Data Governance Policy
This policy provides a framework for coordinated data governance, emphasizing clarity in roles, responsible access, and stewardship.
Policy Information
| Policy Number | Policy Owner |
|---|---|
| 10020.1 | Information Technology Services |
- 1.0 Purpose
The purpose of this policy is to clarify roles and responsibilities for data governance across SUNY Plattsburgh, promote shared accountability for data quality, access, and classification, and support transparency, compliance, and responsible use of institutional data.
- 2.0 Revision History
| Date | Version Number | Change Description | Referenced Section |
|---|---|---|---|
| 10/2/25 | 1.0 | New Document | Entire Document |

Review Process / Approval

| Action | Units | Date |
|---|---|---|
| Policy Review | Information Technology Services | 9/24/25 |
| Policy Approval | Executive Council | 10/2/25 |

- 3.0 Units and Persons Affected
This Policy applies to:
- All faculty, staff, contractors, and third-party affiliates who create, access, modify, transmit, or store institutional data.
- All data systems and repositories maintained by or on behalf of SUNY Plattsburgh.
- All institutional data, regardless of format or storage location.
- 4.0 Policy
SUNY Plattsburgh considers institutional data a strategic asset. This policy provides a framework for coordinated data governance, emphasizing clarity in roles, responsible access, and stewardship. It supports the college’s mission and regulatory responsibilities by fostering consistency in how data is classified, secured, and managed across units. This policy should be used as a framework for data governance and reinforces that data governance is a shared responsibility across the campus, not solely an Information Technology Services function.
- 5.0 Definitions
Institutional Data: Data used or created for official administrative or academic purposes.
Data Owner: The individual who is accountable for protecting a dataset, holds the legal rights to it, and defines the policies governing it. Data Owners are typically management-level individuals (e.g., VPs, Directors, and in some cases department heads) who are ultimately responsible for the security and classification of specific data sets. They determine who has access to the data, how it should be classified, and when it should be archived or destroyed. They are accountable for ensuring that appropriate security controls are in place to protect the data.
Data Custodian: Data Custodians are the technical personnel (e.g., IT staff or third party) who handle the day-to-day management of data, including storage, access control, and backups. They implement the security controls defined by the Data Owner, ensure data integrity, and manage data backups and recovery. They work under the guidance and direction of the Data Owner to fulfill the owner’s security requirements.
User: Users are individuals who access and utilize data for business purposes. They must adhere to the security policies and procedures established by the Data Owner and implemented by the Data Custodian. User access is typically granted based on their roles and responsibilities, and they are restricted from accessing data they are not authorized to use.
Data Steward: Optionally designated by the Data Owner to maintain data quality within their areas, document standards, and support unit-level use. Data Stewards serve on the Data Oversight Committee.
Data Oversight Committee: The Data Oversight Committee serves as a coordination body for resolving shared data issues across units, recommends practices for consistency, and reviews significant cross-unit changes when they are escalated. The Committee does not own operational data decisions or enforce changes; it facilitates coordination on shared concerns.
Information Security Steering Committee: A group of senior management representatives responsible for ensuring that information security initiatives align with and support the organization’s overall business objectives. This committee plays a central role in information security governance, overseeing and guiding the organization’s security programs. It typically includes senior management representatives from departments such as IT, security, human resources, legal, finance, and audit.
- 5.1 Data Classification
SUNY Plattsburgh classifies data according to SUNY-wide standards:
Restricted Data: Legally or contractually protected (e.g., SSNs, financial aid data).
Private Data: Not public, but not subject to legal restrictions (e.g., employee evaluations).
Public Data: Approved for unrestricted distribution (e.g., directory info, published reports).
- 6.0 Responsibilities
Data Owners
- Data Classification: Determining the sensitivity of different data types and the level of protection each requires.
- Access Control: Establishing who can access which data and under what conditions as well as annual review of that access.
- Security Requirements: Setting data usage rules, backup frequency, and technical controls based on importance and legal obligations.
Data Stewards
- Fulfill Delegated Roles: The Data Owner of a data set can optionally assign or delegate some or all of their responsibilities to a Data Steward. The Data Steward will fulfill those roles as directed but the Data Owner is ultimately accountable for the data set. Accountability can’t be delegated.
Data Custodians
- Implementing Security Policies: Configuring firewalls, encrypting data, and setting up access controls as directed by data owners.
- Controlling User Access: Managing user accounts, enforcing security checks, and monitoring access logs.
- Protecting Data: Planning for incidents such as ransomware attacks or hardware failures by patching vulnerabilities and managing antivirus solutions.
- Setting Up Backup Systems: Ensuring data is securely stored and can be quickly restored following any data loss.
Data Users
- Adhere to Security and Privacy Guidelines: Follow organizational policies and understand applicable privacy regulations (such as GDPR or HIPAA).
- Protect Access: Keep login credentials confidential, create strong passwords, and remain vigilant against phishing attempts.
- Report Problems: Notify IT or security teams of any suspicious activities or security issues immediately.
- Handle Data Carefully: Store, transmit, and dispose of data in accordance with best practices and campus protocols.
- Complete annual data security training.
Data Oversight Committee
- Serve as a coordination body for resolving shared data issues across units.
- Recommend practices for consistency.
- Review significant cross-unit changes when escalated.
Information Security Steering Committee
- Understanding the University’s information security risks.
- Understanding the Information Security Program and SUNY System’s security standards.
- Providing timely, legally and professionally sound advice to executive management.
- Ensuring the Program incorporates external, professional perspectives, especially from SUNY’s Office of Information Security.
- Collaborating with key managers across major business functions to ensure the program maintains a comprehensive scope.
- 7.0 Procedures
Access and Use of Data
- Access is granted based on role and business need.
- Users must complete mandatory training within 30 days of being given access to restricted or private data.
- Data Owners, in collaboration with ITS, will review access annually in accordance with the campus Data Access Control Policy.
Data Change and Quality Management
- Data Owners, or the Data Stewards they delegate, are responsible for maintaining data quality and definitions within their domain.
- Changes affecting shared data definitions, code sets, or reporting logic across multiple units should be communicated to the Data Oversight Committee.
- The Data Oversight Committee may facilitate discussions, provide documentation support, and recommend solutions in cross-unit scenarios.
Policy Review and Updates
- This policy will be reviewed at least once every three years by the Information Security Steering Committee and updated as needed.
- 8.0 Forms
- Project Initiation Form (ITS Portal): This form captures the information needed to assess what type of data a project may involve and to coordinate with the relevant Data Owner.
- 9.0 Appendix
Security and Compliance
Data must be handled in accordance with the SUNY Plattsburgh Information Security Policy and all relevant regulations, including:
- FERPA (Family Educational Rights and Privacy Act)
- FOIL (New York State Freedom of Information Law)
- HIPAA
- PCI DSS (Payment Card Industry Data Security Standard)
- SUNY Data Risk Classification Policy
- SUNY Plattsburgh Policy #10021.1 — Data Access Control Policy
- SUNY Plattsburgh Policy #10025.1 – Data Retention and Secure Deletion Policy
- SUNY Plattsburgh Policy #10019.2 — Responsible Use of Technology Resources
- SUNY 6900 Information Security Policy
- Data Oversight Policy
- 10.0 Distribution and Training
| Method | Date |
|---|---|
| Campus Handbook | N/A |
| Faculty / Staff Digest | 11/7/25 |
| Student Digest | N/A |
| Other | N/A |

Data Owners (and any Data Stewards delegated by the Data Owner) are responsible for ensuring that users in their units complete training annually and within 30 days of being granted access to any restricted or private datasets.
The Data Oversight Committee, Information Security Steering Committee, ITS, and HRPS will collaborate to develop and deliver training programs.
For additional information about this policy, please contact the policy owner listed above.