Summary of Changes to Existing UH Institutional Data Governance Policiesand Addition Of

Summary of Changes to Existing UH Institutional Data Governance Policiesand Addition of a New Administrative Procedure

EP 2.215, Institutional Data Governance

EP2.215 is the overarching policy on data governance at UH and outlines its purpose, vision, and scope. In addition, the policy establishes data governance principles, best practices, and roles and responsibilities of groups and individuals. Updates to the policy include:

1.Adding a new principle on minimal access;

2.Movinga statement on resolution of issues from the principles section to the best practice section;

3.Adding best practiceson minimal access, need-to-know, mandatory training and education (a new administrative procedure), student surveys, and remote access;

4.Including a new subcommittee called theStudent Data Oversight Committee (SDOC) which falls under the policy making Data Governance Committee and focuses on improving data quality and access through the resolution of operational issues;

5.Including authorization of data security measures under the roles and responsibilities of the Chief Information Security Officer (similar to what is in EP2.214);

6.Expanding thedata users section to include mandatory training and education requirementsfor individuals working with protected data.

EP 2.214, Security and Protection of Sensitive Information

EP2.214 was established in 2009 and was the first policy on data governance and security andaddressed a broad number of topics. With EP2.215 serving as the overarching policy, EP2.214 has been revised to focus on data classification categories and technical guidelines. The majority of the original content has been removed since they already exist or will exist in other policies and procedures. The update to EP2.214 is part of a planned policy structure around data governance and security.A summary of the policy revisions by section are outlined below:

1.Policy name change

OLD:Security and Protection of Sensitive Information

NEW:Institutional Data Classification Categories and Data Security Guidelines

2.Philosophy – removed since it exists in EP2.215, Institutional Data Governance

3.Data classification categories – expanded from two to four categories

Public – Institutional Data where access is not restricted and is subject to open records requests.

Restricted (new) – Institutional Data used for UH business only. Includes student contact information and UH ID numbers. Restricted data will not be distributed to external parties except under the terms of a written memorandum of agreement or contract.

Sensitive – Institutional Data subject to privacy or security considerations or any Institutional Data not designated as public, restricted, or regulated. Examples of sensitive data include the contents of a student’s record.

Regulated (new) – Institutional Data where inadvertent disclosure or inappropriate access requires a breach notification in accordance with HRS487N or is subject to financial fines. Social Security Number (SSN) and personal financial information fall within this category.

4.Roles and responsibilities – removed since it exists in EP2.215, Institutional Data Governance

5.Access – removed; to be addressed in a separate policy at a later date

6.Technical guidelines around use and storage – to be revised and included as an ITS link

7.Breaches – removed; will become a new admin procedure

8.Data security related measures – retained in the policy

Data ITS authority to enforce technical measures to ensure data is protected, including requiring server registrations

ITS authority to require departments/units/programs to report on the data they manage

FTC Red Flags Identity Theft Prevention Program

9.Personnel related actions (terminations, violations, background checks) – retained in the policy

10.New guidelines for reporting and dissemination of protected data (e.g., recommended small cell size) – to be added as a link to the data governance website

AP2.xxx, Mandatory Training and Continuing Education Requirements for Data Users

As part of the University’s commitment to protecting the privacy and security of its data, a mandatory training and continuing education requirement will be implemented for data userswith access to personally identifiable information. The purpose of the training and education requirement is to increase user knowledge and awareness on safeguardingour data.Currently, UH has an in-house training module that is being taken by pockets of data users. The training module comprises of narratives followed by multiple choice questions. The training takes approximately 30 minutes. The training module is being updated to reflect the latest UH policies and practices and security concerns.

The individuals affected by the mandatory training and education requirement will be those who already have or new hires who will need to havelogin privileges to UH enterprise information systems as part of their job duties and responsibilities. After the administrative procedure is approved and the training module is updated, a rollout of the mandatory training and education requirement for data users will occur, one enterprise information system at a time. A sample notification email to data users of the first enterprise information system is included for reference.

Others affected by the training and education requirement are UH individuals who are requesting the release of UH data as part of UH’s data sharing request process. The data sharing request process governs the release of data to individuals who do not normally have access to the data but who have a specific need for it.

DGO: 5/16/17