10-05.00 – Data Governance Policy

  1. Policy Statement:

    University data is an essential and key asset that must be managed, accessed, and secured appropriately. The University has an obligation to protect and govern the use of that data. 

    The purpose of this policy is to govern the confidentiality, integrity, availability, and quality of University data, to assign responsibilities for the control and appropriate stewardship of University data, and to support and maintain related policy principles and procedures. 

  2. Definitions:

    1. “University Data” items of information that are collected, maintained, and/or utilized by the University for the purpose of carrying out institutional business, even if subject to any contractual or statutory limitations. University Data may be stored either electronically or on paper and may take many forms (including but not limited to: text, graphics, images, sound, or video). Research data, scholarly work of faculty or students, and intellectual property that do not contain personally identifiable information or other data protected by law or University policy are not covered by this policy. University Data include all data required to conduct the operations of the University. This includes any data elements that are created, received, maintained or transmitted by entities and individuals within the scope of this Policy. 

    2. “Data Governance” is the exercise of authority, planning, monitoring, and enforcement over the management of data assets, defining who can take what actions, with what information, under what circumstances, using what methods.  

    3. “University Classification" in the context of information security, this is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered or destroyed without authorization. This classification of data helps determine what baseline security controls are appropriate for safeguarding that data. 

  3. Responsible Executive and Office:

    Responsible Executive:
    Vice President of Administration & Finance and Chief Fiscal Officer

    Responsible Office:
    Office of Technology Services

  4. Entities Affected by This Policy:

    All divisions, colleges, departments and operating units, and University faculty, staff, students, volunteers, visitors, contractors and any other persons using University information resources.

  5. Data Governance Principles:

    1. Policy Principles

      The purpose of Data Governance is to protect University Data and the information resources of the University from unauthorized access or damage. The underlying principles followed to achieve this objective are:

      1. University Data are the property of the University and shall be managed as a key asset within Federal, State and University System of Maryland (“USM”) regulations.

      2. Data shall be collected in a lawful and appropriate manner in accordance with the requirements of applicable laws and regulations (e.g., FERPA, HIPAA, GDPR, PCI, etc.).

      3. All University data shall be categorized according to a data classification scheme that defines security requirements based on impact and sensitivity. Towson University categorizes data into three classifications (Public, Protected and Confidential). 

      4. University Data must be created, processed, stored, shared, and or destroyed according to approved Data Use Standards.

      5. Data Governance roles and responsibilities are defined in the Roles and Responsibilities Guidelines, and all entities and individuals within the scope of this policy will be held accountable according to the policies stated within. 

      6. Resolution of issues related to University Data shall be approved and documented by the OTS designated committee responsible for data governance. 

      7. Quality standards for University Data shall be defined and monitored by OTS. 

      8. Necessary maintenance of University Data shall be defined by OTS.

      9. University Data shall not be unnecessarily duplicated.

    2. Enforcement

      1. All individuals within the scope of this policy are responsible for understanding and complying with all applicable University policies, procedures, standards, and guidelines for dealing with University Data and its confidentiality, integrity, availability and quality.

      2. Violations of this policy may result in disciplinary action in accordance with applicable University policies and procedures. Revocation or restriction of computer privileges is also possible.

      3. Exceptions to this policy must be escalated according to the Data Governance Roles and Responsibilities Guidelines.

      4. The Director of Information Security reserves the right to audit the use and handling of all University Data on a periodic basis to ensure compliance with this policy.

      5. Any individual within the scope of this document that has any knowledge or suspicion of a violation or inappropriate use and/or disclosure of University Data must report it to the Director of Information Security at datagovernance@towson.edu or by contacting SPeakTU, a 24-hour / 7 day a week hotline.  University faculty and staff should also report it to their supervisor.

Related Policies:

TU Policy 10-01.01, Information Technology Security Policy

TU Policy 10-01.02, Acceptable Use Policy

USM Policy X-1.00 - Policy on USM Institutional Information Technology Policies

USM Policy X-2.00 Policy on Compliance with USM Policies through Technology

TU Policy 07-01.00 et seq. - Human Resources Policies

See also:

Towson University Code of Student Conduct

Guidelines for Responsible Computing

Data Governance Roles and Responsibilities Guidelines

Standards for Data Classification

Data Use Standards

Approval Date: August 31, 2016

Effective Date: August 31, 2016

Amended Date: February 24, 2021

Approved By: President’s Council February 24, 2021

Signed By: President’s Council

How to Request the Policy PDF

This online version of the policy may include updated links and names of departments. To request a PDF of the original, signed version of this policy, email the Office of the General Counsel, .