Sponsor:

Office of Information Technology Services and Office of Academic Affairs

Contact:

Assistant Vice President of Analysis, Planning, and Support

Category:

University-wide

Number:

1000.016

Effective Date:

09/26/2025

Implementation History:

Approved: September 26, 2025

Keywords:

Institutional Data, Access Control, Data Stewardship, Compliance, Confidentiality, Governance Structure, Role-Based Access

Background Information:

Until April 2025, Empire State University directly followed the SUNY Data Governance Policy. As of April 2025, Empire State University wrote a local Data Governance policy to refine controls in line with SUNY, state, and federal compliance requirements.

Purpose

The purpose of this policy is to establish a formal structure for the effective management and governance of institutional data at the University. This policy ensures that institutional data is accurate, secure, accessible, and used responsibly throughout the University.

Definitions

  1. Compliance Requirements – Legal, regulatory, contractual, or policy-based obligations that govern how data must be handled and protected.

  2. Confidential Data – Any data classified as sensitive or private and subject to legal or policy-based restrictions on access, use, or disclosure.

  3. Data Custodian – Technical staff responsible for data storage, maintenance, and security. (e.g., IT staff managing database security, system administrators maintaining data storage infrastructure, and application administrators overseeing access controls for institutional systems.)

  4. Data Consumer – Authorized individuals who access and use data as part of their job responsibilities. (e.g., faculty analyzing student performance data, advisors accessing degree progress reports, and administrators using dashboards to inform strategic decisions.)

  5. Data Governance – A system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models to ensure proper data management throughout its lifecycle.

  6. Data Guardian – IT and other personnel who maintain infrastructure and enforce security standards. (e.g., the Information Security Officer ensuring data protection, the Director of Compliance overseeing regulatory adherence, and the Privacy Officer managing personal data confidentiality.)

  7. Data Integrity – The accuracy, consistency, and reliability of data throughout its lifecycle. Ensuring that data is not altered inappropriately and remains trustworthy over time.

  8. Data Lifecycle – The stages through which data passes, from initial creation and storage to use, archiving, and deletion.

  9. Data Literacy – The ability to read, understand, create, and communicate data as information. Includes recognizing data quality, ethical use, and the context of use in decision-making.

  10. Data Quality – A measure of data’s fitness to serve its purpose in a given context, characterized by attributes such as accuracy, completeness, timeliness, consistency, and reliability.

  11. Data Security – The protective measures applied to safeguard data from unauthorized access, disclosure, alteration, or destruction.

  12. Data Steward – Individual responsible for implementing policies and maintaining data quality. (e.g., data stewards include registrar staff managing student records, HR personnel overseeing employee data, and financial aid officers maintaining compliance-related data integrity.)

  13. Data Trustee – Senior executive accountable for strategic oversight and proper use of data within a domain. (e.g., data trustees include the Provost for academic data, the Chief Financial Officer for financial data, and the Vice President for Student Affairs for student services data.)

  14. Institutional Data – Information used for university operations that meets defined criteria (e.g., created or maintained by employees, used in official reports). University data includes student records, financial information, research data, and information you create or use in your work.

  15. Role-Based Access Control (RBAC) – A method of managing user access to systems or data based on the roles assigned to users, ensuring that individuals only access data necessary for their job functions.

  16. University – Empire State University, State University of New York

Policy Statements

  1. The University is committed to treating institutional data as a strategic asset that must be managed with integrity, security, and accountability. All individuals accessing institutional data are expected to adhere to role-based access controls, comply with applicable laws and policies, and uphold the highest standards of ethical data use.

  2. The Institutional Data Governance Advisory Workgroup (DGAW) will prepare and recommend relevant data governance policies. The President will review and approve those policies as appropriate. Additionally, the DGAW will create and maintain the technical definitions and detail the necessary control and enforcement mechanisms. Every University employee is responsible for following the data practices and policies.

  3. Institutional data is owned by the University. Access to data, reports, and related outputs is governed by the University’s policies and guidelines. Individuals and departments serve as data stewards and are responsible for properly applying the University's policies and guidelines.

    Institutional Data includes:

    Student Data: All information in the Student Information System and its related affiliated systems: Admissions, Student Success, Co-Curricular, etc.

      1. Administrative Research Data
      2. Financial Data
      3. Human Resources Data
      4. Library Data
      5. Information Technology Data: Identity and Access Management Data, E-mail, Shared Documents
      6. Facilities Management Data
      7. Alumni/Advancement/Fundraising Data
      8. Survey Data

  4. The University expressly forbids using institutional data for anything other than university business. Those accessing data must:
      1. Observe requirements for confidentiality and privacy.
      2. Comply with protection and control procedures.
      3. Accurately present the data for any use.
      4. Have a legitimate business purpose.
      5. Comply with applicable University policies, state and federal laws, and regulations.

  5. GOVERNANCE STRUCTURE

    The Institutional Data Governance Advisory Workgroup (DGAW) shall:

      1. Review and recommend data governance policies
      2. Monitor compliance with applicable data governance standards, laws, and regulations
      3. Coordinate with institutional stakeholders to ensure adherence

  6. ROLES AND RESPONSIBILITIES
      1. Data Trustees – Strategic oversight and delegation of duties.
      2. Data Stewards – Implement and enforce data governance procedures.
      3. Data Custodians – Ensure data systems are secure and operational.
      4. Data Guardians – Maintain technical infrastructure.
      5. Data Consumers – Follow ethical, compliant, and secure data use practices.

  7. ENFORCEMENT

    Violations of this policy may result in disciplinary action, including loss of access privileges, termination, and legal consequences. Any clarifying questions can be directed to the Assistant Vice President for Analysis, Planning, and Support.

Applicable Legislation and Regulations

GLBA Safeguards Rules

Related References, Policies, Procedures, Forms and Appendices

Empire State University General Data Protection Regulations

Empire State University Family Educational Rights Privacy Act (FERPA)

Empire State University Information Security Policy

Enterprise Data Classification Policy