
Roles and Responsibilities

Data Trustees
Data Owners
Data Custodians
Data Consumers

Data Trustees

Data Trustees are senior college officials or their designees who have planning, policy-level and management responsibility for data within their functional areas. Data Trustees work with the Chief Information Officer (CIO) to ensure that the appropriate resources (staff, technical infrastructure, etc.) are available and that proper planning and policies are in place to support the data needs of the entire college.

Data Trustee responsibilities include:

  • Assigning and overseeing Data Owners
  • Overseeing the establishment of data policies in their areas
  • Determining legal and regulatory requirements for data in their areas
  • Promoting appropriate use and data quality

Institutional Data covered includes, but is not limited to:

| Institutional Data Type | Data Trustee |
|---|---|
| | Senior VP for Investments |
| Budget and Planning; Financial (General Ledger, Procurement, Accounts Payable, Payroll); Student Billing and Accounts Receivable; Facilities and Space Management; Human Resources (Compensation, Benefits) | Senior VP for Finance and Administration and Treasurer |
| Residential Life; Student Health | Dean of Student Affairs |
| Student Records; Course Records; Academic Research | Dean for Academic Affairs |
| Fund Raising; Alumni Relations | Senior VP for Planning and Development |
| Student Admissions; Student Aid | Dean of Admissions and Student Aid |
| Learning Management | Chief Information Officer |

Data Owners

Data Owners are college officials having direct operational-level responsibility for the management of one or more types of data.  Data Owners are assigned by the Data Trustee and are generally associate deans, associate vice presidents, directors or managers.

Data Owner Responsibilities include:

  • Interpreting and assuring compliance with Federal, State, and College policies and regulations regarding the release of, responsible use of, and access to college data.
  • Assigning data classification labels using the college's data classification methodology.
  • Data Compilation - When data classified at varying levels is brought together as a data set to create information, the data owner must examine each data element and ensure that the data is classified at the level of the most secure data element in the set. For instance, if one data element is classified as Public and another is classified as Restricted, the entire data set must be classified as Restricted and secured accordingly.
  • Ensuring that there is a process that includes verifying and documenting any data or information shared between external agencies or departments. The data must be classified and protected according to agreed-upon classification methodologies and data treatment requirements to avoid unintentional disclosure.
  • Ensuring, in conjunction with Information Security, that confidential information, or information that could be used directly or indirectly to identify an individual, is protected.
  • Establishing any restrictions on downloading, exporting or remote access of data. This is normally done in conjunction with IT staff so that they can configure the security elements of the infrastructure to assist in preventing unauthorized access.
  • Working with Information Security to develop access criteria and guidelines for each classification label or level. As the level moves from Public to Restricted, the requirements for accessing the data also increase.
  • Authorizing and recertifying access to the data.
  • Ensuring that individuals with visibility to Restricted data have completed required training and agreed to confidentiality statements.

Data Custodians

Data Custodians are Information Technology or computer system administrators responsible for the operation and management of systems and servers which collect, manage, and provide access to college data.  Data Custodians must be authorized by the appropriate Data Owner or the CIO.

Data Custodian responsibilities include:

  • Maintaining physical and system security and safeguards appropriate to the classification level of the data in their custody.
  • Complying with applicable college computer security standards.
  • Maintaining Disaster Recovery plans and facilities appropriate to business needs and adequate to maintain or restart operations in the event systems or facilities are impaired, inaccessible or destroyed.
  • Managing Data Consumer access as authorized by appropriate Data Owners.
  • Following data handling and protection policies and procedures established by Data Owners and Information Security.
  • Complying with all federal and state laws, regulations, and policies applicable to the institutional data in their custody.

Departments that develop databases and/or systems from college data and then provide access to this data to other users are considered Data Custodians.  These Data Custodians must be authorized by the appropriate Data Owner, approved to further redistribute college data and must implement the minimum required safeguards for the source data as prescribed by the Data Owner and Information Security.

Data Consumers

Data Consumers are the individual college community members who have been granted access to college data in order to perform assigned duties or in fulfillment of assigned roles or functions at the college.  This access is granted solely for the conduct of college business.

Data Consumers' responsibilities include:

  • Following the policies and procedures established by the appropriate Data Owner and Information Security.
  • Complying with federal and state laws, regulations, and policies associated with the college data used.
  • Using college data only as required for the conduct of college business within the scope of employment.
  • Implementing safeguards prescribed by appropriate Data Owners for Restricted Data.
  • Reporting any unauthorized access or data misuse to Information Security or the appropriate Data Owner for remediation.

A Data Consumer whose work duties require access to Restricted Data must accept and complete the confidentiality statement.

Last modified: Oct 02, 2009