Data and Information Governance
- Responsible Office: Office of Planning and Decision Support, Office of the Provost
- Current Approved Version: 03/09/2020
- Policy Type: Administrative
Policy Statement and Purpose
Virginia Commonwealth University recognizes that integrity in all information assets is vital to the university’s success, and as such, these assets must be maintained in a manner that supports the university’s mission. In furtherance of this imperative, this policy establishes and outlines the university’s data and information governance program and the core roles and responsibilities for individuals participating in the university data and information lifecycle.
VCU must protect and utilize its information assets, in all forms and throughout the information life cycle, in accordance with this policy and all applicable federal, state and regulatory requirements, as well as any contractual requirements with third parties. In order to adequately govern information, the university must set requirements for the management of processes, personnel and technology used in data transformation and information management.
Data and information governance plays a central role in the control and distribution of important information within the university. Appropriate data and information governance provides clarity of roles and responsibilities for all individuals generating, managing, and using data. To ensure the quality, security and availability of information assets, the data and information governance program:
● Classifies and defines key information assets;
● Establishes appropriate roles and responsibility for the management of information assets;
● Defines authoritative data and information and outlines information sources;
● Outlines requirements and baseline practices throughout the information management lifecycle;
● Improves ease of access for authorized users and ensures that once data are located, users have enough information about the data to interpret them correctly and consistently;
● Outlines requirements related to security of the data and information, including confidentiality and protection from loss; and
● Outlines requirements structured around maintaining data integrity, including: accuracy, timeliness, and quality of information for decision-making.
Data trustees, data stewards, and data custodians of university data and information are expected to preserve the quality, security, and availability of the data and information that they create, access or manage. As such, these individuals are expected to collectively exercise their responsibilities as defined in this policy.
In the event any existing or future school/department processes, standards, practices, or local policies conflict with this policy, this policy shall govern. This policy sets the minimum requirements for all schools, departments and units and permits them to introduce additional requirements that are not in conflict with this policy.
Noncompliance with this policy may result in disciplinary action up to and including termination. VCU supports an environment free from retaliation. Retaliation against any employee who brings forth a good faith concern, asks a clarifying question, or participates in an investigation is prohibited.
Who Should Know This Policy
Individuals employed by, or affiliated with, Virginia Commonwealth University who create, manage, analyze, or access university data and information are responsible for knowing this policy and familiarizing themselves with its contents and provisions.
Authoritative Data Source
The authoritative data source is a recognized and official source for a given data element or a specific piece of information.
Data are sets of signs, signals, facts, or statistics that serve as the fundamental building blocks for information. When collectively placed within context, sets of data can be transformed into information.
Data transformation is the process of converting data or information from one format to another. This process usually occurs when data is moved from the current format in a source system to the required format of a destination system.
Derivative Data Product
Within the context of this document, a derivative data product is the data or information asset created from the interpretation of the original information asset. Often the creation of a derivative data product involves combined interpretation of the original information asset with other data or information assets.
Within the context of this document, governance refers to the process of governing, as it relates to the processes and rules associated with particular interactions among units, persons, and information assets. Governance includes the establishment and administration of policies, procedures, and processes.
Information is an organized and interpreted collection of data presented within a context that gives the collection of data meaning and relevance. Information can be used to help guide individuals in making informed decisions.
Information assets within the context of this document refer to the information that is critical to the operational success of the university, where the loss in quality, security, or availability may significantly hinder the university’s academic, research and administrative missions.
The information hierarchy defines the relationship among data, information, knowledge, and wisdom, where data are meaningless facts, symbols or signals that serve as fundamental building blocks for information, and information is derived through the interpretation and aggregation of data.
The information lifecycle consists of seven stages that cover the life of information from the time it is generated until the time it is destroyed. In relation to this policy, these seven stages include: Generation, Use, Transfer, Transformation, Storage, Archival, and Destruction.
Information in paper, electronic or oral form that is collected, generated, transmitted, processed, or stored by a VCU employee, consultant, contractor, or other affiliate in the course of their work and is used to support the academic, research, patient care, or administrative operations in VCU.
The Data and Information Management Council (DIMC) officially interprets this policy. DIMC is responsible for obtaining approval for any revisions as required by the policy Creating and Maintaining Policies and Procedures through the appropriate governance structures. Please direct policy questions to the firstname.lastname@example.org.
Policy Specifics and Procedures
Data and information governance at VCU is the practice of making strategic and effective decisions regarding Virginia Commonwealth University’s information assets. It supports the philosophy of freedom of access to non-confidential university data and information by all members of the community, coupled with the responsibility to adhere to all policies and all legal requirements that govern that data usage.
While the DIMC co-chairs are assigned the leadership and oversight role for the activities of the data and information governance program, the implementation and enforcement functions are supported by the DIMC Steering Committee and executed by appropriate data trustees.
Roles and Responsibilities
Data and Information Management Council (DIMC)
DIMC serves as the data and information governance board for VCU. DIMC is a cross-functional group charged with the responsibility of overarching data and information management for the university. This includes, but is not limited to:
● Establishing data as a trusted institutional asset to further VCU’s mission to advance knowledge and student success;
● Instituting and managing definitions, policies, processes, standards and structures that support operational efficiency, effective decision-support and university wide collaboration; and
● Improving the security, integration, accessibility, quality, transparency, consistency and shared governance of data across the institution.
Data trustees are university officials who have the ultimate authority over policies, procedures, standards and guidelines regarding business definitions of data, and the access and usage of that data, within their delegated authority. Data trustees are responsible for appointing data stewards for the business domains (operational areas) within the institutional domains (subject areas) under their authority. Data trustees are also responsible for:
● Enforcing compliance with policies and procedures related to data and information management;
● Developing a defined and documented approach (in cooperation with data stewards) for requesting permission to access data elements in information assets;
● Administering and managing information assets under their purview in accordance with this policy (to include formally documented local policies, protocols, procedures, plans, etc. to implement appropriate data management practices); and
● Ensuring that all derivative data products, created from university information assets, are made available to the broader university community and upholding the integrity standards outlined herein.
Data stewards are appointed by and accountable to the data trustees. Data stewards must have knowledge of and work in accordance with the policies, standards and guidelines across the institution, including university policies on information security and privacy. Data stewards are expected to be subject matter experts for the business domains under their authority. Data stewards are responsible for:
● Interpreting, implementing, and executing policies, standards and guidelines for institutional data and information management within their purview;
● Identifying systems of record containing institutional data and information;
● Categorizing institutional data and information in accordance with the university’s Information Security policy and Data Classification Standard;
● Defining access and usage requirements, standards and guidelines for institutional data and information, in compliance with the overarching institutional data and information management policies and standards;
● Defining data quality control activities;
o Defining data validation, reconciliation, and monitoring processes to be conducted by the data custodians, and performing them where applicable or as needed;
o Documenting business processes and workflows that identify dependencies between business domains from an institutional data point of view, implementing practices that monitor the accuracy and efficiency of the processes/workflows, and developing process improvement plans where needed;
● Coordinating with other data stewards and custodians in developing/maintaining business requirements; communicating the business requirements to custodians and other stewards and business domains who might be impacted;
● Communicating concerns, issues, and problems with institutional data and related processes to the DIMC; and
● Communicating and sharing best practices with other data management personnel.
The data custodians are individuals or organizations (including third party vendors) who are responsible for entering, modifying and maintaining data in institutional, or third-party-provided information systems. Data custodians are also responsible for:
● Producing (inserting, updating, deleting) business and technical data in the business information systems that support the business processes; and
● Practicing data quality (e.g. completeness, uniqueness, timeliness), security and integrity (e.g. accuracy, validity, consistency) standards, provided by the data stewards, for the data they produce and maintain.
There are no forms associated with this policy and procedures.
1. VCU Policy: Information Security
2. VCU Standard: Data Classification Standard
3. VCU Policy: Computer and Network Use
4. VCU Policy: Exposure and Breach of Information
5. VCU Policy: Records Management
6. VCU Policy: University Archives
This policy supersedes the following archived policies:
None - New Policy
1. Who is the data steward of the data I seek?
Please visit the VCU DIMC website at https://dimc.vcu.edu/ for assistance in identifying the data steward for the data you seek.
2. When is it appropriate for me to collect my own data rather than going to one of the authoritative data sources?
You should consult with the appropriate data stewards for the authoritative data sources before collecting your own data.
3. I have discovered some issues with the quality or process in handling authoritative data, where do I report such issues?
Data and information management issues can be reported to the DIMC at email@example.com. Alternatively, please visit the DIMC website at https://dimc.vcu.edu/.
4. Where do I go to find information on access request procedures for specific data?
Please visit the VCU DIMC website at https://dimc.vcu.edu/ and the institutional data map for assistance on role based access requirements, and please check the VCU Policy Library at http://go.vcu.edu/itpolicy and the VCU IT Standards page at http://go.vcu.edu/itstandard for policies and standards related to data classification and information security.
5. I am a data steward, where can I find information and assistance on proper management of information assets?
Please visit the VCU DIMC website at https://dimc.vcu.edu/ for assistance on management of information assets. Additionally, the VCU Data Management System (https://dms.vcu.edu) can be utilized as a resource in identifying available information asset management controls.
6. There is a suspected data breach or exposure with data under my purview, what should I do?
Please contact the VCU Information Security Office at firstname.lastname@example.org for assistance without unreasonable delay. An Exposure and Breach of Information policy is available to the university community, and must be used as a resource for the handling of potential data exposure and breaches.