Data Governance FAQs
Data Governance is about making sure that data is used in ways that are legal, appropriate, and that don’t create unnecessary risk for people (personal information) or the University. You need to do this because most people aren’t experts in those things. There are so many laws, and so many ways that information can be used to hurt people, that the University provides a set of experts who can help you figure it all out. You need to do this because you don’t want to be going along doing your work and find that you’ve committed a crime you didn’t even know about, or exposed data that puts people at risk, or caused an embarrassing data breach that causes people to lose trust and respect for UNC.
Assume your data is Tier 2 unless you have some reason to believe it’s something else. Use the Information Classification Standard to see what “else” it might be. These are some informal ways to think about it. Data always sits in a context, though, so something that is Tier 1 most of the time might be Tier 2 or even Tier 3 in context! (For example, a person’s name isn’t sensitive…but if it’s on a list of patients in your genital warts clinic, it sure is.) This is complicated. Don’t hesitate to ask an expert. DGOG is available to give guidance. We love to be asked!
When the Data Governance review of your request is complete and we have determined that you can move forward with your process or procurement, you will receive an email from the ServiceNow platform. It will show up in your inbox as being from “IT Service Desk” or firstname.lastname@example.org.
A list of approved applications is kept at safecomputing.unc.edu. You can see if what you want is already there, or if there is something similar to what you need.
As soon as possible in the process of procurement. How long it takes to process a Data Governance request can vary depending on multiple factors, such as the presence of Sensitive Information in scope, the ease of getting answers from the vendor, the need for further agreements with the vendor (such as a BAA), and the need for other parties to be involved in the review. Submit a Data Governance request as early as possible to avoid delay in your procurement process!
Before you have finished writing your RFP you could submit a request with the “Guidance or other data needs” box checked. This gives the Data Governance Oversight Group an opportunity to help you get better data governance terms in your RFP, spot issues, and help you get compliance milestones set up in your project! You are likely to need security and accessibility documentation from your vendor and the DGOG support person can help you make sure you get what’s needed.
Data that is classified as Tier 2 or Tier 3 by the Information Classification Standard is Sensitive Data. Data is classified as Sensitive if the University is required to keep it confidential or restricted by a law, regulation, contract, or policy. If the release of information could cause harm to the University, its employees, students, research subjects, patients, or other members of the community, that information is likely to be Sensitive. If you are not sure, you can submit a “Guidance or other data needs” request through the University Data Assistance form, and DGOG will help you figure it out!
Types of Reviews
If you need an IT Security Risk Assessment, you need a DGOG review (and a DGOG request will get you both!). If you’re doing something new with SSN, you need a DGOG review. If you’re not sure what Tier something is, ask us! If you’re not sure whether you need a DGOG review, ask us!
You need an IT Security Risk Assessment if:
- you have a new in-house or vendor-supplied application or IT service that is either “mission critical” to your unit or will have any potential contact with Tier 2 or 3 information (you will also need a DGOG review).
- anything important changes with that application or system, such as moving to a new architecture (for example, from on-premises to the cloud).
- the data changes tier, for example adding new Tier 2 information when it was only Tier 0 or 1, or adding Tier 3 when it was only Tier 0-2 before.
- you’re adding a new kind of interface, for example it was only available to logged-in staff, but now you’re adding a public web interface.
- you’re adding a new class of users, for example it was only staff, but now it will be students as well.
If you have a new kind of use for SSN (a new form, putting it in a new system, using it for a new purpose), you need a review. If you’ve had a review, but something important has changed with the use, you need to bring it back. Examples of that might be moving the system it’s in from on-premises to a cloud application, or storing it longer. You can learn more about SSN review on the Process for New or Changing How Social Security Numbers Are Used webpage.
You can find more information about Business Associate Agreements on the Privacy Office’s website. If you have a review with the Data Governance Oversight Group, you will be referred to the IPO for assistance if it is likely a BAA will be needed.
FAQs About When a Data Governance Review is Necessary
Maybe. Some changes to a contract with a vendor may trigger a new review, and you are always welcome to submit a request to check! If possible, please reference the RITM number of the previous request. Some important contract changes that would warrant a new Data Governance review include:
- Changes in the vendor’s access to University data stored in the software
- The vendor is becoming a Business Associate because they are creating, receiving, maintaining, storing, or transmitting Protected Health Information for a HIPAA Covered Entity at the University
- Adding additional features or services from the vendor that were not a part of your previous package
- Changes in how the software is hosted (from on-premises to cloud-based or vice versa)
- Adding new instances or interfaces of the software
Yes. When there are important changes to a system that has already been reviewed, we ask that you submit a new request. If possible, please reference the RITM number of the previous request. Substantive changes might include:
- Creating, receiving, maintaining, storing, or transmitting new data elements or data types (ex: previously you only stored student grades in a platform, and now you’ll be storing other student information as well, such as disciplinary records)
- Adding a new kind of interface (ex: currently, the interface is only available behind an onyen login, but you want to add a public-facing web interface)
- Adding a new class of users (ex: currently only a small, selected pool of individuals in a certain department has access, and you want to give access to all employees in the College of Arts & Sciences)
- Adding services or features (ex: when you renew your contract with the vendor you want to add their transaction module to take card payments)
- Changing how software is hosted (ex: from on-premises to cloud-based or vice versa)
- Changes in contract terms that affect data protection (ex: the vendor was previously unable to access any of the University’s data in the product, and now they require access to support new features)
Yes. The need for a review from the Data Governance Oversight Group is not determined by the cost of software or how it’s purchased (even if it’s free!). We review systems that affect Tier 2 or 3 “Sensitive Information” to be sure our higher-risk data is used and protected well. Oftentimes, even software designed for productivity may end up with some Tier 2 information in scope. It is best to buy software with a Purchase Order to be sure University terms are in the contract. Even if you believe no Sensitive Information is in scope, we recommend submitting a request to the Data Governance Oversight Group to be sure.
Data-Type Specific FAQs
IT data is managed by the University through sets of policies and practices. We can at least start to answer those questions.
By default, the University treats signatures as Tier 2. While signatures can be used to access confidential or restricted information and to authenticate documents, they can also be used in other ways that involve their public display. Applying all Tier 2 sensitive information protections to signatures in every context they’re used isn’t practical or appropriate. For more information on how to determine when a signature should be treated as Tier 2 and how to reduce risk, please see the Guidance on the Sensitivity and Use of Digitized Signatures webpage.
The University uses many different kinds of keys. These might be building keys, car keys, door keys, cabinet and drawer keys, keys to equipment, or any other physical key to a place or property. Information about keys ranges from Tier 1 to Tier 3, and multiple factors influence the tier of a specific use of key information. For more information on protecting keys and the sensitivity of information about keys, please see the Guidance on the Sensitivity and Protection of Information about Keys webpage.
FAQs About Types of Platforms or Tools
If you have questions about whether you are allowed to communicate with human subjects of a research study or whether a specific platform or tool is appropriate to use, you can always submit a University Data Assistance request for a Data Use Review. If you want to learn more or have questions, you can visit the Unencrypted Communication for Human Subject Research FAQ page on the UNC Research website.
Generative Artificial Intelligence tools are becoming more and more popular. While they can be useful in the workplace, it’s important, as you would for any new application or system, to consider the risks of using tools like these. The Office of the Provost has created a list of Generative AI Employee Resources. On this page, you can find many valuable resources, including a link to Generative AI Training Modules and a handful of usage guides that address how to properly and ethically use generative AI for various purposes at the University. Those guides include:
- The Staff Generative AI Usage Guide, for administrative uses of generative AI.
- The Research Generative AI Usage Guide, for using generative AI in research.
- The Teaching Generative AI Usage Guide, for using generative AI for teaching.
If you would like to procure a new generative AI tool, or use new generative AI features in an existing tool, please submit a University Data Assistance request for a data use review.