UMGC Policy X-1.01

Information Governance

Policy Category: X (Information Governance, Security & Technology)

Policy No. & Title: X-1.01 Information Governance

Policy Owner/Administrator: VP & General Counsel

Effective Date: July 1, 2021

Revision Number: N/A

Revision Eff. Date: N/A

Review Cycle: Annual

  1. Purpose

    This Policy establishes an enterprise-wide oversight framework to support effective Information Governance across the University and facilitate the integration of the following standards and attributes into applicable University decision-making (See III. Definitions for the meaning of each capitalized term below):

    1. Authenticity;

    2. Availability;

    3. Confidentiality;

    4. Data Minimization;

    5. Integrity;

    6. Privacy; and

    7. Security.

  2. Scope

    1. This Policy applies to all University operations involving University Information or its Information Resources.

    2. This Policy applies to all University Employees as well as adjunct faculty, Contractors, consultants, temporary employees, and other third parties performing duties on behalf of the University.

  3. Definitions

    Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.

    1. Authenticity: The quality of Information and records as being genuine, verifiable, and trusted; confidence in the validity of a transmission, a message, or message originator.

    2. Availability: The principle of ensuring timely and reliable access to and use of Information based upon the concept of Least Privilege.

    3. Confidentiality: The principle of preserving authorized restrictions on Information access and disclosure, including means for protecting personal privacy and proprietary information.

    4. Contractor: A person or a company that undertakes a contract to provide materials or labor to perform a service.

    5. Data: Element(s) of Information in the form of facts, such as numbers, words, names, or descriptions of things from which "understandable information" can be derived.

    6. Data Minimization: The quality of Personal Information being adequate, relevant, and limited to what is necessary in relation to the purposes for which the Personal Information is Processed.

    7. Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.

    8. Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numeric, graphic, cartographic, narrative, or audiovisual.

    9. Information Governance: The delineation of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, access, use, archival, disposal, and other Processing of Information. It includes the processes, roles, standards, metrics and technologies that ensure the effective and efficient use of Information in enabling the University to achieve its goals.

    10. Information Governance Team: A group of representatives from the various functional areas of the University and third party subject matter experts as appropriate who are responsible for (i) providing interdepartmental oversight and strategic management of the University's Information and Information Resources; (ii) facilitating the integration of Privacy by Design into University operations; and (iii) supporting the development and review of Information Governance related policies and procedures across the University.

    11. Information Resource: Anything that is intended to generate, store, or transmit Information.

    12. Integrity: The principle of ensuring records and the Information contained therein are accurate and authentic by guarding against improper modification or destruction.

    13. Least Privilege: The security objective of granting an individual access to only such Information Resources and records, and the Information contained therein, as necessary to perform the individual's job.

    14. Privacy: The right of a party to maintain control over and Confidentiality of Information about itself.

    15. Privacy by Design: The concept and practice that ensures that University Information Resources, business processes, and projects that involve the use of Personal Information take the protection of that Information into consideration during development and integrate the protection of that Information through technology design and implementation.

    16. Processing: Any operation or set of operations which is performed on Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    17. Security: A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise's risk management approach.

    18. University: University of Maryland Global Campus (UMGC).

  4. Policy Statements

    1. The University shall establish an Information Governance Team (IG Team) comprised of representatives from the various functional areas of the University. The primary responsibilities of the IG Team shall be to:

      1. Provide interdepartmental oversight and strategic management of the University's Information and Information Resources;

      2. Facilitate the integration of Privacy by Design into University operations; and

      3. Support the development and review of Information Governance related policies and procedures across the University.

    2. University Employees and third parties performing duties on behalf of the University shall consult with the University's Data Protection Officer ("DPO") and, when applicable, the IG Team when:

      1. Initiating a new program, project, policy, practice, acquisition or business operation that involves Information Resources or the Processing of University Information;

      2. Updating an existing program, project, policy, practice, acquisition or business operation that involves Information Resources or the Processing of University Information; and

      3. Assessing other issues that may fall under the scope of Information Governance.

  5. Related Policies/Standards

    1. Information Governance Team Charter

  6. Effective Date: This policy is effective as of the Effective Date set forth above.