Data Management, Data Access and Data Use
Operations and General Administration
Chief Information Officer
Authorization: Board of Governors
Approval Date: Mar 22, 2005
Amended: Mar 13, 2009
To provide a common basis of understanding of institutional data as a business-critical university resource, and of the responsibilities accompanying use of institutional data and its management by all members of the University of Saskatchewan community.
Institutional data is defined as that data which is created, collected and stored by the university, or any office of the university, in support of its academic and administrative functions. Such data may relate to students, faculty, employees, donors, members of the Board of Governors, members of Senate, researchers, alumni, prospects, patients and other members of the University community, and may include personal, academic, financial, curricular, clinical, and other information. Data about research and scholarly activity, such as research grants held and publications generated, is considered to be institutional data and is thus in scope.
Data created by or deriving from research and scholarly activities, however, is outside the scope of this definition of institutional data (even though it may be held in institutional systems) and is governed by university policies on Computer Use and Administration of Research Grants and Contract
Institutional data is among the university's most valuable assets and represents a significant investment of time and effort.
Sound data management policies, procedures and practices will support effective, data-driven business decision-making and can contribute significantly to furthering the university's strategic directions.
Our data management policies, procedures and practices are designed to safeguard three vital aspects of data: integrity, security, and access.
Data integrity includes qualities of accuracy, consistency, and timeliness. Institutional data is a university resource that may be used and relied upon by many users. Data integrity begins with the person or office creating the data, and is the continuing responsibility of all who subsequently access and use it.
Security of data encompasses more than electronic security, although that is an element of it. While some aspects of security may be assured by technology, security also involves a measure of trust. As a valuable and business-critical institutional resource, data must be safeguarded at all levels against damage, loss, and breaches of security, and all who use it share this responsibility.
Access to institutional data is granted internally when a legitimate business or research need for the data is demonstrated, and externally when release of such data would not violate the university's stewardship obligations, privacy legislation, or legal contracts. Institutional data has legitimate uses for research purposes, both to support institutional decision-making and as an object of academic study.
Wherever possible, data should be collected once, at the source, and made available to all members of the university who have a legitimate business need for the data for academic, research or administrative purposes.
Institutional data must be used only by those persons duly authorized to access and use the data by virtue of their position at the University of Saskatchewan, and only for the purpose for which use has been authorized. Authorization for access to data is not transferable.
Every data user must recognize that university's institutional data and information derived from it are potentially complex. It is the responsibility of every data user to understand the data that they use, and to guard against making misinformed or incorrect interpretations of data or misrepresentations of information.
Institutional data must not be accessed or manipulated for personal gain, or out of personal interest or curiosity.
Data users must carry out all tasks related to the creation, storage, maintenance, cataloguing, use, dissemination and disposal of institutional data responsibly, in a timely manner and with the utmost care.
Data users must not knowingly falsify data, delete data that should not be deleted or reproduce data that should not be reproduced.
Data users must respect the privacy of individuals whose records they may access. No subsequent disclosure of personal information contained in files or databases may be made. Disclosure is understood to include (but is not limited to) verbal references or inferences, correspondence, memoranda and sharing of electronic files.
The university has a duty to ensure that users are knowledgeable about and in compliance with federal and provincial privacy legislation.
Access to institutional data for research purposes may be granted by the appropriate Data Steward and its use is subject to university policies on privacy, intellectual property and research ethics as well as to provincial and federal privacy legislation.
Wherever possible the university should avoid maintaining redundant and duplicate data in multiple systems.
Institutional data should be readily accessible in electronic form to authorized users to view, query or update.
Institutional data must be stored in such a way as to ensure that the data is secure, and that access is limited to authorized users. Secure storage of institutional data is a joint responsibility of system and network administrators, database designers, application designers, and the data user who must ensure that passwords and other security mechanisms are used.
When electronic data is no longer required for administrative, legal or historical reasons, it should be deleted in such a way that recovery is not possible.
1. Scope of this policy
This policy has been developed in the context of, and is designed to complement,
- existing university policies and regulations, particularly those governing computer use, privacy and intellectual property
- legal contracts and agreements with external sponsors, granting agencies, and others
- collective agreements
- Provincial Local Authority Freedom of Information and Protection of Privacy Act (LAFOIPP)
- Federal Personal Information Protection and Electronic Documents Act (PIPEDA)
This policy encompasses activities which relate to the creation, collection, storage, maintenance, cataloguing, use, dissemination and disposal of institutional data
- whether the data is stored electronically or in hard copy,
- whether the data is held centrally in major administrative systems, or in colleges, departments or other academic or administrative offices,
- whether the data exists in raw form or is derived, summarized or aggregated.
2. Classifying institutional data
Institutional data can generally be assigned to one of three categories:
Public access data is data that is (or can be) generally available to all employees, the general public, and the media. Examples of such data at the University of Saskatchewan include information contained in the university's Annual Report, published convocation lists and statistical reports on enrolment.
Internal data is data that is available to those employees with a clear business need for access as part of their required job duties and responsibilities. In general, institutional data is considered internal data unless otherwise specified. Not all employees have access to all internal data; access is determined by the employee's job responsibilities and legitimate use. Examples of internal data include student grades and contact information.
Limited access data is data of a sensitive or confidential nature that is protected from general distribution, and for which special authorization must be obtained before access is made available, or to which limited access may be granted. Examples of limited access data include employment and education equity declarations, contact information for which an individual has requested non-disclosure, and records pertaining to academic and non-academic disciplinary actions.
3. Roles and responsibilities
To promote and safeguard the integrity and security of, and appropriate access to, institutional data, the following roles and responsibilities are defined. It is quite possible that any one person could participate in more than one of these roles.
The University of Saskatchewan is the owner of the university's institutional data. Individual units or departments have stewardship responsibilities for particular elements and/or aspects of the data.
The University Data Steward
The University Data Steward is the provost. The University Data Steward is the institutional authority on all matters pertaining to the management and use of the university's institutional data and institutional information, identifies and confirms the official version of all university information and ensures that university has adequate policies, processes and practices are in place to support its needs for information.
Senior university officials (typically at the level of an associate vice-president or a dean) who have planning and policy-level responsibilities for data in their functional areas are considered data stewards.
As a group, the data stewards are responsible for developing policies, guidelines and standards, and for establishing procedures for university-wide data management activities.
As individuals, the data stewards also have specific responsibilities and authority for the management, access, use, definition and quality of data that pertains to their functional areas and/or is deemed to be under their purview. Data stewards are responsible for identifying the access category (public, internal or limited) of data elements under their authority, and for determining what limitations or conditions apply to access. Because data and responsibility for them have traditionally been organized along functional lines, data stewards will generally follow the same organization. Some data stewardship responsibilities and authority, however, may not be clearly delineated and may be shared or delegated to a group of data stewards.
Access to institutional data for the purposes of research may be granted by the appropriate data steward, whose responsibility it is to ensure that appropriate agreements about the use of such data are negotiated and documented.
Both as individuals and collectively, the data stewards have a responsibility to promote and encourage an institutional view of the data resource and to ensure that its use is in line with institutional policy.
Data managers are responsible for the coordination of institutional data-related activities. The data manager(s) must recognize and promote the importance of data as a valuable institutional resource requiring consistent management of the creation, storage, maintenance, cataloguing, use, dissemination and disposal of data. Data managers have responsibility for promoting policies, guidelines, procedures and standards that allow the university to ensure the integrity, security, accessibility and usefulness of data. In addition, data managers act as a resource to the data stewards, data experts and data users. Generally, this role would apply to directors, managers or supervisors that have a direct responsibility for one or more institutional information systems.
Data experts are university employees who have operational level responsibility for data management activities related to the creation, storage, maintenance, cataloguing, use, dissemination and disposal of data. Among the responsibilities of the data experts are any data administration activities that may be delegated to them by the data stewards. Data experts must ensure that procedures are in place to carry out policies and comply with standards approved by the university. Typically, data experts are directors, department heads or managers of functional units.
Individuals who need and use institutional data as part of their assigned duties or in fulfillment of their role at the university are data users. Data users are responsible for complying with the institutional data policies outlined in this document, and for following procedures established by data managers. Since data may cross functional lines, data used by any one data user may have different data managers and data stewards.
The Chief Information Officer
The Chief Information Officer (CIO) provides vision and leadership in the development and use of information and information technologies, including strategic planning, governance, policy, infrastructure and resources. The CIO is the senior spokesperson for ICT issues at the university and represents these issues with university council and its committees, with the board of governors and its committees, with external bodies and agencies and with the general public. He/she works in collaboration with units across the university to promote coordination of local initiatives, systems or data within the overall institutional framework.
4. Recommended operational measures to support this policy
- will name a University Data Steward and vest in that individual the institutional authority on all matters pertaining to the management and use of information at the university.
- will identify Data Stewards who individually shall be considered the custodians of all University data under their jurisdiction, and who collectively will take responsibility for developing policies, guidelines and standards, and for establishing procedures for university-wide data management activities and for release of institutional data for research purposes.
- should make this policy available on its web site and draw its existence to the attention of all employees
- should provide information and training about institutional and individual responsibilities under the LAFOIPP and PIPEDA to all staff who have access to demographic, biographical, medical, academic, employment or other personal information, and maintain an audit of such training.
- should ensure that institutional data elements and common shared data standards and structures are identified, documented and made available to all users
- should catalogue the kinds of data contained in various university data bases, and identify the level of access and security required for access to the data
- should develop a common university procedure for requesting, granting, and documenting access to data elements or data views, including procedures for requesting and granting access to data for legitimate research purposes and to support data-driven decision making in university units.
- should develop procedures and schedules for identifying and deleting all institutional data no longer required for the purposes for which it was created or collected.
- should develop, within existing university policies, procedures for handling cases of suspected misuse of institutional data.
If there is reason to suspect that laws or university policies have been, or are being violated, or that continued access poses a threat to normal operations or the reputation of the university, access privileges may be restricted or withdrawn.
Following due process, the university may take action against anyone whose activities are in violation of the law or of this policy. The actions taken may include, but are not limited to:
- revocation of access privileges;
- disciplinary action for employees;
- disciplinary action for students under either Council Regulations on Academic Dishonesty or Senate Non-Academic Disciplinary regulations;
- legal action that could result in criminal or civil proceedings.
There are no other documents associated with this policy.
Contact Person: Chief Information Officer