10.4 MGA Data Governance Policy

MGA POLICY NUMBER: Records: 10.4

MGA POLICY NAME: Data Governance

Added: 12/19/2019
Revised: 12/19/2019
Last Reviewed: 12/16/2019
Effective: 01/19/2020

Policy:

Middle Georgia State University (MGA) shall abide by all policies established by the Board of Regents of the University System of Georgia (BOR) and all other relevant statutory or regulatory requirements of the state of Georgia and the federal government pertaining to data governance.

MGA’s data governance structure will demonstrate accountabilities for the data assets of the organization to ensure proper use and handling of data being read, created, collected, reported, updated or deleted. Through its charter documentation, the data governance structure identifies the offices and positions responsible for data management, cybersecurity and compliance, along with their responsibilities.

Context:

Information is a strategic asset of all University System of Georgia (USG) organizations and is critical to administration, planning and decision-making. Effective and responsible use of information requires that data is secure, well documented, and accessible for use by authorized, trained personnel.

Related Definitions:

    1. Data Owner – the chief executive officer, or President of the institution, who is responsible for all data read, created, collected, reported, updated or deleted by the offices of the organization.
    2. Data Trustee – the executives of the organizations who have overall responsibility for the data being read, created, collected, reported, updated or deleted in their data area(s). These individuals are normally cabinet-level positions reporting directly to the President of the institution.
    3. Data Steward – the individual identified by the data trustees to be responsible for the data being read, used, created, collected, reported, updated or deleted and the technology used to do so, in their data area(s).
    4. Data User – any faculty or staff, authorized by the appropriate institutional authority, to access enterprise data or data related to their institutions.
    5. The Global Data Governance Committee – Committee consisting of Data Trustees designated by the President.
    6. The Functional Data Governance Committee – Committee consisting of Data Stewards designated by the Data Trustees.
  • Chief Information Officer – Designated individual with managerial oversight ensuring that technical infrastructure is in place to support the data needs and assets, including availability, delivery, access, and security across their operational scope. 
  • Chief Information Security Officer – Designated individual with operational oversight ensuring that technical infrastructure is in place to support the data needs and assets, including availability, delivery, access, and security across their operational scope.
  • Chief Privacy Officer – Institutional designee responsible for the development and implementation of general privacy policies and procedures.
  • HIPAA Privacy Officer – Institutional designee responsible for the development and implementation of privacy policies and procedures regarding the handling of protected health information in compliance with HIPAA regulations.
  • Open Records Officer – Institutional designee as compliance officer for Georgia Open Records Act (O.C.G.A. § 50-18-70, et seq.)
  • Chief Data Officer – Institutional designee who is responsible for data integrity and fosters value creation across the ecosystem.
  • Data Protection Officer – Institutional designee as compliance officer for European Union General Data Protection Regulation (“EU GDPR”)

ADMINISTRATIVE AND ADDITIONAL RESOURCES:

  • Short Title: “Data Governance”
  • Original Draft Date: 11/25/19
  • Previous Version: N/A
  • Oversight: Global Data Governance Committee

Additional Resources:

  • USG Business Procedures Manual Section 12
  • USG IT Handbook
  • Health Insurance Portability and Accountability Act - HIPAA
  • Open Records Act (O.C.G.A. § 50-18-70, et seq.)
  • European Union General Data Protection Regulation - GDPR

Associated Procedures:

  • MGA Data Governance Charter
  • MGA Cybersecurity Plan
  • MGA Data Management and Classification Procedure
  • MGA HIPAA Procedure
  • MGA Open Records Policy
  • MGA GDPR Procedure