Institutional Data Governance

Policy number: 8.6

Policy section: Information Technology

Revised Date: July 28, 2023


1.  Definitions

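Capitalized terms are defined in Appendix A.

2.  Policy Statement

Data governance supports the University’s central missions of teaching, learning, and research. To support the needs of a modern society, institutional data must be accessible, accurate, and must be easily aggregated across the University’s information systems to support the organization’s strategic objectives. The University will permanently maintain a data management committee, with the responsibility of maintaining this policy and the structure of data management at the University.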

The responsible use of data means that the right people make the right decision at the right time using the right data. The University recognizes the importance of data-driven decision making and has developed this policy to ensure the greatest use of data while ensuring transparency and accountability. This policy recognizes that institutional data is a strategic asset of the University and promotes a philosophy of governance and stewardship throughout the entire lifecycle of data.

3.  Purpose

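The purpose of this policy is to:

  1. Establish fundamental principles for the management, access, and use of data, including creation, privacy, security, integrity, confidentiality, and quality;
  2. Improve the security of data, including privacy and protection against loss;
  3. Establish common terms and definitions aiding in collaboration and clear ownership; and
  4. Provide a path for establishing clear accountability and decision rights.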

4.  Applicability

All faculty, students, staff, volunteers, contractors, and visitors shall comply with University policies, as applicable.

5.  Scope

The scope of this policy covers:

  1. Data originating from any System of Record;
  2. Institutional Data managed by SMU for academic research, educational, or administrative purposes;
  3. Paper; and
  4. Electronic Data.

This policy recognizes the legal responsibilities of all SMU faculty and staff to protect the security of the University’s data irrespective of the method by which it is collected or managed.

6.  Process

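  1. The University, rather than any individual or group, is the owner of all data. The value of data as an institutional resource is increased through its widespread and appropriate use; its value is diminished through misuse, misinterpretation, inaccuracies, and unnecessary restrictions on its access.
  2. When accessing University data, users should follow these principles:
    1. Data should come from the System of Record whenever possible. The creation of alternate systems (or shadow systems) to track data causes security issues and potential for irreconcilable data issues.
    2. Do not duplicate data unnecessarily. Duplicated data increases risk and complexity by creating synchronization requirements.
    3. Comply with all federal, Texas, and other applicable laws. Users should collect or access University data for lawful purposes, and only to add value to the University. Data should not be used for commercial or personal gain.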

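7.  Classification

  1. It is the responsibility of all personnel at the University to ensure that institutional data are not misused and are used ethically, in accordance with any applicable law, and with due regard for individual privacy. Use of data depends on the security level assigned by the Data Steward. University personnel must access and use data only as required for the performance of their job functions, not for personal gain or for other inappropriate purposes; they must also access and use data according to the security levels assigned to the data.
  2. The institution will protect its data assets through security measures that assure the proper use of the data when accessed. Every data item will be classified by the relevant Data Steward so that it has an appropriate access level. OIT will provide the technical framework for provisioning data access.
  3. All institutional data should be classified into one of three sensitivity levels, or classifications:
    1. Restricted Data - Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted data.
    2. Private Data - Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data.
    3. Public Data - Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates. Examples of Public data include press releases, course information, and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.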

8.  Institutional Officer Responsibilities

Institutional Officers have authority over policies and procedures regarding business definitions of data and the access and usage of that data within their delegations of authority. Institutional Officers appoint Data Stewards for specific subject-area domains.

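9.  Data Steward Responsibilities

  1. A Data Steward will be assigned for every possible data source and will be responsible for data integrity and data management within their unit. Access to Institutional Data is generally managed by the Data Steward’s unit. Where possible, a role-based approach will be used to manage access to data. A Data Steward’s approval does not provide blanket permission for data use. Any additional use must be approved by the Data Steward. Data Stewards are responsible for ensuring appropriate access levels. Read-only access to administrative information may be provided to employees for the support of institutional business without unnecessary difficulties or restrictions. Any employee or non-employee who is denied access may appeal to the Data Governance Committee.
  2. A Data Steward’s approval is specific to each request. Data granted for one purpose is not generally applicable to all purposes. Each new use case must be approved by the Data Steward in a new request or an amendment to the original request, even if you already have the data.
  3. Data Stewards will:
    1. Classify the information under their stewardship into one of three security categories: Restricted, Private, or Public, based on the intended use of the information and the expected impact of disclosure.
    2. Bear primary responsibility for decisions regarding data usage and handling for the data under their stewardship.
    3. Cooperate appropriately with requests for access to data within their control, consistent with the guidelines set out in this policy.
    4. Identify and authorize delegates to act as the Data Steward’s proxy for activities within the Data Steward’s stewardship.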

10. Data Access

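  1. Access to Institutional Data is granted on a need-to-know basis. Individuals who require access to Institutional Data should complete appropriate training before accessing the data. Appropriate training should be consistent with the type of data the individual will access and use, such as FERPA training for personnel who access or use student data. Evidence of completed training should be provided before granting access to the requested data and shall be reviewed and approved by the Data Steward (see Section 9 for Data Steward Responsibilities).
  2. Access to Private or Restricted Institutional Data must be approved by the Data Steward, in coordination with their Institutional Officer, for the specific data set sought.
  3. Where data is sought or requested on behalf of any type of human subjects research, including data used in conference presentations or publications, refer to SMU Policy 10.10 Human Subjects in Research. Where data is requested from Development and External Affairs, refer to SMU Policy 5.1 Constituent Data in Support of Development and External Affairs Initiatives.
  4. Where access is denied by a Data Steward or the relevant Institutional Officer, an appeal may be made to the Data Governance Steering Committee (DGSC).
  5. Access to Institutional Data will be restricted according to the sensitivity of the data. Restricted data (the most sensitive classification level), such as Social Security numbers and credit card information, may be used only by authorized individuals in the performance of their job duties.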

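11. Data Protection

  1. All individuals who have access to Institutional Data are responsible for protecting the confidentiality, integrity, and availability of the data.
  2. Data must be stored and transmitted securely, in compliance with all applicable laws, regulations, and industry standards. This includes, but is not limited to, the use of strong passwords, encryption, and secure storage locations.
  3. In the event of a data breach, individuals who have access to Institutional Data must report the incident to the appropriate University authority immediately. For more information on this topic, see Policy 8.2 Information Security, Section 5, paragraph d: http://libcat.186987.com/Policy/8-Information-Technology/8-2-Information-Security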

12. Data Use

Institutional Data may be used only for legitimate University business purposes. The use of institutional data for personal gain or for any illegal or unethical purposes is strictly prohibited. See Policy 8.1 Acceptable Use http://libcat.186987.com/Policy/8-Information-Technology/8-1-Acceptable-Use for more information on this topic.

13. Questions

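The CIO, as the designated responsible officer, or a designee, is responsible for interpreting this policy and for resolving conflicts with University policies, departmental policies, and special situations. The CIO, in cooperation with the Data Governance Steering Committee, may grant exceptions to this policy and/or standards after a formal review as described above.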

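Appendix A: Definitions

“CIO” refers to the University’s Chief Information Officer.

“Data Management” refers to the system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.

“Data Integration” refers to the combination of data from multiple systems or applications. In addition, in some cases data may be used for analytics. In these cases, the Data Steward and the University IT governance structure (including Data Governance, IT Leadership, and Enterprise Applications) will determine the appropriateness of the data use. Specific information about Data Integration procedures resides within the Office of Information Technology.

“Electronic Data” refers to any information stored on a computer system generated either by manual entry or through an automated process.

“Institutional Data” refers to data elements aggregated into metrics relevant to the operation, planning, or management of any unit of the University.

“Institutional Officers” are elected annually by the Board of Trustees and include a President, several Vice Presidents, a Secretary, a Treasurer, and such other executive and administrative officers as the Board may determine.

“Insider Information” is defined as any information that is classified as Private or Restricted Information according to the data classification scheme defined in this Guideline.

“Restricted Data” means data classified as “Restricted” according to the data classification scheme defined in this policy. This term is often used interchangeably with confidential data or Personally Identifiable Information as defined in University Policy 8.2, Information Security.

A “System of Record” holds the official values of Institutional Data. The official value is the most accurate representation of the data stored as fact.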


Revised: July 28, 2023

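Adopted: January 2, 2019

The official University Policy Manual is housed in the Office of the University Secretary. The University Secretary is responsible for maintaining new and updated policies and for maintaining this website. Should the official University Policy Manual conflict with any internal policies, procedures, departmental rules and regulations, or guidelines that may be contained in manuals provided by schools, departments, or divisions within the University, the official University Policy Manual controls.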