Data Governance Policy

Effective April 2026

The purpose of this Data Governance Policy is to establish a framework for the proper management, protection, and ethical use of institutional data at Union College. This policy ensures that data is treated as a strategic asset, maintaining its integrity, availability, security, and compliance with applicable laws and regulations, including FERPA, HIPAA, GDPR, and other relevant federal and state guidelines.

This policy applies to all institutional data collected, processed, stored, shared, or disposed of by faculty, staff, students, affiliates, and third parties operating on behalf of the institution. It covers all data domains, including:

• Student Data (e.g., admissions, enrollment, academic records, financial aid)
  • Student data encompassess records from recruitment to conferral of degree and includes admissions, bursar, financial aid, registrar and all academic records. This is not a comprehensive list and the offices mentioned are examples.
• To be addressed in future phases as data governance initiatives advance.
  • Research Data (e.g., grant-funded research, IRB-regulated data)
  • Administrative & Financial Data (e.g., HR, payroll, finance, procurement)
  • Alumni & Advancement Data (e.g., donor records, alumni information)

3.1 Data Governance Council

• Senior leadership responsible for data governance strategy.
• Final authority on data governance policies. Approves major initiatives and resolves escalated issues.

3.2 Data Stewardship Council

• Data Stewards responsible for operations of data governance.
• Operational decision-making within the framework set by the Data Governance Council. Escalates major issues to the Data Governance Council.
• Final authority on data governance standards and overall strategy

3.3 Data Stewards

• Assigned for each data domain (Student, HR, Finance, Research, etc.).
• Enforce data standards and quality within their domain, escalating issues to the Data Governance Council as needed.

3.4 Data Custodians

• Personnel responsible for data storage, security, and technical controls.
• Make decisions related to technical implementation and data security within their systems.

3.5 Unit Data Coordinators

• Faculty, staff, and affiliates who access and utilize institutional data.
• Resolve data-related issues within their unit and escalate to Data Stewards as needed.

• Student data must comply with FERPA regulations, ensuring that personally identifiable information (PII) is not disclosed without consent unless legally permitted.
• Health-related data must comply with HIPAA standards, including access control and encryption for electronic protected health information (ePHI).
• EU citizens' personal data must be processed per GDPR, ensuring user rights such as data access, rectification, and erasure.
• Institutional data must not be shared with third parties without a data-sharing agreement (DSA) or equivalent contract language that ensures compliance with applicable laws and university policies.

• All institutional data must be encrypted at rest and in transit where applicable.
• Multi-factor authentication (MFA) is required to access confidential and sensitive data.
• Data backup and recovery procedures must be implemented to prevent data loss.
• Security incidents and potential data breaches must be reported immediately to the IT Security Office.
• Annual reviews of user data access will be conducted on a yearly basis to confirm alignment with current roles and responsibilities.
• Access must follow the principle of least privilege, granting users, applications, and systems only the minimum permissions required for their assigned function or need.

6.1 Data Quality Standards

• Institutional data must be accurate, complete, timely, and consistent to support decision-making.
• Data Stewards must routinely audit data quality and implement corrective actions as needed.

6.2 Data Retention & Disposal

• Data must be retained in compliance with the Records Retention Policy .
• Expired or obsolete data must be securely deleted or anonymized based on approved retention schedules.

• Data sharing within the institution should follow the minimum necessary principle, ensuring that only required data is disclosed.
• External data transfers must be governed by contracts ensuring compliance with privacy laws (e.g., FERPA, GDPR) and institutional policies.
• Any third-party vendor handling institutional data must adhere to strict data protection agreements.

• Training will be provided to all faculty, staff, and affiliates handling institutional data annually.
• The institution will provide ongoing awareness campaigns and resources to promote best practices in data security and governance.

• Users who violate this policy may be denied access to the institution’s resources and may be subject to penalties and disciplinary action both within and outside of the institution. The institution may temporarily suspend or block access to an account, prior to the initiation or completion of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security or functionality of institution or other computing resources or to protect the institution from liability.
• The Data Stewards Council will review this policy annually, with updates made as necessary to align with evolving regulatory requirements and best practices.

• FERPA Compliance Policy
• GDPR Data Protection Policy
• HIPAA Notice
• Data Classification Policy
• Union IT Security Policy
• Records Retention Policy