The purpose of this policy is to define the Data Governance Program used at the University of North Carolina Wilmington to ensure the formal management of university information resources and data.
Chancellor
Updated January 2023; Established March 2022
UNC System adoption of ISO/IEC 27002; ISO/IEC 27002:2013 8.2 Classification of Information; UNC System Policies 1400 Series on Information Technology
Chief Information Officer/Information Technology Services
Purpose
The purpose of this policy is to define the Data Governance Program used at the University of North Carolina at Wilmington (“UNCW” or “University”) to ensure the formal management of University information resources and data.
Scope
This policy applies to any person or entity using University information resources and data, including but not limited to all university faculty, staff, students, affiliates, contractors, vendors, and consultants. As such, all users of university information resources and data must be familiar with and comply with this policy and related standards, guidelines, and procedures issued by the University in support of this policy.
This policy further applies to all University information resources and data, regardless of form or location, and the hardware and software resources used to electronically store, process, or transmit data. This includes data processed or stored and applications used by the University in hosted environments in which the university does not operate the technology infrastructure.
Definitions
Data Classification: Data Classification refers to the categorization of data and consistent application of security standards based on such categorization. University data will be classified according to the UNCW Data Classification Standard: Data Classification Statement and Matrices.
Data Handling: Data Handling refers to the actions that Data Users should take to use, process, transmit, store, archive, and destroy University data in a secure manner that aligns with the classification of the data.
Data Lifecycle: The Data Lifecycle is the progression of stages in which a piece of information may exist between its original creation or collection and final archival or destruction.
Information Resources: As used in the University of North Carolina (UNC) System Policy 1400.1, “information resources are information owned or processed by the university, or related to the business of the university, regardless of form or location, and the hardware and software resources used to electronically store, process or transmit that information.” Information Resources expressly include data, software, and physical assets. The term university data may be used interchangeably with the term Information Resources in this policy.
University means the University of North Carolina at Wilmington, its colleges, schools, affiliates, divisions, and subsidiaries.
Policy
University Authority. The University has authority over the use of its information resources and data and is the legal custodian of all University information resources and data. University Information Resources and data are valuable assets, the use of which must be aligned with the administrative, educational, and institutional research functions of the University.
Data Governance Program. The University shall establish a Data Governance Program to guide the strategic use, management, and reporting of University data. The Data Governance Program shall ensure that University data is used in compliance with federal, state, and local regulations, applicable university policies, and relevant contractual obligations. The Data Governance Program shall be established by a charter that lays out the objectives of the program, program structure and organization, and program metrics.
Data Classification. All University data must be classified and can have only one classification. The University uses five data classification levels based on the nature of the data and relevant compliance requirements. Classification levels are outlined in the UNCW Data Classification Standard: Data Classification Statement and Matrices. (Reference: ISO 27002:2013-8.2.1.)
Data Lifecycle and Data Handling. Data Trustees, the Data Governance Committee, Data Stewards, and Data Custodians are collectively responsible for the management of all University data throughout the data lifecycle. The University shall issue policies, standards, and procedures as appropriate that address the quality, consistency, usability, accessibility, availability, and protection of University information resources and data throughout its lifecycle and according to classification level. (Reference: UNC System Policy 1400.1.)
Roles and Responsibilities
All University employees are responsible for supporting data governance. This includes not only individuals with management and oversight roles defined by the Data Governance Program but also any user of University information resources and data. Specific roles and responsibilities regarding University data include:
Chancellor: The Chancellor has final authority over all University Information Resources and data. The Chancellor and Chancellor’s designees are responsible for overseeing the protection of University data according to the security level assigned. The Chancellor makes the following delegations in support of this policy:
The Provost and Vice Chancellor for Academic Affairs and the Vice Chancellor for Business Affairs shall serve as the executive sponsors for the University Data Governance Program and have the responsibilities set forth in the Data Governance Program charter.
The Associate Vice Chancellor for Information Technology Services and Chief Information Officer (CIO) shall serve as the University official responsible for administering the Data Governance Program in accordance with this policy and the Data Governance Program charter.
Data Trustees are named by the Chancellor and are responsible for the data governance and management activities as specified in this policy and the Data Governance Program charter.
Data Trustees: Data Trustees shall mean those individuals serving as University Vice Chancellors or senior members of the Chancellor’s Cabinet who are appointed by the Chancellor and are the highest-ranking leaders with responsibility for ensuring that University data is properly managed and that appropriate compliance is practiced as related to University functions for their units.
Data Governance Committee: The Data Governance Committee, with membership determined by the Data Trustees and committee co-chairs, is a University inter-divisional group accountable to the Executive Sponsors and Chancellor, with the authority to make decisions on all aspects of data governance for the university. The Data Governance Committee is tasked with overseeing data governance policy, strategy, risk management, and data management, ensuring engagement across the institution, and promoting a culture that embraces the responsible use of data and resources to achieve institutional goals.
Data Governance Committee Co-Chairs: The Associate Provost for Institutional Research and Planning and the Associate Vice Chancellor for Information Technology Services and Chief Information Officer (CIO) are the co-chairs of the Data Governance Committee. The co-chairs lead the Data Governance Program, report to the Executive Sponsors and Chancellor on program activities, and, in consultation with the Chancellor and Executive Sponsors, mediate conflicts and discrepancies between the interests of Data Trustees and the needs and interests of the University.
Data Stewards: Data Stewards are individuals designated by and accountable to the Data Trustees for the accuracy, privacy, and security of the institutional data under their responsibility.
Data Custodians: Data Custodians are University employees who are assigned specific data management and information security responsibilities by the appropriate Data Steward.
Data Users: Data Users are all users granted access to University Information Resources and data, including but not limited to University employees, affiliates (e.g., contractors, partners, volunteers), and students.
Executive Sponsors: The Executive Sponsors are responsible for the strategic oversight of the Data Governance Program as set forth in the Data Governance Program charter.
Chief Information Officer (CIO): The Associate Vice Chancellor for Information Technology Services and Chief Information Officer is the University official responsible for the administration of the University’s Data Governance Program as described in this policy and the Data Governance Program charter.
Enforcement / Addressing Concerns
All users of University Information Resources and data must be familiar with and comply with this policy and related standards, guidelines, and procedures issued by the University in support of this policy. Failure to comply with the requirements of this policy and related documents may result in harm to individuals, organizations, or the University. Failure to comply with the requirements of this policy may result in University discipline, termination of volunteer service, or a determination that the user has materially breached an agreement, or violated applicable law.
Questions about this policy, the University’s Data Governance Program, and any related standards, guidelines, and procedures issued by the University in support of this policy should be addressed to: Information Technology Services, Chief Information Officer.