UH's institutional data governance

advertisement
IT All-Campus Workshop
June 19, 2015
Sandra Furuto
UH System Office of the Vice President for Academic Affairs
1
2
What is Data Governance (1)
“The formal orchestration of people,
process, and technology to enable an
organization to leverage data as an
enterprise asset.”
— The MDM Institute
http://0046c64.netsolhost.com/whatIsDataGovernance.html
OVPAA|June 2015
3
What is Data Governance (2)
DG is a framework that enables us to effectively manage
data

Defines how data are collected, stored, and used

Defines who can access data, when, and under what
conditions

Establishes decision rights

Establishes clear lines of accountability

Gives a voice to all appropriate parties

Provides a mechanism for conflict resolutions
involving data
OVPAA|June 2015
4
UH Data Governance Issues

Lack of clarity on access and data requests (where to go,
who to ask, etc.)

No clear lines of accountability

Reliance on local solutions

Unnecessary duplication of University data

No defined escalation procedures

Insufficient education and training on handling sensitive
data

Lack of compliance with government and industry
regulations (FERPA, HIPAA, HRS 92F, HRS 487N, PCI-DSS)
OVPAA|June 2015
5
Impact of Non-Compliance

Loss of federal financial aid funding (FERPA)

Financial fines (HIPAA, PCI-DSS)

Class action law suits

Misdemeanor charges

Financial expenses

Loss of reputation

Additional legislative scrutiny

Unfavorable publicity
OVPAA|June 2015
6
7
UH DG Vision Statement

Data governance at the University of Hawai‘i fosters
a culture of shared responsibility and active
participation among members of the University
community in the stewardship of data and
information entrusted to the University.
 UH’s institutional data governance philosophy is
grounded in the University’s core values of
institutional integrity, service, collaboration, and
respect, and its commitment to excellence and
accountability.
OVPAA|June 2015
8
Scope of UH Data Governance
“Institutional Data”
“Institutional Data System ”
refers to
refers to
data created, received,
maintained, and/or
transmitted by UH in the
course of meeting its
administrative and
academic requirements.
any data repository
owned/maintained by UH that
collects and stores Institutional
Data. These repositories house
transactional and analytical
(decision support) types of
Institutional Data.
Examples:
Student (student name, ID number,
grades); Employee (name, job title,
payroll information)
Examples:
Banner (System with Student Data)
PeopleSoft (System with HR Data)
KFS (System with Financial Data)
9
DG Scope and Structure
Senior Executives/Chancellors
KFS
(Finance)
BANNER
(Students)
Data Governance Committee (DGC)
Data Sharing
Requests
Data
Classification
Categories
Records
Management
OTHER
DATA
SYSTEMS
Data System
Authorizations
Strategic
Procurement
PEOPLESOFT
(Human
Resources)
Users
OVPAA|June 2015
10
UH Data Governance Goals

Protect the privacy and security of Institutional
data

Produce higher quality data for informed
decision making

Promote efficient use of resources

Increase transparency and accountability
OVPAA|June 2015
12
Data-Related EPs
Institutional Data
Governance
EP2.215
Data-Related APs
ProcurementRelated APs
FERPA
AP7.022
System and Campus Wide
Electronic Channels for
Communicating with
Students
EP2.213
Records Retention
Schedule
(TBD)
Data Classification
Categories
(in progress)
Open Records
Requests
(TBD)
Security and Protection of
Sensitive Information
EP2.214
Institutional Records
Management and
Electronic Approvals /
Signatures
EP2.216
Specialized
Purchasing
AP8.265
Data Sharing
Request Process
(in progress)
HIPAA
(TBD)
Data System
Authorizations
(TBD)
13
UH Data-Related Executive Policies
Number
Title
Description
EP2.215
Institutional Data
Governance
Establishes the vision, goals, principles, best
practices, roles and responsibilities, and
definitions of UH’s data governance program.
EP2.213
System and Campus Wide
Electronic Channels for
Communicating with
Students
Establishes the use of electronic channels for
system and campus wide communications
with students.
EP2.214
Security & Protection of
Sensitive Information
Establishes guidelines for the identification
and proper maintenance of sensitive
information.
EP2.216
Institutional Records
Management and
Electronic Approvals/
Signatures
Establishes institutional requirements for the
responsible management of University
records which includes meeting legal and
institutional requirements, optimizing space
usage, and minimizing the cost of record
retention.
OVPAA|June 2015
14
UH Data-Related Admin Procedures (1)
Number
Title
Description
AP7.022
Procedures Relating to
Protection of the
Educational Rights and
Privacy of Students
Establishes procedures that protect the educational
rights and privacy of students (UH’s FERPA policy).
TBD
UH Data Classification
Categories (in progress)
Organizes UH Institutional Data into categories based
on different levels of security risk and penalties and
specifies security requirements for each category.
TBD
Data Sharing Requests (in
progress)
Establishes a process for the release of UH Institutional
Data and ensures the data is being appropriately used
and is properly secured.
TBD
Data System
Authorizations
(in progress)
Establishes procedures for granting an individual online
access to Institutional Data Systems based on that
individual’s roles and responsibilities.
OVPAA|June 2015
15
UH Data-Related Admin Procedures (2)
Number
Title
Description
TBD
Records Retention
Schedule (not yet started)
Document each type of University record, the official
repository/office for that record, the retention period,
disposition action, and data classification category.
TBD
Open Records Requests
(not yet started)
Provide recipients of Uniform Information Practices Act
(UIPA) requests with instructions on how/when to
respond.
TBD
HIPAA (not yet started)
Provide standards and guidelines that align with the
Health Insurance Portability and Accountability Act for
those who work with health records.
AP8.265
Specialized Purchasing
Provide guidelines on software related purchases,
especially for 3rd party hosted services in the Cloud.
OVPAA|June 2015
16
Student Directory Information (AP7.022)

Name of student

Major field of study

Class (i.e., freshman, sophomore, etc.)

Past and present participation in officially recognized sports
and activities

Weight and height of members of athletic teams

Dates of attendance

Previous institution(s) attended

Full or part-time status

Degree(s) conferred (including dates)

Honors and awards (including dean's list)
OVPAA|June 2015
17
Key Regulations and Penalties (1)
Regulation
Description
Hawai‘i
Revised
Statutes
(HRS) §487N
• State law that requires a breach notification to the
legislature if there is an inadvertent disclosure or
inappropriate access of data
Family
Educational
Rights and
Privacy Act
(FERPA)
• Federal law that protects the privacy of student
education records
• UH’s FERPA document is AP7.022
OVPAA|June 2015
Penalty
Data subject to regulation:
• First Name or First Initial/Last Name combined with:
• Social Security Number (SSN)
• Driver license or state ID #
• Info to access a person’s financial account
(account #, access codes, passwords, etc.)
• Health information covered by HIPAA
• PCI-DSS information
Data subject to regulation:
• All student data EXCEPT directory information
• Student Personally Identifiable Information (PII)
Potential
loss of
federal
funding
18
Key Regulations and Penalties (2)
Regulation
Description
Penalty
Health Insurance
Portability and
Accountability
Act
(HIPAA)
• Federal law that protects the privacy of
individually identifiable health
information
Financial fines;
also requires a
breach notification
in accordance with
HRS §487N
Hawai‘i Revised
Statute (HRS)
Chapter 92F
• State law also known as the Uniform
Information Practices Act (UIPA) which
requires open access to government
records
• 92F-12 specifically refers government
employee data that must be made
available for public inspection and
duplication during regular business hours
Data subject to regulation:
• Health
Data subject to regulation 92F-12:
• Employee
OVPAA|June 2015
If data is
intentionally
revealed that
should not be,
could be convicted
of a misdemeanor
unless a greater
penalty is provided
for by law.
19
Key Regulations and Penalties (3)
Regulation
Description
Payment Card
• A widely accepted set of policies and
Industry Data
procedures intended to optimize the
Security Standard
security of credit, debit, and cash card
(PCI-DSS)
transactions and protect cardholders
information
against misuse of their personal
information
Penalty
Financial fines;
also requires a
breach notification
in accordance with
HRS §487N
Data subject to regulation:
• Credit Card
OVPAA|June 2015
20
21
What is Stewardship
“The careful, responsible management of
something entrusted to one’s care on
behalf of others.”
— The DAMA Dictionary of Data Management, 2nd
Edition
OVPAA|June 2015
22
Data Governance Program

DGP
Role
 Lead the University’s data governance program
 Sandra Furuto, Director of Data Governance and Operations

Responsibilities
 Set the DG agenda with oversight by the Data Governance
Committee (DGC) to resolve data issues and support DG goals
in support of UH’s mission
 Create an organized and coordinated strategy and a formal,
structured approach to carrying out the University’s DG goals
 Develop system-wide policies, processes, and standards with
guidance from the DGC
 Increase knowledge and awareness of DG initiatives and DG
goals throughout the UH community
OVPAA|June 2015
23
Data Governance Committee

DGC
Role
 An executive decision making body that focuses on
the resolution of system-wide data related issues

Responsibilities
 Establish policies, processes, and standards that
govern the University’s data management practices
 Articulate data issues to UH senior leadership
involving disputes around Institutional Data
 Increase knowledge and awareness of DG initiatives
and DG goals throughout the UH community
OVPAA|June 2015
24
UH Data Governance Roles
Executive Data Steward
• Campus
• System

Roles are reflective of
what people already
do in their day-to-day
jobs.

Naming of DG roles
formalizes
responsibilities and
provides structure
and support.

A person can fulfill
multiple roles.
Functional Data Steward
Data Custodian
25
Executive Data Stewards: Role

EDS are accountable for the use and management
of Institutional Data at their respective campus or
within the Institutional Data System under their
purview.
• Campus EDS – vice chancellors or appropriate
administrators responsible for the major functional
areas within a campus including, but not limited to,
student affairs, academic affairs, and administration
• System EDS – executives with functional
responsibility for Institutional Data Systems
OVPAA|June 2015
26
Executive Data Stewards: Responsibilities

Authorize the release of Institutional Data in
the course of improving University programs
and services, meeting compliance and
reporting requirements, and supporting
research related studies

Approve login access of employees and others
to Institutional Data Systems
OVPAA|June 2015
27
Functional Data Stewards: Role

Use and manage Institutional Data on a daily basis as
part of their job duties and responsibilities and are
subject matter experts in their functional area
• Exists among all levels and across all units within the
University
• Includes registrars, financial aid officers, fiscal
administrators, human resources specialists, and
institutional researchers
• Lead FDS – Primary FDS that works along with Data
Custodians to manage the Institutional Data Systems
OVPAA|June 2015
28
Functional Data Steward Responsibilities

Ensure Institutional Data is managed appropriately,
according to policies and procedures

Input Institutional Data and ensure the accuracy of the data

Recommend enhancements for their respective program
areas to improve data quality, access, security,
performance, and reporting

Serve as a conduit between EDS and DC to promote
communication and a shared understanding of
requirements

Fulfill data sharing requests according to administrative
procedures
OVPAA|June 2015
29
Data Custodians: Role

Manage and/or administer systems or media on
which sensitive information resides:
• PCs, laptops, PDAs, smartphones, departmental
servers, enterprise databases, storage systems,
magnetic tapes, CDs/DVDs, USB drives, paper files,
cloud storage or services, etc.
Note : IT personnel are commonly regarded as Data Custodians, however, any
authorized individual who downloads or stores sensitive information onto a
computer or other storage device becomes a Data Custodian through that act.
OVPAA|June 2015
30
Data Custodian Responsibilities

Responsible for the technical safeguarding of sensitive
information

Implement and administer controls that ensure the
transmission of Institutional Data is secure and access
controls are in place to the prevent inappropriate
disclosure of that information

Work with FDS, as needed, to fulfill data sharing requests
that involve additional technical requirements

Clarify with the appropriate EDS if a request is unclear or
raises security concerns not addressed
OVPAA|June 2015
31
Data Governance Conceptual Framework at UH
Campus
UH
Manoa
Business Area
Finance
Etc.
UH
Hilo
UH
West O’ahu
Human Resources
Hawai’i
Community
College
Research Admin
Honolulu
Community
College
Kapi’olani
Community
College
Kaua’i
Community
College
Leeward
Community
College
Maui
College
Windward
Community
College
Etc.
Etc.
Identity Management
Etc.
Student
Etc.
Institutional Data System
Kuali Financial System – KFS
eThority
eTravel
Financial Data Mart (FDM)
PeopleSoft
HR Data Mart – HRDW
myGrant (Kuali Coeus – KC)
Cognos
Identity Management System (IMS)
Banner: Student
Operational Data Store (ODS)
Banner: Financial Aid
STAR (Data Metrix, Academic Journey,
Giving Tree)
Student Employment and Cooperative
Education (SECE)
Banner: Accounts Receivable
Destiny (UHCC Only)
Laulima
32
33
DG Focus Areas
Data Governance Committee (DGC)
Data Sharing
Requests
OVPAA|June 2015
Data
Classification
Categories
Records
Management
Data System
Authorizations
Strategic
Procurement
34
Data Sharing Requests
Data Sharing
Data Sharing Request Process
involves creating a copy of
Institutional Data and
storing it on another
repository or medium for
a specified use by
individuals who do not
normally have access to
that data.
(DSR)
is a formal process for
requesting and gaining access to
the data of interest.
It is the action required to request,
review, and approve the release
and use of Institutional Data.
35
Scope: People Subject to the DSR Process

Individuals who have NOT been granted access to
the specific Institutional Data of interest as part of
their job requirements

EDS, FDS, and DC do NOT need to fill out a DSR
form for data within their functional area because
working with the data is part of their daily job
 For example, Institutional Research (IR) has access to
student record data as part of their responsibilities.
If IR needs student employee data (which is in
another system), then IR must submit a request to
get the data from Student Employment.
OVPAA|June 2015
36
Scope: Data Subject to the DSR Process

If the request involves Institutional Data and
any of the following:
 Individual record level data
 Data not considered ‘public’
 The services of a third party
 A data feed (i.e., the establishment of a link that
transfers data between an Institutional Data
System and another repository, such as to a
vendor-hosted server)
OVPAA|June 2015
37
DG Focus Areas
Data Governance Committee (DGC)
Data Sharing
Requests

Data
Classification
Categories
Records
Management
Data System
Authorizations
Strategic
Procurement
Organizes UH Institutional Data into categories based on
different levels of security risk and penalties and specifies
security requirements for each category.
OVPAA|June 2015
38
UH Data Classification Categories Matrix
Category
Definition
Examples
Public
Access is not restricted and is subject
to open records requests
Student directory information,
employee’s business contact info
Restricted Used for UH business only; will not be
(proposed) distributed to external parties;
released externally only under the
terms of a written MOA or contract
Sensitive
Data subject to privacy considerations Date of birth, job applicant
records, salary/payroll
information, most student
information
Regulated Inadvertent disclosure or
(proposed) inappropriate access requires a
breach notification by law or is
subject to financial fines
OVPAA|June 2015
Student contact information, UH
ID number
FN or first initial/LN in
combination with SSN, driver
license number, or bank
information; credit card (PCIDSS) or health (HIPAA) info
39
UH Classification Categories and DSR Process

These classification categories should be
considered by:

EDS: When deciding whether to approve or deny the data
sharing request

FDS: When making recommendations to share the data,
the specific method for sharing (encrypted, email,
fileshare, etc.), and when fulfilling the data sharing
request

DC: When making recommendations to share the data,
the specific method for sharing (data feed, encrypted at
rest/in transit, etc.), and when fulfilling the data sharing
request
OVPAA|June 2015
40
DG Focus Areas
Data Governance Committee (DGC)
Data Sharing
Requests

Data
Classification
Categories
Records
Management
Data System
Authorizations
Strategic
Procurement
Establishes institutional requirements for the responsible
management of University records.
OVPAA|June 2015
41
Records Management

Create records retention schedule for University
records, lead office, retention period, type of
disposal/destruction, and data classification
category.

Provide standard guidelines for annual Records
Reporting requirement to Office of Information
Practices.
OVPAA|June 2015
42
DG Focus Areas
Data Governance Committee (DGC)
Data Sharing
Requests

Data
Classification
Categories
Records
Management
Data System
Authorizations
Strategic
Procurement
Provides a centralized process for granting individuals online
access to Institutional Data Systems based on those
individuals’ roles and responsibilities.
OVPAA|June 2015
43
Mandatory Training and GCN (1)

EP 2.215 broadly states that training and education
on handling sensitive information must be
completed before users are allowed access

The policy will be updated to require users to
complete:
 Mandatory Information Security Awareness Training in
Laulima
 The General Confidentiality Notice (GCN)
acknowledgment (www.hawaii.edu/its/acer)
OVPAA|June 2015
University of Hawaii © 2014
44
Mandatory Training and GCN (2)

Affects users with login privileges to any Institutional
Data System. Examples:
 Banner/ODS
 Peoplesoft/HR Data Mart
 KFS/eThority
 STAR
 Identity Management System, etc.

Reporting mechanism
 Executive Data Stewards and supervisors will receive a
listing of individuals who have not completed either
requirement
OVPAA|June 2015
University of Hawaii © 2014
45
Mandatory Training and GCN (3)

Timeline
 EP 2.215 revision: summer/fall 2015
 Complete reporting module: fall 2015
 Roll out training/GCN to current users: begin late fall
2015 starting with ODS

Re-certification proposals
 GCN: annually
 Information Security Awareness Training: every 2 or 3
years
OVPAA|June 2015
University of Hawaii © 2014
46
DG Focus Areas
Data Governance Committee (DGC)
Data Sharing
Requests

Data
Classification
Categories
Records
Management
Data System
Authorizations
Strategic
Procurement
Coordinate purchases of third party vendor software/
services to reduce duplicative purchases and ensure
appropriate language on data use and security are in all
contracts and subscriptions.
OVPAA|June 2015
47
Strategic Procurement: Duplicative Purchases

Uncoordinated third party vendor purchases
 Campuses/programs are engaging different vendors
for similar services, e.g., retention software
 Campuses are interested in the same vendor but
contracts are negotiated at different times

Cost/resource and implementation issues
 Lost opportunity for favorable contract pricing
 Many requests involve data feeds
 Data providers notified at the end, rather than
involved during the planning stages
OVPAA|June 2015
48
Strategic Procurement:
Contract/Subscription Language

Not all third party vendor contracts and
subscriptions have language protecting the
University’s data
 Completing a template on data use and security for
all future data-related contracts
 Cloud-based subscriptions terms and conditions are
inconsistent and may/may not be on their website
OVPAA|June 2015
49
Strategic Procurement:
Requests Involving Self-Disclosure of Info

Requests involve:
 UH program offering a service
○ E.g., recruitment, parking, proctoring, application to a
degree program, training, housing
 The individuals disclosing information about
themselves in order to use the service
 Subscription-based third party vendors
 Data stored on a non-UH server, often in the Cloud
 May collect sensitive data

Creating a form/process similar to DSR
OVPAA|June 2015
50
DG Program Status
Process to Develop a DG Focus Area
DG
Program
creates a
draft
process or
standard
DGC and
others
provide
input, modify,
and approve
Process or
standard
becomes
Executive Policy
or Admin
Procedure
DG Program
communicates and
trains those with
R&R related to the
process or
standard, EP, or AP
Data Sharing
Request
Complete
Complete
In progress
In progress
Data
Classification
Categories
Complete
In progress
In progress
Not started
Records
Management
In progress
In progress
EP Complete
Not started
DG Focus
Areas
AP Not started
Data System
In progress
Authorizations
In progress
Not started
Not started
Strategic
Procurement
In progress
Not started
Not started
OVPAA|June 2015
In progress
51
52
Principle of Need to Know

The basis for giving out data or granting access
should be based on a need to know by the
requester
 In FERPA terms, this is called having a “legitimate
educational interest”
 What “hat” is the individual wearing when he is
making the request? Access to the data should be
consistent with the individual’s role associated with
the request
 If the data is not something the individual would
normally have access to, s/he may need to fill out a
Data Sharing Request form
OVPAA|June 2015
53
Principle of Least Access

The basis for giving out data or granting access
should be based on a need-to-have and not a niceto-have
 The minimal amount of data should be shared
○ Does the requester need identified data or can
de-identified data meet the requester’s needs?
 The minimal amount of access privileges should be
granted
○ Does the individual’s access privileges align with their
job duties and responsibilities?
OVPAA|June 2015
54
Principle of No Repurposing or Redisclosure

Data that is shared should not be used for any
other purpose than for what it was originally
intended
 Approval for the new purpose should be sought
before the data is used for a different purpose

Similarly, data should not be redisclosed or
released more often than specified
OVPAA|June 2015
55
Questions or Comments?
Ask DataGov or Tell DataGov
Email: datagov@hawaii.edu
www.hawaii.edu/uhdatagov
Sandra Furuto
Email: yano@hawaii.edu
Phone: 956-7487
OVPAA|June 2015
56
Download