10-04.00 – Data Stewardship Policy

  1. Policy Statement:

    Towson University (“University”) expects all stewards, custodians and users of its administrative data to manage, access, and utilize this data in a manner that is consistent with the University’s need for security and confidentiality. The University functional areas must develop and maintain clear and consistent procedures for access to University administrative data.

  2. Reason for Policy:

    Maintaining the confidentiality, integrity, and availability of University data is critical to the success of the University. This policy establishes the methodology by which the University will manage its data and assigns responsibilities for the control and appropriate stewardship of University data.

  3. Definitions:

    1. “University Data” are items of information that are collected, maintained, and utilized by the University for the purpose of carrying out institutional business even if subject to any contractual or statutory limitations. University Data may be stored either electronically or on paper and may take many forms (including but not limited to: text, graphics, images, sound, or video). Research data, scholarly work of faculty or students, and intellectual property that do not contain personally identifiable information or other data protected by law or University policy are not covered by this policy.

    2. “Data Steward” is a University official or designee having direct operational-level responsibility for information management (usually department directors). Data Stewards are responsible for data access and policy implementation issues

    3. “Data Custodian” is a department and/or personnel responsible for providing a secure infrastructure in support of the data including, but not limited to: providing physical security; backup and recovery processes; providing access to users as authorized by the Data Stewards; and implementing and administering appropriate levels of controls over the information.

    4. “Data User” is an individual who needs and uses University Data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of that data. Any University employee with access to University Data can be considered a Data User.

    5. “University” means Towson University.

  4. Responsible Executive and Office:

    Responsible Executive:
    Vice President for Administration & Finance and Chief Fiscal Officer

    Responsible Office:
    Office of Technology Services

  5. Entities Affected by this Policy:

    All Data Stewards, custodians and users of University Data.

  6. Procedures:

    1. Data Classification

      All data shall be classified in one of three categories:

      1. Public Data – data intended for general public use. An example is the University’s online directory.

      2. Protected Data – All data which are not legally restricted and which may be accessed, without restriction, by University employees in the performance of official University business.

      3. Confidential Data – All data which, if released in an uncontrolled fashion, could have substantial fiscal or legal impact on the University. Examples include personal data containing elements such as Social Security Numbers, health records, credit card information, student grades, and personnel records. Personally identifiable information (other than public data [directory information as defined under FERPA, HIPAA or other federal law]) should be considered Confidential.

    2. Roles and Responsibilities

      All University employees, students, affiliates and others granted access to University Data or University information systems are responsible for understanding the terms and conditions under which they may access and use University Data. An individual may have one or more of the roles listed below.

      1. Data Steward

        1. Establishes definitions of the data assigned to them.

        2. Develops policies, procedures and guidelines for the management, security and access to data in their control according to University policies and standards.

        3. Reviews and approves users’ access to data.

        4. Reviews and updates user access routinely and communicates changes to Data Custodian.

        5. Ensures appropriate classification of data.

        6. Assists in establishing necessary security and access controls for data in electronic form.

        7. Provides guidance to departments and individuals within the area of responsibility on data access and policy implementation.

        8. Defines requirements for safeguarding data.

        9. Ensures that security policies are implemented. 

        10. Delegates operational responsibilities for data.

        11. Ensures that responsibilities within their office and delegated to technical administrators, third-party vendors, or other custodians are met.

      2. Data Custodian

        1. Provides user access to data as defined by the Data Steward.

        2. Removes user access as necessary.

        3. Provides a secure and stable environment for the storage of the data.

      3. Data User

        1. Protects all data and access to data in their care. Recipients of Confidential Data are responsible for maintaining the restricted nature of the data.

        2. Uses data and access to data only as required in the performance of legitimate University functions and their job.

        3. Adheres to applicable Federal and State laws, requirements of any applicable contracts, and University policies, standards and procedures.

    3. Enforcement

      Violations may result in disciplinary action in accordance with applicable University policies and procedures. Revocation or restriction of computer privileges is also possible. The Information Security Officer reserves the right to audit computer and network systems on a periodic basis to ensure compliance with this policy. Report any violation of this policy to the ISO.

Related Policies: 

TU Policy 10-01.01, Information Technology Security Policy

TU Policy 10-01.02, Acceptable Use Policy

Approval Date: 04/18/2011

Effective Date: 04/18/2011

Approved By: President’s Council 04/13/2011

Signed By: President’s Council

How to Request the Policy PDF

This online version of the policy may include updated links and names of departments. To request a PDF of the original, signed version of this policy, email the Office of the General Counsel, .