Data Governance Policy

Purpose

College Data is a valuable asset to all constituencies at Emerson College. (students, faculty, staff, etc.) and requires the coordinated use of significant resources (funds, space, technology, etc.) involving all  operations of the College. College Data enables the institution to assess the needs of the College community and to manage and modify its services and operations accordingly. It is vital not only in the day-to-day operations of the College but to short-term and long-term planning, and it serves as the basis for internal and external reports.

Appropriate and timely access to College Data is critical for the efficient and effective operation of the College. Controlling access to College Data and keeping data confidential is also important to protect the College from accidental loss or destruction of data, liability, and acts of malice.

The objectives of this policy are to:

  • Detail responsibilities for managing College Data;
  • Establish a framework for standards and guidelines to be followed in the creation of data storage, destruction, and access mechanisms.

Scope

This policy is applicable to all individuals accessing College Data (Users of College Data).

Nothing in this policy precludes or addresses the release of College Data to external organizations, governmental agencies, or authorized individuals as may be required by legislation, regulation, or other legal obligation.

Definitions

For purposes of this policy, the following definitions apply:

  • Access – the ability to read, copy, modify, delete, or query data.
  • College Data – Data that is created, acquired or maintained by the College. College Data includes, but is not limited to, Data that is: (a) acquired and/or maintained by College employees in the performance of administrative job duties; (b) relevant to planning, managing, operating, or auditing a major function at the College; or (c) referenced or required for use by more than one organizational unit. College Data may reside on College-owned systems or systems owned by third parties.
  • Users of College Data - any person extended access and use privileges to College Data. Includes students, faculty, visiting faculty, staff, volunteers, alumni, persons hired or retained to perform work for the College, and any other person extended access and use privileges by the College under contractual agreements or otherwise.
  • Data Custodians – College officials and their staff who have operational-level responsibility for data capture, data maintenance, and data dissemination.
  • Data Stewards – College officials who have policy-level responsibility for managing a segment of College Data.
  • Personal Information – data that identifies or could potentially be used to identify a particular person. Examples include a full name, Social Security number, driver's license number, bank account number, passport number, and email address.
  • Health Information – health data created, received, stored, or transmitted in relation to the provision of healthcare, healthcare operations and payment for healthcare services.

Statement of Policy

Regulations, Statutes, and Policies

Responsibility for and access to College Data is governed by the following policies and legal statutes:

Data Stewardship

  • The College as an organization owns its data (or in some cases, such as with Social Security numbers or other personal data, is the custodian of data), and specific departments and positions in the roles of Data Stewards are responsible for different segments of that data.  Those departments and Data Stewards shall define how the assigned data is managed within the scope of the legal and regulatory obligations.
  • Data Stewards are responsible for:
    • Assigning Data Custodians in their respective area(s), the current status of which is documented in Exhibit 2.
    • Enforcing the requirements of this policy.
    • Setting additional/internal standards, procedures, and expectations for how Data Custodians handle College Data. Data Stewards are empowered to determine if their data was handled appropriately by their designated Data Custodians.

Data Custodianship

  • Data Custodians will authorize access to College Data only on a need-to-know-basis. Individuals seeking access will submit a request for approval to the appropriate Data Custodian that has responsibility for the data at issue.
  • Data Custodians will grant access to College Data for legitimate College purposes according to the classification of the data being requested and the internal expectations set by their Data Steward. The method of transmittal of any College Data must be in compliance with the College's Data Classification Guideline (Exhibit 3).

Data Handling

  • Users of College Data shall respect the confidentiality and privacy of individuals whose records they may access, and shall abide by applicable laws and College policies (listed in Section 4) with respect to access, use, protection, proper disposal, and disclosure of data.
  • To the extent that the law permits, as determined by the Office of General Counsel, Data Stewards reserve the right to deny access to any person or organization to College Data for any reason.
  • See the Records Management Policy for data retention requirements, schedules, and practices.

Compliance

By delegation of the President, the Vice President for Information Technology shall ensure compliance with this policy. Data Stewards and Data Custodians shall implement the policy as described above.

Violations of this policy may result in disciplinary action, in accordance with Emerson College's Human Resources policies and any additional collective bargaining agreements. Please review HR's Service Center for details regarding Emerson College's disciplinary process.

Effective Date

This policy is effective as of April 2nd, 2020.

Exhibits

  • Exhibit 1: Data Stewards
  • Exhibit 2: Data Custodians
  • Exhibit 3: Data Classification Guideline and Data Transmittal and Storage Requirements

Exhibit 1: Data Stewards

Data Stewards are College officials who have policy-level responsibility for managing a segment of the College's data. Data Stewards designate (or in some cases, act as) Data Custodians by functional area and data area.

The College has designated the following Data Stewards (by title):

  • Vice President and Special Assistant to the President
  • Provost and Vice President for Academic Affairs
  • Vice President for Administration and Finance
  • Vice President for Enrollment
  • Vice President for Institutional Advancement
  • Vice President for Information Technology
  • Vice President and General Counsel
  • Vice President for Equity & Social Justice
  • Vice President & Dean of Campus Life
  • Vice President for Office of the Arts
  • Vice President for Government and Community Relations

Exhibit 2: Data Custodians and Functional Areas

Data Custodians are College officials and their staff who have operational-level responsibility for data capture, data maintenance, and data dissemination. Data Stewards designate Data Custodians by functional area and data area. New designees must be submitted in writing to the Vice President for Information Technology, who is the Responsible Officer for this Policy, and must specify the Data Custodian by title and describe the functional and data areas for which the Data Custodian is responsible. It is recommended, but not required, that responsibilities as Data Custodian be added to the official position description of that Designee.
The following positions have been designated as Data Custodians. Note that to the extent that there are overlaps or gaps, please interpret this list as illustrative and not exhaustive.

Data Custodians and Functional Areas
Functional Area and Data Areas Data Custodians
Academic Affairs
Academic Affairs budget data
Academic Affairs compensation data
Assistant Vice President Academic Administration & Finance
Patrice Ambrosia
Academic Affairs
Advising data
Curriculum data
Faculty resources data
Faculty union data
Assistant Vice President for Academic Affairs
Anne Doyle
Academic Affairs
Learning management system data
Director, Instructional Technology Group
Jennifer Stevens
Athletics
Athletics operations data
NCAA student athlete data
Recreation services data
Director of Athletics
Patricia Nicol
Board of Trustees
Board of Trustees data
Vice President and Special Assistant to the President
Anne Shaughnessy
Budget
College budget data
Director, Budget and Planning
John Richard
Campus Life
Housing data
Counseling data
New Student Orientation data
Student conduct records
Student communications data
Student health and wellness data
Vice President and Dean of Campus Life
James Hoppe
Communications and Marketing
Communications and marketing data
Associate Vice President, Communication and Marketing
Sofiya Cabalquinto
Enrollment
Student diversity data
Student academic records
Student accounting data
Student immigration and visa data
Undergraduate biographic/demographic data
Assistant Vice President, Enrollment Technology and Data
Justin Sharifipour
Facilities Management
Architecture, engineering, and construction data
Business Services data
Facilities/management space data
Parking operations data
Real estate data
Senior Associate Vice President Real Estate
(OPEN)
Finance
Emergency response and communication plans
Insurance plans and claims
Training compliance records
Debt issuance data
Treasury services data (banking and tax data)
Director, Treasury Services and Risk Management
Alan Bowers
Finance
Capital assets data
General ledger data
Accounts receivable data
Controller
Jonathan Pearsall
Financial Business Services
Payroll data
Purchasing data
Time tracking and absence data
Associate Vice President, Financial Business Services
Loretta Bemis
General Counsel
Case files
Data produced pursuant to legal requests or eDiscovery
Miscellaneous legal advice and communications
Vice President and General Counsel
Christine Hughes
Graduate and Professional Studies
Graduate Studies data
Professional Studies data
Dean, Graduate and Professional Studies
Jan Roberts-Breslin
Health and Wellness
Protected Health Information
Director, Health and Wellness
Mary Powers
Human Resources
Benefits data
Compensation data
Employee biographic/demographic data
Employee personnel data
Employment records
Labor relations data
Recruitment data
Senior Associate Vice President, Human Resources
Shari Stier
Information Technology
Information Technology data
Associate Vice President, Information Technology
Brian Basgen
Institutional Advancement
College donor and prospect data
Data supporting charitable gift trusts and annuities
Vice President for Institutional Advancement
John Malcolm
Internationalization and Global Engagement
External Programs data
Associate Vice President for Academic Affairs - Internationalization & Global Engagement
Anthony Pinder
Kasteel Well, The Netherlands
European Center staff and program data
Executive Director, European Center
Dulcia Meijers
Institute of Liberal Arts and Interdisciplinary Studies
Program data
Dean of Liberal Arts and Interdisciplinary Studies
Amy Ansell
Los Angeles
Los Angeles program data
Associate Dean for Student Life & Administration, Emerson College Los Angeles
Timothy Chang
Police Department
CLERY data
Enforcement data
Internal affairs data
Investigations data
Services data
Chief of Police
Robert Smith
Registrar
Registrar data
Registrar
John Pestana
School of the Arts
School of the Arts data
Dean, School of the Arts
Robert Sabal
School of Communication
School of Communication data
Dean, School of Communication
Raul Reis
Social Justice Center
Diversity & inclusion data
Vice President for Equity & Social Justice
Sylvia Spears
Social Justice Center
Title IX investigation data
Associate Vice President, Title IX and Clery Coordinator
Pamela White
Student Financial Services
Financial aid data
Director, Financial Aid
Angela Grant

 

Exhibit 3: Data Classification Guideline and Data Transmittal and Storage Requirements

 

The table below lists the categories of data and examples. Any data that falls into multiple categories should be considered of the higher security category for protection purposes. If you have questions about a classification of data, contact your Department Records Officer or the Director of Information Security and IT Infrastructure.

Data Classification Guideline and Data Transmittal and Storage Requirements
Data Classification Risk Level Description Examples
High Risk (PII, GLBA, PCI, and PHI Data) High Data whose loss, corruption, or unauthorized access would pose an extreme identity or financial risk to the College, a school partner, or the public and may require notification of a governmental regulator and/or affected users.
  • Social Security Number
  • Credit/Debit Card Number
  • Bank/Financial Account Numbers
  • HIPAA or medical records
  • Passwords or Biometric data
  • Driver's License or State ID number
  • FERPA records
Moderate Risk Medium Data whose loss, corruption, or unauthorized access would impair the academic, research, or business functions of the College or is not available to the general public.
  • Student ID
  • Employee ID
  • HR Documents
  • College Proprietary Data or Intellectual Property
  • Copyrighted College or Student material
  • Board meeting minutes
  • Expense reports
  • Litigation materials
  • Software license numbers
  • College infrastructure plans
  • System configuration/log files
  • Training data
Low Risk Low to None Data to which the general public has access
  • Any data found publicly on www.emerson.edu
  • Policies
  • Publications
  • Academic Calendar
  • Campus Maps

Data Transmittal and Storage

All members of the Emerson College community and its working partners are responsible for the proper handling, transmittal and storage of College Data. All individuals and departments must follow the policies and procedures of the College to ensure that data is protected and used properly. Any partner, consultant, or vendor that needs access to or shares any non-public College Data must sign a Third Party Data Security Agreement.

Below is the Data Transmission and Storage Table by which all members of the Emerson College community, all working partners, vendors and consultants must abide when transmitting and storing College Data.

Data Transmittal and Storage
Data Classification Data Transmission Data Storage
High Risk (PII, GLBA, PCI, and PHI Data)

Emerson College IT Dept. approved encryption is REQUIRED when transmitting any information over a network. Third party email or file transfer services are prohibited when transmitting High Risk information. High Risk numbers/data may be redacted instead of encrypted.

High Risk data is PROHIBITED from being stored on local computing hard drives or storage equipment. All High Risk data should be stored and/or transmitted via Emerson College's approved file storage system (Box), encrypted Emerson Email, approved contractual partners, or IT maintained databases. If given approval for local storage, Emerson College IT Dept. approved encryption MUST be used for all data. Data may be redacted instead of encrypted if on Emerson College owned equipment. Data stored by external partners MUST be encrypted at all times. Printing of High Risk data is strongly discouraged. Printed data must be stored in a secure and locked area. Printed data may also be redacted to prevent unauthorized access.

Moderate Risk

Emerson College IT Department approved encryption is REQUIRED when transmitting any information over a network. Third party email or file transfer services are prohibited when transmitting Moderate Risk information. Moderate Risk numbers/data may be redacted instead of encrypted.

Moderate Risk data is PROHIBITED from being stored on local computing hard drives or storage equipment. All Moderate Risk data should be stored and/or transmitted via Emerson College's approved file storage system (Box), encrypted Emerson Email, approved contractual partners, or IT maintained databases. If given approval for local storage, Emerson College IT Dept. approved encryption MUST be used for all data. Data may be redacted instead of encrypted if on Emerson College owned equipment. Data stored by external partners MUST be encrypted at all times. Printing of Moderate Risk data is discouraged. Printed data must be stored in a secure and locked area. Printed data may also be redacted to prevent unauthorized access.