PPM 10-8, Institutional Data Policy

Responsible Office: Academic Affairs

1.0 PURPOSE

The purpose of this policy is to establish principles and responsibilities for the management and governance of institutional data. Institutional data shall be treated as a strategic university asset managed in compliance with applicable laws, policies, and standards to support the university’s mission, operations, and data-informed decision making. This policy promotes the integrity, security, accessibility, and appropriate use of institutional data and establishes expectations for responsible data stewardship across the university.

1.1 Scope of Policy

1.1.1 This policy applies to all institutional data generated, collected, maintained, or otherwise used by Weber State University, and to all individuals and systems that interact with institutional data.

1.1.2 This policy does not apply to data acquired or maintained by University personnel primarily for the purposes of conducting and publishing academic research. 

2.0 DEFINITIONS

2.1 Data Classification - The process of grouping institutional data by sensitivity to determine the level of protection required for appropriate access, use, and security.

2.2 Data Domain - A high-level functional data category used to assign accountability and responsibility for institutional data. Each data domain is overseen by a designated data trustee.

2.3 Data Standard - A standard or rule that is relevant to the data within at least one data domain (or subdomain). It is based on policy or law and further explains how the University interprets the policy or law. It may also name or require the documentation of procedures that describe how the interpretation is applied.

2.4 Data Governance System - A platform used to support the implementation of the institution’s data governance program by managing governance artifacts, business glossaries, data dictionaries, and data catalogs (inventories of institutional data assets). It may also support data profiling, classification, stewardship workflows, and processes for managing appropriate data access.

2.5 Data Governance Program - A framework of processes and tools established by the university that provides structure for formally managing the quality, integrity, security and usability of institutional data.

2.6 Data Lifecycle - Encompasses the entire span of data existence (in all its various forms and derivatives, including data points, datasets, databases, data files, visualizations, and code) from creation/collection through storage, processing, use, and eventual disposal or archival.

2.7 Institutional Data - Information created, collected, maintained, transmitted, or recorded by or for the University to conduct University operations. It includes data used for planning, managing, operating, controlling, or auditing university functions, operations, and mission. Institutional data includes, but is not limited to, information in physical, electronic, audio, and visual formats. Institutional data does not include personal medical, psychiatric, or psychological data for both employees and students; data created or used in the conduct of research; or information created through acceptable, limited personal use of university systems that are not related directly to university functions.

2.8 System of Record - The single system designated as the University’s authoritative source for a specific data element, where the data is created, captured, and/or maintained according to defined rules and expectations.

2.9 System of Reference - An authoritative system that contains a reliable version of data for analysis or operational use, regardless of where the data originated. It serves as a trusted source for accessing accurate institutional data.

3.0 POLICY

3.1 Data Governance Roles and Responsibilities - Institutional data is a university asset and shall be managed as a shared resource that supports academic, administrative, and strategic functions. The following roles and responsibilities establish accountability for the proper governance, protection, and use of institutional data.

3.1.1 Data Governance Executive Sponsors - Executive-level leaders responsible for the strategic oversight of the institutional data governance program. They provide high-level approval and prioritization of strategic initiatives, endorse policies, and ensure adequate funding and resources. These executives advocate for data governance initiatives, align data practices with the institution’s academic and administrative missions, and help remove organizational barriers to effective implementation.

3.1.2 Chief Data Officer (CDO) - An executive leadership position responsible for enterprise-wide data governance and the strategic use of data as an institutional asset. The CDO develops and implements a data strategy that aligns with organizational goals, ensures data quality and regulatory compliance, and maximizes the value of data assets.

3.1.3 Data Governance Council - The Data Governance Council is composed of designated officials (trustees and experts) with planning, policy, and management responsibilities for data within their respective functional areas or area of expertise. The Council supports the effective management of the University’s data assets by making policy recommendations, establishing procedures and standards, advocating for necessary resources, and guiding and monitoring data governance initiatives. It is chaired by the CDO.

3.1.4 Institutional Data Trustees - University officials with authority over institutional data or its use, as designated by the Data Governance Executive Sponsors. They are accountable for managing, protecting, and ensuring the integrity and value of institutional data within their respective domains. Trustees are responsible for upholding all applicable WSU policies, as well as relevant state and federal laws. Each trustee may appoint one or more Institutional Data Stewards to assist with responsibilities within their specific data domain.

3.1.5 Institutional Data Stewards - Institutional Data Stewards serve as the primary point of contact for data management within their assigned data domains. Appointed by and accountable to Data Trustees, they help define, implement, and enforce data management policies and procedures. Data Stewards are responsible for managing, provisioning, protecting, and ensuring the integrity and usefulness of institutional data in compliance with WSU policies, as well as applicable state and federal laws.

3.1.6 Institutional Data Custodians - Data Custodians are responsible for the administration of institutional data systems, tools, and related technical resources. Identified by Institutional Data Stewards, Custodians serve as the primary point of contact for data management issues that require technical or system-level support. They ensure that data systems operate securely, reliably, and in accordance with data governance policies and standards.

3.1.7 Data Users - Individuals who access, use, or generate institutional data in support of University operations. They are responsible for handling data in accordance with applicable policies, procedures, and data governance standards.

3.2 Data Quality and Integrity - The University shall manage institutional data in a manner that supports its accuracy, integrity, and fitness for intended purposes. Data Trustees have the role of accountability and oversight to assure this trust, with decisions and actions recorded at an appropriate level of detail.

3.3 Data Lifecycle Management - Institutional data shall be actively managed from creation through disposal in accordance with applicable laws, university policies, and approved retention schedules. The University follows the retention schedule approved by the State Records Committee.

3.4 Data Identification and Documentation - Institutional data shall be appropriately identified and documented, including data sources, elements, processes, integrations, and products. Documentation should be maintained in the University’s data governance systems to promote transparency, consistency, shared understanding, and ease of access and use.

3.5 Data Access and Authorization - Access shall be granted based on data classification and an individual’s role and business need, consistent with the principle of least necessary access and approved by the appropriate Data Trustee. Permissions shall be documented, regularly reviewed, updated, and revoked as needed, in compliance with applicable policies and laws.

3.6 Data Classification - The classification of institutional data establishes the minimum security requirements needed to protect institutional data from unauthorized disclosure or misuse. Classification levels are defined by Data Trustees in the Data Classification Standard and are reviewed and approved by the Data Governance Council.

3.7 Data Collection and Sharing - Institutional data shall be collected, acquired, and shared in accordance with applicable laws, regulations, and university policies. All data collection, acquisition, and sharing shall comply with established privacy standards.

3.8 Systems Management - Information systems that store, process, or transmit institutional data shall be purposefully planned, documented, and integrated into the university’s data architecture and data governance processes. The entire data lifecycle and classifications shall be considered when evaluating, procuring, or implementing IT systems and services. Each system shall be clearly documented as to its business purpose and the domains and classification of the data it holds, and shall align with data governance requirements to ensure consistent, reliable, and secure data management.

3.9 Systems of Record / Systems of Reference - Institutional data products shall source data from designated systems of record or systems of reference. Published, distributed, or shared institutional data resources and products shall avoid unnecessary duplication and adhere to established integration standards.

3.10 Procedures and Standards - Procedures, standards, and guidelines will be developed by nominated stakeholders and approved by the Data Governance Council to support the implementation and operationalization of this policy.

3.11 Public Records - The University is subject to the Government Records Access and Management Act and other applicable transparency laws. While certain records may be designated as public, data maintained for University purposes must be protected according to its data classification. Public records requests shall be managed in accordance with the University’s Public Records policy and related procedures.

3.12 Training and Awareness - Individuals with access to institutional data are expected to complete all required University training related to data use, security, privacy, records management, and compliance. The University will regularly review and update training content as part of a continuous improvement cycle to reflect changes in laws, technologies, and institutional standards. Training effectiveness and participation will be monitored and evaluated to ensure accountability, preparedness, and ongoing alignment with institutional needs.

3.13 Compliance - Institutional data shall be accessed, used, disclosed, and stored only for legitimate University purposes and in accordance with applicable laws, regulations, contracts, and University policies. Data Users are responsible for protecting confidentiality, respecting privacy, and ensuring institutional data is acquired, accessed, managed, handled, and shared in accordance with University policy.

3.14 Relinquishing Data - All Data Users are required to relinquish institutional data upon the end of their University employment or as required by changes in their role or relationship with the University, arrangements with senior management, Data Steward requirements, contractual requirements, and/or University policy requirements.

3.15 Policy Violations - Penalties and enforcement of this policy will be in accordance with University policies. Appropriate disciplinary and/or legal action will be taken when warranted in any area involving violations of this policy. The University may temporarily suspend or block access to university computing resources prior to the initiation or completion of disciplinary procedures. The University may refer or be required to refer suspected violations of applicable law to appropriate law enforcement agencies.

3.16 Duty to Report - All individuals to whom this policy applies shall report suspected unauthorized or inappropriate access, use, disclosure, or generation of institutional data immediately upon discovery in accordance with approved standards, procedures, and guidelines.

3.17 Review and Revision - This policy shall be reviewed as needed by the Data Governance Council to ensure alignment with evolving university needs, best practices, and applicable legal and regulatory requirements. The CDO serves as the Policy Manager and is responsible for initiating regular maintenance processes with the Data Governance Council and disseminating policy changes through the University’s Policy Office policy, procedures and standards.

Revision History 

Creation Date: 10-16-2025

Last Reviewed:

Amended: