Campus Notices

What is a Data Custodian?

The Security Services department recently developed policies that introduced a data governance framework to Central Washington University. This framework was built on the concept of a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models. In other words, it is a framework that defines decision-making and authority for our institutional data [1].

The reason for introducing a data governance framework revolves around several key concepts, such as:

  • Increasing consistency and confidence in decision making;
  • Improving data security;
  • Designating accountability for information quality;
  • Reducing operational friction;
  • Reducing costs and increasing effectiveness through coordination of efforts; and
  • Ensuring transparency of processes [2].

The Security Services department has detailed the high-level data governance framework in a series of policies that are available on the Central Washington University website. The policy that deals primarily with the topic of data governance is titled CWUP 2-70-010 Information Security and Privacy Roles and Responsibilities. In reviewing this policy, you will note several new terms and concepts, and one of them is the Data Custodian.

This is a very important role in the overall governance framework and the policy states that they “are responsible for the safe custody, transport, and storage of institutional data.” The next question then becomes: who are these Data Custodians and what do they do? For the most part, the Data Custodians work within the Information Services and Organizational Effectiveness departments and they are responsible for ensuring our institutional data are available throughout our campus.

An example of a Data Custodian is Jillana Hernandez, the Director of ITS Applications in the Enterprise Application Service department. In this role, she is responsible for ensuring the day-to-day confidentiality, integrity, and availability of the core business applications that we all use every day in our jobs. While some of this responsibility is shared with other functional areas, the policy specifically states that Data Custodians will “support and manage the day-to-day confidentiality, integrity, and availability of the information systems for which they are responsible.”

This creates an environment where the Data Custodians have the necessary decision-making authority to respond to daily demands and issues without creating operational bottlenecks. However, there is still an obligation on their part to ensure they make these decisions within the established framework. To that end, the policy details this requirement by stating that Data Custodians need to be “accountable for operational decisions about the use and management of an information systems in accordance with established business rules and policies.”

I encourage you to take a few minutes and review the policies discussed in this article. You can easily access them by following the link below, which leads to the University resources and reports website. If you are interested in learning more about data governance, I have also included a few links with more information on the topic.

Best Regards,

Andreas Bohman, CISO


Policy Link:

Data Governance Definition:

Data Governance Institute:


[1] -

[2] -
