The purpose of data governance is to establish a culture that ensures that institutional data is both secure and available to those who should have access to it. The policies and procedures delineated below serve as useful guidance to data stewards, users, and seekers alike. Data is a vital institutional asset that must be used legally and ethically. College records exist for the purposes of the business of the college. Requests for data are subject to many considerations, including:
- Data sensitivity
- Compelling institutional need
- Reputational risk
- IRB Approval
- Staff resource availability
Roles Required to Govern Institutional Data
Several roles and responsibilities govern the management of, access to, and accountability for institutional data.
Data Governance Committee
This committee is composed of the Data Stewards from across all functions and departments of the College. It brings the Data Stewards together to recognize the importance of, and raise awareness of, sound data management across the college. This group adds shared accountability and calibration to our practices to provide clear and consistent responses to data requests.
Data Trustees are senior college officials who have planning, policy-level and management responsibility for data within their functional areas. (Table 1)
Data Stewards are college officials who have direct operational-level responsibility for the management of one or more types of institutional data. Data Stewards are assigned by the Data Trustee and are generally associate vice presidents, directors or managers. Data Stewards review, at least annually, who has access to the data for which they have responsibility.
Data Stewards evaluate information requests, bringing in others as needed to evaluate each request. The Data Governance Committee is a resource for advice. If there is not a clear answer, the Steward makes recommendations to the Data Trustee and Senior Staff. (Table 1)
Data Managers are individuals who are responsible for data collection, quality control, processing, and management for their functional area.
Data Users are college units or individual college community members who have been granted access to institutional data in order to perform assigned duties or in fulfillment of assigned roles or functions within the college; this access is granted solely for the conduct of college business.
Policies and Procedures
Responsible stewardship of Williams College data is critical to the work of the college and required in order to ensure those with official educational or administrative responsibilities are able to access and rely on the accuracy and integrity of the data. Data stewards are expected to comply with the following data policies and manage data within their care in a manner that is consistent with legal, ethical, and practical considerations.
Data access is granted to those with legitimate educational or business interest in the data upon approval of the appropriate Data Steward and may require approval of a Data Trustee. See Figure 1 for a flowchart representing the process.
Improper release, maintenance or disposal of college data may be damaging to the college community and exposes Williams to significant risk and possible legal action. Those granted access to college data must agree to the following guidelines.
- Maintenance of data must strictly adhere to the policies and procedures of Williams College. Unauthorized use, disclosure, alteration, or destruction of data is prohibited.
- Data Stewards, as defined in the roles policy, may grant access to data if it needs to be shared with others. Others seeking data access, including Data Managers and users, must seek approval from the relevant Data Steward before using that data.
- Data may not be released to third parties, or to others at the college who do not have access to the data, without the consent of the appropriate Data Steward, and any release must always comply with all laws and regulations (e.g., FERPA, HIPAA, and GDPR).
- If uncertainty or high risks exist for releasing data, the decision is elevated to the Data Trustee and Senior Staff.
- The institutional need must be demonstrated in order for access to be granted.
- Access to and use of data is restricted to the scope of an individual’s work. Data should not be viewed or analyzed for purposes outside of official business.
- Access is granted for specific purposes and durations; the data may not be used for other purposes or kept beyond its need.
- All data must be used, transmitted, and stored according to the Data Classification Policy and Usage Guidelines.
- Any actual or suspected loss, theft, or misuse of data must be reported to the Data Trustee, the Data Steward, and OIT immediately.
All security and computer use policies must be adhered to: see the Williams OIT website.
Classification of College Data
Classification of Data
Accurate classification provides the basis to apply an appropriate level of security to college data. All College data are classified into four levels of sensitivity to provide a basis for understanding and managing college data. These classifications take into account the legal protections (by statute, regulation, or by the data subject’s choice), contractual agreements, ethical considerations, or strategic or proprietary value. They also consider the application of “prudent stewardship,” where there is reason to protect the data to protect individuals or the institution.
The classification level assigned to data guides Data Trustees, Data Stewards, Data Managers, and Data Users in the security protections and access authorization mechanisms appropriate for those data. Such categorization encourages the discussion and subsequent full understanding of the nature of the data being displayed or manipulated.
Williams has four levels of classification for our data. They are listed here and explained in the Data Classification Policy:
- Public Data – low level of sensitivity
- Internal Data – moderate level of sensitivity
- Need to Know – confidential information
- Protected Data – highest level of sensitivity
Table 1: The organizational scheme for stewards and trustees by data area.
In cases where there is no data steward, the Chief Information Officer acts as the Data Steward until one is appointed and brings in the relevant senior staff members as Data Trustees.
Figure 1: Flowchart representing the typical process paths for data requests.