About UW–Madison’s Institutional Data Policy
Issued Sept. 1, 2020 and effective Jan. 1, 2021, the Institutional Data Policy establishes minimum requirements for the management and stewardship of institutional data resources. The policy defines roles and responsibilities for managing data, plans for data identification, documentation, classification, as well as rules for storage and access to protected information in accordance with applicable laws and regulations. The collection, secure storage, access, and appropriate use of the growing quantity and variety of data poses many challenges. The policy ensures proper care and maximum leverage potential for the entire life cycle of all institutional data. With an emphasis on quality, access, security, and decision-making, the policy ensures the data can be leveraged as an enterprise asset. The policy reflects a review and assessment of peer institutions’ institutional data policies, as well as alignment with the DAMA (international data management organization) framework. It was the result of more than six months of work by the Institutional Data Policy Subcommittee including consultation and review by a broad set of campus stakeholders. The Institutional Data Policy Implementation Statement outlines the timeline and details of the phased implementation of the policy. More information including specific procedures and standards for each of the policy’s elements will be made available on a rolling basis.
Institutional Data Policy Implementation Statement
The new Institutional Data Policy seeks to establish consistent and effective university-wide governance and management of institutional data, which has long been decentralized and uncoordinated across systems, functional areas, and campus organizations. Due to the size and structure of our university and the breadth of the institutional data environment, it will take significant time and effort to bring existing systems, applications, and institutional data products into compliance with the policy. Timely compliance is made even more difficult due to the COVID-19 pandemic, which has resulted in a shift of priorities and an uncertain budget outlook. With these challenges in mind, the Institutional Data Policy will be implemented in phases. Although the policy has been issued, it will not take effect until January 1, 2021. The gap between issuance and effective dates provides time for communicating the policy to those impacted and for planning. As of January 1, 2021, the policy will immediately apply to new systems implementation and integration work, new application and institutional data product development, and new institutional data use cases. For existing systems, applications, institutional data products, and institutional data use cases, good faith efforts must be made to achieve compliance within one year of the effective date. Where compliance is unfeasible or impractical within one year of the effective date of the policy due to technical, budgetary, or other constraints, a request for an exception must be made in accordance with the policy. Compliance with some aspects of the policy will be impossible prior to issuance of procedures and standards that will provide more detail and specific requirements and processes to effectuate policy statements. In those cases, additional implementation time may be incorporated into those procedures and standards. Note: Policy statements 1, 5, 7, 10, 11, and 12 were determined to not require an accompanying procedure or standard in order for implementation to be possible, and compliance with those statements is required in accordance with the policy’s implementation timeline. Policy statements 2, 3, 4, 6, 8, and 9 were identified as requiring supporting procedures or standards, and compliance with those policy statements will not be required until their respecting procedures or standards are issued. Please see below chart for status updates.
View the Institutional Data Policy Implementation Statement as a PDF.
Procedures and Standards
Procedures and standards provide additional detail and specific requirements and processes to effectuate policy statements. The procedures and standards will be made available as they are developed and approved. Please check back for updated status information and additional procedures and standards not yet in progress.
Procedures and Standards Status Chart
Policy Statement Supporting | Name | Status |
2 | Data Issue Management Procedure | Completed and issued |
3 | Data Documentation Standard | Completed and issued |
4 | Data Access and Authorization Standard | Completed and issued |
6 | Data Quality Standard | Need identified |
8 | Data Systems Planning Standard | Need identified |
9 | Data Integrations Standard | Completed and issued |
This is an accordion element with a series of buttons that open and close related content panels.
Does the Institutional Data Policy apply to me?
If you have any contact with institutional data, or IT systems and applications that generate, store, or transmit institutional data, then the policy applies to you. The extent to which the policy impacts you may depend on your role and relationship to institutional data.
I am a data user/consumer. How does the Institutional Data Policy apply to me?
As a data user/consumer, the institutional data policy does apply to you as you access institutional data. Institutional data is all information, regardless of medium, generated, collected, stored, maintained, transmitted, enhanced, or recorded by or for the university to conduct university business. As you use/consume institutional data:
- You have a duty to protect the privacy, security, and confidentiality of the data.
- You must consider individual privacy rights before sharing personally identifiable data.
- Protected institutional data may only be accessed for business purposes within the scope of your official duties.
- Access to protected institutional data is authorized by institutional Data Stewards. (The Data Authorization Standard is currenting being drafted outlining more details, so no further action regarding access is required for users between now and the release.)
- Unnecessary storage or duplication of protected institutional data must be avoided.
I am a developer or I distribute data for others to use. How does the Institutional Data Policy apply to me?
The Institutional Data Policy impacts your role as a developer/distributor and outlines your responsibilities as you perform your duties. As a developer/distributor of institutional data:
- You must properly identify and document data products in accordance with the Data Documentation Standard (once issued – no action is required at this time).
- Access to the things you are building or distributing will be controlled by reasonable physical, technical, and administrative measures and will be granted based on the authorization provided by the applicable institutional Data Steward.
- Protected institutional data may only be accessed for business purposes within the scope of your official duties.
- Access to protected institutional data is authorized by institutional Data Stewards (The Data Authorization Standard is currenting being drafted outlining more details, so no further action regarding access is required for users between now and the release.)
- You must consider individual privacy rights before sharing personally identifiable data.
- Unnecessary storage or duplication of protected institutional data must be avoided.
- Data products should source from designated systems of reference or systems of record.
Does this policy apply to the data I use in performing academic research?
The policy applies to institutional data, which is defined in the policy and does not include data used exclusively in academic research. Research data is subject to a separate, research-specific data policy. Data about research activity, such as research administration and research compliance data, is institutional data and subject to the Institutional Data Policy.
When do I need to be in compliance with the policy?
On January 1, 2021, all new institutional data, systems, integrations, applications, products, and uses must comply with the policy. Institutional data, systems, integrations, applications, products, and uses that exist as of December 31, 2020 will have until January 1, 2022 to work towards compliance. In cases where compliance by January 1, 2022 is unfeasible, an exception to the policy should be requested from the policy manager. Read the full Institutional Data Policy Implementation Statement for more details.
How do I request an exception to the policy?
The policy allows the Chief Data Officer, in consultation with applicable data stewards or Data Governance Council, to grant exceptions to the policy in certain circumstances. To initiate a request for an exception, please use this policy exception request form.
How do I report noncompliance?
Once the policy is in effect, issues of noncompliance can be reported by using the Institutional Data Issue Management Issue reporting form.
What if I have more questions or need help?
If you have additional questions or need help related to the Institutional Data Policy, please contact us at dapir@provost.wisc.edu, and a member of our staff will respond as soon as possible.