Administrative Data Management Policy
All Administrative Data is owned by New York University and, as such, all members of the University community and affiliates are responsible for appropriately using and safeguarding that data. This policy establishes uniform data management standards for Administrative Data and identifies the shared responsibilities for assuring: a) the integrity of Administrative Data, and b) that Administrative Data efficiently and effectively serves the needs of the University.
Scope of this Policy
This policy applies:
- To all employees whose job responsibilities include inputting, safeguarding, retrieving, or using Administrative Data, and to those who supervise such individuals.
- To the University and all of its campuses, schools, colleges, institutes, and administrative and auxiliary units, other than the NYU Langone Medical Center.
- To all Administrative Data regardless of means or location of storage. Therefore, this policy applies to Source Data Systems and Administrative Data extracted from those Source Data Systems, as well as data stored in any data repository.
A. Guiding Principles
- In order for the University to effectively manage and safeguard its Administrative Data, procedures must be in place to guide appropriate access to Administrative Data, ensure the security of Administrative Data, and provide a means to address procedural exceptions. It is necessary for all employees who deal with Administrative Data to be trained and informed about data security.
- Role definitions of individuals with data responsibilities and of eligible users are necessary to support data integrity and security.
- Sharing Administrative Data between academic and/or administrative units within the University should be facilitated where appropriate, subject to appropriate security restrictions as established by each Data Domain Trustee and ratified by the Data Trustees.
- Implementation of this policy will reinforce, wherever possible, a uniform set of definitions for commonly consumed data throughout the University (e.g., “enrolled student” should wherever possible have the same meaning throughout the University).
- Integration of Administrative Data across the University should be encouraged to foster data accuracy and uniformity, consistent with NYU’s institutional complexity, various data systems, and differing data formats (e.g., the country codes in student vs. alumni applications). This should result in reduced duplication of data and greater data accuracy.
- Administrative Data should be safeguarded to maintain the confidentiality and privacy of personally identified and personally identifiable information.
B. Data Administration
1. University Ownership of Administrative Data
All Administrative Data is owned by New York University. As such, all members of the University community have the obligation to appropriately use and safeguard the asset, in all formats and in all locations.
Roles and responsibilities for safeguarding and classifying the Administrative Data asset are defined below in section C, Data Management Roles and Responsibilities.
3. Data Classification
Administrative Data is categorized as Low Risk, Moderate Risk, and High Risk following the Data and System Security Policy and Electronic Data and System Risk Classification Policy and should be safeguarded appropriately.
4. Access and Confidentiality
Access to University Administrative Data should be based on the business needs of the organization and should enhance the ability of the University to achieve its mission. Employees shall have access to the Administrative Data needed to perform their responsibilities. Individually identifiable data shall be available to the extent necessary to perform administrative tasks. The Chief Administrative Data Management Officer is responsible for ensuring that procedures are developed by functional offices to address those cases where a member of the University community seeks permission to access Administrative Data beyond the normal performance of their duties. The Data Trustees will review and ratify the procedures as developed.
Because no computer system is completely immune from unauthorized access or attempted access (e.g., “hacking”), applying layered security controls (e.g., multiple levels of access permissions) will better safeguard University computers and NYU’s ever-expanding body of Administrative Data, which is often sensitive. In order that the proper controls are applied, it is the responsibility of each person accessing Administrative Data to:
a. Know the classification of the system being used.
b. Know the type of Administrative Data being used.
c. Follow the appropriate security measures.
d. Consult the Related Policies in the right sidebar for further information.
Beyond existing policies, specific policies implementing data access and security and developed by functional areas shall be reviewed and approved by the Data Trustee Committee to ensure consistency with the Guiding Principles set forth in Section A, above.
Before an individual is permitted access to Administrative Data in any form, training in the use and attributes of the data, functional area data policies, and University policies regarding data is strongly encouraged. The Data Domain Trustees shall establish the appropriate levels of training for all such individuals within their units.
6. Integrity, Validation, and Correction
Administrative Data must be safeguarded and managed in all formats and media (e.g., print and digital), at all points of access, and across all University systems through coordinated efforts and shared responsibilities. Each Data Trustee, in conjunction with the appropriate Data Domain Trustee, shall be responsible for developing a plan for their functional area to assess the risk of erroneous or inconsistent data and indicate how such Administrative Data, if found, will be corrected. The Chief Administrative Data Management Officer will be responsible for ensuring that each functional area uses that plan to develop and implement processes for identifying and correcting erroneous or inconsistent data.
7. Extraction, Manipulation, and Reporting
8. Access to University Data from Global Locations
All campuses and sites will need to access Administrative Data following the same University policies, as well as to comply with any federal, state, or local requirements.
C. Data Management Roles and Responsibilities
Data management roles with responsibilities are outlined below:
1. Data Trustee
Data Trustees are senior University officials (typically at the level of Vice President or higher) who have planning and policy-making responsibilities for Administrative Data and for the establishment of operational processes to collect and record data in accordance with University business rules. The Data Trustees, as a group, are responsible for overseeing the establishment of Administrative Data management policies and procedures, and for the assignment of data management accountability.
2. Data Domain Trustee
Data Domain Trustees are senior managers in operational areas responsible for maintaining the content of Transactional Systems. The Data Domain Trustees implement policy as established by Data Trustees, assign Data Stewards, and serve as the first escalation point for problem/policy resolution from the Data Stewards.
3. Data Steward
Data Stewards are typically operational managers in a functional area with day-to-day responsibilities for managing business processes and establishing the business rules for the Transactional Systems. Data Stewards are appointed by the respective Data Domain Trustees. In support of the role of the Data Steward, the Vice President, Information Technology & Global University Chief Information Officer provides technological data protection services.
4. Data User
Data Users are individuals who access Administrative Data to perform their assigned duties. Data Users are responsible for safeguarding their access privileges, for the use of the Administrative Data in conformity with all applicable University policies, and for securing such data.
5. Office of Institutional Research and Data Integrity
The Office of Institutional Research and Data Integrity shall be responsible for working with the appropriate Data Stewards to develop definitions of commonly used terms and will define how official University metrics are calculated. Further, in the course of its work, the Office of Institutional Research and Data Integrity will typically discover data discrepancies and inconsistencies and will promptly report such to the appropriate Data Steward for resolution.
6. Chief Administrative Data Management Officer
The role of Chief Administrative Data Management Officer is assigned to a member of the University's Office of Institutional Research and Data Integrity who is responsible for coordinating all activities related to Administrative Data Management.
7. Data Trustee Committee
The Data Trustee Committee establishes overall policies for management and access to the Administrative Data of the University. This committee shall be composed of the Data Trustees; shall be chaired by the Chief Administrative Data Management Officer; shall approve the policies and procedures developed in each functional area by the Data Stewards and Data Domain Trustees to ensure appropriate compliance with this policy; shall provide oversight of all University processes which capture, maintain, and report on Administrative Data; and shall approve any decisions to archive Administrative Data.
8. Data Stewardship Advisory Group
The Data Stewardship Advisory Group is a University-wide committee, primarily composed of Data Stewards. Designated Data Users may be invited to attend, as appropriate. This group reviews the operational effectiveness of Administrative Data management policies and procedures and makes recommendations to the Data Trustee Committee for improvement or change. Data Stewards will share best practices during their meetings, as well as raise concerns which cross functional areas. The group is chaired by the Chief Administrative Data Management Officer. The Data Stewardship Advisory Group must ensure regular and appropriate collaborative communication with Data Users on any operational changes which impact business processes and data.
9. Data Custodian
The Data Custodians are information technology experts assigned to each transactional and reporting system which maintains Administrative Data. Data Custodians oversee the safe transport and storage of data, establish and maintain the underlying infrastructure, and perform activities required to keep the data intact and available to users.
In addition, Data Custodians are responsible for working with Data Stewards and the Chief Administrative Data Management Officer to develop automated processes which identify erroneous, inconsistent, or missing data. Data Custodians work with data support groups, the Chief Administrative Data Management Officer, and Data Stewards to resolve data issues.
- Dates of official enactment and amendments: Not Available
- History: Last Review: January 29, 2019. Last Revision: January 29, 2019. (Under current review to determine revisions.)
- Cross References: N/A
About This Policy
Effective Date Supersedes N/A Issuing Authority Executive Vice President Responsible Officer Senior Vice President for Enrollment Management; Vice President for Information Technology and Global University Chief Information Officer
Administrative Data: Data that is gathered, produced, stored, and/or disseminated concerning any aspect of the University’s operations. Such data includes, but is not limited to, general ledger/accounting, human capital management, student, alumni/development, space management, faculty housing, and student housing data, and also includes any data derived from the use of such data. Administrative Data excludes data related to Teaching and Learning, Research, or Community Life, which are not covered by this policy, and specifically excludes “Personal Digital Content” as described in the NYU Policy on University Access to Personal Digital Content. Administrative Data may be stored in University-supported or other data systems.
Data Classification: Details and examples of different data classifications are contained in the Electronic Data and System Risk Classification Policy. A summary of those classifications is provided here:
- High Risk - Data whose unauthorized access or loss could seriously or adversely affect NYU, a partner, or the public.
- Moderate Risk - Data with a less high level of criticality, but that should be protected from general access.
- Low Risk - All other non-public data not included in the Restricted or Protected classes.
- Public - All public data.
Source Data System: An information storage system that is the authoritative data source for a given data element or piece of information.
Transactional Systems: Information processing systems for business processes involving the collection, modification and retrieval of data, as contrasted with systems used for analytics or reporting.
University: All parts of New York University other than the NYU Langone Medical Center.