IT All-Campus Workshop June 19, 2015 Sandra Furuto UH System Office of the Vice President for Academic Affairs 1 2 What is Data Governance (1) “The formal orchestration of people, process, and technology to enable an organization to leverage data as an enterprise asset.” — The MDM Institute http://0046c64.netsolhost.com/whatIsDataGovernance.html OVPAA|June 2015 3 What is Data Governance (2) DG is a framework that enables us to effectively manage data Defines how data are collected, stored, and used Defines who can access data, when, and under what conditions Establishes decision rights Establishes clear lines of accountability Gives a voice to all appropriate parties Provides a mechanism for conflict resolutions involving data OVPAA|June 2015 4 UH Data Governance Issues Lack of clarity on access and data requests (where to go, who to ask, etc.) No clear lines of accountability Reliance on local solutions Unnecessary duplication of University data No defined escalation procedures Insufficient education and training on handling sensitive data Lack of compliance with government and industry regulations (FERPA, HIPAA, HRS 92F, HRS 487N, PCI-DSS) OVPAA|June 2015 5 Impact of Non-Compliance Loss of federal financial aid funding (FERPA) Financial fines (HIPAA, PCI-DSS) Class action law suits Misdemeanor charges Financial expenses Loss of reputation Additional legislative scrutiny Unfavorable publicity OVPAA|June 2015 6 7 UH DG Vision Statement Data governance at the University of Hawai‘i fosters a culture of shared responsibility and active participation among members of the University community in the stewardship of data and information entrusted to the University. UH’s institutional data governance philosophy is grounded in the University’s core values of institutional integrity, service, collaboration, and respect, and its commitment to excellence and accountability. OVPAA|June 2015 8 Scope of UH Data Governance “Institutional Data” “Institutional Data System ” refers to refers to data created, received, maintained, and/or transmitted by UH in the course of meeting its administrative and academic requirements. any data repository owned/maintained by UH that collects and stores Institutional Data. These repositories house transactional and analytical (decision support) types of Institutional Data. Examples: Student (student name, ID number, grades); Employee (name, job title, payroll information) Examples: Banner (System with Student Data) PeopleSoft (System with HR Data) KFS (System with Financial Data) 9 DG Scope and Structure Senior Executives/Chancellors KFS (Finance) BANNER (Students) Data Governance Committee (DGC) Data Sharing Requests Data Classification Categories Records Management OTHER DATA SYSTEMS Data System Authorizations Strategic Procurement PEOPLESOFT (Human Resources) Users OVPAA|June 2015 10 UH Data Governance Goals Protect the privacy and security of Institutional data Produce higher quality data for informed decision making Promote efficient use of resources Increase transparency and accountability OVPAA|June 2015 12 Data-Related EPs Institutional Data Governance EP2.215 Data-Related APs ProcurementRelated APs FERPA AP7.022 System and Campus Wide Electronic Channels for Communicating with Students EP2.213 Records Retention Schedule (TBD) Data Classification Categories (in progress) Open Records Requests (TBD) Security and Protection of Sensitive Information EP2.214 Institutional Records Management and Electronic Approvals / Signatures EP2.216 Specialized Purchasing AP8.265 Data Sharing Request Process (in progress) HIPAA (TBD) Data System Authorizations (TBD) 13 UH Data-Related Executive Policies Number Title Description EP2.215 Institutional Data Governance Establishes the vision, goals, principles, best practices, roles and responsibilities, and definitions of UH’s data governance program. EP2.213 System and Campus Wide Electronic Channels for Communicating with Students Establishes the use of electronic channels for system and campus wide communications with students. EP2.214 Security & Protection of Sensitive Information Establishes guidelines for the identification and proper maintenance of sensitive information. EP2.216 Institutional Records Management and Electronic Approvals/ Signatures Establishes institutional requirements for the responsible management of University records which includes meeting legal and institutional requirements, optimizing space usage, and minimizing the cost of record retention. OVPAA|June 2015 14 UH Data-Related Admin Procedures (1) Number Title Description AP7.022 Procedures Relating to Protection of the Educational Rights and Privacy of Students Establishes procedures that protect the educational rights and privacy of students (UH’s FERPA policy). TBD UH Data Classification Categories (in progress) Organizes UH Institutional Data into categories based on different levels of security risk and penalties and specifies security requirements for each category. TBD Data Sharing Requests (in progress) Establishes a process for the release of UH Institutional Data and ensures the data is being appropriately used and is properly secured. TBD Data System Authorizations (in progress) Establishes procedures for granting an individual online access to Institutional Data Systems based on that individual’s roles and responsibilities. OVPAA|June 2015 15 UH Data-Related Admin Procedures (2) Number Title Description TBD Records Retention Schedule (not yet started) Document each type of University record, the official repository/office for that record, the retention period, disposition action, and data classification category. TBD Open Records Requests (not yet started) Provide recipients of Uniform Information Practices Act (UIPA) requests with instructions on how/when to respond. TBD HIPAA (not yet started) Provide standards and guidelines that align with the Health Insurance Portability and Accountability Act for those who work with health records. AP8.265 Specialized Purchasing Provide guidelines on software related purchases, especially for 3rd party hosted services in the Cloud. OVPAA|June 2015 16 Student Directory Information (AP7.022) Name of student Major field of study Class (i.e., freshman, sophomore, etc.) Past and present participation in officially recognized sports and activities Weight and height of members of athletic teams Dates of attendance Previous institution(s) attended Full or part-time status Degree(s) conferred (including dates) Honors and awards (including dean's list) OVPAA|June 2015 17 Key Regulations and Penalties (1) Regulation Description Hawai‘i Revised Statutes (HRS) §487N • State law that requires a breach notification to the legislature if there is an inadvertent disclosure or inappropriate access of data Family Educational Rights and Privacy Act (FERPA) • Federal law that protects the privacy of student education records • UH’s FERPA document is AP7.022 OVPAA|June 2015 Penalty Data subject to regulation: • First Name or First Initial/Last Name combined with: • Social Security Number (SSN) • Driver license or state ID # • Info to access a person’s financial account (account #, access codes, passwords, etc.) • Health information covered by HIPAA • PCI-DSS information Data subject to regulation: • All student data EXCEPT directory information • Student Personally Identifiable Information (PII) Potential loss of federal funding 18 Key Regulations and Penalties (2) Regulation Description Penalty Health Insurance Portability and Accountability Act (HIPAA) • Federal law that protects the privacy of individually identifiable health information Financial fines; also requires a breach notification in accordance with HRS §487N Hawai‘i Revised Statute (HRS) Chapter 92F • State law also known as the Uniform Information Practices Act (UIPA) which requires open access to government records • 92F-12 specifically refers government employee data that must be made available for public inspection and duplication during regular business hours Data subject to regulation: • Health Data subject to regulation 92F-12: • Employee OVPAA|June 2015 If data is intentionally revealed that should not be, could be convicted of a misdemeanor unless a greater penalty is provided for by law. 19 Key Regulations and Penalties (3) Regulation Description Payment Card • A widely accepted set of policies and Industry Data procedures intended to optimize the Security Standard security of credit, debit, and cash card (PCI-DSS) transactions and protect cardholders information against misuse of their personal information Penalty Financial fines; also requires a breach notification in accordance with HRS §487N Data subject to regulation: • Credit Card OVPAA|June 2015 20 21 What is Stewardship “The careful, responsible management of something entrusted to one’s care on behalf of others.” — The DAMA Dictionary of Data Management, 2nd Edition OVPAA|June 2015 22 Data Governance Program DGP Role Lead the University’s data governance program Sandra Furuto, Director of Data Governance and Operations Responsibilities Set the DG agenda with oversight by the Data Governance Committee (DGC) to resolve data issues and support DG goals in support of UH’s mission Create an organized and coordinated strategy and a formal, structured approach to carrying out the University’s DG goals Develop system-wide policies, processes, and standards with guidance from the DGC Increase knowledge and awareness of DG initiatives and DG goals throughout the UH community OVPAA|June 2015 23 Data Governance Committee DGC Role An executive decision making body that focuses on the resolution of system-wide data related issues Responsibilities Establish policies, processes, and standards that govern the University’s data management practices Articulate data issues to UH senior leadership involving disputes around Institutional Data Increase knowledge and awareness of DG initiatives and DG goals throughout the UH community OVPAA|June 2015 24 UH Data Governance Roles Executive Data Steward • Campus • System Roles are reflective of what people already do in their day-to-day jobs. Naming of DG roles formalizes responsibilities and provides structure and support. A person can fulfill multiple roles. Functional Data Steward Data Custodian 25 Executive Data Stewards: Role EDS are accountable for the use and management of Institutional Data at their respective campus or within the Institutional Data System under their purview. • Campus EDS – vice chancellors or appropriate administrators responsible for the major functional areas within a campus including, but not limited to, student affairs, academic affairs, and administration • System EDS – executives with functional responsibility for Institutional Data Systems OVPAA|June 2015 26 Executive Data Stewards: Responsibilities Authorize the release of Institutional Data in the course of improving University programs and services, meeting compliance and reporting requirements, and supporting research related studies Approve login access of employees and others to Institutional Data Systems OVPAA|June 2015 27 Functional Data Stewards: Role Use and manage Institutional Data on a daily basis as part of their job duties and responsibilities and are subject matter experts in their functional area • Exists among all levels and across all units within the University • Includes registrars, financial aid officers, fiscal administrators, human resources specialists, and institutional researchers • Lead FDS – Primary FDS that works along with Data Custodians to manage the Institutional Data Systems OVPAA|June 2015 28 Functional Data Steward Responsibilities Ensure Institutional Data is managed appropriately, according to policies and procedures Input Institutional Data and ensure the accuracy of the data Recommend enhancements for their respective program areas to improve data quality, access, security, performance, and reporting Serve as a conduit between EDS and DC to promote communication and a shared understanding of requirements Fulfill data sharing requests according to administrative procedures OVPAA|June 2015 29 Data Custodians: Role Manage and/or administer systems or media on which sensitive information resides: • PCs, laptops, PDAs, smartphones, departmental servers, enterprise databases, storage systems, magnetic tapes, CDs/DVDs, USB drives, paper files, cloud storage or services, etc. Note : IT personnel are commonly regarded as Data Custodians, however, any authorized individual who downloads or stores sensitive information onto a computer or other storage device becomes a Data Custodian through that act. OVPAA|June 2015 30 Data Custodian Responsibilities Responsible for the technical safeguarding of sensitive information Implement and administer controls that ensure the transmission of Institutional Data is secure and access controls are in place to the prevent inappropriate disclosure of that information Work with FDS, as needed, to fulfill data sharing requests that involve additional technical requirements Clarify with the appropriate EDS if a request is unclear or raises security concerns not addressed OVPAA|June 2015 31 Data Governance Conceptual Framework at UH Campus UH Manoa Business Area Finance Etc. UH Hilo UH West O’ahu Human Resources Hawai’i Community College Research Admin Honolulu Community College Kapi’olani Community College Kaua’i Community College Leeward Community College Maui College Windward Community College Etc. Etc. Identity Management Etc. Student Etc. Institutional Data System Kuali Financial System – KFS eThority eTravel Financial Data Mart (FDM) PeopleSoft HR Data Mart – HRDW myGrant (Kuali Coeus – KC) Cognos Identity Management System (IMS) Banner: Student Operational Data Store (ODS) Banner: Financial Aid STAR (Data Metrix, Academic Journey, Giving Tree) Student Employment and Cooperative Education (SECE) Banner: Accounts Receivable Destiny (UHCC Only) Laulima 32 33 DG Focus Areas Data Governance Committee (DGC) Data Sharing Requests OVPAA|June 2015 Data Classification Categories Records Management Data System Authorizations Strategic Procurement 34 Data Sharing Requests Data Sharing Data Sharing Request Process involves creating a copy of Institutional Data and storing it on another repository or medium for a specified use by individuals who do not normally have access to that data. (DSR) is a formal process for requesting and gaining access to the data of interest. It is the action required to request, review, and approve the release and use of Institutional Data. 35 Scope: People Subject to the DSR Process Individuals who have NOT been granted access to the specific Institutional Data of interest as part of their job requirements EDS, FDS, and DC do NOT need to fill out a DSR form for data within their functional area because working with the data is part of their daily job For example, Institutional Research (IR) has access to student record data as part of their responsibilities. If IR needs student employee data (which is in another system), then IR must submit a request to get the data from Student Employment. OVPAA|June 2015 36 Scope: Data Subject to the DSR Process If the request involves Institutional Data and any of the following: Individual record level data Data not considered ‘public’ The services of a third party A data feed (i.e., the establishment of a link that transfers data between an Institutional Data System and another repository, such as to a vendor-hosted server) OVPAA|June 2015 37 DG Focus Areas Data Governance Committee (DGC) Data Sharing Requests Data Classification Categories Records Management Data System Authorizations Strategic Procurement Organizes UH Institutional Data into categories based on different levels of security risk and penalties and specifies security requirements for each category. OVPAA|June 2015 38 UH Data Classification Categories Matrix Category Definition Examples Public Access is not restricted and is subject to open records requests Student directory information, employee’s business contact info Restricted Used for UH business only; will not be (proposed) distributed to external parties; released externally only under the terms of a written MOA or contract Sensitive Data subject to privacy considerations Date of birth, job applicant records, salary/payroll information, most student information Regulated Inadvertent disclosure or (proposed) inappropriate access requires a breach notification by law or is subject to financial fines OVPAA|June 2015 Student contact information, UH ID number FN or first initial/LN in combination with SSN, driver license number, or bank information; credit card (PCIDSS) or health (HIPAA) info 39 UH Classification Categories and DSR Process These classification categories should be considered by: EDS: When deciding whether to approve or deny the data sharing request FDS: When making recommendations to share the data, the specific method for sharing (encrypted, email, fileshare, etc.), and when fulfilling the data sharing request DC: When making recommendations to share the data, the specific method for sharing (data feed, encrypted at rest/in transit, etc.), and when fulfilling the data sharing request OVPAA|June 2015 40 DG Focus Areas Data Governance Committee (DGC) Data Sharing Requests Data Classification Categories Records Management Data System Authorizations Strategic Procurement Establishes institutional requirements for the responsible management of University records. OVPAA|June 2015 41 Records Management Create records retention schedule for University records, lead office, retention period, type of disposal/destruction, and data classification category. Provide standard guidelines for annual Records Reporting requirement to Office of Information Practices. OVPAA|June 2015 42 DG Focus Areas Data Governance Committee (DGC) Data Sharing Requests Data Classification Categories Records Management Data System Authorizations Strategic Procurement Provides a centralized process for granting individuals online access to Institutional Data Systems based on those individuals’ roles and responsibilities. OVPAA|June 2015 43 Mandatory Training and GCN (1) EP 2.215 broadly states that training and education on handling sensitive information must be completed before users are allowed access The policy will be updated to require users to complete: Mandatory Information Security Awareness Training in Laulima The General Confidentiality Notice (GCN) acknowledgment (www.hawaii.edu/its/acer) OVPAA|June 2015 University of Hawaii © 2014 44 Mandatory Training and GCN (2) Affects users with login privileges to any Institutional Data System. Examples: Banner/ODS Peoplesoft/HR Data Mart KFS/eThority STAR Identity Management System, etc. Reporting mechanism Executive Data Stewards and supervisors will receive a listing of individuals who have not completed either requirement OVPAA|June 2015 University of Hawaii © 2014 45 Mandatory Training and GCN (3) Timeline EP 2.215 revision: summer/fall 2015 Complete reporting module: fall 2015 Roll out training/GCN to current users: begin late fall 2015 starting with ODS Re-certification proposals GCN: annually Information Security Awareness Training: every 2 or 3 years OVPAA|June 2015 University of Hawaii © 2014 46 DG Focus Areas Data Governance Committee (DGC) Data Sharing Requests Data Classification Categories Records Management Data System Authorizations Strategic Procurement Coordinate purchases of third party vendor software/ services to reduce duplicative purchases and ensure appropriate language on data use and security are in all contracts and subscriptions. OVPAA|June 2015 47 Strategic Procurement: Duplicative Purchases Uncoordinated third party vendor purchases Campuses/programs are engaging different vendors for similar services, e.g., retention software Campuses are interested in the same vendor but contracts are negotiated at different times Cost/resource and implementation issues Lost opportunity for favorable contract pricing Many requests involve data feeds Data providers notified at the end, rather than involved during the planning stages OVPAA|June 2015 48 Strategic Procurement: Contract/Subscription Language Not all third party vendor contracts and subscriptions have language protecting the University’s data Completing a template on data use and security for all future data-related contracts Cloud-based subscriptions terms and conditions are inconsistent and may/may not be on their website OVPAA|June 2015 49 Strategic Procurement: Requests Involving Self-Disclosure of Info Requests involve: UH program offering a service ○ E.g., recruitment, parking, proctoring, application to a degree program, training, housing The individuals disclosing information about themselves in order to use the service Subscription-based third party vendors Data stored on a non-UH server, often in the Cloud May collect sensitive data Creating a form/process similar to DSR OVPAA|June 2015 50 DG Program Status Process to Develop a DG Focus Area DG Program creates a draft process or standard DGC and others provide input, modify, and approve Process or standard becomes Executive Policy or Admin Procedure DG Program communicates and trains those with R&R related to the process or standard, EP, or AP Data Sharing Request Complete Complete In progress In progress Data Classification Categories Complete In progress In progress Not started Records Management In progress In progress EP Complete Not started DG Focus Areas AP Not started Data System In progress Authorizations In progress Not started Not started Strategic Procurement In progress Not started Not started OVPAA|June 2015 In progress 51 52 Principle of Need to Know The basis for giving out data or granting access should be based on a need to know by the requester In FERPA terms, this is called having a “legitimate educational interest” What “hat” is the individual wearing when he is making the request? Access to the data should be consistent with the individual’s role associated with the request If the data is not something the individual would normally have access to, s/he may need to fill out a Data Sharing Request form OVPAA|June 2015 53 Principle of Least Access The basis for giving out data or granting access should be based on a need-to-have and not a niceto-have The minimal amount of data should be shared ○ Does the requester need identified data or can de-identified data meet the requester’s needs? The minimal amount of access privileges should be granted ○ Does the individual’s access privileges align with their job duties and responsibilities? OVPAA|June 2015 54 Principle of No Repurposing or Redisclosure Data that is shared should not be used for any other purpose than for what it was originally intended Approval for the new purpose should be sought before the data is used for a different purpose Similarly, data should not be redisclosed or released more often than specified OVPAA|June 2015 55 Questions or Comments? Ask DataGov or Tell DataGov Email: datagov@hawaii.edu www.hawaii.edu/uhdatagov Sandra Furuto Email: yano@hawaii.edu Phone: 956-7487 OVPAA|June 2015 56