2023-2024 Administrative Policy Manual Published August 22, 2023 
    
    Nov 23, 2024  
2023-2024 Administrative Policy Manual Published August 22, 2023 [ARCHIVED COPY]

Data Management and Classification


Policy Number: 10.8
Effective Date: March 14, 2023
Revision History: September 12, 2019; May 26, 2016
Policy Contact: Chief Enrollment Management Officer; Chief Information Technology Officer

I. Purpose and Policy Statement

This policy describes the roles, responsibilities, and classification for institutional data and provides guidance on management of, access to, and utilization of institutional data for the purpose of ensuring the integrity and security of institutional data and protecting the privacy of those persons for whom we maintain data records.

This policy was developed with these guiding principles:

  1. Everyone is a data user; some individuals may also have additional designated roles with regard to specific data or databases.
  2. All institutional data are classified as internal unless otherwise designated.
  3. All personnel are responsible for ethical use of data.
II. Scope

Information is one of Georgia Gwinnett College’s (“GGC”) most valuable resources and as such requires responsible management by all members of the GGC community. All institutional data should be used with appropriate and relevant levels of access and with sufficient assurance of its security and integrity in compliance with existing laws, rules, and regulations. This policy applies to all employees and students in the GGC community, as defined below.

III. Definitions

Confidential data: Institutional data for which there is a legal obligation not to disclose.

Data managers: Operational managers within a functional area overseeing the data for a particular subject area.

Data stewards: Senior level officials who have planning and policy responsibilities for data in their functional areas.

Data trustees: GGC chief officers who have overall responsibility for all the data sets maintained by the units reporting to them.

Data owner: As the chief executive officer, the president is identified as the data owner.

Data users: GGC employees or students who have been granted authorization by the data managers to access institutional data.

Employee: Full-time or part-time worker at GGC, whether directly employed, contracted, sub-contracted, work-study, or volunteer. (Note that this definition applies to data management policies only, and does not affect other operational definitions in use at GGC.)

Institutional data: Any data element that originates or is in the custody and control of GGC, excluding personal notes and records or data whose primary purpose is scholarly, such as syllabi, course notes, and the products of research or creative scholarly work unless such work meets the criteria for College ownership (full or partial) as defined in 6.3 Intellectual Properties . Examples of institutional data include, but are not limited to:

  1. Elements supporting financial management
  2. Payroll
  3. Student educational records
  4. Student financial data
  5. Medical data
  6. Employee personnel records
  7. Intellectual property
  8. Intellectual research property
  9. Capital equipment inventory
  10. Donor data
  11. Alumni data

Internal data: Institutional data that are available freely within institution but are not available to the public unless required by law. This is the default categorization for institutional data.

Protected Health Information (“PHI”): Individually identifiable health information that is maintained or transmitted in any form or medium. Protected health information excludes individually identifiable health information in education records covered by the Family Educational Right and Privacy Act (“FERPA”)

Scholarly data: Data elements, both quantitative and qualitative, developed for the purpose of classroom instruction, classroom management, research, or creative endeavors. Some products of such work may be owned in part or in whole by the College, as determined by APM 6.3 Intellectual Properties.

Sensitive data: Institutional data that are not legally protected, but should not be made public and should only be disclosed under limited circumstances.

Student: Any individual who is or has been enrolled in classes at Georgia Gwinnett College at any time and/or about whom GGC maintains records. (Note that this definition applies to data management policies only, and does not affect other operational definitions in use at GGC.)

Unrestricted data: Institutional data that have no access restrictions and are available to the general public

IV. Roles and Responsibilities
  1. Data user: Authorization is granted for a specific level of access, as defined by the data management policies, solely for the conduct of institutional business. Data users may have technical access to data, or they may have rights to use data that they need assistance to access. Responsibilities include:
    1. Following the policies and procedures established by the data stewards for responsible use of GGC data.
    2. Using institutional data only as required to conduct GGC business.
    3. Ensuring the security and privacy of data by viewing and storing data, and the information derived from data, under secure conditions.
    4. Ensuring accuracy and timeliness of the data they enter or update.
    5. Collecting, preparing, entering or maintaining data for the authorized unit(s), if authorized by the data manager.
  2. Data manager: Data managers are identified by a data steward and given specific responsibilities and accountability. Data managers have day-to-day responsibility for managing administrative processes and establishing business rules for the transactional systems. They have operational responsibility for the data management activities related to the collection, maintenance, protection, and dissemination of data in their functional areas. The data manager may authorize operational tasks to be performed by data users outside the units that report to the data manager. The data managers are accountable for the data subsets they manage, whether the data are collected or maintained directly by the data manager (or their staff), by data users in other units or by external sources. Responsibilities include:
    1. Reviewing and approving requests for access by other GGC users, as defined by campus data policy.
    2. Determining the type of access given to GGC users.
    3. Assuring compliance with federal, state, and campus regulations regarding the release of, responsible use of, and access to, data.
    4. Training GGC users in relevant regulations and proper understanding of data.
    5. Providing data definitions for each data element within the domain of their operational unit(s).
    6. Communicating any data definition or database changes to the appropriate data administrator.
    7. Ensuring the accuracy, privacy and integrity of the data they manage.
    8. Assisting in the design of data warehouse structures that contain data from their subject areas.
  3. Data steward:   Data stewards, or their designees, are responsible for recommending policies, and establishing procedures and guidelines concerning the accuracy, privacy, security, and integrity of the data subsets for which they are responsible. Individually, data stewards act as advisors to the data trustees and have management responsibilities for data administration issues in their functional areas. They have overall responsibility for the data in the subsets overseen by all their designated data managers. These responsibilities include:
    1. Interpreting and implementing federal, state, and GGC policies and guidelines.
    2. Ensuring data quality and data definition standards are met.
    3. Identifying the privacy level (unrestricted, internal, sensitive, or confidential) for the data subsets.
    4. Establishing authorization procedures to facilitate appropriate data access as defined by campus data policy and ensuring security for that data.
    5. Resolving issues related to stewardship of data elements that cross multiple units or divisions. For example, Social Security number may have more than one data steward since it is collected or used in multiple systems, such as financial, human resources, and student systems.
    6. Developing standard definitions for data elements, including those that cross multiple units or divisions. For example, there should either be a single definition of “full-time employee” or new data elements should be created for each unique definition.
  4. Data trustee: Individually the data trustees are accountable for all the data sets within their division. The Vice President for Information Technology/CIO has the additional responsibility for ensuring an adequate and appropriate technical infrastructure is in place to support the data needs of the institution across all divisions. Data trustees are responsible for ensuring that campus institutional data resources are used in ways consistent with the mission of the GGC. The data trustees have the responsibility for the appointment and accountability of data stewards.
  5. Data owner: As the chief executive officer, the president is identified as the data owner. The data owner has ultimate responsibility for submission of organizational data to the USO. Data owners have the responsibility for the identification, appointment and accountability of data trustees. Data owners will inform the Data Governance Committee of their data trustee appointments.
V. Data Classification
  1. All GGC institutional data is categorized into four main classifications. Information may be considered institutional data if it satisfies one or more of the following criteria:
    1. Data used for planning, managing, reporting, or auditing a major administrative function
    2. Data referenced or used by an organizational unit to conduct institutional business
    3. Data included in an official institutional administrative report
    4. Data used to derive an element that meets any of the criteria above
    5. Data generated under contractual arrangements (grants, etc.) that specifically designate data as belonging to the institution
  2. Unrestricted Data: These data will be designated as unrestricted or public data. The following are examples of unrestricted data:
    1. Information on the public website
    2. College fact books
  3. Internal Data: The following are examples of internal data:
    1. National Survey of Student Engagement (NSSE) report comparisons
    2. Composite course evaluation reports
    3. Selected internal survey data
    4. Selected directory information
  4. Sensitive Data: Users must be granted specific authorization to access since the data’s unauthorized disclosure, alteration, or destruction could cause perceivable damage to the institution. The following are examples of sensitive data elements:
    1. Any non-confidential information identifiable to an individual (including students, staff, faculty, trustees, donors, and alumni) including but not limited to dates of birth, driver’s license numbers, employee and student id numbers, license plate numbers, and compensation information.
    2. The University’s proprietary information including but not limited to intellectual research findings, intellectual property, financial data, and donor and funding sources.
  5. Confidential Data: These data elements require the highest levels of restriction due to the risk of harm that will result from disclosure or inappropriate use. The following are examples of confidential data elements:
    1. Data not releasable under the Georgia Open Records Act or the Georgia Open Meetings Act
    2. All regulated data
    3. Social Security and credit card numbers
    4. Data protected under the Family Educational Rights and Privacy Act of 1974 (FERPA)
    5. Data protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    6. Protected Health Information (PHI)
    7. Data protected under the Gramm-Leach-Bliley Act (GLBA)
  6. By default, all institutional data will be designated as internal data for use within GGC or  external data as reported to the USG Board of Regents (“BOR”), and to state, federal, or other external agencies, unless the appropriate data steward assigns the data elements  to one of the three other categories: unrestricted, sensitive, or confidential. Such assignment may be made for special  circumstances or on a case-by-case basis.
VI. Data Management
  1. College employees will have access to institutional data for use in the conduct of GGC business within the scope of their positions. The permission to view or query institutional data should be granted to data users for legitimate institutional purposes, as defined by job requirements and direct manager.
  2. All GGC employees and students are responsible for understanding their roles as data users, data managers, data stewards, or data trustees and for understanding the classification of any data they use in the normal execution of job duties.
  3. All GGC employees and students are responsible for observing all applicable laws, data classification restrictions, security procedures, and appropriate precautions with data.
  4. GGC employees must complete training in data security and management . Data users, data managers, data stewards and data trustees are not required to make explicit requests for the data to which they have access in the course of day-to-day execution of their job duties. However, any employee who has an identified need for data beyond his/her day-to-day duties or for a special purpose analysis must make a request following the GGC data request process.
  5. An inventory of known data systems at GGC and their data trustees and stewards is maintained by Information Technology, as required by the University System of Georgia. Employees seeking information on these systems should contact IT for information.
VII. Compliance
  1. Compliance with the provisions of this policy is mandatory. Non-compliance poses a significant risk to the security of GGC data and to the privacy and security of individuals about whom the College maintains data.
  2. Accessing or making use of institutional data for personal interests or purposes constitutes a violation of this policy. Release of institutional data, at any level of classification, without authorization, constitutes a violation of this policy.
  3. Any employee found to have violated this policy through unauthorized access, use, disclosure, alteration or destruction of data will be subject to disciplinary procedures up to and including termination of employment.
VIII. Related Regulations, Statutes, Policies, and Procedures
Family Educational Rights and Privacy Act of 1974 (FERPA)
Health Insurance Portability and Accountability Act of 1996
Gramm-Leach-Bliley Act
BOR Business Procedures Manual 12.3 Data Management