Washington University in St. Louis’ university data resource, by definition, practice and intent, is a university asset.
University data is not limited to information captured and stored in university systems, but also includes all data created or acquired by any university community member or entity as a direct consequence of duties performed on behalf of the university.
This guideline sets out principles for the management of securable university data and the responsibilities for the protection of this data. It applies to all securable university data, whether printed or electronic, and whether individually controlled, shared, stand-alone or networked.
The guideline will serve to:
- Ensure establishment, maintenance and delivery of secure, confidential, trustworthy, stable, reliable and accessible collections of securable university data for shared access by the university community;
- Maximize the value received from the data asset by increasing the understanding and use of the data;
- Provide an integrated view of the functions of the university as they relate to securable university data;
- Improve direct access to data by end-users in accordance with institutional policies and state and federal privacy and security laws and regulations;
- Support the university’s strategy to incorporate information technology as an integral part of decision-making, competitive positioning and delivery of services.
The data resource should be safeguarded and protected. As an institutional or research asset, data should be protected from deliberate, unintentional or unauthorized alteration, destruction and/or inappropriate disclosure or use in accordance with established institutional or applicable funding agency policies and practices and federal and state laws.
Access to data should be authorized and managed. A user’s right to access applicable university data should be granted based on authorization provided by university staff who have been designated by the data steward/owner as authorized signers for that data. Authorization to access university data, including public data, should be based on appropriateness to the user’s role and the intended use. Access should be consistent with applicable requirements of university or funding agency policies and federal and state laws and should be granted only to those individuals or systems that have been authorized. Authorization and access should be documented, reviewed, modified and terminated in accordance with university or applicable funding agency policies, and federal and state laws.
Data should be shared based on institutional or applicable funding agency policies, and federal and state laws. University data are not considered to be owned by a particular individual, unit, department or system of the university unless specifically tied to a researcher and having dean-level approval. University data should be made accessible to all authorized users and systems.
Data should be managed as an institutional resource. Data organization and structure should be planned on functional and institutional levels. Data usage and data sources should be managed through the data stewardship principles of administering and controlling data quality and standards in support of institutional or funding agency goals and objectives.
University data should be identified and defined. Standards should be developed for their representation in databases. Controls should be established to assure the completeness and validity of the data, and to manage redundancy.
Information quality should be actively managed. Explicit criteria for data validity, availability, accessibility, interpretation and ease of use should be established and promoted. Action programs for data quality improvement should be implemented.
Data storage and delivery mechanisms should be developed based on the needs of university processes. Data architectures should be developed to support institutional and research processes. These data architectures should drive the physical implementation of the selected solution.
Contingency plans should be developed and implemented. Disaster Recovery/Business Continuity plans and other methods of responding to an emergency or other occurrences of damage to systems containing university data, including electronic protected health information (ePHI), should be developed, implemented and maintained. These contingency plans shall include, but are not limited to, data backup, disaster recovery and emergency mode operations procedures. These plans should also address testing of and revision to disaster recovery/business continuity procedures and a criticality analysis.
Responsibilities for implementation
Every data steward/owner of a university system that hosts or consumes university data is responsible for implementing and ensuring compliance with Washington University in St. Louis’ data resource management guideline and must initiate corrective action with the proper authorities of the university if it is needed. These responsibilities include:
- Communicating all applicable guidelines to applicable faculty, staff and students
- Establishing specific goals, objectives and action plans to implement the applicable guidelines
- Developing plans that guide information system and data development to satisfy both customers and institutional information needs
- Actively supporting strong data management through data stewardship
- Ensuring availability of education and training in data management principles, including security awareness, to workforce members whose jobs require them to access, maintain or use this data
- Defining an appropriate level of security that corresponds to the sensitivity of the information
HIPAA requires taking reasonable precautions when verbally communicating protected health information. Precautions should also be taken when verbally communicating other sensitive information.
Updated April 1, 2013