We live in a world full of data. Everything from our name and age to our food preferences is stored in a vault or in a cloud, on some sort of server somewhere, waiting to be retrieved and pinged across the world for reasons as simple as signing in to our email account or as complex as targeting us for a vacation advertisement.
Of course, agencies tasked with collecting this data are also expected to correctly store and manage access to it, and the more sensitive the information, the greater our expectations of privacy and security are. Yet the more data there is to handle, the more difficult it can be for agencies to maintain availability, quality, and privacy of our data.
These reasons—along with others—were what motivated the government to found PTAC: The Privacy Technical Assistance Center. This “center,” or online collection of resources, provides educational agencies and institutions with guidelines and training to develop a data governance program that ensures the privacy, confidentiality, and security of students’ data from pre-school through postsecondary education and into the workforce.
But wait a minute, what exactly is a data governance program?
At its essence, a data governance program is a set of rules and procedures that determine how data should be treated from the time it is acquired (when you fill out a form, register for an account, etc.), through its use (you use your email to log on to an online account, one company sells another company their mailing list, etc.), and culminating with its disposal (your record is deleted, your account is deactivated, etc.).
The benefits of developing a strong data governance program are fourfold. The data will be more accurate (meaning that it’s thorough and reflects reality). It will be more usable (better organized, more easily accessed). It will be timelier (available without delay). And finally—arguably most importantly—it will be more secure.
According to PTAC, there are four key steps to creating and maintaining a good data governance program. These “steps” are best framed as questions.
- Who will be responsible for the program and for making decisions about its governance?
- What are the rules and methods for managing the data?
- How will these rules and methods be implemented?
- Is the program a) doing what it is meant to do, and b) being followed by all stakeholders?
If you are able to adequately answer each of these questions, then your organization probably has a solid data governance program already in place. If not, PTAC provides a guide to the 10 components that you should follow to develop a comprehensive data governance program. These components are grouped into three overarching “themes”: a) rules of engagement, b) organizational bodies and individuals, and c) data governance processes.
A. Rules of engagement
First and foremost, a data governance program needs to fit with what the organization, as a whole, is trying to achieve. Likewise, it also needs to fall in line with what stakeholders expect from the organization. And finally, it must be reasonable—that is, the organization must have the resources necessary to put such a program in place, and then to sustain it. Therefore, here are PTAC’s six primary “rules of engagement”:
- Mission and vision – what is the organization’s overall mission/vision, and how do the expectations of data governance play into that?
- Goals, governance metrics, success measures, and funding strategies – what are the goals of the data governance program, how will they be tracked and measured, and how will the program be financially supported?
- Data rules and definitions – what data is being collected, and how will different types of data (e.g., personally identifying data vs. anonymous data) be treated differently?
- Decision rights – who is permitted to make a decision about what is done with the data?
- Responsibilities and enforcement and compliance mechanisms – who is responsible for the implementation and success of the program, and how will its rules be enforced?
- Security controls for risk management – what happens in the case of a data breach or data mismanagement?
B. Organizational bodies and individuals
Next, a data governance program must address who is “in charge”—i.e., who is responsible for making sure the program is implemented efficiently and effectively—as well as the rights and responsibilities of other involved parties. These are:
- Data stakeholders – these include data owners and users, and their rights and/or responsibilities should be spelled out
- A data governance body – this committee should include management and legal representatives, along with data system administrators, data providers, data managers, privacy/security experts, and data users
- Data stewards – these are individuals who possess specific roles and responsibilities within the data governance program
C. Data governance processes
The final, tenth piece of the data governance program is a set of procedures for implementing and modifying the program. These procedures should specify a number of “how to’s”: how to implement the program, how to manage data over the long term, how to judge the program’s success, and how to handle cases when data quality or security is jeopardized. These “how to’s” fall into three main categories: proactive (setting standards prior to collecting any data), reactive (correcting any security policies in response to a data breach), and ongoing maintenance (regular operating procedures to keep the program intact and functioning smoothly).
If you work to incorporate these ten components into your data governance program, you will end up with a securer system that presents you with more accurate, timely, usable data. For more details, you can access resources from the US Department of Education here.