What is Data Governance?

Data is a valued asset maintained and utilized by the University of Louisville to support our strategic goals. Institutional data, while not owned by units, is effectively and securely managed by units on behalf of the university.

Data governance is an institution-wide framework of principles to define and manage the availability, usability, integrity and security of an institution’s data (information in digital form) based on internal policies, processes and compliance standards.

Data governance, for the University of Louisville, ensures that our data is secure, private, accurate, available and usable. It includes the actions people must take, the processes they must follow, and the technology that supports them throughout the data life cycle.

Data governance looks to achieve a range of goals:

  • Definition of data
  • Security, compliance and privacy of data
  • Stewardship of data
  • Availability of data
  • Utilization and quality of data for business decisions
  • Enforcement of data policies

Quick Links

The Data Governance Committee (DGC) enables intentional decision-making about UofL’s institutional data assets.

The university’s resource for information regarding regulations which may impact the privacy of our students, employees, patients and campus visitors.

Privacy

Overseeing UofL’s information security compliance, policies and standards; provides compliance oversight, and risk assessments; coordinates information security efforts, incident response and user awareness.

Information Security

Serving as a resource and providing guidance to administration, faculty, staff and units (departments, programs, committees), by supporting and fostering a culture of integrity, compliance, and accountability.

University Integrity and Compliance

Mission and Charter

Mission

The goal of the Data Governance Committee (DGC) is to create a culture of information literacy, campus-wide data-driven decision-making and institute diligence and accountability for institutional data across the university.

Data Governance Committee Members

  • Adams, Kimberly – Information Security Office
  • Andersen, Brad – Information Technology Services
  • Baugh, David – Information Technology Services
  • Goldstein, Robert – Office of Institutional Research
  • Kaugars, Karlis – Information Technology Services
  • Klein, Jon – Research & Innovation
  • Mudd, Jennifer – Office of Risk & Compliance
  • Patterson, Becky – Office of Institutional Research
  • Pipes, Shannon - Office of University Counsel
  • Ruffin, Erika - Office of Institutional Research
  • Russell, Sandra - Office of Risk & Compliance
  • Simrall, Harrison - Information Technology Services
  • Yehud, Ethan - Information Technology Services

Data Classification

Data classification is the process of organizing and tagging data into different categories according to sensitivity, importance and a predefined criterion. It is mandatory for university regulatory compliance and foundational to our data governance mission. Understanding the significance of data classification should be considered pivotal to safeguarding sensitive information and mitigating risk.

The listings below are examples, not definitive taxonomies. We encourage all units and departments to apply appropriate safeguards at all levels of storing information, in addition to digital and online data. Remember to report any possible or actual data loss to a supervisor or security/compliance officer. Proper disposal of electronic files, devices or data storage is mandatory as outlined in university policy and procedures.

Classification Levels

L1 - Information intended and released for public use.

The University intentionally provides this information to the public.

L1 Examples:

  • Published research
  • Course catalogs
  • Published faculty and staff information
  • Student directory information*
  • Basic emergency response plans (life safety)
  • University-wide policies
  • UofL publications
  • Press releases
  • Published marketing materials
  • Regulatory and legal filings
  • Published annual reports
  • Code contributed to Open Source
  • Released patents
  • Plans of public spaces

* Directory information about students who have requested FERPA blocks must be classified and handled as L3, at minimum.

L2 - Low Risk Confidential Information that may be shared only within the University of Louisville community.

The University chooses to keep this information private, but its disclosure would not cause material harm.

L2 Examples:

  • Department policies and procedures
  • Employee web/intranet portals
  • UofL training materials
  • Pre-release articles
  • Drafts of research papers
  • Work papers
  • Patent applications
  • Grant applications
  • Non-public building plans or layouts (excluding L3 or L4 items)
  • Information about physical plant (excluding L3 and L4 items)
  • Non-sensitive administrative survey data

L3 - Medium Risk Confidential Information intend only for those with a “business need to know.”

Disclosure of this information beyond intended recipients might cause material harm to individuals or the University.

L3 Examples:

  • Non-directory student information
  • Non-published faculty and staff information
  • Information protected under FERPA, in general/li>
  • ULID tied to an individual
  • Personnel records**
  • Donor information (excluding L4 data points or special handling)
  • Non-public legal work and litigation information
  • Budget/financial transactions information
  • Non-public financial statements
  • Information specified as confidential by vendor contracts and NDAs
  • Information specified as confidential by Data Use Agreements
  • Security findings or reports (e.g. SSAE16, vulnerability assessment and penetration test results)
  • Most UofL source code
  • Non-security technical specifications/architecture schema
  • Library/museum object valuations
  • IRB records
  • Sensitive administrative survey data, such as performance reviews or course feedback, especially if free text response is permitted

** Employees have the right to discuss terms and conditions of their own employment, including salary and benefits, with each other or with third parties.

L4 - High Risk Confidential Information that requires strict controls.

Disclosure of this information beyond specified recipients would likely cause serious harm to individuals or the University.

L4 Examples:

  • Passwords and PINs
  • System credentials
  • Private encryption keys
  • Government issued identifiers (e.g. Social Security Number, Passport number, driver’s license)
  • Individually identifiable financial account information (e.g. band account, credit or debit card numbers)
  • Individually identifiable health or medical information***
  • Security system procedures and architectures
  • Trade secrets
  • Systems managing critical Operational Technology

***UofL units or programs that qualify as “covered entities” under the Health Insurance Portability and Accountability Act (HIPAA) must comly with HIPAA’s data security rules.

L5 - Reserved for Research Data only, as determined by IRB or Data Use Agreement.

Data that could place the subject at severe risk of harm or data with contractual requirements for exceptional security measures.

L5 Examples:

  • Research data classified as Level 5 by IRB
  • Information or research under a contract stipulating specific security controls beyond L4

Data Storage Matrix

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Fusce rutrum nisi sit amet mauris eleifend, eget fermentum metus suscipit. Integer pretium libero sit amet luctus lobortis. Ut nec elit ac libero euismod consectetur. Donec non arcu in lectus varius facilisis. Nullam eu purus nec arcu consequat vestibulum. Nullam nec felis sem. Duis auctor, justo nec accumsan cursus, nisi metus ultricies orci, id volutpat velit elit nec leo. Quisque pulvinar semper convallis. Fusce eu leo id nulla condimentum accumsan nec ac nunc. Vivamus malesuada sapien sit amet tortor sodales, sed pharetra elit sollicitudin. Integer congue,

Cloud Services

Storage Service
Description
University Contract
For Students
For Staff & Faculty
HIPPA
FERPA
SSNs
PCI
KRS
ITAR
IRB
Cloud Storage Services
Box - University Cardbox
Personal and departmental shared storage
Yes
Yes
Yes
Yes
Yes
Yes
No
Yes
No
Yes
MS OneDrive - Business
Personal storage
Yes
Yes
Yes
No
No
No
No
No
No
No
MS SharePoint
Teams, departmental, collaboration
Yes
Yes
Yes
Yes
Yes
Yes
No
Yes
No
Yes
Cloud Infrastructure as a Service (IaaS)
AWS
Glacier and virtualized workloads
Yes
No
Yes
Yes
Yes
Yes
No
Yes
No
Yes
Azure
S3 storage and virtualized workloads
Yes
No
Yes
Yes
Yes
Yes
No
Yes
No
Yes

Local Services

Storage Service
Description
University Contract
For Students
For Staff & Faculty
HIPPA
FERPA
SSNs
PCI
KRS
ITAR
IRB
Central Storage
REDCap
Research and library services
Yes
No
Yes
No
Yes
Yes
No
Yes
No
Yes
Central VM Hosting
Hyperflex vSphere Cluster
Main cluster containing VM servers with local storage on the hypervisors in vmdk files
Yes
No
Yes
Yes
Yes
Yes
No
Yes
No
Yes
Hyperflex Veeam Cluster
Secondary cluster used for Veeam backups
Yes
No
Yes
Yes
Yes
Yes
No
Yes
No
Yes
Central VM Hosting
IT - MySQL
...
Yes
No
Yes
Yes
Yes
Yes
No
Yes
No
Yes
IT - SQLServer
...
Yes
No
Yes
Yes
Yes
Yes
No
Yes
No
Yes
IT - Oracle
...
Yes
No
Yes
Yes
Yes
Yes
No
Yes
No
Yes

Acronym Key

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Fusce rutrum nisi sit amet mauris eleifend, eget fermentum metus suscipit. Integer pretium libero sit amet luctus lobortis. Ut nec elit ac libero euismod consectetur. Donec non arcu in lectus varius facilisis. Nullam eu purus nec arcu consequat vestibulum. Nullam nec felis sem. Duis auctor, justo nec accumsan cursus, nisi metus ultricies orci, id volutpat velit elit nec leo. Quisque pulvinar semper convallis. Fusce eu leo id nulla condimentum accumsan nec ac nunc. Vivamus malesuada sapien sit amet tortor sodales, sed pharetra elit sollicitudin. Integer congue,

Control Requirements

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Fusce rutrum nisi sit amet mauris eleifend, eget fermentum metus suscipit. Integer pretium libero sit amet luctus lobortis. Ut nec elit ac libero euismod consectetur. Donec non arcu in lectus varius facilisis. Nullam eu purus nec arcu consequat vestibulum. Nullam nec felis sem. Duis auctor, justo nec accumsan cursus, nisi metus ultricies orci, id volutpat velit elit nec leo. Quisque pulvinar semper convallis. Fusce eu leo id nulla condimentum accumsan nec ac nunc. Vivamus malesuada sapien sit amet tortor sodales, sed pharetra elit sollicitudin. Integer congue,

Data Stewards

Data Stewards are accountable for the implementation of data governance policy within a data category. There may be multiple Data Stewards within a data domain depending on the type and facilitation of procedures and appropriate access. Data Stewards are often subject matter experts in a system or process and can make decisions on to be apply data governance policy and principles in different situations.

Data Stewards by Category