Authorization and Approval

Responsibility: President 
Authorization: Board of Governors
Approval Date: Mar 22, 2005
Amended: Mar 21, 2017

Purpose

The University of Saskatchewan (U of S) is responsible for ensuring the availability, confidentiality, and integrity of all information to which it is entrusted. University data, whether managed and residing on university information technology resources, stored on personal devices, managed by a third party or a business partner, or outsourced to a service provider, is an important asset that must be governed, protected, and appropriately safeguarded.

Improper use of the university’s data may result in harm to the university, its faculty, staff, students, and alumni. This harm could impact the university’s mission of teaching and learning, research and service delivery. It exposes the university to criminal, financial and reputational risks. Members of the university community have the responsibility to appropriately use, maintain, and safeguard university data.

This policy will provide a framework to safeguard and protect the university’s data while providing flexibility to support the broad range of academic, research and administrative activities.

Principles

This policy is guided by the principles and values outlined in the U of S mission, vision, and values statement and by the principles outlined in the university’s IT enterprise architecture. It was also developed in the context of the following data management principles:

  • Protecting the university’s data is a responsibility shared by all members of the university community. Data protection begins with the person or office creating the data, and is the continuing responsibility of all who subsequently access and use it.
  • University data is critical to the university’s academic, research, and administrative activities. In order to reduce the damaging impact of data loss on business continuity, academic activities, and research programs, university data must be appropriately safeguarded.
  • The requirement to safeguard university data must be balanced with the need to access and use data in support of the pursuit of legitimate academic, research, and administrative activities.
  • The university uses a risk-based approach, and follows best practices in data management, to select appropriate access controls to minimize risk to an acceptable level, and to design security and privacy into its data infrastructure.

Definitions

  • University data – Data that is created, collected and stored (either electronically or in hard copy) by units and members of the university community, in support of academic, research, and administrative activities. University data may include the following (these are not mutually exclusive):

    • Institutional data – Data that is created, collected and stored by all units and members of the university community, in support of academic and administrative activities. Administrative data about teaching, learning, research and scholarly activity, such as grades, attendance, research grants held and publications generated, is considered institutional data.
    • Research data – Data that is created by or derived from research, scholarly, and artistic activities.
    • Personal data – Data that contains personal information about an identifiable individual as defined in the Provincial Local Authority Freedom of Information and Protection of Privacy Act (LAFOIP). This data, if compromised or used inappropriately, would have implications for the privacy of an individual.
    • Third-party data – Data that is created or owned by a third party and is being used in support of academic, research and administrative activities. This data, if compromised or used inappropriately, would have implications for the third party. This includes data such as licensed software or software components, and copyrighted material.

  • Derived data – Data that is changed from the original data using a mechanism such as an arithmetic formula, composition, or aggregation.

  • Data management – Encompasses activities that relate to the creation, collection, storage, maintenance, cataloguing, use, dissemination, and disposal of university data.

  • University community – All students, employees, faculty, postdoctoral fellows, alumni, agents, contractors, authorized guests, persons or organizations acting for or on behalf of the university.

  • University owned – Assets purchased by university funds including research grants administered by the university or acquired by the university through some contractual agreement.

  • IT services – Technology-based services managed or hosted by a university community member, the university or vendors/contractors.

  • IT infrastructure – IT assets including, but not limited to, servers, databases, data, software, end-point devices, the university network, Internet connections, central authentication, the telephone system, and data centres, whether provided directly by Information and Communications Technology or contracted.

  • IT outsourcing – The use of external service providers to deliver IT-enabled business process, application service and infrastructure solutions. Outsourcing can include, but is not limited to, utility services, software as a service, and cloud-enabled outsourcing.

Scope of this Policy

This policy is applicable to all university community members and all University of Saskatchewan academic and administrative units, ancillary units, and any affiliated organizations (collectively referred to as “units”) that create, modify or make use of university data.

It covers all university data regardless of where it is stored (on campus or off campus), where it is being accessed from (on campus or off campus), and whether the data is in raw form, derived, summarized or aggregated.

The policy has been developed in the context of, and is designed to complement,

  • Existing university policies and regulations, particularly those governing use of university property and services; computer use; information technology security; privacy; risk management; records management; responsible conduct of research; disciplinary procedures; copyright and intellectual property
  • Legislation such as provincial Local Authority Freedom of Information and Protection of Privacy Act (LAFOIP) and federal Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Legal contracts and agreements with external sponsors, granting agencies, and others
  • Collective agreements

Policy

All units and members of the university community must access and use university data in ways that safeguard the data and protect the institution.

Units and members of the university community must ensure:

  1. Compliance with regulatory requirements, as well as third-party and other contractual data obligations.
  2. Data is used for the purposes for which it is collected and any restrictions for its use are observed.
  3. Data is collected, stored, and disposed of in ways appropriate to the risk and impact of unintended disclosure.

For research data, the principal investigator is accountable for all decisions regarding their research data.

For decisions regarding institutional data, such as access, classification and appropriate use, members of the university community must consult the designated individual who has accountability for the data. These roles and accountabilities are defined in the Data Governance Framework.

Responsibilities

Designated individuals within the university have specific data management accountabilities and responsibilities as outlined in the Data Governance Framework.

Information and Communications Technology:

Information and Communications Technology (ICT) is responsible for maintaining the availability and security of the university’s data infrastructure and ensuring that authorized users have access to the data they require for academic, research, and administrative activities.

ICT is responsible for implementing security and access measures that mitigate the risk of unintended disclosure of electronic data. This includes, but is not limited to, continually improving end-user awareness of proper data management; maintaining physical security of data infrastructure; implementing appropriate data access; and providing data cataloging technologies to users.

Units:

Academic, administrative and ancillary units are responsible for ensuring they access and use university data (both electronic and hard copy) in a manner that minimizes risk to the university.

The best way to minimize risk to electronic university data is to use the university-approved IT infrastructure (including data centres and end-point devices) and services for all university activities to the greatest extent practicable. When not practicable, they must follow the IT Risk Management procedure.

University Community Members:

Individual members are responsible for ensuring they access and use university data (both electronic and hard copy) in a manner that minimizes risk to the university. They must understand that data management is a shared responsibility across the university community and they must abide by data management procedures and practices. These responsibilities include:

  • Using data only for authorized and intended purposes.
  • Understanding the data and guarding against misinformed or incorrect interpretations. For any questions regarding the data, they should contact the designated individual with data management accountability for that data.
  • Respecting the privacy of the data and the individuals that it represents. This includes not disclosing personal information, nor accessing or manipulating such data for personal gain or interest.
  • Ensuring that they do not knowingly falsify data nor inappropriately delete or reproduce data.

Non-compliance

If there is reason to suspect that laws or university policies have been, or are being violated, or that continued access poses a threat to the university’s data, data infrastructure, university community members or the reputation of the university, access to the university’s data and data infrastructure may be restricted or withdrawn.

Following due process, the university may take action against anyone whose activities are in violation of the law or of this policy. The actions taken may include, but are not limited to:

  • Revocation of access to the university’s data, IT services, IT infrastructure or parts of it.
  • Disciplinary action for students following the Regulations on Student Academic Misconduct (under the authority of University Council) and Standard of Student Conduct in Non-Academic Matters (under the authority of Senate).
  • Disciplinary action for employees.

Procedures

Procedures and practices to support this policy will be developed, documented and made available online following further consultation and proper vetting.

Related Documents

Questions?

If you have questions about this policy, please contact:

Contact Person: CIO and Associate Vice-President, Information and Communications Technology
Phone: 306-966-8408