Data management strategy

We aim to enable data planning and governance to effectively manage university data as an asset, ensuring that data is collected, created and processed in a compliant manner that is also in the best interests of the wider University.

Overview

  1. The University acquires, creates and retains data in a variety of digital and non-digital formats. It also holds personal data and special category (sensitive) data about data subjects, including patients, so must comply with the provisions of current data protection legislation.
  2. It recognises that there needs to be a balance between its:
    1. Public accountability and transparency in its governance
    2. Compliance with regulatory obligations including data protection legislation
    3. Need to protect both the personal and commercially sensitive confidential information it holds.
  3. The University has implemented a data management strategy to ensure that data is collected, created and processed in a compliant manner in the best interests of the wider University, supports its organisational strategy and informs the design and development of its technical architecture and business processes.

Strategic aims

This strategy is underpinned by the following eight guiding principles:

Data, in all forms, is recognised as a University asset

Data is managed as a corporately owned asset with clear governance processes to control its processing and retention.

All data should be identifiable

Data is identified, findable and managed in a structured manner and labelled and recorded in a consistent and logical fashion.

Confidence in the reliability and quality of the data is maintained throughout its lifecycle

The University holds timely, accurate and reliable data in order to manage activities and meet internal and external requirements to enable it to demonstrate accountability through accurate reporting.

Data will be governed appropriately throughout its lifecycle in relation to its purpose

Data is assigned to a designated information asset owner (IAO). It must be kept secure and personal data must only be processed under appropriate, usually limited, conditions in compliance with data protection legislation.

Data is held in compliance with the University’s regulatory obligations including data protection legislation

Data is kept secure and personal data must only be processed under appropriate, usually limited, conditions in compliance with data protection legislation. Data subjects are able to exercise rights in respect of their own personal data.

All data processing changes are subject to control

Implementing and codifying the measures to be taken when making changes to the processing of data is vital to ensuring that the significant remedial work required to establish the right conditions for success does not have to be repeated in the future. Change control is a vital component of effective data management.

All data will be ultimately governed by the Executive Board with guidance from DISC

Governance structures for data are now in place with an appropriate data information security steering committee (DISC).

The level of rigour is proportionate to the risk

The University’s Information Assurance Strategy will inform data requirements. This Data Management Strategy will ensure that the data collection, processing and sharing meets the needs of the University and effectively supports its mission.

Objectives

  • University data is managed as an increasingly important corporate asset and potential source of competitive advantage, and is better protected and exploited.
  • The use of data benefits, or is linked to, the achievement of the University’s goals and strategy.
  • There is an understanding of data usage and flows against purposes, and the data lifecycle is managed.
  • Accurate management data is provided to enable effective university decision making.
  • The IT Data Security Strategy is embedded.

  • The University is compliant with all current and emerging information compliance rules including the data protection legislation.
  • Categories of access to data are defined on a least-privilege/need-to-know basis.
  • Data rights are able to be successfully fulfilled.

  • The University is compliant with data protection legislation in that the personal data it holds is accurate and that inaccurate data is rectified or erased without delay.
  • Accurate external returns are submitted to ensure maximisation of funding opportunities.
  • The funding requirements for the Office for Students and research grant requirements from private and public funders are met.

  • The University culture will become more data driven with generally enhanced data management capability across the organisation with an increase in the number of data specialists in key areas.
  • A community of clearly defined data management roles has been established and is maintained.
  • The community of appropriately trained and supported information asset owners (IAOs) ensures that enterprise data and other strategically important data held locally is managed for strategic, not local, purposes.
  • The role and responsibilities of the IAOs are defined.
  • Data will be managed appropriately.
  • Guidance for IAOs on how to manage the data within their areas has been developed.
  • Appropriate resourcing, training and organisational conditions are in place to ensure that they can operate effectively.
  • Gaps in current resource and necessary university support to address them have been identified.

  • Data held within university systems and other networked locations has been identified and highlighted where personal data is stored.
  • Data that the University holds and its use is automatically identified and discoverable.
  • There is an understanding of data usage and flows against purposes, and the data lifecycle is managed.
  • Interfaces, data flows, data modelling of systems and architecture support identification and management of data.
  • Data will be classified according to the data risk categories.
  • The management of data retention and governance is automated where appropriate.
  • Data is disposed of/archived appropriately.

  • The University’s plans for the development of its technical architecture are driven by the Information Assurance and IT Data Security strategies, and any changes will be properly controlled to reduce data compliance risk.
  • The criteria for managing and risk assessing change to the way data is handled and processed are developed and embedded.
  • Changes to the way personal data is processed will follow the privacy impact assessment/data protection impact assessment process.

  • The Data Information Security Steering Committee (DISC) will oversee the design and implementation of the overarching Information Assurance Strategy, this strategy, IT Data Security Strategy and any subsequent data management.

  • Data risk categories are clearly defined.
  • Data is automatically and appropriately classified, tagged and protected according to its risk category.

Contact us

Address
Information Compliance Unit
Floor 8, Senate House
University of Surrey
Guildford
Surrey
GU2 7XH