Policies and Procedures
Data Governance Policy
The State University of New York College of Environmental Science and Forestry (SUNY ESF) strives to establish an essential framework for the necessary control and enforcement mechanisms of institutional data management and use.
Reason for Policy
The purpose of the Data Governance Policy is to provide an organized framework of procedures for managing institutional data and data strategies by addressing data governance structure in the assigning of data administration roles and responsibilities. This policy also lays the foundations of clear lines of accountability and responsibilities to ensure that SUNY ESF institutional data meet high quality standards across college administrative data systems.
References
Policy Office: Executive Director for Administration
Contact: [email protected]
- SUNY Data Transparency and Reporting Policy DEC. No. 1100
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA, 314.4)
- FAIR Principles
Contacts
Specific questions should be directed to the following:
Policy Clarification and General Information Policy Development
Data Governance Committee Chair
(315) 565-3097
[email protected]
Definitions
- Employee - Term includes faculty, staff, graduate assistants, and student employees.
- Data - Facts, ideas, or discrete pieces of information, especially when in the form originally collected and unanalyzed.
- Data Access - The right to read, enter, copy, query, download, or update data, which is potentially different for different sets of data for each person and role.
- Institutional Data - Institutional Data is a large subset of the totality of the College's records and includes any information in print, electronic, or audio-visual format that meets the following criteria:
- Acquired and/or maintained by College employees in the performance of official administrative job duties;
- Created or updated via the use of a College enterprise system or used to update data in an enterprise system;
- Relevant to planning, managing, operating, or auditing a major function at the College;
- Referenced or required for use by more than one organizational unit; and
- Included in official College administrative reports or official College records.
- Role-Based Access Control - Role-based access control (RBAC) is a method of restricting access to data based on the roles of individual users within an enterprise. RBAC lets employees have access rights only to the information they need to do their jobs and prevents them from accessing information that does not pertain to them.
- Data Governance Committee - The standing College Committee which prepares, compiles, creates, and recommends policies and procedures to the President for approval on institutional data standards, guidelines, protocols on the collection, management, revision, and access to such data. Additionally, Data Governance will address any procedural issues and address appeals.
- Data Trustees - Senior leader(s) of the college who have the responsibility for managing at least a segment of the Institutional Data. The Data Trustees are comprised of the President and the Data Governance Committee.
- Data Stewards (Owners) - Individuals, roles, or committees primarily responsible for information assets in their functional areas.
- Data Custodians - A college employee who has operational responsibility over institutional data. There may be multiple data custodians each responsible for varying functions.
- Data User - A person that has been authorized access to specific institutional data.
- Information Technology Staff - Information Technology staff who have responsibility for configuring and maintaining the infrastructure for the Institutional Data as well as implementing the security and access framework.
Policy Details
Overview
The value of data as an institutional resource is increased through its widespread and appropriate use; its value is diminished through misuse, misinterpretation, unnecessary restrictions to its access, or failure to maintain quality. Most importantly, wide access to data will enable consumers to identify new relationships in data and new information previously unknown or unavailable. This is the domain of data mining and to some degree what-if analysis. ESF endorses and supports this within the appropriate security and privacy constraints.
Information maintained by ESF is a vital asset that is available to all employees who have a legitimate need for it, consistent with the College’s responsibility to preserve and protect such information by all appropriate means. The College is the owner of all institutional data, including administrative and student data; individual units or departments may have stewardship responsibilities for portions of that data.
The College determines levels of access to institutional data according to principles drawn from various sources. State and federal law provides a clear description of some types of information to which access must be restricted. In an academic community, ethical, security, and privacy considerations are other important factors in determining access to institutional data.
The College is committed to establishing and maintaining data standards and quality, while adhering to all privacy and compliance requirements, including relevant information security concepts and constructs.
Most importantly, institutional data is a strategic asset to the College. When coupled with and processed through business intelligence, institutional data allows the College to make the best possible strategic decisions quickly, correctly, and without bias. Institutional Data includes, but is not limited to:
- Financial data
- Human resource data
- Information technology data: Identity and access management, E-mail, shared documents
- Library data
- Official university reporting data
- Physical facility data
- Research Foundation data
- Student data: All information in the Student Information System (SIS) and its related auxiliary systems, including admissions, student success, co-curricular, residence hall, and LMS.
The College expressly forbids the use of Institutional Data for anything but the conduct of College business. Those accessing data must observe requirements for confidentiality and privacy, must comply with protection and control procedures, must accurately present the data in any use, and must comply with applicable College policies, state and federal laws and regulations.
Purpose
Data Governance is the overall management of the availability, integrity, and security of data used in the enterprise, including a defined set of procedures and a plan to execute those procedures.
The primary purposes of this policy are:
- To establish and define the Institutional Data
- To establish the governance structure, including the responsibility and authority
- To define and communicate the institutional data architecture, framework, and standards, including:
- Data Standards
- Data Classifications
- Data Quality
- Data Access
- Data Compliance and Privacy
- Data Retention and Archiving
- Information Security
- To monitor and enforce compliance with the framework and standards
- To define the primary operational roles for execution of data governance, including identification of responsible parties
Framework
The desired outcome of the policy and the framework is secure ease of access to data by properly authorized individuals in performing their job responsibilities. The framework is supported by the across-the-board baseline technology and the five pillars. The five pillars of this framework are:
- Policies and standards
- Quality and consistency
- Security and privacy
- Compliance
- Retention and archiving
Scope
This policy establishes the framework for technical and behavioral standards and guidelines in creation and management of institutional data, especially as related to data quality and consistency, security and privacy, compliance, retention and archiving, and access by individuals. It assigns responsibilities to offices and individuals regarding management of data.
This policy covers all institutional data, including but not limited to machine-readable data and printed data on all media, principal copies, backup copies, and archival copies.
The policies and procedures of this document are applicable to and binding for all ESF constituents, including but not limited to all students, faculty, staff, affiliates, guests, contractors, vendors, and others who are on-campus and off-campus. Specifically, the policies and procedures of this document are applicable and binding for all providers who host College data in their off-site systems, unless specifically excluded or subjected to revised policy and contract provisions after due consideration by Information Security staff and Campus Counsel, followed by Data Governance Committee endorsement. To the maximum degree possible, the provisions of this policy and its procedures must be made part of the contract with outside providers who host ESF College data in their off-site systems.
Data Administration Roles
Data Trustees
Senior leader(s) of the college primarily responsible for establishing and enforcing the College Data Governance framework and policies regarding data classification, standards, quality, access, compliance, retention and archiving, and information security. The Data Trustees are comprised of the President and the Data Governance Committee. In doing so, Data Trustees may establish sub-committees or working groups with external membership. Finally, Data Trustees will appoint Data Stewards.
Data Stewards (Owners)
Individuals, roles, or committees primarily responsible for information assets in their functional areas. These individuals are responsible for:
- Identifying the organization’s information assets under their areas of supervision;
- Understanding risk tolerance and accepting or rejecting data access requests based on risk assessments related to security threats that impact the confidentiality, integrity, and availability of enterprise data;
- Ensuring data assets receive an initial classification upon creation;
- Determining the appropriate criteria for obtaining/allowing access to institutional data;
- Assigning day-to-day administrative and operational responsibilities for institutional data to one or more Data Custodians;
- Developing procedures and protocols to ensure institutional data integrity;
- Reporting data deficiencies to Data Governance Committee;
- Appointing Data Custodians.
Data Custodians
A college employee who has operational responsibility over institutional data. There may be multiple data custodians each responsible for varying functions. A data custodian is responsible for the following:
- Understanding and reporting on how institutional data is stored, processed, and transmitted by the college and by third-party agents of the college;
- Documenting and disseminating administrative and operational procedures to ensure consistent storage, processing, and transmission of institutional data;
- Implementing the day-to-day aspects of the data quality and integrity procedures and protocols developed by Data Stewards;
- Developing and recommending Data Definition and Classification to the Data Stewards;
- Understanding and reporting on security risks and how they impact the confidentiality, integrity, and availability of institutional data.
Data User
A person that has been authorized access to specific institutional data making them responsible for:
- Classifying and marking, where feasible, all created or modified institutional data, including any reproductions that are made (e.g., reports);
- Appropriate handling of all classified data (electronic or non-electronic);
- Abiding by all data classification rules defined by this policy and related procedures as well as all applicable rules and regulations.
Information Technology Staff
Information Technology staff who have responsibility for configuring and maintaining the infrastructure for the Institutional Data as well as implementing the security and access framework.
- Creating and managing asset inventories used to store, process, transmit or provide access to electronic information;
- Assisting in the development of Data Standards, Data Dictionary, and Data Quality.
Procedures
Specific Procedure
Policy Development
- Identify current issues associated with institutional data management and use.
- Review data governance policies that SUNY and other higher education institutions have implemented.
- Draft an ESF data governance policy with hierarchical data administrative roles.
- Review and finalize the policy.
- Identify ESF data assets and responsible offices/units (Data Stewards).
- Assign data administrative roles (e.g., Data Custodians, Information Technology Staff)
- Develop standard procedures for documentation.
- Develop a data request form.
- Establish subcommittees as needed.
Policy Review
This policy will be reviewed every 12 months. The Data Governance Committee will review and, if necessary, revise the Data Governance Policy in all its components once a year. Even if it is deemed that no revision is necessary, the policy will be re-certified once a year. The ESF Data Governance Committee will present the progress and status of Data Governance to the Executive Cabinet annually.
History
Procedure Revision Record
02/05/2026 Implementation Date
Policy Revision Record
02/05/2026 Policy Implementation
