Jill Martin, Budget and Finance
Data, in their many forms, are one of the University's most important assets. In every area, and at every level of the campus, members of the campus community (i.e., faculty, students, staff, and agents or affiliates of the University) are managing or using campus data. As with sensitive lab equipment, laptop computers, or cash drawers, managing data requires each of us to take responsibility for the reliability and security of this valuable campus asset. Until now, questions about campus standards and guidelines (for managing, using, and protecting data) have not been easily answered. Unlike well-established procedures for the management of financial or physical assets, the campus has had no cohesive platform for identifying roles, responsibilities, and best practices for the management of information. Recognizing this insufficiency, the Data Stewardship Council was charged with developing a comprehensive policy that would standardize data management and usage guidelines for the campus.
After almost two years of development, the new Data Management, Use, and Protection policy (DMUP) was released to the campus on July 26, 2004. Unanimously approved by the e-Berkeley Steering Committee, the policy is provisional pending final review and approval by the Academic Senate. However, the campus community is encouraged to begin implementing the policy now, where it applies to their current work environments.
DMUP interprets and sets campus standards and expectations for data management to ensure responsible supervision of campus data, and to support the campus goals of improving campuswide data exchange, as well as the accuracy and security of our data. Some of the major data-related problems facing the campus are: improper access to and sharing of restricted information; intentional and unintentional data misuse; accidental data loss; inability to access data essential to one's work; inconsistent data rules and poorly defined elements; cross-system data duplication; and ongoing threats presented by hackers and identity thieves. Though we cannot eliminate all of these problems, they can be mitigated by following the guidelines and practices set forth in DMUP.
This policy is not intended as "just another set of rules" that the campus must follow. Instead, it compiles existing information, highlights best practices, and interprets existing policy to establish a platform of standardized management and usage guidelines for the campus. It provides common definitions, best practices, and summaries of data stewardship roles and responsibilities. None of these roles or responsibilities are new; they are being practiced every day by all of us who handle campus data. What is new is that DMUP names the roles and explains the responsibilities associated with those roles. By standardizing roles and their definitions, DMUP serves as a checklist to be used by departments and individuals when determining roles and responsibilities related to specific data being handled. From there, campus departments are expected to implement local procedures that uphold their data stewardship responsibilities to the campus but which make sense in their data environment.
DMUP applies to campus data only, that is, data which are owned by the University. (However, campus members who have non-University-owned data should consider adopting the best practices outlined in the policy.) It does not prescribe or control data ownership for the campus, but does define campus data as
data that are prepared, supplied, used, or retained by University employees, within the scope of their employment, or by agents or affiliates of the University, under a contractual agreement, except for data specifically excluded from University ownership by law, policy, or through special overriding ownership provisions.
It is up to the individual unit, or in some cases, a person, to determine if the data they are handling are campus data, and if so, to then determine what their role and responsibilities are in relationship to that data. What follows is a short description of the roles articulated by DMUP. See the policy for a description of the responsibilities associated with each role.
A good strategy for getting started with implementing DMUP begins by
The following questions may assist in this process.
Local procedures based on the answers to these questions will ensure responsible management of campus data; reduce data related risk for individuals, departments, and the campus; and improve the overall accuracy, ease of exchange, and security of campus data. It will also support efforts to combat hackers and identity thieves and to comply with the demands of new legislation geared at addressing these problems.
The Data Stewardship Council will be developing related tools to assist the campus in the implementation of DMUP, such as risk analysis guidelines and model agreement forms for use when granting access to restricted data. These tools will be broadly disseminated to the campus as they become available. In addition, members of both the DMUP and the Minimum Security Standards for Networked Devices policy drafting teams are collaborating to develop a supplement to both policies, which will define minimum security standards for networked devices containing restricted data.
The full DMUP policy can be found on the Data Stewardship Council web page (http://datasteward.berkeley.edu/). Questions about the policy can be sent to
[ iNews | Search | IST | UC Berkeley Computing | UC Berkeley ]
iNews: UC Berkeley information technology news channels
Copyright 2004, The Regents of the University of California