Skip to Navigation | Skip to Content

University Data Management Policy

Title: University Data Management Policy
Effective Date: Upon approval by University Senior Team
Issuing Authority:
- Executive Vice President for Finance and Information Technology
- Vice President for Budget and Planning
- Vice President for Information Technology and Chief Information Technology Officer for NYU New York
Responsible Officer:
- Executive Vice President for Finance and Information Technology
- Vice President for Budget and Planning
- Vice President for Information Technology and Chief Information Technology Officer for NYU New York

Policy

All institutional data is owned by New York University and, as such, all members of the University community are responsible for appropriately respecting and protecting the asset. (Also refer to the Policy on Responsible Use of NYU Computers and Data, www.nyu.edu/about/policies-guidelines-compliance/policies-and-guidelines/responsible-use-of-nyu-computers-and-data-policy-on.html.) This policy establishes uniform data management standards and identifies the shared responsibilities for assuring the integrity of the data and that it efficiently and effectively serves the needs of the University. This policy applies to data used in the administration of the University and all of its units, such as schools and administrative and auxiliary units, as well as data reposited in the University Data Warehouse.

  1. Guiding Principles
    1. In order for the University to effectively manage and safeguard the University data assets, procedures must be in place to guide appropriate data access, ensure the security of the data, and provide a means to address procedural exceptions.
    2. Roles, including those both of individuals with data responsibilities and of eligible users, are necessary to support data integrity and security.
    3. Sharing information across organizational boundaries should be facilitated where appropriate.
    4. A sustained data administration function should reinforce a set of definitions for commonly consumed data, with the understanding that there may be multiple valid definitions.
    5. Data integration across the University should be encouraged to foster data accuracy and uniformity, and demonstrate an understanding of NYU's institutional complexity, various data systems, and differing data formats.
    6. Data should be safeguarded to maintain the confidentiality and privacy of personally identifiable information; such safeguards should be balanced and reflect the necessity for the University to conduct its business.
  2. Data Administration
    1. University Ownership of Institutional Data

      All institutional data is owned by New York University. As such, all members of the University community have the obligation to appropriately respect and protect the asset, in all formats and in all locations.

    2. Stewardship

      Roles and responsibilities for protecting and classifying the institutional data asset are defined below in section C, "Data Management Roles and Responsibilities".

    3. Data Classification

      Institutional data is categorized as Restricted, Protected, Confidential, or Public, following the Data and Computer Security Policy (www.nyu.edu/its/policies/sec_compdata.html) and the Reference for Data and System Classification (www.nyu.edu/its/policies/sec_ref.html), and should be safeguarded appropriately.

    4. Access and Confidentiality

      Access to University data should be based on the business needs of the organization and should enhance the ability of the University to achieve its mission. Employees should have access to the data needed to perform their responsibilities, without regard to arbitrary barriers. In many cases, that data need not be individually identifiable. The University Data Warehouse should be built taking into account these constraints.

      Because no computer system is completely immune from exploitation, applying layered security controls will better safeguard University computers and NYU's ever-expanding body of sensitive data/information. In order that the proper controls are applied, it is the responsibility of each individual utilizing University computer and data resources to:

      1. Know the classification of the system you are using.
      2. Know the type of data you are using.
      3. Follow the appropriate security measures.
      4. Consult the "Related Policies" at the end of this policy for further information.

      Beyond existing policies, specific policies implementing data access and security, including within the University Data Warehouse, developed by functional areas, need to be approved by the Committee on Institutional Data Policy and Data Management to ensure consistency with the Guiding Principles, set forth in Section A, above.

    5. Training

      Before individuals will be allowed to access University data, training in the use and attributes of the data, functional area data policies, and University policies regarding data is mandatory.

    6. Master (Metadata) Standards and Definitions

      A terminology/taxonomy shall be developed by the Data Stewardship Advisory Group, or an appropriate subset, in order to provide a framework for requesting and producing consistent data across all levels of the enterprise. The definitions shall be accessible to all University data users and shall be included in training.

    7. Integrity, Validation, and Correction

      Data, as a University asset, must be safeguarded and managed at all points and across all systems, from creation to use to archive, through coordinated efforts and shared responsibilities, to ensure its accuracy. Each functional area will develop and implement processes for identifying and correcting erroneous or inconsistent data. When and if erroneous or inconsistent data has been identified, the Data Steward from the corresponding functional area shall within five business days either correct the data or escalate the issue to the appropriate Data Trustee and Chief Data Management Officer. Information Technology Services (ITS) will develop and implement data auditing processes.

    8. Extraction, Manipulation, and Reporting

      Extraction, manipulation, and reporting of University data must be done only for University business purposes.

      1. Personal use of institutional data, including derived data, in any format and at any location, is prohibited.
      2. Where appropriate, before any information is used outside the Data User's functional unit, verification with the functional area manager is recommended.
      3. Any report that presents University data, whether in tabular or graphic form, should indicate clearly the name of the NYU unit that prepared the report and the date the report was issued (which may be earlier than the date the report is printed). To facilitate later use of the report or its underlying data, the report ideally also will contain the file name where the report is stored in the unit that issued it.
    9. Retention and Archiving

      Before decisions are made concerning data retention and data archiving, the appropriate Data Users must be consulted.

    10. Access to University Data from Global Locations

      As New York University continues its evolution as a Global Network University, all remote sites will need to access University data following the same University policies.

    11. Exceptions to Standard Data Access

      Procedures must be developed to address those cases where an individual seeks permission to access data outside of the access plan and defined roles. In those instances, the individual must submit a written request seeking non-standard access. This request should include a statement indicating the access being sought and the reason for the request, and should be submitted to the Chair of the Data Stewardship Advisory Group. The Chair will send the request to the appropriate Data Steward for review and decision. The Data Steward will report the decision to the appropriate Data Trustee and to the requestor's manager.

  3. Data Management Roles and Responsibilities
  4. To support an effective University data administration and management program, a series of data management roles are outlined below:

    1. Data Trustees

      Data Trustees are senior University officials (typically at the level of Vice President or higher) who have planning and policy-making responsibilities for University data and the University Data Warehouse. The Data Trustees, as a group, are responsible for overseeing the establishment of data management policies and procedures, and for the assignment of data management accountability.

    2. Data Stewards

      Data Stewards are typically operational managers in a functional area with day-to-day responsibilities for managing business processes and establishing the business rules for the production transaction systems. Data Stewards are appointed by the respective Data Trustees. Data Steward responsibilities include the data management activities outlined in this policy and other activities that may be assigned by a Data Trustee. Data Stewards are responsible for defining the criteria for archiving data to satisfy retention requirements. Data Stewards have the responsibility to establish the processes for documenting data elements.

      The Data Steward will be responsible for developing an overall data access plan. The plan should outline various roles and the access each role will have to data, including within the University Data Warehouse, and will seek to balance the need for information to perform one's job responsibilities and to ease administrative functionality with the need for keeping data confidential and secure. Data is categorized as Restricted, Protected, Confidential or Public, following the Data and Computer Security Policy (www.nyu.edu/its/policies/sec_compdata.html) and the Reference for Data and System Classification (www.nyu.edu/its/policies/sec_ref.html). The data access plan needs to consider the categorization of the data in developing each access role.

      Data Steward responsibilities include, but are not limited to:

      1. Develop a data access plan.
      2. Create and perform processes to capture and fix inconsistent or erroneous data.
      3. Certify published reports and analytics.
      4. Certify data reposited in the University Data Warehouse.
      5. Work with the Office of Institutional Research and the University's Finance offices in developing definitions of commonly used terms and the algorithms for calculating University metrics.
      6. Participate in security access audits.

      In support of the role of the Data Steward, the Vice President for Information Technology and Chief Information Technology Office for NYU New York provides technological data protection services.

    3. Data Users

      Data Users are individuals who access University data to perform their assigned duties. Data Users are responsible for protecting their access privileges and for the proper use of the University data they access.

    4. Office of Institutional Research

      The Office of Institutional Research, through the role of the Chief Data Management Officer, shall be responsible for working with the appropriate Data Stewards to develop definitions of commonly used terms such as "faculty" (e.g., who is included in the count of faculty?) and "enrolled student." In addition, the Office of Institutional Research, with the appropriate Data Stewards, and using its knowledge of external reporting requirements and standards, will define how official University metrics are calculated (e.g., if calculating space per student, what type of space is included in the calculation [all space, academic space, etc.] and which student count is used [FTE, FT only, undergraduate, etc.].) Further, in the course of its work, the Office of Institutional Research will typically discover data discrepancies and inconsistencies and will promptly report such to the appropriate Data Steward for resolution.

    5. Committee on Institutional Data Policy and Data Management

      The Committee on Institutional Data Policy and Data Management establishes overall policies for management and access to the institutional data of the University. This committee shall be composed of the Data Trustees; shall be coordinated by the Chief Data Management Office; shall approve the policies and procedures developed in each functional area to ensure appropriate compliance; and shall provide oversight of all University processes which capture, maintain, and report on data used in the University's data-driven decisions.

    6. Data Stewardship Advisory Group

      The Data Stewardship Advisory Group is a University-wide committee, typically composed of Data Stewards. Designated Data Users may be invited to attend, as appropriate. This group reviews the operational effectiveness of data management policies and procedures and makes recommendations to the Committee on Institutional Data Policy and Data Management for improvement or change. In addition, the Group ratifies definitions of commonly used terms and University metrics. The group is chaired by the Chief Data Management Officer and uses collaborative tools to foster communication and to archive the decision-making process. The Data Stewardship Advisory Group must ensure regular and appropriate collaborative communication with school-based Data Users.

  5. University Data Warehouse
    1. Data Warehouse

      The University Data Warehouse shall exist to support Data User queries to track and respond to business trends, to facilitate forecasting and planning efforts, to produce reports, and to store sharable historic data from operational systems-of-record. The University Data Warehouse serves as the University repository from which official information is produced. The accuracy of data which is reposited in the University Data Warehouse must be certified by the appropriate Data Steward.

    2. Training

      Before individuals will be allowed to access the University Data Warehouse, training in the use and attributes of the data, the data retrieval tools, functional area data policies, and University policies regarding data is mandatory.

    3. Extraction, Manipulation, and Reporting

      Extraction, manipulation, and reporting of data from the University Data Warehouse must be done only for University business purposes.

      1. Personal use of institutional data, including derived data, in any format and at any location, is prohibited.
      2. Where appropriate, before any information from the University Data Warehouse is used outside the Data User's functional unit, verification with the functional area manager is recommended.
    4. Storage

      There is only one official data source for each data element in the University Data Warehouse, to be determined by the appropriate Data Steward. To the extent possible, data element names, formats, and codes should be consistent across all applications which use the data, as well as consistent with University standards.

    5. Data Documentation

      Data Stewards are responsible for establishing the processes for documenting data elements in the University Data Warehouse. Documentation of derived data should include the algorithms or decision rules for the derivation. ITS shall specify a standard data format for receiving and loading data definitions and descriptions into a metadata repository.

Purpose of this Policy

NYU values access to, and the timeliness, accuracy, and consistency of, information, while fully appreciating the basic security and privacy requirements involved. Controlled access by employees to administrative information is necessary in order to support University functions. Shared definitions for data and appropriate roles have been developed to support the use of University data and the University Data Warehouse.

Scope of this Policy

All employees whose job responsibilities include inputting data to or retrieving data from University data systems, or using data from the University Data Warehouse, and those who supervise such individuals.

Policy Definitions

Chief Data Management Officer: The role assigned to a member of the University's Office of Institutional Research, who will be responsible for coordinating all activities related to University Data Management.

Committee on Institutional Data Policy and Data Management: A senior level team comprised of the Data Trustees that establishes overall policies for management and access to the institutional data of the University. See section C.5 for more detail.

Data Stewardship Advisory Group: A University-wide committee, comprised of the Data Stewards, charged with the on-going review of the operational effectiveness of data management policies. See section C.6 for more detail.

Data Steward: Typically an operational manager in a functional area with day-to-day responsibilities for managing business processes. See section C.2 for more detail.

Data Trustees: Senior University officials who have planning and policy-making responsibility for the University Data Warehouse. See section C.1 for more detail.

Data User: Individuals who access University data in order to perform their assigned duties. See section C.3 for more detail.

Institutional Data: Data gathered, produced, stored, and/or disseminated concerning any aspect of the University's operations. Also referred to as University data.

University Data: Data gathered, produced, stored, and/or disseminated concerning any aspect of the University's operations. Also referred to as institutional data.

University Data Warehouse: The repository for institutional data, which is used for reporting both transactional and analytical data.

Related Policies

Page last reviewed: February 3, 2014