TABLE OF CONTENTS

PURPOSE OF THIS POLICY

APPLICATION OF THIS POLICY

DEFINITIONS USED IN THIS POLICY

POLICY PROVISIONS

A: Data Classifications

B: Data Governance Roles

C: Administrative Data Governance and Architecture Committee

APPENDIX A Governing Regulations

APPENDIX B Sensitive Data User Agreement

PURPOSE OF THIS POLICY

Administrative data of all kinds are an institutional asset. The value of data as an institutional asset is increased through its widespread and appropriate use; its value is diminished through misuse, misinterpretation, or unnecessary restrictions to its access. Therefore, it is necessary to be explicit about data governance roles, data access and appropriate data use; all of which are under the purview of the Administrative Data Governance and Architecture Committee, hereinafter referred to as the “Committee”.

The purpose of this Administrative Data Governance Policy is to formalize policies, procedures, and oversight for the Colorado State University administrative data environment, balancing the issues of providing and accommodating access while ensuring that there are reasonable and prudent safeguards to protect and preserve the security, integrity and privacy of those data.

Specifically, the policy sets forth (1) the definition of administrative data as distinct from other types of data at CSU; (2) the definition of Administrative Systems, i.e. IT systems containing administrative data; (3) the framework for classifying administrative data and administrative data users: (4) the responsibilities for managing different classifications of administrative data; and (5) the responsibilities for custodianship of university data by requiring Data Stewards to coordinate implementation of this policy for the Data Users under their purview.

APPLICATION OF THIS POLICY

 The scope of this policy is institutional administrative data, as defined below. Hereinafter, “data” is synonymous with “Administrative Data.”

Data must be substantive, reliable, secure, timely, and well-defined in order to be relevant to the planning, managing, operating, documenting, staffing or auditing of one or more administrative functions of the University. This policy encompasses data regardless of whether created, validated, or accessed from on-campus or off-campus locations.

This policy applies to all employees at Colorado State University and anyone involved in any way with CSU’s Administrative Data.

DEFINITIONS USED IN THIS POLICY

Administrative Data –Data pertaining to the administrative operations of the University, i.e. data contained within our selected administrative systems, including data extracted from those systems and made available elsewhere for access.

Administrative Systems – Those major information technology (IT) systems required for the effective and efficient operations of the University, including, but not limited to, the following Systems of Record (SORs): the Student Information System, the Human Resources System, the Kuali Financial System, the Kuali Research System, the Facilities Management and Information System, the Operational Data Store (ODS), and other such systems as may emerge.

Data Access – Access to institutional data refers to the permission to view or query institutional data; permission does not necessarily imply delivery or support of specific methods or technologies of information access. The permission to access institutional data is granted to current employees and designated appointees for legitimate university business only.

Learner Analytics Data Warehouse – A system maintained by the Data Analytics Group in CSU Online to perform analyses and studies of learner and learning data in conjunction with the Center for Analytics for Learning and Teaching (C-ALT), The Institute for Learning and Teaching (TILT), and other units, both internal and external to CSU.

Other Data –Data contained in systems other than SORs, including data maintained for Institutional Research Planning and Effectiveness, learner and learning data maintained by and within Canvas and other systems, in-course data maintained in the Unizin Data Warehouse, scholarly communications consisting of publications and data associated therewith (particularly including research data), working data sets associated with academic courses and research projects, etc. “Other data” are not covered under this policy.

Unizin Data Warehouse – A system operated and maintained by Unizin for in-course and pre-course learner data.

POLICY PROVISIONS

A. Data Classifications

Institutional data falls into three classifications. In the absence of being formally classified, institutional data should be treated as restricted, internal use only, by default. Classifications are intended to provide guidance to issues of access and distribution. All data will be classified. Inappropriate handling of data could result in criminal or civil penalties, identity theft, personal financial loss, invasion of privacy, and/or unauthorized access to information by an individual or many individuals (data breach).

• Public – Public data are directory data, and data explicitly made available to the public, for example, data available on open, public web pages, or in other unrestricted publications and venues.
• Restricted – Restricted data must be treated with propriety, and used only within the confines of the University, unless specific and appropriate approval is provided for sharing, generally from the Office of the General Counsel. Restricted data may be accessed by all eligible employees of the university needing such access in the conduct of university business. Employees accessing data must conform to the de minimis access principle, where they are personally responsible for accessing only the minimum amount of data required in the conduct of their business. Employees are also personally responsible for adhering to any and all pertinent university policies, including the CSU IT Security Policy, the Acceptable Use Policy, etc. Any requests for restricted data from a member of the public should be referred to the appropriate data authority or the Office of the General Counsel.
• Private – Private data are the most sensitive data at CSU, and as such are subject to the greatest protections. Because of legal, ethical, or other constraints, private data may not be accessed without specific authorization, and access may be granted only selectively with final approval from the appropriate Data Authority. Private data encompasses social security numbers, financial information including credit card information, driver’s license information, legally protected personnel information, proprietary research information, third-party proprietary information, personal health information and any other information that through disclosure would adversely affect an individual or tarnish the reputation of the University. Private data may not be shared outside of the University without the express, prior approval of the Office of General Counsel.

NOTE: Irrespective of classification under this policy, institutional administrative data may be subject to disclosure under the Colorado Open Records Act and/or subject to subpoena. Immediately contact the Office of General Counsel upon receipt of any such request.

B. Data Governance Roles

Principals involved in Data Governance exist in four categories, as defined below.

Chief Data Administrator – The Chief Data Administrator co-chairs the Committee and has overall responsibility for the operational, procedural, and technological data environment. Unless otherwise appointed by the Provost, this is the Associate Vice President of Enterprise Systems. The Chief Data Administrator is responsible for carrying out the policies, procedures and activities engendered by the Committee. It is also the responsibility of the Chief Data Administrator to oversee the appointment of Data Stewards in colleges and administrative units, and to distribute updates to documentation and guidelines as appropriate.

Data Authority – A Data Authority is ultimately responsible for data pertaining to the SOR under their authority, and is normally at the level of Director or above. The Data Authority is responsible for classifying the data on the SOR under their auspices into the Data Classifications set forth previously herein. Administrative Data security is managed, ultimately, through Information Systems. Examples of data authorities are:

• The Registrar – Student Information System
• CSU Controller – Kuali Finance System
• Assistant Vice President for Research – Kuali Research System
• Assistant Vice President for Human Resources and Equal Opportunity – Human Resources System
• Assistant Vice President for Facilities – FAMIS
• Vice President for University Development – Advance system

It is the responsibility of the Data Authority to ensure that processes are in place to make certain that administrative data are accurate and that the appropriate data are collected to accommodate business purposes of the University, reporting requirements to governing bodies, and data sharing with the University community. The Data Authority will be supportive of and work collaboratively with the Division of Information Technology to ensure data security and protect student, faculty and staff, and administration confidentiality.

Data Stewards – Data Stewards are responsible for oversight of the Data Users under their authority, including understanding the individual’s business needs for access to data, approving requests for access to data from potential Data Users, ensuring Data Users have the knowledge, expertise, and ability to access, manipulate and generate high-quality reports from institutional administrative data (including attending training as need to maintain a high level of skill and facility), informing Data Authorities when responsibilities or job duties have changed such that a Data User no longer needs or should have access to institutional administrative data, and verifying and keeping up to date the list of Data Users under their authority. The Data Steward must attend required training appropriate to the Data Authority’s area prior to being authorized to function as a Data Steward and participate in management of and coordination/communication with their Data Users.

Data Users – Data Users are CSU employees who have been given permission to access institutional administrative data by their Data Steward, as approved by the appropriate Data Authority(ies), and generally as implemented by the Division of Information Technology.

Data Users must:

• Complete training on the appropriate definition, access, storage and use of data sets as well as centrally managed enterprise reporting tool(s).
• Access only the minimum amount of data required to perform their business functions.
• Access data only in their conduct of university business, and in ways consistent with furthering the university's mission of education, research, and public service.
• Preserve the confidentiality and privacy of individuals whose records they may access.
• Observe any ethical restrictions that apply to the data to which they have access.
• Abide by applicable laws, regulations, standards, and policies with respect to access, use, disclosure, retention, and/or disposal of information (see Appendices A & B).

Data Users must not:

• Disclose data to others except as required by their job responsibilities and approved by their Data Steward.
• Use data for their own or others’ personal gain or profit.
• Access data to satisfy personal curiosity.
• Store data in any manner that violates existing university policies.

Training

Data Stewards are responsible for ensuring Data Users attend training on the appropriate access and use of data generated or stored within their functional areas. No request for data access will be granted without the completion of appropriate training. Updates on data structures and definitions should be provided by Data Authorities to all approved Users as warranted.

Noncompliance Sanctions

Colorado State University will handle reports of misuse and abuse of information and information technology resources in accordance with existing policies and procedures issued by appropriate authorities. Abuse and misuse may result in disciplinary action, up to and including dismissal from the university, depending upon the severity of the misconduct. This may involve the offices of Human Resources, Provost and Executive Vice President, Vice President for Information Technology, Dean of Students, Office of General Counsel, and/or appropriate law enforcement agencies.

Failure to comply with or report violations of this policy, all other related Colorado State University policies, and related state or federal laws may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); the individual's studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these. 

C. Administrative Data Governance and Architecture Committee

The Administrative Data Governance and Architecture Committee serves as the steering committee for institutional administrative data governance, and will be a standing committee. The Executive Sponsor of the Committee is the Vice President for Information Technology (“VP for IT”). The VP for IT will receive quarterly updates on the Committee’s work. Committee members will be as follows:

• The Associate Vice President of Enterprise Systems and Infrastructure, co-chair
• The Associate Provost for Planning and Effectiveness, co-chair
• The Registrar, or his/her designee
• The Director of Business and Financial Services, or his/her designee
• The Director of the Human Resources department, or his/her designee
• The Director of Budgets, or his/her designee
• The Director of IT for CSU Online, or his/her designee
• The Director of Student Financial Aid, or his/her designee
• Vice President for University Development, or his/her designee
• An additional member representing the Colleges, appointed by the director of the College IT Advisory Council (CITAC)
• An additional member representing a Vice Presidential unit, excluding the VP units already represented.

The Committee may call upon additional personnel for advice and counsel, as it deems advisable to meet its goals and objectives. Such additional participants will be ex-officio, non-voting, and generally their service will be temporary.

Committee members have planning and policy-level responsibility and accountability for data within their functional area(s) and are expected to thoroughly understand data generated in their functional area. Meeting this expectation helps them anticipate how data from their area might be used strategically.

The Committee is responsible for the efficient and effective operations of the administrative data environment, including oversight and management of this policy. The Committee is responsible for the operational, procedural, and cultural aspects associated with administrative data. The Committee is responsible for the operational, procedural, and cultural aspects associated with administrative data, including (1) maintenance and update of this policy, (2) approval of the administrative data architecture, data systems, and technologies used for data transfer, storage, aggregation, archival, and delivery, (3) maintenance of metadata for administrative data (e.g., data dictionaries and associated communications about administrative data), (4) efficient and effective delivery of data from SORs, (5) procedures and requirements for efficient and effective access to administrative data, including requirements for training, (6) advice and input associated with Data User support, and (7) overall coordination and communications associated with the administrative data environment inclusive of change notifications relating to data and/or processes.

Reporting

The Committee must deliver updates at least quarterly to the ITEC Advisory Council and provide an update as often as appropriate to the CAAG, at least once annually. After appropriate input, communications, and consultation, the Committee may devise proposals and budget requests for appropriate upgrades to the administrative data environment, in accordance with CSU annual planning and budgeting processes.

APPENDIX A
Governing Regulations

There are many regulations governing data. These regulations cover topics such as access, security, privacy, theft, and rights. At the University, the final authority is the General Counsel. Responsibility for and access to correspondence and documents created or received by University personnel are governed by the following overarching policies and legal statutes:

• Colorado Open Records Act (CORA)

• Health Insurance Portability and Accountability Act (HIPAA)

• Colorado State Records Retention Schedule
• Americans with Disabilities Act (ADA)
• Family Educational Rights and Privacy Act (FERPA)
• The Electronic Communications Privacy Act of 1986 (ECPA)
• Federal Trade Commission (FTC) Red Flags Rule?
• Gramm Leach Bliley Act (GLBA)
• Colorado State University Research Data Policy
• Colorado State University Information Collection and Personal Records Privacy Policy
• Colorado State University Information Technology Security Policy
• Colorado State University Accessibility of Electronic Information and Technologies Policy
• Colorado State University Red Flags Policy
• Colorado State University Information Technology Governance Charter (ITEC)

APPENDIX B
Sensitive Data User Agreement

This form is intended for those who, by virtue of their position and function, have elevated or privileged access to sensitive and/or personal information. This Agreement is part of the continuing effort to maintain a high degree of awareness and accountability regarding such access, and to ensure consistency with respect to the handling of this information.

The CSU IT Security Policy defines sensitive data to include "…social security numbers, personally identifiable health information, personally identifiable financial information, personnel employment and student performance information, proprietary research and academic information, and any other information that through disclosure would adversely affect an individual or besmirch the reputation of the University." This includes information stored on electronic media as well as hardcopy (printed material).

As one who has such access, I agree to the following practices and guidelines:

• Hardcopy containing sensitive data should be protected from open view, stored behind locked doors and/or cabinets, and shredded for disposal.
• Access to desktops, particularly when logged into with privileged accounts, must be protected when unattended during work hours and at night. This protection can be in the form of software screen locking or logging out of the system.
• Portable devices, e.g. laptops, tablets, smart phones, storage devices associated with such systems, e.g. memory sticks, etc. containing sensitive data must have sensitive data encrypted with strong encryption.
• Removable media containing sensitive information, e.g. CDs, DVDs, memory sticks, tapes, and removable hard drives, etc. must be physically secured (key access) and accessible only to those requiring access necessary to perform their job duties.
• Disks containing sensitive information in obsolete systems bound for Surplus must be sanitized in a timely fashion using DiskWipe or another product meeting or exceeding the latest NIST standards for data disposal. Surplus Property will perform this function for a modest fee.
• I agree to raise awareness of these requirements with others to whom I grant access to such information.
• I agree to “de minimis” access, that is, to access only the minimum amount of information necessary to perform my job duties.
• I am responsible for reading, understanding, and complying with the CSU IT Security Policy.
• I am responsible for reading and understanding the CSU Acceptable Use Policy for Computing and Networking Resources.
• I must exercise similar safeguards with my home computer whenever handling the University's sensitive data.
• I agree not to share my password or my access to sensitive information or systems containing sensitive information with others.
• In the case that sensitive data has been compromised, it is my responsibility to immediately notify my supervisor, and the Vice President for Information Technology.
• Use storage in the cloud for sensitive data strictly in accordance with the CSU IT Security Policy.

APPROVALS

Approved by Anthony A. Frank, President, February 23, 2018