional requirements for the responsible management of University records.


Records Management

Create records retention schedule for University records, lead office, retention period, type of disposal/destruction, and data classification category.

Provide standard guidelines for annual Records Reporting requirement to Office of Information Practices.


DG Focus Area: Data System Authorizations

Provides a centralized process for granting individuals online access to Institutional Data Systems based on those individuals’ roles and responsibilities.

University of Hawaii © 2014

Mandatory Training and GCN (1)

• EP 2.215 broadly states that training and education on handling sensitive information must be completed before users are allowed access
• The policy will be updated to require users to complete:
  ○ Mandatory Information Security Awareness Training in Laulima
  ○ The General Confidentiality Notice (GCN) acknowledgment (www.hawaii.edu/its/acer)


Mandatory Training and GCN (2)

• Affects users with login privileges to any Institutional Data System. Examples:
  ○ Banner/ODS
  ○ PeopleSoft/HR Data Mart
  ○ KFS/eThority
  ○ STAR
  ○ Identity Management System, etc.
• Reporting mechanism
  ○ Executive Data Stewards and supervisors will receive a listing of individuals who have not completed either requirement


Mandatory Training and GCN (3)

• Timeline
  ○ EP 2.215 revision: summer/fall 2015
  ○ Complete reporting module: fall 2015
  ○ Roll out training/GCN to current users: begin late fall 2015 starting with ODS
• Re-certification proposals
  ○ GCN: annually
  ○ Information Security Awareness Training: every 2 or 3 years


DG Focus Area: Strategic Procurement

Coordinate purchases of third party vendor software/services to reduce duplicative purchases and ensure appropriate language on data use and security are in all contracts and subscriptions.


Strategic Procurement: Duplicative Purchases

• Uncoordinated third party vendor purchases
  ○ Campuses/programs are engaging different vendors for similar services, e.g., retention software
  ○ Campuses are interested in the same vendor but contracts are negotiated at different times
• Cost/resource and implementation issues
  ○ Lost opportunity for favorable contract pricing
  ○ Many requests involve data feeds
  ○ Data providers notified at the end, rather than involved during the planning stages


Strategic Procurement: Contract/Subscription Language

• Not all third party vendor contracts and subscriptions have language protecting the University’s data
  ○ Completing a template on data use and security for all future data-related contracts
• Cloud-based subscription terms and conditions are inconsistent and may/may not be on their website


Strategic Procurement: Requests Involving Self-Disclosure of Info

Requests involve:
• UH program offering a service
  ○ E.g., recruitment, parking, proctoring, application to a degree program, training, housing
• The individuals disclosing information about themselves in order to use the service
• Subscription-based third party vendors
  ○ Data stored on a non-UH server, often in the Cloud
  ○ May collect sensitive data

Creating a form/process similar to DSR


DG Program Status

Process to Develop a DG Focus Area
Step 1: DG Program creates a draft process or standard
Step 2: DGC and others provide input, modify, and approve
Step 3: Process or standard becomes Executive Policy or Admin Procedure
Step 4: DG Program communicates and trains those with R&R related to the process or standard, EP, or AP

DG Focus Area | Step 1 | Step 2 | Step 3 | Step 4
Data Sharing Request | Complete | Complete | In progress | In progress
Data Classification Categories | Complete | In progress | In progress | Not started
Records Management | In progress | In progress | EP Complete; AP Not started | Not started
Data System Authorizations | In progress | In progress | Not started | Not started
Strategic Procurement | In progress | In progress | Not started | Not started


Principles for Sharing and Accessing Data


Principle of Need to Know

• The basis for giving out data or granting access should be based on a need to know by the requester
  ○ In FERPA terms, this is called having a “legitimate educational interest”
• What “hat” is the individual wearing when he is making the request? Access to the data should be consistent with the individual’s role associated with the request
• If the data is not something the individual would normally have access to, s/he may need to fill out a Data Sharing Request form


Principle of Least Access

• The basis for giving out data or granting access should be based on a need-to-have and not a nice-to-have
• The minimal amount of data should be shared
  ○ Does the requester need identified data or can de-identified data meet the requester’s needs?
• The minimal amount of access privileges should be granted
  ○ Do the individual’s access privileges align with their job duties and responsibilities?


Principle of No Repurposing or Redisclosure

• Data that is shared should not be used for any other purpose than for what it was originally intended
  ○ Approval for the new purpose should be sought before the data is used for a different purpose
• Similarly, data should not be redisclosed or released more often than specified


Questions or Comments?

Ask DataGov or Tell DataGov Email: [email protected]/uhdatagov

Sandra Furuto
Email: [email protected]: 956-7487