| Topic: | Financial and Operations |
|---|---|
| Approval Authority: | Board of Governors |
| Approval Date: | December 1, 2025 |
| Effective Date: | January 1, 2026 |
1. Purpose
York University ("the University") is committed to the effective management and use of Data in support of its academic, research, and administrative activities.
This Policy establishes the governing rules, standards, roles, and responsibilities for Data usage at the University, in alignment with the University's Data Governance Framework. It lays the foundation for the successful operationalization of the University’s Data and Analytics Strategy and practical aspects of Data Management.
This Policy aims to achieve the following objectives:
1.1. To ensure that Data is recognized as a valuable institutional asset and governed according to established frameworks, policies, and guidelines.
1.2. To establish clear ownership of Data and formalize Data-related roles and responsibilities.
1.3. To promote a culture of responsible and skillful Data use as an integral part of institutional assessment, planning, and management practices.
1.4. To improve Data accessibility and usability across the University to achieve more effective decision-making.
1.5. To enhance Data quality and integration to ensure Data collected and used by the University is accurate and reliable.
1.6. To standardize Data definitions and formats for consistency and accuracy across departments and systems.
1.7. To mitigate Data security risks and privacy concerns.
2. Scope and Application
2.1. This Policy applies to University Employees and any third-party or other University affiliates who are authorized to access Data.
2.2. This Policy applies to the collection, storage, management, utilization and disposal of Data, and to the exchange, transfer, storage, and disclosure of Data between or by individuals, units, departments, or organizations, including external contractors, vendors, partners, or affiliates who access Data pursuant to agreements with the University.
2.3. This Policy covers all Data, regardless of its form, medium, or location, with the exception of Research Data which is managed by other relevant policies and procedures.
2.4. This Policy should be read in conjunction with the University’s associated policies, procedures, guidelines, and any relevant and applicable legislation, and any other policy that may become applicable and/or relevant.
3. Definitions
Data: for the purpose of this Policy, Data refers to Institutional Data, which includes all quantitative and qualitative information that is collected, stored, managed, analyzed, and utilized across various functions and activities of the University. Institutional Data encompasses any Data that is owned, licensed, or otherwise under the control of the University, including University administrative records and information associated with teaching and learning. This Data may appear in multiple formats and states, such as raw, aggregated, processed, analyzed, structured, semi-structured, or unstructured.
Data Asset: any entity comprising of Data from which value may be derived. A Data Asset may be a system or application output file, database, document, dashboard, web page, or another artifact.
Data Domain: a specific category or subject area of Data within the University. It is a broad area of Data that contains a set of similar or related Data Elements, such as student Data, financial Data, and human resources Data.
Data Element: a fundamental unit of information that represents, defines, or records a specific attribute, fact, or concept. A Data Element may be a field in a database, a column in a spreadsheet, or a property in a data object, which individually or collectively contributes to the understanding and interpretation of a Data Asset.
Data Governance: a function that outlines policies, processes, and roles and responsibilities to ensure the effective and ethical management of Data across the University. These standards are articulated in the Data Governance Framework, which outlines a system of decision rights and accountabilities for Data-related processes.
Data Management: a function that creates and implements architectures and processes to manage the full Data lifecycle needs of the University. This includes Data collection, storage, integration, security, quality, and usage to ensure that Data is accurate, accessible, and usable for decision-making and operations.
Data Sharing: the exchange, transfer, or disclosure of Data among different individuals, units, departments, or organizations.
Data Sharing Agreements: formal contracts or documents that stipulate the terms and conditions under which Data is exchanged, transferred, or disclosed.
Data Sub-Domain: a subset or a specific aspect of a Data Domain. It is a smaller, more specific area of Data that is part of a larger Data Domain, such as student profile Data, student advising Data, and student athletics Data.
Employee: any person who performs work or services for the University in exchange for wages.
Metadata: structured, descriptive information about Data Elements and Data Assets that provides context, facilitates understanding, and enables effective management, discovery, and usage of the Data Elements. For example, for a “Student ID” Data Element, the Metadata might include a definition and a validation rule. For Data Assets, like the University’s Student Information System, the Metadata records ownership and creation dates, among other descriptive information.
Principal Data: the identifiers and detailed attributes that describe the core entities of the University. It represents the core information that is essential for the University's operations and decision-making processes. Principal Data includes information about students, alumni, staff, faculty, academic programs and services, organizational and financial structures, and physical space.
Reference Data: the sets of predefined, permissible values or categories that are used within the University’s systems and databases to classify, organize, and ensure the consistency of Data. It provides context and structure to transactional and operational Data, enabling accurate Data interpretation, reporting, and analysis. Reference Data includes country codes, currency codes, and program classification codes.
Research Data: Data produced as a result of research activities. Research data may be experimental, observational, operational, third party, public sector, monitoring, processed, or repurposed. This includes research proposals, publications including articles, conference papers, reviews, books and book chapters, Data sets, laboratory records, patents, and any other documented findings or innovations generated through research efforts.
4. Policy
4.1 Data Ownership
Data generated and collected by the University is an institutional asset that is governed according to established policies and frameworks. Each Data Asset must have a designated Data Trustee and Data Steward who are responsible for ensuring that the Data Asset is accurate, reliable, and relevant to the University's mission and goals.
4.2 Data Quality
a. Data should be accurate, complete, timely, and relevant to the University's needs.
b. Principal and Reference Data must be consistently defined and maintained to ensure the accuracy and integrity of Data throughout the organization.
4.3 Data Definition
Data Elements will be clearly defined to ensure that Data is usable, accurate, and consistently described.
4.4 Data Classification
Data must be classified according to its sensitivity and importance to the University. Classification categories, established in the Information Security Classification Standard, determine the appropriate access, transmission, storage, and destruction of Data.
4.5 Data Access and Sharing
a. Access to Data must be authorized in accordance with the Information Security Classification Standard and be consistent with other relevant university policies and procedures.
b. Data Sharing must be authorized based on operational and strategic needs, ensuring appropriate protection, use, and destruction of shared Data in compliance with applicable laws, regulations, and ethical standards.
c. Data should be securely shared among Employees whose work can benefit from Data availability, across departments, unless restricted by University policies or provincial or federal regulations.
d. Data Sharing Agreements are required where appropriate for sharing Data with external parties and in other special circumstances. These agreements must set standards for the protection, appropriate use, and destruction of shared Data, and must receive approval from the relevant authority.
4.6 Data Retention
Data must be retained only as long as necessary to fulfill its intended purpose, in compliance with the Common Records Schedule, Information, Privacy and Copyright Office policies and procedures, and legal and regulatory requirements.
4.7 Data Security
Data must be protected against unauthorized access, use, disclosure, alteration, or destruction in accordance with the Information Security Policy and Information Security Classification Procedures.
4.8 Data Privacy
The collection, use, retention, and disposal of Data must be in compliance with the University’s Policy on Access to Information and Protection of Privacy and other legal and regulatory obligations and should adhere to higher education institutions and other best practices where possible.
4.9 Data Ethics
Data will be collected, used, and shared in an ethical manner, consistent with the University's mission, values, applicable ethical standards, and principles.
4.10 Reporting
Reporting mechanisms will track the usage, quality, and security of Data Assets where possible.
4.11 Violations of Data Governance Policy
Any Data User who violates the University’s Data Governance Policy may have their Data access terminated. Violations of applicable statutes or laws may result in disciplinary or legal action.
5. Roles and Responsibilities
The roles outlined below contribute to promoting a culture of Data-informed decision-making at the University and to the operationalization of York’s Data and Analytics Strategy.
5.1 Data Trustee
The Data Trustee is a senior leader accountable for the Data in a specific and bounded Data Domain. Their responsibilities include:
- Setting strategic direction and governance for Data within their Data Domain in alignment with the Data and Analytics Strategy, ensuring that the University has adequate policies, processes, and practices in place to support its information needs.
- Overseeing Data Management practices within their Data Domain, including promoting proper access, accuracy, privacy, integrity, security, and availability of the Data.
- Making decisions about the authoritative sources of Data within their Data Domain.
- Authorizing Data Sharing Agreements.
- Approving Data definitions and classifications.
- Ensuring that their designated Data Stewards and their teams have the necessary Data Management tools and training, and appointing Data Stewards to manage specific Data Sub-Domains.
5.2 Data Steward
The Data Steward is a senior manager responsible for the Data in a specific and bounded Data Sub-Domain. As experts on the Data within their Data Sub-Domains, their responsibilities include:
- Overseeing and managing the integrity, quality, and relevance of Data Assets, including setting standards for Data collection and validation.
- Establishing and maintaining procedures for Data Sharing and Data access, including evaluating requests for access to Data in their Data Sub-Domain.
- Overseeing Data lifecycle procedures, including acquisition, storage, classification, retention, and disposal of Data within their Data Sub-Domain.
- Leading and approving Data definitions and classifications.
- Ensuring the proper use of Data within their Data Sub-Domain and providing necessary training and documentation to relevant Data Users.
5.3 Data Custodian
The Data Custodian handles the technical management, Data quality, and security within a specific system. Their responsibilities include:
- Implementing Data lifecycle procedures, including the acquisition, storage, classification, retention, and disposal of Data within their system.
- Maintaining Data quality and integrity within their system.
- Ensuring consistent application of Data security and privacy considerations within their system, including managing access to Data and ensuring solution designs adhere to security policies and architecture principles.
- Working with Data Stewards to establish and promote policies, guidelines, and procedures for the responsible management of Data.
5.4 Data User
A Data User is any individual who accesses or uses Data, including Employees, contractors, partners, and affiliates. Their responsibilities include:
- Using Data only for official University business.
- Maintaining confidentiality of Data and complying with University policies, guidelines and procedures, and applicable laws, regulations, and ethical standards.
- Possessing the necessary skills to work with Data effectively and ensuring accurate Data presentation.
- Consulting Data Stewards for guidance on Data use and reporting any Data security or quality concerns to the appropriate Data Steward.
6. Review
The University will review the Data Governance Policy every two (2) years, or as necessary to ensure compliance with legislation or statutes, or when it is deemed necessary in the best interests of the University. The Chief Data Officer is responsible for initiating and overseeing the review and update process.
| Legislative History: | Approved by the Board of Governors 2025/12/01 |
|---|---|
| Date of Next Review: | December 2030 |
| Related Policies, Procedures and Guidelines: |
|