An asset has value, is quantifiable, helps the organization achieve its strategic objectives, and requires specialized skills to develop and maintain it. Data meet all of these criteria. For the value of data to be realized, they must be inventoried, tracked, monitored and maintained, much like the physical assets of an organization. Data which are not managed introduce risk into the organization.
IT governance is the process that ensures the effective and efficient use of IT in enabling an organization to achieve its goals. It provides an overarching structure for aligning IT strategy with business strategy. By following a formal framework, organizations can produce measurable results toward achieving their strategies and goals. IT governance also takes stakeholders' interests into account, as well as the needs of staff and the processes they follow.
IT governance includes:
- Data governance: the deliberate act of formalizing the decision making around data within an organization. It includes the people, processes and structures involved in collecting, managing and using an organization's data.
- Project and portfolio governance: the selection, prioritization and control of an organization’s projects and programs in line with its strategic objectives and capacity to deliver. It includes:
  - Program management: the management of portfolios and projects leading to a strategic goal or outcomes.
  - Portfolio management: the management of multiple related projects within a program.
  - Project management: the management of resources and the application of processes, methods, knowledge, skills and experience to achieve the project objective.
Data ownership and data stewardship are both aspects of data governance. While data governance provides an overarching structure for the formalization of decision making around data, data ownership ensures accountability for specific pieces of data or data sets, and data stewardship encompasses the intentional acts of formally managing data and the processes associated with overseeing, or being accountable for, data.
Stated another way, data management policies and practices are adopted through the overarching data governance structure, data ownership ensures accountability for the data and associated policies and practices, and data stewardship ensures data-related work is performed according to those formally adopted policies and practices.
While each person in the agency who defines, produces and uses data has a certain level of accountability for how data are defined, produced and used, data stewards should be those who are subject matter experts in their respective data domains. Data stewards are recognized, identified, formalized and engaged according to their existing responsibilities.
Yes. Understanding the different types of data within the organization and how each should be managed is key to effective stewardship. By identifying the types of data that exist within the organization, what business or technical role the data plays according to its type, and who is responsible for stewarding the data, an organization is ensuring that all data is being managed appropriately and adding business value. The different types of data that may exist in an organization include:
- Master Data – the core data that is essential to operations in a specific business or business unit. (TechTarget)
- Transactional Data – the information recorded from transactions. A transaction is a sequence of information exchange and related work (such as database updating) that is treated as a unit for the purposes of satisfying a request. (TechTarget)
- Reference Data – the data objects relevant to transactions, consisting of sets of values, statuses or classification schema. An example would be order statuses and their related codes, such as “canceled” and its related code, “CN,” required for reference purposes in an online order system. (TechTarget)
- Metadata – structured information that describes, explains, locates or otherwise makes it easier to retrieve, use or manage an information resource. It is data that provides information about data. (TechTarget)
- Historical Data – collected data about past events and circumstances pertaining to a particular subject. (TechTarget)
Data is owned by the enterprise rather than the individuals, divisions or programs within the enterprise. However, data management and use often fall within the organizational boundaries of specific divisions or program areas, at times spanning multiple divisions or program areas. To ensure data is protected and used appropriately, it is necessary to designate, from divisions or programs, data owners, who are accountable for specific data subject areas, and data stewards, who are responsible for working with data in accordance with adopted policies and practices. Together these roles help ensure accountability for all data within the enterprise.
Assigning data ownership is large in scope. Broad classifications can be used in the beginning and then narrowed down as the organization and its data management efforts mature. For example, in the beginning perhaps ownership of all finance-related data is assigned broadly to the chief financial officer. However, as the organization begins to better understand the many ways finance data is collected and used, ownership may be parsed out to other departments or to specific offices within the Finance department, depending on who the subject matter experts are and the primary uses of the data. Data-related accountabilities may be tied to different levels of granularity of information such as:
- Content units (used in documents, web displays, reports, etc.).
- Data feeds.
- Data records.
- Raw data.
- Domains of data (for example, all data related to customers).
- Usage-related collections of data (for example, all fields appearing on a certain report, or all fields included in a compliance mandate such as HIPAA, HMDA or Sarbanes-Oxley).
- Specific data entities (for example, within a data feed, an entire customer record, including the customer’s ID, name and all related data).
- Data attributes (for example, only a certain preference flag within a customer record).
Yes. Data steward responsibilities should be tied to data-related processes and data flows as well as data quality and use. This ensures that data is handled appropriately, according to the policies and practices adopted, defined and documented by the data governance program. Data that is protected throughout its lifecycle (from creation through use and eventual archival or destruction) adds value to the organization and helps achieve strategic business goals. Alternatively, data that is mishandled because data processes are not defined and data flows are not understood is detrimental to the organization.
Yes. Some organizations base accountabilities on related data sets, such as data requiring compliance with certain laws, like HIPAA or the Home Mortgage Disclosure Act (HMDA). They put teams in place that are responsible for finding the data wherever it exists in the system, specifying rules for how and when the information is used and shared, and making sure those rules are followed.
Access to data should be assigned based on an individual’s role in the organization. Data should be classified based on privacy restrictions imposed by legal mandate or rule and/or organizational policy. Access to data should be granted based on those classifications and limited to only those who need access to fulfill their job requirements. The data classifications assigned should inform all decisions regarding data access, including who may have access to data; how individuals may access data; and how individuals may share and/or transport data.
Data use should be driven by business needs. The appropriate use of data should be overseen and defined by data owners. Data stewards provide guidance and guidelines to data users to ensure data is protected and represented accurately when it is used.
Metadata is information about data, technical and business processes, data rules and constraints, and logical and physical structures of the data used by an organization. When metadata is documented and made available, it allows data to be understood, located, verified, traced and consistently used and reused. By providing key information about an organization’s data, metadata allows data users to interact productively with the data assets, functions, processes and systems of an organization.
The short answer to this question is ALL data elements should be governed at the enterprise level. However, this is not practical for most organizations, particularly those new to governing data. Therefore, a manageable place to start is with those data elements that are deemed critical for business operations, decision-making and reporting purposes.
To determine which data elements are critical, it is necessary to engage subject matter experts within each line of business and organizational support function to identify the key business processes and their associated critical data elements. The focus can then be on governing this set of enterprise-critical data at the enterprise level rather than trying to boil the ocean.
Business needs drive data needs which, in turn, drive technology needs. Because the business roles within an organization are often subject matter experts with a deeper understanding of data, its definition and usage, as well as decision support, risk management and reporting, those roles should be central to the design and implementation of a data governance structure. These subject matter experts are aware of the ramifications of data quality issues on decision-making and the organization's ability to fulfill its mission; therefore, they should hold the responsibility of being data owners and data stewards. Technology and operations teams, on the other hand, function as data custodians. This is a trusted advisor and implementation role which ensures that the right systems, infrastructure and processes are in place to support and sustain data governance.
Once data quality issues are identified, a living document should be created to log and track them as well as recommended solutions, related rules and statutes, and necessary implementations for resolving the issue.
Organizations sustain data governance over time by building a structure that is reliant on formalized processes and documented procedures that are embedded in the organization's data culture, rather than on specific people. This is achieved by implementing a governance model, assigning roles and responsibilities, and rolling out organization-wide standards and policies related to data. Additionally, ensuring an appropriate escalation mechanism is in place and followed, proactively monitoring compliance with standards and policies, and communicating the value of the program to all stakeholders are key to program maturation over time and ultimately long-lasting success.
Data Sharing Agreement
The DSA is an agreement signed by nine Oklahoma state agencies which outlines the general terms and conditions for an exchange of data between state agencies or entities. It also includes a “Schedule A” form to outline the details of a specific data exchange or data exchange project. Use of the DSA provides a secure, streamlined method for sharing data among agencies.
- Department of Human Services
- Department of Corrections
- Office of Juvenile Affairs
- Health Care Authority
- Commission on Children and Youth
- State Department of Health
- Department of Rehabilitation Services
- State Department of Education
- Department of Mental Health and Substance Abuse Services
To provide a more efficient and effective way for participating agencies to share data as authorized by Oklahoma or federal law and regulations.
The DSA process provides a streamlined way for participating agencies to share data, in accordance with state and federal laws, without undertaking a lengthy legal review process for each specific data exchange requested.
It is an incorporated attachment to the DSA, used to document and provide detail about a specific data sharing project or exchange. A completed form is subject to all of the applicable provisions of the full DSA. Copies of the signed form are maintained by each participating agency with a copy sent to the firstname.lastname@example.org.
The “Deliver Interoperable Solution Components Utilizing Shared Services (DISCUSS)” Committee is an Oklahoma Health and Human Services (HHS) Cabinet level advisory body. DISCUSS is organized by the Secretary of Health and Human Services in collaboration and under the authority of the State of Oklahoma Chief Information Officer. The role of DISCUSS is to champion large IT and shared interoperability services efforts among Oklahoma HHS Cabinet agencies.
Goals of DISCUSS include:
- To assist OMES-IS by ensuring information technology initiatives are based on State and Agency business strategies and requirements;
- To collaboratively share resources for the development, purchase, and implementation of information technology products, services, and technology frameworks; and
- To review and provide direction for HHS IT and shared services projects.
DISCUSS provides direction and review for HHS IT shared services projects and provides a central repository for completed “Schedule A” forms.
The Schedule A form should be signed by authorized agency representatives for each participating agency that elects to exchange data under the terms of the DSA. Signers may include the agency IT strategist, data stewards, or a member of the agency’s legal team.
DSA partners who wish to share data should include information relating to their specific data sharing project or initiative. This may include:
- Purpose of the data exchange
- How the shared data can be used
- Agency names
- Points of contact for participating agencies
- Information being requested
- Data variables being exchanged
- Confidential/secured manner to transport data
- Manner of storing data
- Tracking of released data
- Termination of schedule and return of data if applicable
The DSA or Schedule A may be modified at any time by written consent and may be terminated with a 30-day written notice by the terminating agency to the participating agencies.
The DSA does not modify existing data sharing agreements. However, Schedule A forms could be used to detail agreed upon changes, if so desired by the participating agencies.
Agencies may not divulge, disclose or communicate in any manner any data covered by the DSA to any third party without prior written consent of the other agencies participating in the DSA.
Whenever a determination has been made that any term of the DSA or related rule, procedure or policy has been violated or reasonably appears to have been violated, the agency(ies) providing data must immediately suspend furnishing the data described in the associated DSA Schedule A form.
Immediate actions must be taken by the agency(ies) pursuant to 74 O.S. § 3113.1. In the event unencrypted personally identifiable information was acquired, or is reasonably believed to have been acquired, by an unauthorized person, the affected agency must immediately notify the owner or licensee in writing about the breach.
The DSA is not enforceable by law and does not attempt to provide modification of any laws or regulations. The DSA does not create any rights, and each agency is responsible for compliance with all applicable laws and regulations in the sharing of its own data.
There is no provision under the current DSA for additional partners to participate. However, other agencies are free to use the DSA as a template.
While the DSA does include some language commonly used in BAA or QSOA, such use may require a research data use agreement or Institutional Review Board.
No, because the Schedule A is an incorporated part of the overall agreement and is subject to all of the applicable provisions of the full DSA.
Contact the legal department of your state agency or of the participating agencies if you have questions about the implications of the DSA or to obtain a list of the current Points of Contact assigned to a DSA data exchange.