
Data Governance Policy and Procedure

Policy Purpose

This policy defines the framework to govern university data and any regulatory or legal compliance standards that cover the data. Employees of the University of Arkansas at Fort Smith have access to data and sensitive information about employees and students, including personally identifiable information (PII), and this policy covers that access.

Policy Statement

It shall be the policy of the University of Arkansas-Fort Smith that users must follow the procedures in this policy governing data, data access, and data security.

Applicability

This policy applies to all University employees, students, and any person that has access to University data.

Definitions

Data Classification – The ranking of data according to its sensitivity and criticality.
Data Custodians – Individuals or groups that are responsible for the safe custody, transport, and storage of the data. The University IT department is the data custodian for the UAFS campus. Some data may reside on systems not owned, managed, or maintained by the University.
Data Inventory – A matrix that contains associated information on the type of data, the location of the data, who is responsible for the data, and other data attributes.
Data Owners – Individuals or departments that are responsible for the accuracy, privacy, and security of the data under their purview.
Data Users – A person or account that has access to read, write, and modify university data.
Data Sets – A collection of related data.
FERPA – Family Educational Rights and Privacy Act
GLBA – Gramm-Leach-Bliley Act
GDPR – General Data Protection Regulation
Highly Sensitive Data – Information that, if disclosed to unauthorized persons, would be a violation of federal or state laws, university policy, or university contracts. The highly sensitive classification includes all data defined by the state of Arkansas’ “Data and System Security Standard Classifications” as Level C (Very Sensitive) or Level D (Extremely Sensitive).
HIPAA – Health Insurance Portability and Accountability Act
Internal Data – Information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage, or other use. This classification applies even though there may not be any law or other regulation requiring this protection. Internal data is information that is restricted to personnel designated by the university who have a legitimate business purpose for accessing such data. Internal data includes all data defined by the state of Arkansas’ “Data and System Security Standard Classification” as Level B (Sensitive).
PCI – Payment Card Industry
PHI – Protected Health Information
PII – Personally Identifiable Information
Public Data – Information to which the general public may be granted access in accordance with University of Arkansas policy or standards. Public data includes all data defined by the state of Arkansas’ “Data and System Security Standard Classification” as Level A (Unrestricted).

Policy Procedure

Data criteria:
1. Data will be maintained in a secure, accurate, and reliable manner and be readily available for authorized use.
2. Data security measures will be implemented commensurate with the value, sensitivity, and risk involved.
3. Data will be assigned one of three classifications according to its sensitivity and criticality. The three classifications are highly sensitive, internal, and public.
4. Data and associated data attributes will be listed in a data inventory matrix that will be reviewed annually.

Data user responsibilities:
1. Comply with all guidelines set forth in legal or governmental regulations outlined in laws such as FERPA, HIPAA, GLBA, and GDPR. These regulations cover highly sensitive data.
2. Ensure that data is obtained fairly and is stored securely.
3. Ensure that data is kept confidential and is not disclosed to unauthorized personnel or third parties. Ensure that data is used and shared appropriately and legally.
4. If applicable, ensure that data is disposed of properly when no longer required.

Data Inventory Procedure:
1. Data information will be maintained in a data inventory matrix spreadsheet with the following columns:
   – Data Sets
   – Data Classification
   – Data Storage Location
   – Data Owner who is responsible for the data

Data Compliance Training:
1. Financial Aid Department – GLBA (Gramm-Leach-Bliley Act) training to be conducted annually for users that deal with Financial Aid.
2. IT/Finance Department – PCI-DSS (Payment Card Industry Data Security Standard) training to be conducted annually for users that handle debit/credit card transactions on the physical campus.
3. HR Department – HIPAA (Health Insurance Portability and Accountability Act) training to be conducted for all new HR employees that have access to benefit information.
4. Registrar Department – FERPA (Family Educational Rights and Privacy Act) training to be conducted annually for enrollment management staff and professional advisors.

Note:
1. University of Arkansas Fayetteville policy and procedure 309.4 was used as a guideline for the initial writing of this policy. This policy was re-written using a compilation of policies from other UA schools in order to satisfy UA System audit requirements.

Enforcement

This policy is enforced by the IT department and by each individual department responsible for its related data.

Policy Management

This policy is managed by the IT department. The IT Director and appointed IT personnel are the primary administrators of this policy. The responsible executive is the VCFA.

Exclusions

None Applicable

Effective and Approved Date

This internal policy was approved by Terry Meadows, Director of IT/CIO, on 3/15/2019.

Last Updated

10/20/2025 – Reformatted for accessibility by Terry Meadows, Director of IT/CIO.