Executive Policy 2.215

Institutional Data Governance

Executive Policy Chapter 2, Administration
Executive Policy EP 2.215, Institutional Data Governance
Effective Date:  December 2025
Prior Dates Amended:  August 2019, February 2018, September 2012
Responsible Office:  Office of the Vice President for Information Technology
Governing Board of Regents Policy:  RP 2.202, Duties of the President
Review Date:  December 2027

I. Purpose

The objectives of this policy are to:

  1. Establish fundamental principles governing the management and use of data and information at the University, including, but not limited to, the collection and creation, privacy and security, and integrity and quality of that data and information;

  2. Ensure compliance with all federal and state laws, rules, and regulations;

  3. Set forth best practices for effective data management with ongoing objectives of increasing efficiencies, managing and mitigating information privacy and security risks, and promoting data quality;

  4. Establish clear lines of accountability and decision rights through the definition of roles and responsibilities related to data management;

  5. Establish a set of standardized terms and definitions to promote consistent interpretations and implementations of policies, procedures, and practices related to data management.

II. Definitions

  1. “Data Governance Process” or “DGP” – The process that governs the release of Protected Data and provides an understanding of how the data is being used, by whom, where it is being copied and stored, and how it is being secured.

  2. “Data Users” – All UH employees, including student employees, and affiliates who, in order to fulfill their job duties and responsibilities, require access to UH Institutional Data.

  3. “Departmental/Unit/Local Data Repositories” – Various UH academic and administrative departments or units copy Institutional Data from Institutional Data Systems into their own departmental, unit, or local data repositories. Any Departmental/Unit/Local Data Repository that contains a copy of Institutional Data is subject to the same policies and procedures which govern the use of Institutional Data. This policy applies to all repositories of Institutional Data, irrespective of where the repository is maintained (for example, a department may contract for cloud storage services to maintain its data repository).

  4. “Institutional Data” – Data elements which are created, received, maintained and/or transmitted by the University of Hawai‘i in the course of meeting its administrative and academic requirements.
    Institutional Data may be

    1. contained in any form, including but not limited to documents, databases, spreadsheets, email, and websites;

    2. represented in any form, including but not limited to letters, numbers, words, pictures, videos, sounds, symbols, or any combination thereof;

    3. communicated in any form, including but not limited to handwriting, printing, photocopying, photographing, and web publishing; and

    4. recorded upon any form, including but not limited to papers, maps, films, prints, discs, drives, memory sticks, and other information systems.

  5. “Institutional Data Systems” – UH systemwide data repositories that collect and store both transactional (operational) and reporting types of Institutional Data, including Systems of Record. In some cases, Institutional Data may be purged on a regular basis from an Institutional Data System. Institutional Data Systems are subject to the same policies and procedures that govern the use of Institutional Data. Examples of Institutional Data Systems are the Banner Student Information System, PeopleSoft, Kuali Financial System, STAR, Lamakū, etc.
    A list of Institutional Data Systems and associated System Executive Data Stewards is available on the UH data governance website. Note the list is not intended to be all-inclusive of the University’s Institutional Data Systems, but rather, represents Institutional Data Systems that are most likely to contain Protected Data.

  6. “Protected Data” – Institutional Data that are subject to security and privacy considerations that range from moderate to very high (i.e., all non-public data). These data fall under the Institutional Data Classification Categories of “Restricted,” “Sensitive,” and “Regulated.” For more information, refer to Executive Policy EP2.214, Institutional Data Classification Categories and Information Security Guidelines.

  7. “System of Record” – Institutional Data that are designated by a Data Steward as representing official values of the University. Official values are the data designated as the most accurate representation of the meaning and context of Institutional Data elements, which are recorded as facts. Official values are not necessarily the originally entered values, and as such, a System of Record may not necessarily be the system where values are originally entered. When questions arise over the meaning or interpretation of data elements or their values, the System of Record is used to resolve discrepancies.

III. Executive Policy

  1. POLICY STATEMENT
    The University holds itself accountable for the privacy and security of its Institutional Data and other data under its stewardship while keeping that data accessible for appropriate use. The data governance program strives to achieve this by fostering a culture of shared responsibility and active participation among members of the University community.

  2. GOALS
    The goals of data governance at the University are to:

    1. Protect the privacy and security of data and information under the stewardship of the University;

    2. Support a culture of responsible data use for informed and actionable decision making;

    3. Establish systemwide standards that enable holistic understanding of data across institutional boundaries;

    4. Promote the efficient use of resources to meet the data and information needs of the University community;

    5. Increase the University’s transparency and accountability to external stakeholders and the public by promoting access to relevant information.

  3. SCOPE
    The scope of this institutional data governance policy applies to the following:

    1. Institutional Data created, collected, analyzed, and reported on by UH units as part of their administrative and academic functions, regardless of where they are located and in what medium they are stored (e.g., physical or electronic), how they are accessed, and how they are transmitted.
    3. Individuals and organizations with access to Institutional Data. They include, but are not limited to:
      1. University employees, including some student employees

      2. RCUH and UH Foundation employees and other affiliates

      3. Third parties, such as contractors, partner institutions and organizations, and auditors

      All parties with access to Institutional Data have a responsibility to protect the data under their care. Section III-F, Roles and Responsibilities, identifies groups and individuals with special stewardship responsibilities.

    4. Institutional Data, such as student demographics, used in surveys or studies.

    5. Artificial intelligence (AI) tools used to assist with managing Institutional Data.

    6. Many of the basic principles and best practices in this policy also apply to research related data (i.e., information embodying facts resulting from scientific inquiry).

  4. PRINCIPLES
    The following principles are set forth as minimum standards to govern the appropriate use and management of Institutional Data.

    1. Institutional Data is the property of the University of Hawai‘i and shall be managed as a key asset through defined governance standards, policies, and procedures.

    2. Institutional Data will be safeguarded and protected according to security, privacy, and compliance rules and regulations established by the federal and state government, and University of Hawai‘i policies. This executive policy is not intended to supersede federal and state rules and regulations, but to promote and reinforce them.

    3. Access to Institutional Data will be based on the principle of least privilege. Implementing least privilege reduces the risk of unauthorized access or accidental misuse of the data in UH Institutional Data Systems and minimizes the potential damage from security breaches.

    4. Access to Institutional Data will be based on defined roles. Users deemed to have a legitimate educational interest will be assigned appropriate access based on their roles.

    5. Institutional Data will be accessed for legitimate business needs, never for personal interest.

    6. Institutional representatives will be held accountable to their roles and responsibilities. Roles and responsibilities involving the management and use of Institutional Data will be clearly defined, and individuals assigned to specific roles will be held accountable for their data management responsibilities.

    7. The use, storage, and exposure of protected data will be minimized whenever possible.

    8. The University strives to ensure the safety and security of its employees and its data assets. It will employ strategies in multiple ways, including the use of technology, physical space, etc. The strategies will take into consideration the privacy of individuals and the protection of data based on the level of sensitivity.

    9. The University’s technical resources will be used for institutional purposes only and not for personal and/or private gain or for malicious intent.

  5. BEST PRACTICES
    1. Minimal access to Institutional Data and/or Institutional Data Systems will be granted to Data Users based on the principle of least privilege. UH employees and student employees will be granted the most restrictive set of permissions and privileges based on feasibility and a need-to-know. Not only will the minimal level of access to perform an operation be granted, that access will be granted only for the duration of time necessary to complete the operation.
      Third parties, such as consultants and auditors, may be granted temporary login privileges to Institutional Data Systems. Programs must submit a Temporary Access Request (TAR) for each non-UH individual specifying the scope of work, start and end dates, and type of access. The TAR must be vetted and approved before access to an Institutional Data System will be granted.
    3. Disclosure of Institutional Data that are considered protected and personally identifiable will be based on a need to know. When possible, Institutional Data being disclosed will be de-identified.

    4. Unnecessary duplication of Institutional Data is discouraged. Maintaining repositories of redundant data increases the risk of inadvertent disclosure or inappropriate access to Institutional Data. Executive Data Stewards and Data Custodians (defined in section III-G, Roles and Responsibilities) will exercise responsible records management practices, including minimizing redundant storage where reasonable and appropriate.

    5. Data Users must complete mandatory training requirements on the appropriate handling of Protected Data before they are allowed access. AP2.215, Mandatory Training on Data Privacy and Security, requires Data Users to complete annual training.

    6. Institutional Data released for a specific purpose must be used for that purpose only. This best practice ensures transparency, accountability, and informed consent. It also ensures compliance with FERPA, which allows for the release of student data only under specific circumstances.
      In most cases where Institutional Data will be collected, managed, shared, exchanged, used and/or released with third parties, a Data Governance Process (DGP) review and approval are required. A separate DGP approval is required if, at any point, the original data will be re-used or re-purposed in any way.
      Data sharing agreements should include language that limits the use of the data to its originally intended purposes. Agreements include, but are not limited to, vendor contracts, subscriptions, and memoranda of agreement/understanding. Data Sharing Protections and Requirements templates for identified and de-identified data in Appendices 9A and 9B of EP8.200, Policy on Contracts and Signing Authority, include language that can be incorporated into data sharing agreements, as needed.

    7. Institutional Data should not be shared by our third-party vendors with their partners or other third parties for targeted advertising and other marketing purposes. EP2.219, Student Online Data Protection Requirements for Third Party Vendors, focuses on protecting student data from being used for gain by online vendors.

    8. Limited types of surveys will be allowed access to Institutional Data, such as student contact information. These surveys must be administered for institutional purposes (such as improving services for students) and/or for the benefit of students. Campuses make the final decision on the surveys for which student contact information will be released.
      Certain types of student surveys may require DGP approval. In those cases, an affirmative response from each Campus Executive Data Steward is required as part of the DGP approval.

    9. Resolution of issues related to Institutional Data will follow consistent and public processes. The Data Governance Committee (DGC) will coordinate the resolution of issues related to risks, costs, access, management, and use of Institutional Data with the appropriate Data Stewards and with UH leadership.

    10. Quality standards for Institutional Data will be defined, implemented, monitored, and communicated by System Executive Data Stewards of Institutional Data Systems (defined in sections II, Definitions and III-G, Roles and Responsibilities). Examples of data quality standards include: data validation rules, timeliness of updates, defined error rates, etc.

    11. Guidelines and procedures for the effective management of Institutional Data throughout its lifecycle (from creation to destruction) will be established. Guidelines and procedures involving the creation or acquisition, storage and maintenance, use, archival, and destruction of Institutional Data will be available to direct Data Users and Data Custodians in their data management practices.

    12. Activities that reduce the potential exposure of sensitive information will be implemented through an information security program. The University will maintain an information security program that addresses the following areas, including, but not limited to, governance structures, security audits, risk assessments, identity management, access controls, education and training, and network monitoring. The program will perform ongoing audits of high risk areas and enforce remediation measures, as necessary.

    13. Contingency plans for managing security breaches and disaster recovery will be established. The process for managing security breaches and other inappropriate uses of Institutional Data will be addressed in University policy. Types of information included will be a definition of a security breach, guidelines on the timing, contents, and means of notice to affected parties, etc. Disaster recovery plans will include contingencies for the physical security of affected sites containing Protected Data.

    14. Accessing Institutional Data remotely (for example, off-campus) will be done in a secure manner. Individuals who will be electronically accessing Institutional Data from a location other than their usual work areas will ensure they are not using unprotected or public wireless connections.

  6. ROLES AND RESPONSIBILITIES
    The following roles and responsibilities are defined, for both individuals and groups, for the purpose of establishing clear governance and accountabilities over Institutional Data. The terms and conditions for appointments and assignments are outlined for each. Note that for University employees whose duties and responsibilities fall within a controlled access environment, this policy should not impact their daily activities, but rather, should clarify and formalize their roles and responsibilities.

    1. Vice President for Academic Strategy (VPAS) – Authority and responsibility reside with the VPAS on policy and system (multi-campus) issues. The VPAS is the University’s authority to approve data commitments involving student success initiatives with other educational institutions or national education related non-profit organizations that require the collection, management, sharing, exchange, use and/or release of Protected Data.

    2. Vice President for Information Technology and Chief Information Officer (VPIT/CIO) – The officer responsible for setting and enforcing standards and guidelines for data management technologies and systems related to computing infrastructures, data processing performance, data delivery and integration, data architectures and structures, metadata repositories, and access control mechanisms. The VPIT/CIO has custodial authority over centralized Institutional Data Systems, including, but not limited to, the University’s student, financial, and human resources databases.     
      The VPIT/CIO is the University’s authority to approve:

      1. Selected purchases of electronic equipment, hardware, software, and related services through the OVPIT Approval for IT Procurement process. These purchases have specific criteria (e.g., purchase is over $25,000, interaction/integration with UH Institutional Data Systems, and/or require ITS support). For details, refer to section III.B.f(1) of EP8.200, Policy on Contracts and Signing Authority.

      2. Low cost, shrink-wrapped software/subscriptions (less than $2,500) that have non-compliant terms. For details, refer to section III.B.f(3) of EP8.200, Policy on Contracts and Signing Authority.

    3. Chancellors/Provost and System Vice Presidents – Chancellors/provost and system vice presidents (collectively referred to as “UH Leadership”) have authority and responsibility over policies and procedures regarding access and usage of data within their delegations of authority. The VPAS will consult with UH leadership on strategic matters and conflict resolution issues. The DGC serves in an advisory capacity to UH leadership, providing recommendations for actions.

    4. Data Governance Committee (DGC) – A systemwide group dedicated to implementing a data governance program at the University.   
      The DGC’s charges are to:

      1. revise, recommend, and develop policies and standards that govern the University’s data and information management practices at the direction of UH leadership;

      2. define clear and consistent structures, models, and processes that promote the efficient use of resources to meet the information needs of the University community;

      3. provide guidance and recommendations concerning the University’s Institutional Data, including expanding access, improving quality, ensuring data security, and improving performance;

      4. provide recommendations to UH leadership as part of a formal appeal process involving disputes around Institutional Data and Institutional Data Systems.

    5. Student Data Oversight Committee (SDOC) – A DGC subcommittee focused on improving data quality and access and providing guidance on future directions, priorities, and uses of student Institutional Data Systems. The SDOC has the authority to make decisions on student data issues and may recommend to the DGC policies and principles on data management and use. The IRAPO Director convenes the SDOC.

    6. Data Governance Office – Responsible for implementing the University’s data governance program. The office receives guidance and approval from the DGC to move forward on data governance initiatives, such as data sharing, data classification, records management, vendor management, etc. The director convenes quarterly DGC meetings and ensures there is broad representation from across the UH system.

    7. Institutional Research, Analysis, and Planning Office (IRAPO) Director – A member of the DGC, the IRAPO Director oversees the office that is the official reporting entity for student-related data and information for the University. The IRAPO Director coordinates the cross-functional reporting and analysis of student, finance, and human resource data. The IRAPO Director leads the University’s efforts around data quality and works collaboratively with system and campus leadership to improve the consistency and accuracy of data residing within the University’s Institutional Data Systems.
    9. Chief Information Security Officer (CISO) – A member of the DGC, the CISO leads the University’s Information Security Program. The Information Security Team reports to the CISO within Information Technology Services (ITS), and works with system and campus leadership to improve the security posture of the University.
      To meet the requirements of the Information Security Program, ITS has the authority to require that all servers be registered and to implement standard security controls, such as network and server scanning, to identify security weaknesses in any University information system or network that may compromise protected data or the operations and availability of institutional services.
      Likewise, ITS has the authority to enforce technical measures to ensure the protection of Protected Data that are stored or transmitted, whether intentionally or unintentionally, on University systems and networks, including but not limited to the immediate disconnection of compromised systems from the University network.

    10. Information Security Governance Council (ISGC) – A systemwide group comprised of two representatives, an Information Security Coordinator and an Information Technology (IT) Lead, from each Vice President’s office, UH Manoa units, and nine UH campuses.
      1. Information Security Coordinator - Designated by VP/Provost/Chancellor/Dean/Director, the Information Security Coordinator is the administrative authority responsible for ensuring compliance with data governance and information security mandates and policies.
        The Information Security Coordinator is a non-technical leadership role responsible for ensuring compliance and implementation of information security policies and procedures for the entire unit. The Information Security Coordinator is the point of contact for the Information Security Team and Data Governance Office.

      2. IT Lead - Designated by the VP, Provost/Chancellor, Dean/Director, and/or Information Security Coordinator, the IT Lead is the technical staff member who is responsible for disseminating information on IT security initiatives to the rest of the unit’s IT staff and for ensuring that the implementation of security requirements across the entire unit is completed. The IT Lead will be expected to report to the Information Security Coordinator on the status of security and compliance within the unit.
        Additional ISGC members include representation from various System Offices that support compliance with data governance and information security mandates and policies.

      The CISO convenes the Information Security Governance Council which meets quarterly.

    11. Campus FERPA Officer – The campus registrar serves as a campus-wide technical resource and subject matter expert on FERPA issues, and provides interpretation as needed.

    12. Data Stewards – Data Stewards act in accordance and ensure compliance with applicable federal and state rules and regulations and University policies involving Institutional Data. Data Stewards are responsible for minimizing the use, storage, and exposure of Protected Data, particularly personally identifiable information. They are expected to limit the exposure of such data to only situations that are deemed essential and appropriate.
      There are two levels of Data Stewards at the University of Hawai‘i: executive and functional.
      1. Executive Data Stewards are accountable for the use and management of Institutional Data at their respective campus or within the Institutional Data System under their purview.

        1. Campus Executive Data Stewards

          1. These Data Stewards are vice chancellors or appropriate administrators responsible for the major functional areas within a campus including, but not limited to, student affairs, academic affairs, and administration. They have the authority to govern the use of Institutional Data within their respective areas.

          2. Campus Executive Data Stewards have the responsibility of reviewing and approving data requests through the DGP process for their campuses in their respective functional areas. As part of the review process, a Campus Executive Data Steward will assess various factors, including appropriateness, privacy, and risk at the campus level.

          3. Campus Executive Data Stewards also have the authority to grant access to Institutional Data Systems for campus personnel within their functional areas.

        2. System Executive Data Stewards
          1. These Data Stewards are primarily system level executives with functional responsibility for Institutional Data Systems (see section II, Definitions). They have the authority to govern the use of Institutional Data within these Institutional Data Systems.

          2. System Executive Data Stewards review and approve DGP requests involving multiple campuses, external parties, and/or electronic linkages to Institutional Data Systems. As part of the review process, the System Executive Data Steward will assess various factors, including appropriateness, privacy, and risk at the system level.

          3. System Executive Data Stewards also have the authority to grant access to Institutional Data Systems for system office and campus personnel within their functional areas or for the Institutional Data Systems they are the stewards of. The approval process may include multiple stewards.

          4. System Executive Data Stewards have the additional responsibility of responding to the data and information needs of the University community through the Institutional Data Systems they oversee. They sponsor and promote a shared understanding of data through clear data element definitions, and oversee data quality and performance improvements within these systems.

          Refer to the UH Data Governance website (a UH login is required) for a listing of Institutional Data Systems and associated Executive Data Stewards.

      2. Functional Data Stewards are responsible for the day-to-day use, management, and distribution of Institutional Data. Functional Data Stewards exist among all levels and across all units within the University. Registrars, financial aid officers, fiscal managers, human resources specialists, and institutional researchers are among those considered Data Stewards.
        Functional Data Stewards engage in the following types of data related activities:

        1. Ensure Institutional Data is managed appropriately, according to policies and procedures;

        2. Recommend enhancements for their respective program areas to improve data quality, access, security, performance, and reporting;

        3. Serve as a conduit between functional and technical personnel to promote communication and a shared understanding of requirements;

        4. Fulfill DGP requests.

    13. Data Custodians – Data Custodians are the managers and/or administrators of systems or media on which protected data reside, including, but not limited to, personal computers, laptop computers, PDAs, smartphones, departmental servers, enterprise databases, storage systems, magnetic tapes, CDs/DVDs, USB drives, paper files, and any other removable or portable devices or off-site storage technologies. These may include, but are not limited to, cloud storage or cloud services. Information technology personnel are commonly regarded as Data Custodians; however, any authorized individual who downloads or stores sensitive information onto a computer or other storage device becomes a Data Custodian through that act.
      Data Custodians are responsible for the technical safeguarding of protected data, including implementing and administering controls to ensure the transmission of those data is secure and that access controls are in place to prevent inappropriate disclosure.

    14. Data Users – UH employees, students, and affiliates who, in order to fulfill their job duties and responsibilities, require access to protected data as defined in Executive Policy EP2.214, Institutional Data Classification Categories and Information Security Guidelines. Data Users are responsible for understanding and complying with applicable University policies and procedures and all recognized federal and state laws for dealing with protected data.
      To ensure compliance and to meet the objectives of this policy, individuals must complete training requirements as outlined in AP2.215, Mandatory Training on Data Privacy and Security. Those who do not comply will be denied access to selected Institutional Data Systems. Specific questions about the appropriate handling or usage of Institutional Data should be directed to the Executive Data Steward responsible for that area.

IV. Delegation of Authority

There is no policy-specific delegation of authority.

V. Contact Information

Subject Matter Experts
 Office of the Vice President for Academic Planning and Policy
 ovpaa@hawaii.edu
 956-6897
 
Data Governance Office
Sandra Furuto, 956-7487, yano@hawaii.edu

VI. References

Executive Policy EP2.215, Institutional Data Governance, provides the overall structure for the University’s data governance program. Other University of Hawai‘i executive policies, State of Hawai‘i Revised Statutes, and external regulations that relate to data governance are available here.

VII. Exhibits and Appendices

No Exhibits and Appendices found

Approved

    Signed: Wendy Hensel, President
    Date: December 02, 2025
