Service Description
The Data Governance Oversight Group (DGOG) provides guidance and consulting on appropriate uses of University (Enterprise) data, classification questions, direction to authoritative sources of specific data, training on data governance responsibilities, and other University Data-related topics.
Additionally, the DGOG handles or facilitate requests for review or approval of certain data uses (procurement of new software or IT services, development of campus systems, changes to data inclusion or use for existing systems, new use of regulated data such as SSN, or other activities implicating mainly sensitive (Tier 2/3) information that require specific review.)
Some requests for specific data from campus sources for unit-level reporting, and guidance on unit self-reporting/dashboard activities can also be handled through the DGOG (see Data Governance at UNC for resources and guidance and for more detail).
If you are not sure where to go for help with a University Data question, the DGOG is available as a way finder and guide. The DGOG has five service offerings tailored to various needs.
Find and Request Data – Use this if you are requesting data that you do not already have access to. This is the best option if you are looking for a report or for raw data. If you want to set up an integration between two platforms so that you can transfer data from one to another please select the “Other Review” service offering instead.
- Review of Purchases – Use this if you need a data governance review for a vendor or a tool that you are buying. This is the best one to select if a vendor is providing a service for you, you are purchasing a new piece of software, you are renewing a contract for software or services from a vendor, or you are engaging an independent contractor. If you know you also need a risk assessment, this is the best service offering to select.
- No SI Purchases – This service offering replaces No SI DPCs. Use this if you are making a purchase of an IT or data-related application, system, product, or service that does not have any sensitive information (Tier 2 or Tier 3) in scope. This service offering will route to your Senior Level IT Administrator for approval.
- Other Review – Use this if you need a data governance review, but you are not spending any money. Some common examples are: you are adding a plugin to an existing system, you are changing the scope of sensitive information in an existing system, you are making a major change to access to an existing system, or you are building a homegrown tool.
- Platform Plugins – This request is for IT staff with users in their unit who want to make 3rd party application integrations or plug-ins with an existing platform at the University, such as Microsoft 365 applications, Zoom, Canvas, or any other IT service “platform.” Please be aware that plug-ins that do the same things as features already in the platform or other plug-ins that have already been approved for us are not going to move forward.
This request will initiate the required reviews. The technical support team for the platform will do an analysis, the Information Security Office will do a risk assessment, and any other required reviews will occur.
In most cases a data protection agreement (DPA), and a negotiated license with the vendor will be required. Plug-ins to Microsoft 365, Zoom, and other platforms containing Protected Health Information are likely to require a Business Associate Agreement (BAA).
This is a resource-intensive request that must be handled by multiple (busy) groups and is likely to take two or more months.
Please note a 3rd party “plug-in” is any application (add-in, plug-in, connector) that connects to your platform account that is not part of the standard list of applications and/or features of that platform (like OneDrive, Teams, Zoom AI, etc.) offered through our contract with the platform vendor.
- Ask a Question – Use this if your needs do not fit any of the three options above. Some examples: asking a question purely out of curiosity; need help determining the tier of your data; looking for an existing application/system/IT tool that meets your needs. If you are asking “Do I need a review?” it is best to instead select one of the two review options.
- Contract Review – Use this if you need support from the Information Security Office or the Data Governance Oversight Group with reviewing a contract.
Audience
Employees
Requirements
Platform Plugins
These requests should be submitted by platform support or unit IT staff. If submitted by anyone else, a unit IT staff member should be listed as the responsible party on the request (consult with them first!).
Documentation
User/Customer Responsibilities
- Provide the best information available related to your request. Not all questions on the Service Request apply to your situation. You may provide as much or as little information as you choose in the initial request.
- Do not include any sensitive information of any kind in your service request! (A fulfiller will contact you if it’s necessary to communicate any Tier 2 or 3 information related to your request, simply note that you need to supply SI but do not attach or include it).
- Respond promptly and thoroughly to follow-up communications, provide the documentation or information needed to give you a response to your request.
Out of Scope
- Requests reporting data breach or other security incidents.
- Requests handled through specific offices of the University (see Data Governance at UNC for references to other types of data oversight and compliance and how to access those resources.)
- Requests for user access to specific systems (see the specific service/system which should have access provisioning methods available).
Other Important Info Worth Noting
DO NOT SUBMIT REPORTS OF KNOWN OR SUSPECTED DATA BREACH OR OTHER SECURITY INCIDENTS. If you believe that University Data may have been compromised, please call 919-962-HELP and ask for a critical response from a Security Analyst. Other information about reporting data malfeasance is available through the Office of Ethics and Policy or specific offices with responsibility for the data you are concerned with.
Platform Plugins
User/Customer Responsibilities
- Users will adhere to all policies and procedures that pertain to email, sensitive data and the use of UNC-provided software licenses.
- Users will contact the ITS Service Desk to report incidents and problems within the supported environment.
Out of Scope:
- Office 365 applications not provided by the University license.
- Client issues are to be handled by departmental support staff and/or Service Desk until systemic issues are found.
Documentation
See more at Datagov.unc.edu, safecomputing.unc.edu, and privacy.unc.edu
Expected Delivery
More than 2 weeks.
Platform Plugins - Several weeks.
Keywords
report, steward, privacy, security, access, vendor, procurement, third party, DPC, protection, DGOG, use agreement, BAA, PCI, PII, personally identifiable, HIPAA, release, PHI, advice, research, analysis, Tier, protected, CERTIFI, custodian classification, FERPA, Legacy, risk
Support
Request support at any time. Service is monitored during weekdays. If you suspect a security or other data issue please do not report that in this form. Call the Service Desk and request a critical ticket to a Security Incident Handler.
Hours of Operation
8:00am-5:00pm M-F only