Chapter 2: Data Governance

The Data Governance policy outlined in this section aims to foster the appropriate use and sharing of institutional data to advance the mission of The University of Texas at El Paso (University).

Access to reliable University data is essential in ensuring institutional effectiveness. This Data Governance policy ensures efficient access to University data and compliance with all University data use and protection policies.

Data Trustees have an obligation to protect data and an obligation to share data with other employees of the University when needed for University purposes, even if the data requested was not originally gathered or developed for that other purpose. Employees will not refuse access to data under their control needed for a University purpose unless there is a compelling reason to prohibit sharing.

University data refers to all data or information held on behalf of the University, created as a result and/or in support of University business, or residing on University Information Resources, including paper and digital records. The Data Governance policy outlined in this section applies to data requests for administrative, evaluation, and other institutional purposes. Guidelines for open records requests for data are provided in Section VII, Chapter 10.5. 

The data request can be made directly to the Data Custodian.  If access is denied by the Data Custodian, a requester may submit a written appeal to the Data Trustee. The Data Trustee must make a decision within five (5) business days. If a decision is not made the request will be deemed approved.  If the first appeal is denied by the Data Trustee, the requester may submit a second appeal, in writing, to the Data Management Committee. The Data Management Committee has ten (10) business days to issue a decision. If a decision is not made within this timeframe, it will be deemed approved.

 If the appeal is denied by the Data Management Committee, with the support of their Vice President, the requester may submit a final written appeal to the Vice President and Chief of Staff of the University.

Confidential Data or other data that is required to be maintained as private or confidential by law may require additional review by the Chief Legal Officer or, in some cases, other responsible offices.  If additional review is required, the Data Custodian will inform the requester of the review to be done and the reason for the additional review.

Allowable data uses vary by situation. However, users should request and use data only within the scope of the user’s University duties as needed to perform their job.  They must follow University standards for data protection to ensure compliance with institutional, system, state, and federal policies, procedures, laws, and regulations. For a detailed classification of University data, please refer to Section X, Chapter 1,  Standard 9.

Data users must follow UTEP’s established procedures for protecting data. Procedures and Standards are available at:  Information Security Office Minimum Security Standards for Data Stewardship, Protection of Digital Research Data, and on the Information Security Office’s Policies Page.

Violations of data governance rules may result in disciplinary action in accordance with applicable University policy.

Chief Data Officer (CDO): The (CDO) ensures security and reduces risks associated with institutional data collected and controlled by the University. The CDO is appointed by the University President.

Chief FERPA Officer: Designated official that ensures protection of educational records in accordance with the Family Educational Rights and Privacy Act (FERPA) as described in Section II, Chapter 6. The Chief FERPA Officer serves as the Data Trustee of student educational records. The Chief FERPA Officer is appointed by the University President.

Confidential Data: Data that has additional protections by law or policy such as Controlled Unclassified Information (CUI), information that is classified as Confidential, Secret, or Top Secret by the federal government, information that is protected under non-disclosure agreements, or Federal Tax Information (FTI).  Confidential Data does not include FERPA-protected Data, enrollment data, or other data routinely handled by University employees.

Data Custodians: Data Custodians have specific tasks associated with data storage and security. Persons and entities employed or performing work for the University, including, but not limited to, staff, faculty, student workers, contractors, and volunteers, can be Data Custodians. Data Custodians are responsible for adhering to all regulations, rules, and procedures associated with their tasks. Data Custodians must notify the Data Trustees of any issues that create operational risk, a compliance violation, or misuse of institutional data, including those not in their immediate control.  

Data Management Committee (DMC): The DMC establishes the principles, rules, and standards for collecting, verifying, and distributing institutional data. The DMC also conducts an annual assessment of the institution’s data needs and makes recommendations for adjustments in policy, procedures, and resources to the President. The DMC also reviews appeals of rulings related to access and use of institutional data. The Chief of Staff and Data Management Officer (DMO) co-chair the committee and include the CDO, Chief Audit Executive, Director of Compliance, Chief FERPA Officer, Director of IRB, Director of Institutional Evaluation, Research, and Planning, and Vice Presidents (or their designees).

Data Management Officer (DMO): The DMO identifies the institution’s data warehouses and establishes procedures to ensure efficient access and appropriate use of institutional data for planning and continuous improvement. The DMO is appointed by the University President.

Data Stewards: Data Stewards, identified as User in Section X, Chapter 1, are institutional employees and representatives with access to institutional data, including documents, reports, spreadsheets, databases, data tools, and data warehouses. Persons and entities employed or performing work for the University, including, but not limited to, staff, faculty, student workers, contractors, and volunteers, can be Data Stewards. Data Stewards should have access to data needed to complete the responsibilities of their role. Data Stewards must have prior authorization or standing authorization to share data controlled by other units. Data Stewards must also be aware of and adhere to all rules and regulations that govern the data they access and use. 

Data Trustees: Senior administrators are Trustees of institutional datasets pertaining to their responsibilities and area(s) of authority. Data Trustees are responsible for establishing a procedure to collect, verify, secure, and allow for the use of data under their control. To fulfill their responsibilities, Data Trustees must be aware of the policies, regulations, and rules that govern the storage, security, and distribution of data under their control. Data Trustees must work with the CDO and DMC to assess and improve the quality, access, and use of data within their control.

FERPA-protected Data: FERPA-protected data are contained within student education records and are subject to privacy protections under the Family Educational Rights and Privacy Act (FERPA).  UTEP’s definition of educational records is provided in the Handbook of Operating Procedures Section II, Chapter 6.

UTEP Information Security Office - Minimum Security Standards for Systems

April 16, 2025