University of Saskatchewan

Policies

Data Management Policy

Operations and General Administration

Responsibility: President
Authorization: Board of Governors
Approval Date: Mar 22, 2005
Amended: Mar 21, 2017

Purpose

The University of Saskatchewan (U of S) is responsible for ensuring the availability, confidentiality, and integrity of all information to which it is entrusted. University data, whether managed and residing on university information technology resources, stored on personal devices, managed by a third party or a business partner, or outsourced to a service provider, is an important asset that must be governed, protected, and appropriately safeguarded.

Improper use of the university’s data may result in harm to the university, its faculty, staff, students, and alumni. This harm could impact the university’s mission of teaching and learning, research and service delivery. It exposes the university to criminal, financial and reputational risks. Members of the university community have the responsibility to appropriately use, maintain, and safeguard university data.

This policy will provide a framework to safeguard and protect the university’s data while providing flexibility to support the broad range of academic, research and administrative activities.

Principles

This policy is guided by the principles and values outlined in the U of S mission, vision, and values statement and by the principles outlined in the university’s IT enterprise architecture. It was also developed in the context of the following data management principles:

Definitions

Scope of this Policy

This policy is applicable to all university community members and all University of Saskatchewan academic and administrative units, ancillary units, and any affiliated organizations (collectively referred to as “units”) that create, modify or make use of university data.

It covers all university data regardless of where it is stored (on campus or off campus), where it is being accessed from (on campus or off campus), and whether the data is in raw form, derived, summarized or aggregated.

The policy has been developed in the context of, and is designed to complement,

Policy

All units and members of the university community must access and use university data in ways that safeguard the data and protect the institution.

Units and members of the university community must ensure:

  1. Compliance with regulatory requirements, as well as third-party and other contractual data obligations.
  2. Data is used for the purposes for which it is collected and any restrictions for its use are observed.
  3. Data is collected, stored, and disposed of in ways appropriate to the risk and impact of unintended disclosure.

For research data, the principal investigator is accountable for all decisions regarding their research data.

For decisions regarding institutional data, such as access, classification and appropriate use, members of the university community must consult the designated individual that has accountability for the data. These roles and accountabilities are defined in the Data Governance Framework.

 

Responsibilities

Designated individuals within the university have specific data management accountabilities and responsibilities as outlined in the Data Governance Framework.

Information and Communications Technology:

Information and Communications Technology (ICT) is responsible for maintaining the availability and security of the university’s data infrastructure and ensuring that authorized users have access to the data they require for academic, research, and administrative activities.

ICT is responsible for implementing security and access measures that mitigate the risk of unintended disclosure of electronic data. This includes, but is not limited to, continually improving end-user awareness of proper data management; maintaining physical security of data infrastructure; implementing appropriate data access; and providing data cataloging technologies to users.

Units:

Academic, administrative and ancillary units are responsible for ensuring they access and use university data (both electronic and hard copy) in a manner that minimizes risk to the university.

The best way to minimize risk to electronic university data is to use the university-approved IT infrastructure (including data centres and end-point devices) and services for all university activities to the greatest extent practicable. When not practicable, they must follow the IT Risk Management procedure.

University Community Members:

Individual members are responsible for ensuring they access and use university data (both electronic and hard copy) in a manner that minimizes risk to the university. They must understand that data management is a shared responsibility across the university community and they must abide by data management procedures and practices. These responsibilities include:

Non-compliance

If there is reason to suspect that laws or university policies have been, or are being violated, or that continued access poses a threat to the university’s data, data infrastructure, university community members or the reputation of the university, access to the university’s data and data infrastructure may be restricted or withdrawn.

Following due process, the university may take action against anyone whose activities are in violation of the law or of this policy. The actions taken may include, but are not limited to:

Procedures

Procedures and practices to support this policy will be developed, documented and made available online following further consultation and proper vetting.

Related Documents

Related Documents

There are no other documents associated with this policy.

Contact Information

Contact Person: CIO and Associate Vice-President, Information and Communications Technology
Phone: 306-966-8408