Data Governance

All Towson University (“the university”) employees, students, affiliates, and others granted access to university data or university information systems are responsible for understanding the terms and conditions under which they may access and use university data. These guidelines define the roles and their required responsibilities.

For data classification and definitions, see the university’s Data Classification Standards

Data Authorization Process

Data Usage Requests are necessary for authorization of data storage in information systems where those data types have not previously been approved. 

See the Data Usage Requests article for more information (NetID/log in required).

Procedures for obtaining approval and granting access to data within information systems are based on the principle of least privilege. Typically, access control is managed by the Application Manager or designee. 

Roles and Responsibilities

The (CISO) is responsible for the university’s Information Security and Data Privacy program to ensure the protection of confidentiality, integrity, availability and privacy of information assets. The CISO coordinates the Information Governance program and chairs the Information Governance Committee (IGC).   

The Director of Enterprise Applications & Analytics is responsible for the university’s data management standards such as the data dictionary to ensure data security, quality and integrity of information assets. 

The Information Privacy Analyst administers the university’s Data Privacy program to ensure compliance with university policies and standards, state and federal regulations. Also, the position helps manage risks related to processing, storage and transmission of information. Major responsibilities of the Information Privacy Analyst include:  

  • Facilitate data usage requests to ensure adequate security and data minimization. 
  • Provide guidance to Data Trustees, Data Stewards, Application Managers, and Technical Data Custodians on their responsibility for data access and policy implementation. 
  • Maintain process documentation related to Information Governance functions (e.g., Listing of Data Trustee's, Data Stewards, Data Inventories, etc.). 
  • Facilitate data subject access requests related to data privacy. 

The Information Governance Committee (IGC) is the steering group for the Information Governance Program. The IGC strategically and proactively addresses issues related to data governance across the university. Major responsibilities include: 

  • Serve as the Data Governance Committee and Data Privacy Committee.
  • Establish policies and standards related to the confidentiality, integrity, availability, privacy, and quality of university data. 
  • Serve as the risk management group for conflicts related to data privacy, data management and university goals.  

A Data Trustee is a member of senior management (e.g. Provost, Vice Presidents, etc.) with authority over policies, standards, guidelines, and overall university strategy regarding the confidentiality, integrity, availability privacy and quality of data within their delegations of authority (i.e., data domain). Major responsibilities of a Data Trustee include: 

  • Appoint and oversee a Data Steward(s) for data within their data domain. 
  • Serve as an escalation point for decisions related to conflicts of university data within their data domain.   
  • Provide management support for the overall security and privacy of university data, particularly highly sensitive data, within their data domain. 

See the list of Data Trustees (NetID/log in required). 

An individual reporting directly to senior management that is delegated by a Data Trustee to carry out implementation and administration of policies, standards, and guidelines regarding the confidentiality, integrity, availability, privacy and quality of data within their delegated data domain. Responsibilities of a Data Steward shall not be delegated. Major responsibilities of a Data Steward include: 

  • Review and approve requests for data from source information systems within their delegated data domain by promoting data minimization and least-privilege.   
  • Oversee access and protection requirements to ensure they are consistent with university policies and that data classifications are in place. 
  • Provide guidance to departments and individuals responsible for data access and policy implementation within their delegation of authority. 
  • Coordinate with Application Managers to ensure access control, data security and information assurance. 

See the list of Data Stewards (NetID/log in required).

The Application Manager is considered the system administrator who handles operation and maintenance of a university application. The Application Manager establishes security awareness and maintains compliance with federal and state regulations, university policies, and data classification standards for the application in their delegation of authority. To ensure separation of duties, an Application Manager should not be the same individual as the Data Steward. Based on the risk profile, the CISO may approve an individual to serve both roles. Major responsibilities of the Application Manager include: 

  • Review and approve requests for data from source locations within their delegated data domain by promoting data minimization and least-privilege.   
  • Acknowledge and ensure data from source locations are properly protected in destination systems and/or use cases according to university standards and criteria established by Data Stewards.  
  • Ensure the application properly protects confidentiality, integrity, availability, privacy, and quality of data and is compliant with TU’s information technology and security standards as well as the USM IT Security Standards such as, but not limited to the following:   
  • Access control (e.g., provisioning, deprovisioning, access appropriateness reviews, etc.). 
  • Configuration management. 
  • Release and update management. 
  • Business continuity processes. 
  • Secure integrations and data movement (i.e., data-in-transit). 
  • Promote security awareness and training for users of the application. 
  • Understand and report on security risks and their impacts. 
  • Vendor relationship management. 
  • Assist with data privacy requests from data subjects that are coordinated by the Information Privacy Analyst.  

The Technology Data Custodian is generally an individual and/or group from the Office of Technology Services or similar discipline who ensures the data integrations are secure and according to university standards and procedures. In some cases, the Technology Data Custodian may provide technical support to the Application Manager or be responsible for certain technical components of the application and/or infrastructure. Major responsibilities of the Technical Data Custodian include:  

  • Consult with the Office of Information Security and Privacy and Privacy to ensure safe transmission of data integrations and movements in accordance with university information technology and security standards.   
  • Provide a secure and stable infrastructure in support of the data, including usability, reliability, integrity, physical security, and backup and recovery processes. 
  • Provide guidance to the Application Manager on technical safeguards and requirements as required by Data Classification. 

A Data User is anyone (e.g., employee, contractor, student employee, etc.) authorized to access university information systems or data. Individuals given access to confidential data have a position of special trust and are responsible for protecting its security, confidentiality, and integrity. Any university employee with access to university data can be considered a Data User.  

Major responsibilities of a Data User include: 

  • Complete training and follow university policies and applicable laws related to information security, privacy and data management.  
  • Protect all data and access to data in their care. Recipients of confidential data are responsible for maintaining the restricted nature of the data. 
  • Use data and access to data only as required in the performance of legitimate university functions and their job. 

If the information stored and/or processed is considered Personally Identifiable Information (PII), the data subject is the individual that the information represents. 

Related Policy

10-05.00 - Data Governance Policy