Data Governance Policy
The policy establishes proper standards to assure the quality and integrity of Lanetix data. This policy also defines the roles and responsibilities of Lanetix staff and its agents in relation to data access, retrieval, storage, destruction, and backup to ensure proper management and protection of data is maintained.
1. Background Information
Institutional data is a strategic asset of Lanetix, Inc. (Lanetix) and the appropriate governance for management and use of data is critical to Lanetix's operations. Inappropriate governance can result in inefficiencies and expose Lanetix to unwanted risk. A consistent, repeatable, and sustainable approach to data governance is therefore necessary in order to protect the security and integrity of Lanetix's data assets.
2. Policy Purpose
The purpose of the Data Governance Policy is to:
- Define the roles and responsibilities for different data usage and establish clear lines of accountability;
- Develop best practices for effective data management and protection;
- Protect Lanetix's data against internal and external threats (e.g. breach of privacy and confidentiality);
- Ensure that Lanetix complies with applicable laws, regulations, and standards; and
- Ensure that a data trail is effectively documented within the processes associated with accessing, retrieving, reporting, managing and storing of data.
3. Policy Scope
This policy applies to all institutional data used in the administration of Lanetix and all of its Organisational Units, except data used for the purpose of academic research. This policy covers, but is not limited to, institutional data in any form, including print, electronic, audio-visual, and backup and archived data.
4. Definition and Terms
To establish operational definitions and facilitate ease of reference, the following terms are defined:
Access is the right to read, copy or query data.
Data is a general term used to refer to Lanetix's information, documents and records, which can generally be assigned to one of four categories:
- Public access data: data that is openly available to the general public, such as on the Lanetix website.
- Internal general data: data used for Lanetix administration activities and not for external distribution unless otherwise authorized.
- Internal protected data: data that is only available to Lanetix staff with the required access in order to perform their assigned duties.
- Internal restricted data: data that is of a sensitive or confidential nature and is restricted from general distribution. Special authorization must be approved before access or limited access is granted.
Data Governance Hierarchy outlines the access rights, roles and responsibilities of Lanetix staff in relation to the management and protection of data:
- Data Steering Group is a Lanetix-wide committee, consisting of Senior and Executive Management. This group is responsible for approving the procedures related to the Data Governance Policy. The Data Steering Group also assures appropriate data processes are used in all of Lanetix’s data-related decisions.
- Data Trustee is a member of the Executive Team with planning and decision-making authority for Lanetix's data governance. The Data Trustee is responsible for overseeing the continuous improvement of Lanetix's data governance and management.
Data Management Life Cycle refers to the process for planning, creating, managing, storing, implementing, protecting, improving and disposing of all data of Lanetix (see Appendix 1).
Integrity or data integrity refers to the accuracy and consistency of data over its entire lifecycle.
Member of the Executive is defined as the positions which normally report to either the Chief Executive Officer or a Member of the Executive Team, and which have staffing and supervisory responsibilities.
Quality or data quality refers to the validity, relevancy and currency of data.
Security refers to the safety of Lanetix data in relation to the following criteria:
- Access control;
- Effective incident detection, reporting and solution;
- Physical and virtual security; and
- Auditing and version control.
5. Policy Principles
The following principles outline the minimum standards that guide Lanetix's data governance procedures and must be adhered to by all Lanetix staff:
5.1 Lanetix, rather than any individual or organisational unit, is the steward of all data. The Data Trustee has the responsibility for the management of data. The Data Steering Group is responsible for the overall management of Lanetix's data governance.
5.2 The Data Trustee is responsible for the quality and integrity, implementation and enforcement of data management. Managers are responsible for ensuring effective local protocols are in place to guide the appropriate use of data.
5.3 Access to, and use of, data will generally be administered by the appropriate manager.
5.4 Managers, having determined the category of the data as confidential, will approve access based on appropriateness of the role and the intended use. Where necessary, approval from the Data Trustee may be required prior to authorization of access.
5.5 Managers must ensure the process for the administration of data is in accordance with the Data Management Life Cycle (See Appendix 1).
5.6 Customers, as the data controllers, bear the entire responsibility of ensuring appropriate procedures are followed to uphold the quality and integrity of the data they enter and access.
5.7 Customers, as the data controllers, bear the entire responsibility of ensuring that data records are kept up-to-date throughout every stage of the Data Management Life Cycle and in an auditable and traceable manner.
5.8 Customers, as the data controllers, bear the entire responsibility of ensuring that data is only collected for legitimate uses.
5.9 Extraction, manipulation and reporting of data must be done only to perform Lanetix business:
- Personal use of data, including derived data, in any format and at any location, is prohibited.
- Where appropriate, before any data (other than publicly available data) is used or shared outside Lanetix, verification with the Data Steward is required to ensure the quality, integrity and security of data will not be compromised.
5.10 Data stored in an electronic format must be protected by appropriate electronic safeguards and/or physical access controls that restrict access only to authorized user(s). Similarly, data in hard copy format must also be stored in a manner that will restrict access only to authorized user(s).
5.11 Appropriate data security measures must be adhered to at all times to assure the safety, quality and integrity of data. Any potential or likely breach of this policy, whether intentional or unintentional, must be appropriately escalated within our management chain. Policy breaches can or will result in disciplinary actions, up to and including termination of employment.
5.12 The definition and terms used to describe different types of data should be defined consistently across Lanetix.
5.13 Data shall be retained and disposed of in an appropriate manner in accordance with Lanetix policies.
6. Policy Review
This Policy will be reviewed and updated every five (5) years from the approval date, or more frequently if appropriate. In this regard, any staff members who wish to make any comments about the Policy may forward their suggestions to the Data Trustee or the Data Steering Group.
7. Further Assistance
Any staff member who requires assistance in understanding this Policy should first consult their supervisor who is responsible for the implementation and operation of these arrangements in their work area. Should further assistance be needed, the staff member should contact the Data Trustee or the Data Steering Group for clarification.
8. Appendix 1 - Data Management Life Cycle
The Data Management Life Cycle consists of the following stages: Plan and Design; Capture and Develop; Organize, Store and Protect; Implement; Monitor and Review; and Improve, and/or Dispose.