
Data Governance Section 21.0

Data Governance is a collection of policies, business processes, and best practices to ensure proper governance and management of data assets within the Institution. Data governance manages, safeguards, and protects organizational information. Effective data governance can enhance the quality, confidentiality, availability, and integrity of data by enabling cross-organizational collaboration and structured policymaking.

Information Systems 

The technology structure and software administered for the purpose of storing, managing, using, and gathering data and communication in an organization.

Organizational Data 

Data managed in an information system by, or on behalf of, a Clayton State University organization. Organizational data may reside in an organizational information system or a third-party system. 

Data 

Information that records facts, statistics, or information, which is read, created, collected, reported, updated, or deleted by offices of Clayton State University. Data may be stored electronically or physically.   

Organizations 

All Clayton State University divisions, departments, auxiliaries, and affiliates. 

Principle of Least Privilege 

Restricts access to only those information resources necessary for users to successfully perform their job assignments.

Cybersecurity 

Preventative methods used to protect information and information systems from unauthorized access, compromise, or attack. Cybersecurity requires an understanding of potential threats and utilizes strategies that include, for example, identity management, risk management and incident management.

21.2 Governance Structure 

This section describes the roles and responsibilities that Clayton State organizations must designate and document within their data governance structure. 

A data governance structure is required at each University System of Georgia Institution.  The data governance structure will demonstrate accountability for the data assets of Clayton State organizations to ensure proper use and handling of data being read, created, collected, reported, updated, or deleted. 

The data governance structure documentation should identify the offices/positions (including incumbent) responsible for fulfilling the roles herein.   

21.2.1 Governance and Organizational Structure 

The following committees and positions reflect the structure for Data Governance at Clayton State University.  

21.2.1.1 Data Governance Committee 

The Data Governance Committee is responsible for defining, implementing, and managing policies and procedures for data governance and data management functions. 

Specific responsibilities include, but are not necessarily limited to the following: 

  • Defining data management roles and responsibilities contained in this section and other policy and procedure documentation; 
  • Maintaining documentation pertaining to data governance and management policy and procedure in a centralized and accessible location for the participant organization staff; 
  • Identifying the Data Governance and Management Committee structure and membership; 
  • Ensuring that cybersecurity control processes detailed in the Cybersecurity section are developed and operational; and, 
  • Assisting the chairs of the functional and technical committees to ensure effectiveness. 

21.2.1.2 Functional Data Governance Committees 

Functional Data Governance Committees are responsible for collective decision making around substantive changes to organization data collection, maintenance, access, and use within their functional area. It is the role of the Functional Data Governance Committee to identify what the threshold is for decisions to require Committee consideration. 

21.2.1.3 Technical Data Governance Committees 

Technical Data Governance Committees are responsible for technical guidance to support the work of the other Data Governance Committees and for decision making about the feasibility of and methods for carrying out decisions of the Functional Data Governance Committees.  

21.2.1.4  Data Owner 

Clayton State University is responsible for all data read, created, collected, reported, updated, or deleted by offices of the organization. As the chief executive officer, the president of Clayton State University is identified as the data owner. The Clayton State University data owner has ultimate responsibility for submission of organizational data to the University System Office. 

Data owners have the responsibility for the identification, appointment, and accountability of data trustees. Data owners will inform Clayton State University’s Data Governance Committee of their data trustee appointments including office, name, and contact information of the incumbent. 

21.2.1.5  Data Trustees 

Data trustees, designated by the data owner, are executives of Clayton State University who have overall responsibility for the data read, created, collected, reported, updated, or deleted in their data area(s). Clayton State University data trustees have overall responsibility for accuracy and timeliness of submission of data to the University System Office. These positions/offices would normally be cabinet-level positions reporting directly to the entity data owner. 

Responsibilities of the data trustees include, but are not necessarily limited to: 

  • Ensuring that data accessed and used by units reporting to them is done so in ways consistent with the mission of the office and Clayton State University; 
  • Appointing data stewards within each functional area for which they are responsible. The data trustees will inform the Clayton State University’s Data Governance Committee of their data stewards’ appointments, including office, name, and contact information of the incumbent; 
  • Participating as a member of the Data Governance Committee; and, 
  • Communicating unresolved concerns about data (such as data quality, security, access, etc.) to the data owner. 

21.2.1.6  Data Stewards 

Data stewards, designated by the data trustees, are personnel responsible for the data read, used, created, collected, reported, updated, or deleted, and the technology used to do so if applicable, in their data area(s). Data stewards recommend policies to the data trustees and establish procedures and guidelines concerning the access to, completeness, accuracy, privacy, and integrity of the data for which they are responsible. Individually, data stewards act as advisors to the data trustees and have management responsibilities for data administration issues in their functional areas. Data stewards have responsibility for accuracy and timeliness of submission of data to the University System of Georgia system office in their area. Depending on the size and complexity of a functional department/division, it may be necessary, and beneficial, for a designated data steward to identify associate data stewards to manage and implement the stewardship process. 

Responsibilities of the data stewards include, but are not necessarily limited to: 

  • Developing standard definitions for data elements created and/or used within the functional unit. The data definition will extend to include metadata definitions as well as the root data element definition. 
  • Ensuring data quality standards are in place and met. 
  • Identifying the privacy level as unrestricted, sensitive, or confidential, for functional data within their area(s) of supervision/direction and communicating it to those responsible for ensuring data is handled according to its appropriate classification. (See 21.4.2 Classification)
  • Establishing authorization procedures with Clayton State University’s Data Governance Committee and/or chief information officer (CIO) to facilitate appropriate data access as defined by institutional/office data policy and ensuring security for that data. Authorization documentation must be maintained. 
  • Working with the Clayton State University’s Data Governance Committee, identifying and resolving issues related to stewardship of data elements, when used individually or collectively, that cross multiple units or divisions. For example, the individual data element “Social Security Number” may have more than one data steward since it is collected or used in multiple systems. 
  • Participating as a member of the Functional Data Governance Committee(s) as appointed by the data trustee. 
  • Communicating concerns about data (such as data quality, security, access, etc.) to the data trustees. 

21.2.1.7 Chief Information Officer (CIO)/Chief Information Security Officer (CISO) 

The responsibilities of the CIO and CISO are to ensure that technical infrastructure is in place to support the data needs and assets, including availability, delivery, access, and security across their operational scope. 

21.3 Data Management 

This section contains data management requirements for data system documentation, data elements and data definition documentation, data quality and data availability. 

21.3.1 Data System Documentation 

This subsection defines documentation about Clayton State University data systems. Documentation is required to ensure proper accounting of the organization’s data systems, the relationships among them, the architecture of the individual systems, and the data within them. This documentation also fosters proper use. 

Clayton State University must maintain a listing of mission-critical data systems along with information essential to the effective loading, maintenance, use of, as well as reporting from, those systems. This should include at a minimum: 

  • Function and purpose of the system; 
  • Who the data trustee and steward responsible for the system are; 
  • Who administers the system from a technical perspective; 
  • Any methods being applied to sustain data quality; 
  • Any important relationships and/or dependencies in business practice and reporting between systems; 
  • Any special life cycle requirements; 
  • User and technical guidelines for proper use and reporting; 
  • Process flow diagram(s); and, 
  • Contingency documentation 

21.3.2 Data Elements and Data Definition Documentation 

For all data systems, there must be a mechanism to access documentation of the system’s table structure and data elements. In addition, for systems that are part of routine data collection and reporting, data element dictionaries should be maintained that include: 

  • Data definitions; 
  • Metadata including data sources and security classifications; 
  • Business practices where applicable; 
  • Any validations or quality checks applied against the elements;
  • Change history; and,
  • Valid values. 

21.3.3 Data Quality Control 

Clayton State University will ensure that information is of the highest possible quality to facilitate effective decision-making. Data quality refers to the accuracy, timeliness, comparability, usability, completeness, and relevance of data. Data quality requires Clayton State University to appropriately collect, store, process and manage data, whether electronic or physical. As part of data governance, Clayton State University will communicate, prioritize, and practice data quality. Just as institutions maximize their financial resources and facility assets, Clayton State University should invest in the quality of their data holdings. 

For all data essential to operation and reporting, Clayton State University will: 

  • Document and promulgate data standards and definitions to ensure accurate data entry or data creation; 
  • Assess collected data to ensure accuracy, completeness, and adherence to standards at a minimum on an annual basis; and, 
  • Regularly consult data users or stakeholders to ensure data usability and relevance. 

21.3.4 Data Availability

This subsection details minimum requirements for Clayton State University around the availability of data resources. Assets of Clayton State University should be available commensurate with their operational importance. For all data domains and their respective data systems, the organization should document and socialize to data users the expectations and processes around the availability of each data resource including, but not limited to: 

  • The periods of time data is available; 
  • Expectations for “uptime” (percent of time data is available) if appropriate; 
  • Modes of access (types of devices, etc.) that are provided for; 
  • Communications plan around both planned and unplanned system downtime; and, 
  • Method for users to report an unexpected lack of availability of data or data systems. 

21.3.5 Data Lifecycle 

Clayton State organizations should ensure their data retention and destruction comply with the policy referenced in Section 18.1 of the University Business and Operations Policies and Procedures Manual located at: https://www.clayton.edu/about/docs/business-operations/business-operations-policies-procedures-manual.pdf.

21.4 Cybersecurity 

Cybersecurity refers to preventative methods used to protect information and information systems from unauthorized access, compromise, or attack. Cybersecurity requires an understanding of potential threats and utilizes strategies that include, for example, identity management, risk management and incident management. 

21.4.1 Safeguards 

Shared information is a powerful tool, and loss or misuse can be costly, if not illegal. The purpose of this section is to ensure that cybersecurity safeguards are established, in place, effective and adhered to, in order to reduce risk. This applies to all users of Clayton State University information resources.

Safeguards include the policies, procedures, requirements, and practices that are necessary for maintaining a secure environment for the storage and dissemination of information. The objective of Clayton State University divisions, departments, and schools is to protect information from inadvertent or intentional damage as well as unauthorized disclosures or use. The benefits of safeguards include identification of fraud, security vulnerabilities, unforeseen threats, and minimization of potential impacts. Other benefits include audit compliance, service level monitoring, performance measuring, limiting liability and capacity planning. 

Clayton State University recognizes that cybersecurity: 

  • Is everyone’s responsibility; 
  • Is a cornerstone of maintaining public trust; 
  • Should be risk-based and cost-efficient; 
  • Should align with USG priorities, industry best practices and government requirements; and, 
  • Should be applied holistically, regardless of medium. 

Clayton State organizations must designate trained cybersecurity representatives whose role includes: 

  • Communicating cybersecurity policies to all employees and contractors; and, 
  • Reporting deviations from policies. 

Clayton State University must: 

  • Develop procedures and processes that support compliance with Board of Regents (BOR) and USG policies and procedures. Clayton State University procedures and processes may be more specific than BOR and USG policies and procedures but shall in no case be less than the minimum requirements; and, 
  • Develop strategic and operational control guidance of hardware, software, and telecommunications facilities. 

Clayton State University must develop reporting processes to support investigation of and response to suspicious activities and follow Clayton State guidelines for reporting or investigating acts of suspected malfeasance that involve organizational data as noted in the BOR University System of Georgia Ethics Policy. 

21.4.2 Classification 

Because Clayton State University data must be given appropriate protection from unauthorized use, access, disclosure, modification, loss or deletion, Clayton State University must classify each record. When classifying a collection of data, the most restrictive classification of any of the individual elements should be used based on the following classification structure or similar schema required by regulations governing specific data domains: 

  • Unrestricted/Public Information is information maintained by Clayton State University that is not exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws. Some level of control is required to prevent unauthorized modification or destruction of public information. 
  • Sensitive Information is information maintained by Clayton State University that requires special precautions to protect from unauthorized use, access and disclosure to guard against improper information modification, loss or destruction. Sensitive information is not exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws but is not necessarily intended for public consumption. 
  • Confidential Information is information maintained by Clayton State University that is subject to authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. (44 USC Sec 3542) Confidential classified documents are exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws. 

Note: The Open Records Act is located at https://law.georgia.gov/key-issues/open-government/law.

In addition, Personal Information may occur in unrestricted/public, sensitive, and/or confidential information. Personal Information is information that identifies or describes an individual and must be considered in the classification structure. Please refer to the University System of Georgia IT Handbook for further information and guidance. Information classification must be part of the information technology risk management program, as detailed in the IT Handbook. 

21.4.3 Access Procedures 

This section promotes secure and appropriate access to USG information systems, and to the data used, processed, stored, maintained and/or transmitted in and through those systems. It is essential that access to and use of the Clayton State University information systems and data are properly secured and protected against cybersecurity threats and dangers. 

All users are required to adhere to the following rules in order to use, access, store, process, and/or display data acquired from Clayton State University information systems. These rules also apply to any contractors or non-USG persons who acquire access to Clayton State University systems in any format, and on any device. 

Procedures: 

  • Clayton State University shall identify and categorize information systems that process or store confidential or sensitive information or are critical systems. The suggested responsible party is the data trustee or designee. 
  • Clayton State University will identify the data trustee and data steward for each critical system or systems containing confidential or sensitive information. A list of these systems and the associated trustee and steward shall be made available upon request. 
  • Clayton State University will maintain a current list of users granted access to information systems. Only authorized users should be allowed physical, electronic or other access to information systems. 
  • Clayton State University will define both administrative and technical access controls. The suggested responsible parties are Human Resources (HR), the data trustee and data steward. 
  • Access controls must include, but are not limited to:
      • Documented procedures to grant, review, deactivate, update or terminate account access;
      • Ensure appropriate resources are available and maintained to adequately authenticate and verify authorized access; and,
      • Ensure appropriate resources are available and maintained to prevent and detect unauthorized use.
  • Data trustees, data stewards and users share the responsibility of preventing unauthorized access to Clayton State University’s information systems. 
  • Data stewards will analyze user roles and determine the level of access required to perform a job function. The level of authorized access must be based on the Principle of Least Privilege. 
  • HR and/or the supervisor will notify the data steward of personnel status changes in job function, status, transfers, referral privileges or affiliation. 
  • Access to an information system must be reviewed regularly. Data stewards must review user access to the information system every six months and document findings. 

The data trustee or designee will ensure that a business process exists to update information system access no more than five business days after terminations and no more than 30 days after other personnel status changes.

21.4.4 Segregation and Separation of Duties 

In addition to having a well-organized and defined data governance structure, Clayton State University must ensure that its organizational structure, job duties, and business processes include an adequate system of separation of duties (SOD) considering a cost-benefit and risk analysis. SOD is fundamental to reducing the risk of loss of confidentiality, integrity, and availability of information. To accomplish SOD, duties are divided among different individuals to reduce the risk of error or inappropriate action. For example, the employee or office responsible for safeguarding an asset should be someone other than the employee or office that maintains accounting records for that asset. In general, responsibility for related transactions should be divided among employees so that one employee’s work serves as a check on the work of other employees. When duties are separated, there must be collusion between employees for assets/data to be used inappropriately without detection. 

While electronic processes enhance accuracy and efficiency, they also can blur SOD. Clayton State University divisions, departments, and schools must evaluate and establish well-documented controls to deter an individual or an office from having the authority (or the ability) to perform conflicting functions both outside and within technology information systems. 

21.5 Compliance 

As a unit of the University System of Georgia, Clayton State University will develop operational strategies and procedures to comply with policies required by the University System of Georgia Business Procedures Manual Section 12.0. 

Meeting the provisions of Section 12 on Data Governance and Management requires active measures by University System of Georgia organizations to ensure ongoing compliance. These include ensuring compliance with external regulations in addition to the provisions in this section through regular training, monitoring, and auditing. The Data Governance Committee will audit Clayton State University Data Governance policies annually, unless otherwise required, to ensure compliance with University System of Georgia policies. 

21.5.1 Regulatory Compliance 

Closely managing data content is necessary to ensure compliance with federal, state and local regulations as well as grants and contract specifications. Each Clayton State division, department, and school is responsible for clearly understanding and managing data to ensure confidential data is appropriately classified and safeguarded. Clayton State University will comply with Data Governance policies and procedures by ensuring that appropriate organizational personnel have a working knowledge of: 

  • Georgia’s Open Records Act OCGA § 50-18-70 
  • Family Educational Rights and Privacy Act (FERPA)
  • U.S. Department of Health and Human Services Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA) 
  • General Data Protection Regulation (GDPR) 
  • Specific research data requirements 
  • Other applicable regulations 

21.5.2 Training

The purpose of this section is to ensure that appropriate individuals at Clayton State University receive training on the data governance policies, procedures, and roles developed in compliance with preceding requirements in this Data Governance and Management section. 

Organizations must: 

  • Provide role specific training to all individuals within the data governance structure, including data users and all those subject to data governance policies; 
  • Ensure individuals understand their roles and the larger governance structure, responsibilities, and applicable policies and procedures; 
  • Provide training to individuals as they enter these roles, when there are substantive changes to training and at regular intervals over time to ensure up-to-date understanding; 
  • Update training materials as changes to policy and procedure require;
  • Document participation in training and audit training participation at regular intervals;
  • Provide training materials in a permanent form (such as on a website) for individuals to reference as needed;
  • Specifically address in training materials for all individuals how data classified as public or protected is managed throughout its lifecycle; and,
  • Provide clear information about how an individual should proceed if he or she believes data policies or standards are not followed, or there has been a breach of data security. 

21.5.3 Monitor 

The Data Governance Committee of Clayton State University is responsible for assigning roles and responsibilities for data governance and management per Section 21.2.1. In addition to the development and implementation of policies and procedures, the Data Governance Committee will assign roles and responsibilities for active monitoring of these policies and procedures to ensure compliance. 

21.5.4 Audit

Compliance with this Data Governance and Management section of the Business Procedures Manual can be a subject of institution, system, or state audit. Clayton State will maintain records not only of documentation explicitly referenced in this section but also general evidence that the organization is in compliance with its data governance and management policies and procedures. 

21.5.5 Compliance with University System of Georgia Policy and Procedures