Washington University in St. Louis’ university data resource, by definition, practice, and intent, is a university asset. University data is not limited to information captured and stored in university systems, but also includes all data created or acquired by any university community member or entity as a direct consequence of duties performed on behalf of the university. This guideline addresses the management of securable university data and the responsibilities for the protection of this data. The guideline refers to all securable university data, whether printed or electronic, and whether individually controlled, shared, stand-alone, or networked.
The guideline will serve to:
The data resource should be safeguarded and protected. As an institutional or research asset, data should be protected from deliberate, unintentional, or unauthorized alteration, destruction and/or inappropriate disclosure or use in accordance with established institutional or applicable funding agency policies and practices and federal and state laws.
Access to data should be authorized and managed. A user's right to access applicable university data should be granted based on authorization provided by university staff who have been designated by the data steward/owner as authorized signers for that data. Authorization to access university data, including public data, should be based on appropriateness to the user's role and the intended use. Access should be consistent with applicable requirements of university or funding agency policies and federal and state laws and should be granted only to those individuals or systems that have been authorized. Authorization and access should be documented, reviewed, modified, and terminated in accordance with university or applicable funding agency policies, and federal and state laws.
Data should be shared based on institutional or applicable funding agency policies, and federal and state laws. University data are not considered owned by a particular individual, unit, department, or system of the University unless specifically tied to a researcher and having dean-level approval. University data should be made accessible to all authorized users and systems.
Data should be managed as an institutional resource. Data organization and structure should be planned on functional and institutional levels. Data usage and data sources should be managed through the data stewardship principles of administering and controlling data quality and standards in support of institutional or funding agency goals and objectives.
University data should be identified and defined. Standards should be developed for their representation in databases. Controls should be established to assure the completeness and validity of the data, and to manage redundancy.
Information quality should be actively managed. Explicit criteria for data validity, availability, accessibility, interpretation, and ease of use should be established and promoted. Action programs for data quality improvement should be implemented.
Data storage and delivery mechanisms should be developed based on the needs of university processes. Data architectures should be developed to support institutional and research processes. These data architectures should drive the physical implementation of the selected solution.
Contingency plans should be developed and implemented. Disaster Recovery/Business Continuity plans and other methods of responding to an emergency or other occurrences of damage to systems containing university data, including electronic protected health information (ePHI), should be developed, implemented, and maintained. These contingency plans shall include, but are not limited to, data backup, disaster recovery, and emergency mode operations procedures. These plans should also address testing of and revision to disaster recovery/business continuity procedures and a criticality analysis.
Every data steward/owner of a university system that hosts or consumes university data is responsible for implementing and ensuring compliance with Washington University in St. Louis’ Data Resource Management Guideline and must initiate corrective action with the proper authorities of the university if it is needed. Responsibilities include:
HIPAA requires taking reasonable precautions when verbally communicating protected health information. Precautions should also be taken when verbally communicating other sensitive information.
Updated April 1, 2013.