Data Custodianship

Approved 1/29/2018

Purpose

The University values openness and promotes access to a wide range of information; accordingly, the campus information systems have been designed to be as open as possible. This policy seeks to strike a balance between access to information, data integrity and appropriate confidentiality for University faculty, staff, and students. 

Definitions

Data Steward:  Term used by the University of Wisconsin (UW) System Administrative Policy 1031 - Information Security: Data Classification and Protection to include "An individual who has direct responsibility to ensure that a data domain is classified appropriately.  The data steward collaborates with institutional Security, Privacy and Data Officers."  At UW-Whitewater, this responsibility is performed by the Data Owners.

Protected data:  Any UW - Whitewater data and resources assigned a classification level other than public, as defined in the UW - Whitewater Instructional, Communication, and Information Technology (ICIT) Information Asset Classification Policy. 

Statement of Policy

The reliability, availability and accessibility of University data is critical to the day-to-day function of the University. Each member of the University community (students, faculty, staff, and guests) and designated agents are expected to protect the integrity of data and to know and adhere to University rules, regulations and guidelines for its appropriate use. To that end, University information should be protected by acknowledging information custodial roles and responsibilities. Data owners, users and managers should each understand their particular roles in the custodianship of University data. By exercising appropriate custodial roles, appropriate due care of University information can be assured. 

Roles and Responsibilities of Data Custodians

The University classifies data owners as those responsible for:

  • Knowing and understanding the data for which they are responsible;
  • Identifying the major system(s) where the data for which they are responsible resides;
  • Evaluating and ensuring the data has been appropriately classified based on state and federal law, University of Wisconsin System policy and procedure, regulatory agency requirements and any contractual obligations, and University regulations;
  • Documenting the classifications and associated risk levels;
  • Reviewing data classifications and associated risk levels at least annually;
  • Establishing access and utilization criteria; 
  • Exercising due care in setting standards for protection of data;
  • Monitoring compliance and enforcing policy;
  • Implement practices to assure data accuracy.

 
The University classifies data users as those responsible for:

  • Following this policy and information access procedures established by data owners;
  • Access only the information for which they are authorized;
  • Report suspected or actual violations of policies and standards to management;
  • Exercising due care in the use of confidential and restricted data.

 
The University classifies data managers as those responsible for:

  • Executing access authorizations or data transfers authorized by the data owner;
  • Using best practices to maintain the confidentiality, integrity, and availability of information;
  • Providing a mechanism for monitoring compliance and enforcing policy;
  • Exercising due care in the administration of systems hosting the data.

ICIT Responsibilities

ICIT facilitates the development of policies, and develops procedures and guidelines which enable University employees to understand their particular custodial roles and responsibilities with respect to University information. ICIT implements the technical infrastructure that allows University employees to efficiently and effectively exercise these custodial roles. ICIT also serves as the de facto data manager for most University data. 

Related Documents 

Scheduled Review

This document will be reviewed on an annual basis, or as deemed necessary.

Revision/Review Log

Date Approver Action Description
1/29/2018 Revised to include references to the requirements contained in the July 31, 2017 revisions of the University of Wisconsin System Administrative Policy 1031 - Information Security: Data Classification and Protection and the UW System Administrative Procedure 1031.A - Information Security: Data Classification documents. 

Live Chat