UH DATA GOVERNANCE IT AllCampus Workshop June 19

UH DATA GOVERNANCE IT All-Campus Workshop June 19, 2015 Sandra Furuto UH System Office of the Vice President for Academic Affairs 1

What is Data Governance and Issues Around it 2

What is Data Governance (1) “The formal orchestration of people, process, and technology to enable an organization to leverage data as an enterprise asset. ” — The MDM Institute http: //0046 c 64. netsolhost. com/what. Is. Data. Governance. html OVPAA|June 2015 3

What is Data Governance (2) DG is a framework that enables us to effectively manage data Defines how data are collected, stored, and used Defines who can access data, when, and under what conditions Establishes decision rights Establishes clear lines of accountability Gives a voice to all appropriate parties Provides a mechanism for conflict resolutions involving data OVPAA|June 2015 4

UH Data Governance Issues Lack of clarity on access and data requests (where to go, who to ask, etc. ) No clear lines of accountability Reliance on local solutions Unnecessary duplication of University data No defined escalation procedures Insufficient education and training on handling sensitive data Lack of compliance with government and industry regulations (FERPA, HIPAA, HRS 92 F, HRS 487 N, PCI-DSS) OVPAA|June 2015 5

Impact of Non-Compliance Loss of federal financial aid funding (FERPA) Financial fines (HIPAA, PCI-DSS) Class action law suits Misdemeanor charges Financial expenses Loss of reputation Additional legislative scrutiny Unfavorable publicity OVPAA|June 2015 6

UH Data Governance Program 7

UH DG Vision Statement Data governance at the University of Hawai‘i fosters a culture of shared responsibility and active participation among members of the University community in the stewardship of data and information entrusted to the University. UH’s institutional data governance philosophy is grounded in the University’s core values of institutional integrity, service, collaboration, and respect, and its commitment to excellence and accountability. OVPAA|June 2015 8

Scope of UH Data Governance “Institutional Data” “Institutional Data System ” refers to data created, received, maintained, and/or transmitted by UH in the course of meeting its administrative and academic requirements. any data repository owned/maintained by UH that collects and stores Institutional Data. These repositories house transactional and analytical (decision support) types of Institutional Data. Examples: Student (student name, ID number, grades); Employee (name, job title, payroll information) Examples: Banner (System with Student Data) People. Soft (System with HR Data) KFS (System with Financial Data) 9

DG Scope and Structure Senior Executives/Chancellors KFS (Finance) BANNER (Students) Data Governance Committee (DGC) Data Sharing Requests Data Classification Categories Records Management OTHER DATA SYSTEMS Data System Authorizations Strategic Procurement PEOPLESOFT (Human Resources) Users OVPAA|June 2015 10

UH Data Governance Goals Protect the privacy and security of Institutional data Produce higher quality data for informed decision making Promote efficient use of resources Increase transparency and accountability OVPAA|June 2015

UH Policies/Procedures and Key Regulations 12

Data-Related EPs Institutional Data Governance EP 2. 215 System and Campus Wide Electronic Channels for Communicating with Students EP 2. 213 Data-Related APs FERPA AP 7. 022 Records Retention Schedule (TBD) Data Classification Categories (in progress) Specialized Purchasing AP 8. 265 Open Records Requests (TBD) Security and Protection of Sensitive Information EP 2. 214 Institutional Records Management and Electronic Approvals / Signatures EP 2. 216 Procurement. Related APs Data Sharing Request Process (in progress) HIPAA (TBD) Data System Authorizations (TBD) 13

UH Data-Related Executive Policies Number Title Description EP 2. 215 Institutional Data Governance Establishes the vision, goals, principles, best practices, roles and responsibilities, and definitions of UH’s data governance program. EP 2. 213 System and Campus Wide Electronic Channels for Communicating with Students Establishes the use of electronic channels for system and campus wide communications with students. EP 2. 214 Security & Protection of Sensitive Information Establishes guidelines for the identification and proper maintenance of sensitive information. EP 2. 216 Institutional Records Management and Electronic Approvals/ Signatures Establishes institutional requirements for the responsible management of University records which includes meeting legal and institutional requirements, optimizing space usage, and minimizing the cost of record retention. OVPAA|June 2015 14

UH Data-Related Admin Procedures (1) Number Title Description AP 7. 022 Procedures Relating to Protection of the Educational Rights and Privacy of Students Establishes procedures that protect the educational rights and privacy of students (UH’s FERPA policy). TBD UH Data Classification Categories (in progress) Organizes UH Institutional Data into categories based on different levels of security risk and penalties and specifies security requirements for each category. TBD Data Sharing Requests (in progress) Establishes a process for the release of UH Institutional Data and ensures the data is being appropriately used and is properly secured. TBD Data System Authorizations (in progress) Establishes procedures for granting an individual online access to Institutional Data Systems based on that individual’s roles and responsibilities. OVPAA|June 2015 15

UH Data-Related Admin Procedures (2) Number Title Description TBD Records Retention Schedule (not yet started) Document each type of University record, the official repository/office for that record, the retention period, disposition action, and data classification category. TBD Open Records Requests (not yet started) Provide recipients of Uniform Information Practices Act (UIPA) requests with instructions on how/when to respond. TBD HIPAA (not yet started) Provide standards and guidelines that align with the Health Insurance Portability and Accountability Act for those who work with health records. AP 8. 265 Specialized Purchasing Provide guidelines on software related purchases, especially for 3 rd party hosted services in the Cloud. OVPAA|June 2015 16

Student Directory Information (AP 7. 022) Name of student Major field of study Class (i. e. , freshman, sophomore, etc. ) Past and present participation in officially recognized sports and activities Weight and height of members of athletic teams Dates of attendance Previous institution(s) attended Full or part-time status Degree(s) conferred (including dates) Honors and awards (including dean's list) OVPAA|June 2015 17

Key Regulations and Penalties (1) Regulation Description Hawai‘i Revised Statutes (HRS) § 487 N • State law that requires a breach notification to the legislature if there is an inadvertent disclosure or inappropriate access of data Family Educational Rights and Privacy Act (FERPA) • Federal law that protects the privacy of student education records • UH’s FERPA document is AP 7. 022 OVPAA|June 2015 Penalty Data subject to regulation: • First Name or First Initial/Last Name combined with: • Social Security Number (SSN) • Driver license or state ID # • Info to access a person’s financial account (account #, access codes, passwords, etc. ) • Health information covered by HIPAA • PCI-DSS information Data subject to regulation: • All student data EXCEPT directory information • Student Personally Identifiable Information (PII) Potential loss of federal funding 18

Key Regulations and Penalties (2) Regulation Description Penalty Health Insurance Portability and Accountability Act (HIPAA) • Federal law that protects the privacy of individually identifiable health information Financial fines; also requires a breach notification in accordance with HRS § 487 N Hawai‘i Revised Statute (HRS) Chapter 92 F • State law also known as the Uniform Information Practices Act (UIPA) which requires open access to government records • 92 F-12 specifically refers government employee data that must be made available for public inspection and duplication during regular business hours Data subject to regulation: • Health Data subject to regulation 92 F-12: • Employee OVPAA|June 2015 If data is intentionally revealed that should not be, could be convicted of a misdemeanor unless a greater penalty is provided for by law. 19

Key Regulations and Penalties (3) Regulation Description Payment Card • A widely accepted set of policies and Industry Data procedures intended to optimize the Security Standard security of credit, debit, and cash card (PCI-DSS) transactions and protect cardholders information against misuse of their personal information Penalty Financial fines; also requires a breach notification in accordance with HRS § 487 N Data subject to regulation: • Credit Card OVPAA|June 2015 20

Stewardship and UH Data Governance Roles and Responsibilities 21

What is Stewardship “The careful, responsible management of something entrusted to one’s care on behalf of others. ” — The DAMA Dictionary of Data Management, 2 nd Edition OVPAA|June 2015 22

Data Governance Program DGP Role Lead the University’s data governance program Sandra Furuto, Director of Data Governance and Operations Responsibilities Set the DG agenda with oversight by the Data Governance Committee (DGC) to resolve data issues and support DG goals in support of UH’s mission Create an organized and coordinated strategy and a formal, structured approach to carrying out the University’s DG goals Develop system-wide policies, processes, and standards with guidance from the DGC Increase knowledge and awareness of DG initiatives and DG goals throughout the UH community OVPAA|June 2015 23

Data Governance Committee DGC Role An executive decision making body that focuses on the resolution of system-wide data related issues Responsibilities Establish policies, processes, and standards that govern the University’s data management practices Articulate data issues to UH senior leadership involving disputes around Institutional Data Increase knowledge and awareness of DG initiatives and DG goals throughout the UH community OVPAA|June 2015 24

UH Data Governance Roles Executive Data Steward • Campus • System Roles are reflective of what people already do in their day-to-day jobs. Naming of DG roles formalizes responsibilities and provides structure and support. A person can fulfill multiple roles. Functional Data Steward Data Custodian 25

Executive Data Stewards: Role EDS are accountable for the use and management of Institutional Data at their respective campus or within the Institutional Data System under their purview. • Campus EDS – vice chancellors or appropriate administrators responsible for the major functional areas within a campus including, but not limited to, student affairs, academic affairs, and administration • System EDS – executives with functional responsibility for Institutional Data Systems OVPAA|June 2015 26

Executive Data Stewards: Responsibilities Authorize the release of Institutional Data in the course of improving University programs and services, meeting compliance and reporting requirements, and supporting research related studies Approve login access of employees and others to Institutional Data Systems OVPAA|June 2015 27

Functional Data Stewards: Role Use and manage Institutional Data on a daily basis as part of their job duties and responsibilities and are subject matter experts in their functional area • Exists among all levels and across all units within the University • Includes registrars, financial aid officers, fiscal administrators, human resources specialists, and institutional researchers • Lead FDS – Primary FDS that works along with Data Custodians to manage the Institutional Data Systems OVPAA|June 2015 28

Functional Data Steward Responsibilities Ensure Institutional Data is managed appropriately, according to policies and procedures Input Institutional Data and ensure the accuracy of the data Recommend enhancements for their respective program areas to improve data quality, access, security, performance, and reporting Serve as a conduit between EDS and DC to promote communication and a shared understanding of requirements Fulfill data sharing requests according to administrative procedures OVPAA|June 2015 29

Data Custodians: Role Manage and/or administer systems or media on which sensitive information resides: • PCs, laptops, PDAs, smartphones, departmental servers, enterprise databases, storage systems, magnetic tapes, CDs/DVDs, USB drives, paper files, cloud storage or services, etc. Note : IT personnel are commonly regarded as Data Custodians, however, any authorized individual who downloads or stores sensitive information onto a computer or other storage device becomes a Data Custodian through that act. OVPAA|June 2015 30

Data Custodian Responsibilities Responsible for the technical safeguarding of sensitive information Implement and administer controls that ensure the transmission of Institutional Data is secure and access controls are in place to the prevent inappropriate disclosure of that information Work with FDS, as needed, to fulfill data sharing requests that involve additional technical requirements Clarify with the appropriate EDS if a request is unclear or raises security concerns not addressed OVPAA|June 2015 31

Data Governance Conceptual Framework at UH Campus UH Manoa Business Area Finance Etc. UH Hilo UH West O’ahu Human Resources Hawai’i Community College Research Admin Honolulu Community College Kapi’olani Community College Kaua’i Community College Leeward Community College Maui College Windward Community College Etc. Identity Management Etc. Student Etc. Institutional Data System Kuali Financial System – KFS e. Thority e. Travel Financial Data Mart (FDM) People. Soft HR Data Mart – HRDW my. Grant (Kuali Coeus – KC) Cognos Identity Management System (IMS) Banner: Student Operational Data Store (ODS) Banner: Financial Aid STAR (Data Metrix, Academic Journey, Giving Tree) Student Employment and Cooperative Education (SECE) Banner: Accounts Receivable Destiny (UHCC Only) Laulima 32

Current Data Governance Focus Areas 33

DG Focus Areas Data Governance Committee (DGC) Data Sharing Requests OVPAA|June 2015 Data Classification Categories Records Management Data System Authorizations Strategic Procurement 34

Data Sharing Requests Data Sharing involves creating a copy of Institutional Data and storing it on another repository or medium for a specified use by individuals who do not normally have access to that data. Data Sharing Request Process (DSR) is a formal process for requesting and gaining access to the data of interest. It is the action required to request, review, and approve the release and use of Institutional Data. 35

Scope: People Subject to the DSR Process Individuals who have NOT been granted access to the specific Institutional Data of interest as part of their job requirements EDS, FDS, and DC do NOT need to fill out a DSR form for data within their functional area because working with the data is part of their daily job For example, Institutional Research (IR) has access to student record data as part of their responsibilities. If IR needs student employee data (which is in another system), then IR must submit a request to get the data from Student Employment. OVPAA|June 2015 36

Scope: Data Subject to the DSR Process If the request involves Institutional Data and any of the following: Individual record level data Data not considered ‘public’ The services of a third party A data feed (i. e. , the establishment of a link that transfers data between an Institutional Data System and another repository, such as to a vendor-hosted server) OVPAA|June 2015 37

DG Focus Areas Data Governance Committee (DGC) Data Sharing Requests Data Classification Categories Records Management Data System Authorizations Strategic Procurement Organizes UH Institutional Data into categories based on different levels of security risk and penalties and specifies security requirements for each category. OVPAA|June 2015 38

UH Data Classification Categories Matrix Category Definition Examples Public Access is not restricted and is subject to open records requests Student directory information, employee’s business contact info Restricted Used for UH business only; will not be (proposed) distributed to external parties; released externally only under the terms of a written MOA or contract Student contact information, UH ID number Sensitive Data subject to privacy considerations Date of birth, job applicant records, salary/payroll information, most student information Regulated Inadvertent disclosure or (proposed) inappropriate access requires a breach notification by law or is subject to financial fines OVPAA|June 2015 FN or first initial/LN in combination with SSN, driver license number, or bank information; credit card (PCIDSS) or health (HIPAA) info 39

UH Classification Categories and DSR Process These classification categories should be considered by: EDS: When deciding whether to approve or deny the data sharing request FDS: When making recommendations to share the data, the specific method for sharing (encrypted, email, fileshare, etc. ), and when fulfilling the data sharing request DC: When making recommendations to share the data, the specific method for sharing (data feed, encrypted at rest/in transit, etc. ), and when fulfilling the data sharing request OVPAA|June 2015 40

DG Focus Areas Data Governance Committee (DGC) Data Sharing Requests Data Classification Categories Records Management Data System Authorizations Strategic Procurement Establishes institutional requirements for the responsible management of University records. OVPAA|June 2015 41

Records Management Create records retention schedule for University records, lead office, retention period, type of disposal/destruction, and data classification category. Provide standard guidelines for annual Records Reporting requirement to Office of Information Practices. OVPAA|June 2015 42

DG Focus Areas Data Governance Committee (DGC) Data Sharing Requests Data Classification Categories Records Management Data System Authorizations Strategic Procurement Provides a centralized process for granting individuals online access to Institutional Data Systems based on those individuals’ roles and responsibilities. OVPAA|June 2015 43

Mandatory Training and GCN (1) EP 2. 215 broadly states that training and education on handling sensitive information must be completed before users are allowed access The policy will be updated to require users to complete: Mandatory Information Security Awareness Training in Laulima The General Confidentiality Notice (GCN) acknowledgment (www. hawaii. edu/its/acer) OVPAA|June 2015 University of Hawaii © 2014 44

Mandatory Training and GCN (2) Affects users with login privileges to any Institutional Data System. Examples: Banner/ODS Peoplesoft/HR Data Mart KFS/e. Thority STAR Identity Management System, etc. Reporting mechanism Executive Data Stewards and supervisors will receive a listing of individuals who have not completed either requirement OVPAA|June 2015 University of Hawaii © 2014 45

Mandatory Training and GCN (3) Timeline EP 2. 215 revision: summer/fall 2015 Complete reporting module: fall 2015 Roll out training/GCN to current users: begin late fall 2015 starting with ODS Re-certification proposals GCN: annually Information Security Awareness Training: every 2 or 3 years OVPAA|June 2015 University of Hawaii © 2014 46

DG Focus Areas Data Governance Committee (DGC) Data Sharing Requests Data Classification Categories Records Management Data System Authorizations Strategic Procurement Coordinate purchases of third party vendor software/ services to reduce duplicative purchases and ensure appropriate language on data use and security are in all contracts and subscriptions. OVPAA|June 2015 47

Strategic Procurement: Duplicative Purchases Uncoordinated third party vendor purchases Campuses/programs are engaging different vendors for similar services, e. g. , retention software Campuses are interested in the same vendor but contracts are negotiated at different times Cost/resource and implementation issues Lost opportunity for favorable contract pricing Many requests involve data feeds Data providers notified at the end, rather than involved during the planning stages OVPAA|June 2015 48

Strategic Procurement: Contract/Subscription Language Not all third party vendor contracts and subscriptions have language protecting the University’s data Completing a template on data use and security for all future data-related contracts Cloud-based subscriptions terms and conditions are inconsistent and may/may not be on their website OVPAA|June 2015 49

Strategic Procurement: Requests Involving Self-Disclosure of Info Requests involve: UH program offering a service ○ E. g. , recruitment, parking, proctoring, application to a degree program, training, housing The individuals disclosing information about themselves in order to use the service Subscription-based third party vendors Data stored on a non-UH server, often in the Cloud May collect sensitive data Creating a form/process similar to DSR OVPAA|June 2015 50

DG Program Status Process to Develop a DG Focus Area DG Program creates a draft process or standard DGC and others provide input, modify, and approve Process or standard becomes Executive Policy or Admin Procedure DG Program communicates and trains those with R&R related to the process or standard, EP, or AP Data Sharing Request Complete In progress Data Classification Categories Complete In progress Not started Records Management In progress EP Complete Not started DG Focus Areas AP Not started Data System In progress Authorizations In progress Not started Strategic Procurement In progress Not started OVPAA|June 2015 In progress 51

Principles for Sharing and Accessing Data 52

Principle of Need to Know The basis for giving out data or granting access should be based on a need to know by the requester In FERPA terms, this is called having a “legitimate educational interest” What “hat” is the individual wearing when he is making the request? Access to the data should be consistent with the individual’s role associated with the request If the data is not something the individual would normally have access to, s/he may need to fill out a Data Sharing Request form OVPAA|June 2015 53

Principle of Least Access The basis for giving out data or granting access should be based on a need-to-have and not a niceto-have The minimal amount of data should be shared ○ Does the requester need identified data or can de-identified data meet the requester’s needs? The minimal amount of access privileges should be granted ○ Does the individual’s access privileges align with their job duties and responsibilities? OVPAA|June 2015 54

Principle of No Repurposing or Redisclosure Data that is shared should not be used for any other purpose than for what it was originally intended Approval for the new purpose should be sought before the data is used for a different purpose Similarly, data should not be redisclosed or released more often than specified OVPAA|June 2015 55

Questions or Comments? Ask Data. Gov or Tell Data. Gov Email: datagov@hawaii. edu www. hawaii. edu/uhdatagov Sandra Furuto Email: yano@hawaii. edu Phone: 956 -7487 OVPAA|June 2015 56