Main Menu
SPARCS - Topic Of The Week

Why are Data Inventories Important?

A data inventory is used to help all areas of the university manage impacts and risks associated with their work activities involving personal data. This collaborative process is essential to our Privacy, Cybersecurity, and Compliance programs, and it supports our office’s goal of building awareness about the university’s Privacy Principles and Security Standards.

A data inventory helps all areas of the university:

  • Aggregate essential information for strategic, tactical, and operational decisions.
  • Identify and document the accountable and responsible individuals for the business processes, systems, and third-party relationships through an enterprise-wide data inventory.
  • Inventory and map the flow of data across the University and with third parties.
  • Create a common understanding about where, how, and why personal data are processed (e.g., collected, used, managed etc.).
  • Evaluate how the use of personal data aligns with the University’s Privacy Principles and addresses our academic, humanitarian, ethical, and legal obligations.

While individual institutions may have varying approaches for conducting such inventories, the process has several commonalities, and generally follows the below steps:

  1. Designate a person or team to be responsible for the following activities:
    • Conducting and maintaining an inventory with standard information on what data is collected, by whom, in what formats, and for what purposes.
    • Evaluating the quality of the data, including how it is generated, how often it is updated, any issues that arise with its generation and aggregation, and its consistency across departments/offices/schools/campuses.
    • Developing plans to standardize data collected across the institution when needed.
    • Coordinating with the procurement and legal departments to analyze contracts or agreements with third parties (regardless of whether they are commercial vendors, other academic institutions, funding bodies, or governments) to understand the contractual obligations of each party connected with data and data analytics on campus.
  2. Plan your approach and get a general project plan:
    • Identify who will be involved.
    • Develop workflows: Identify existing items to be inventoried and gather information to complete records.
    • Create, complete, and maintain inventory records.
  3. Create records:

    • Identify existing items that need to be inventoried by your unit

      1. What business processes involve personal data?
      2. What systems involve personal data? Does your unit own or use the system?
      3. What third parties are involved?
      4. Vendors?
      5. Who do you share data with?
      6. Who do you receive data from?


      TIP: If you own or administer a system, you will need to ensure you document it as discussed above; if you don’t own or administer a system, but you do use it, link your use of the system to the relevant record created by the unit that owns the third-party relationship or system. This is critically important, because your purpose for collecting data may not be the same as another user of the same system. 

      For UMD employees seeking specific guidance, instructions on filling Data Inventory sheets and a Frequently Asked Questions (FAQ) article are available.

  4. Update periodically:
    • Please review and update your records on a regular basis. This includes updating records when a contract expires and when systems move from design to production or to decommissioned status.
    • To ensure that the data inventory can assess risk accurately, the Privacy Office will send reminders to validate your records (timing to be determined).
Off
Back to Top