University of Pittsburgh Institutional Data Review Committee Charter

1. Preamble

This Charter establishes the University of Pittsburgh Institutional Data Review Committee (IDRC). It is authorized by the Vice Chancellor and Chief Information Officer (VC/CIO) upon the recommendation of the Information Technology Advisory Committee, and will serve at the VC/CIO’s discretion. This Charter outlines the purpose, relevant background, scope, responsibilities, composition, and operations of the Committee.

2. Background and Purpose

Institutional Data is a critical University asset and consists of all data (excluding research data) generated as work product created, stored, sent, or received by any and all members of the University community. Institutional Data is generated throughout the University and is collected, stored, managed, and analyzed on a wide range of University enterprise and departmental computer systems and is controlled by a large number of data stewards, whose positions place them in the position of deciding for what purposes, when, and by whom the Institutional Data for which they are responsible may be used. Without central guidance, data stewards must develop their own standards for making important decisions about Institutional Data. Use of this data is hampered when standards conflict or are too restrictive.

To address these problems, the Data Governance Subcommittee (DGS) of the Information Technology Advisory Committee (ITAC) made two important recommendations, which were endorsed by the ITAC on May 12, 2022. The first recommendation is to adopt a set of Data Principles and Values (Appendix) to guide the University community in making decisions about Institutional Data. The second is to establish a data governance team, now called the IDRC.

3. Responsibilities

The specific responsibilities of the IDRC are to:

• Create and maintain standards and procedures to be followed by all members of  the University community for collection, storage, use, and management of Institutional Data.
• Work with Pitt Information Technology to design and implement a mechanism by which members of the University community and data stewards can apply online for data use permissions in situations where use cases fall outside the guidelines already established by the Committee.
• Review, in consultation with relevant University data stewards, requests for access to Institutional Data not already covered by the University’s Federated Authorization process at: https://technology.pitt.edu/services/federated-authorization-community.
• Review requests involving Institutional Data that fall outside established data access request process and/or outside the Data Values and Principles. The Committee will consult with relevant offices such as the Office of University Counsel where needed to ensure that the requested use also conforms to applicable policies, laws, and regulations and will communicate its decisions to requesters in writing.
• Establish an appeals process to reconsider previous decisions in light of new information submitted by the requester in support of any application which the Committee has rejected.
• Engage the ITAC and its Data Governance Subcommittee for advice on adjustments to the Data Values and Principles identified as desirable through the Committee’s efforts.
• Communicate the Data Values and Principles, standards, and procedures to the University community via public website.

4. Composition:

Membership will initially include data stewards from major operating areas of the University, members of the University Offices of Compliance and Investigations, Internal Audit, University Counsel, and other administrative offices as appointed by the CIO. Members will serve two-year renewable terms.

5. Operations

The Committee will meet as often as needed to carry out its responsibilities, but at least once per calendar quarter.

6.  Amendment and Termination

Any amendments to this Charter must receive the endorsement of the ITAC and the approval of the CIO or designee.

This Committee will be re-evaluated within one year after the date of this Charter’s approval unless otherwise directed by the CIO.

This Charter was endorsed by the ITAC and approved by the VC/CIO on June 11, 2023.

[Signature]

Appendix: Institutional Data Principles and Values

The purpose of this “Principles and Values” statement is to offer practical guidance to people with data practice roles or responsibilities at the University of Pittsburgh, with respect to whether, when, where, and how to acquire data, to store and preserve data, and to access, apply, and use data. The statement refers to data practices collectively as the “data lifecycle.”

“Data practices” means designing, implementing, managing, and continuing to oversee collecting, gathering, storing, using, and accessing data. The statement is intended to inform decision making as to data practices throughout the data lifecycle. It is not intended to dictate answers to specific questions of procurement, system design, or implementation, although data practices may implicate questions of those sorts.

The statement is directed to data practices at the University of Pittsburgh with respect to what the University refers to as “institutional” data. “Institutional” data practices means collecting, storing, using, and accessing data that is generated by “institutional” activities, such as student admissions, student advising, transportation, housing, finance, institutional advancement, and employment, or that is accessed for related “institutional” purposes.

The phrase “institutional” data distinguishes data practices in institutional settings from data practices in research settings and from data practices in teaching settings. Boundaries that separate those spheres of activity are not always clear, and they are not necessarily static. The statement should be applied and used pragmatically, with an eye to its spirit and functional utility, rather than formalistically.

Data practices, including access to data and data use, should be subject to systems or processes for ensuring compliance with these Principles. Individuals requesting data access or use should not play roles in deciding whether compliance is adequate.

Principles and Values

Each principle is stated at a relatively broad level of generality and is followed by one or more practices to illustrate how the principle should be implemented.

The University of Pittsburgh will:

1. Promote beneficial and valuable data practices throughout the data lifecycle.

• Best practices:  Everyone responsible for data practices, including their groups and organizations, should adhere to best and responsible practices as to data collection, curation, interpretation and use (e.g., validity, reliability, replicability).
• Specificity: Data practices should have clearly defined present or potential social value.
• Clarify and weigh stakeholder interests: Institutional interests, including economic and reputational interests, and interests of members and constituents of the institution should be clearly identified. Where the interests of members and constituents are inconsistent with the institution’s interests, greater weight should be given to the interests of members and constituents.
• Connect value to stakeholders: Data practices should link assessments of value to identified stakeholders and/or stakeholder interests.

2. Promote informed choice and consent with respect to data collection and use.

• Disclosure: Before data about them is collected, and if conditions change, then throughout the data lifecycle, people should be provided with full, fair, clear, and understandable information about the character of the data to be collected, the purposes of the data collection, and the benefits and expected harms (if any) associated with associated data practices. Data practices should be disclosed to people specifically, in context, rather than as part of blanket or broad disclosures.
• Consent:  People should be provided with fair and appropriate opportunities to consent to, or to refuse, collection of data about them or that relates to them.
• Withdrawal of consent:  People should be able to change their minds and opt in or out of future data collection and, where possible, to opt out of future uses of previously-collected data.

3. Promote personal privacy through its data practices.

• Privacy in context:  Personal privacy should be protected on a contextually-appropriate and fair basis from intrusion, leaks, and/or disclosure through multiple strategies, including de-identification, aggregate reporting, and access being provided on a need-to-know basis when individual data points or results are being generated, used, or reported.

4. Promote fairness and equity in and through its data practices.

• Distribute benefits and burdens equitably:  Benefits and burdens or harms of data practices should not be borne disproportionately by any individual, group, unit, or subset of the University community without sound justification for that disproportionate treatment, and no person and no group should be targeted for data collection or analysis without sound justification.
• Clarify and weigh stakeholder interests: Institutional interests, including economic and reputational interests, and interests of members and constituents of the institution should be clearly identified. Where the interests of members and constituents are inconsistent with the institution’s interests, greater weight should be given to the interests of members and constituents.

5. Promote diversity and inclusion in and through its data practices.

• Diversity in society:  Data practices should ensure that data are representative of the population(s) to which data analysis is applied.
• Diversity in policymaking: Representatives of the range of members and constituents of the University, including those who are data sources, should participate in making and implementing policies and procedures concerning data practices.
• Diversity in determining access and use:  Representatives of the range of members and constituents of the University should participate in determining who has access to data and for what uses or applications,  not only in the establishment of policies and procedures.

6. Promote transparency in and through its data practices.

• Policies:  Policies governing processes at each stage of the data lifecycle should be clear, understandable, documented and publicly accessible.
• Practices:  Practices not rising to the level of formal policies likewise should be clear, understandable, and documented.
• Descriptions:  Documented policies and practices should identify or direct responsible individuals to identify and document the data being collected, accessed, or analyzed; how the collection, access, or analysis is conducted; the purposes of the collection, access, or use (including its duration); and the justification for the collection, access, or use, including specification of relevant benefits and burdens or harms.
• Oversight:  A process or processes should exist whereby individuals not associated with relevant data practice decisions oversee compliance with relevant data policies and practices and coordination with other potentially relevant policies and practices. Those include policies related to intellectual property law or to confidentiality mandated by law or by responsible scientific practice.

7. Ensure data security and data integrity in and through its data practices.

• Security throughout the data lifecycle:  Best and responsible practices should be followed to ensure the security and integrity of data and analyses based on data throughout the data lifecycle.
• Policies and practices:  Policies and practices to anticipate and respond to intrusions, threats, and/or security breaches should be developed and documented, and responsible parties with adequate authority should be charged with implementing them and ensuring that appropriate reporting and remediation occurs.
• Remediation: Data breaches must be reported promptly to individuals with both the authority and the responsibility for mitigating associated harms.

8. Avoid or mitigate the harms of bias in and through its data practices.

• Types of bias:  Bias—including but not limited to bias based on disability, race, color, religion, national origin, ancestry, genetic information, marital status, familial status, veteran status, sex, age, sexual orientation, or gender identity and expression—should be avoided in data practices, including in decision making regarding choices in collecting and not collecting data and in the development and/or use of algorithms applied to data.
• Acknowledge bias:  Everyone responsible for data practices should take into account and acknowledge the limitations of data analyses, the potential for bias, and risks of group and individual harm.

9. Avoid harmful data practices throughout the data lifecycle.

• Harm to individuals and also harm to groups: Everyone responsible for data practices should ensure that those practices and associated data and reporting do not pose unnecessary, inappropriate, or unlawful risks of harm, cause harm to individuals or to groups, or impose unnecessary burdens on individuals or groups.
• Continuing assessment:  Everyone responsible for data practices should be imaginative and reflective about benefits, burdens, harm, and risks of harm throughout the data lifecycle, not only when a data-related project is initiated or a data-related decision is made.

10. Ensure that the benefits of data practices exceed the risks of harm of data practices.

• Both macro and micro views:  Assessments of benefits and harms should be undertaken both in the aggregate, taking data practices as a whole, and with respect to separable elements of the data lifecycle (i.e., specific data practices). The potential benefits of each data practice must outweigh its risks.
• Distribution: Benefits and harms should be distributed fairly and appropriately across groups of people and over time.
• Continuing assessment:  Everyone responsible for data practices should be imaginative and reflective about benefits, burdens, harm, and risks of harm throughout the data lifecycle, not only when a data-related project is initiated or a data-related decision is made.