University Data Values and Principles

The purpose of this “Principles and Values” statement is to offer practical guidance to people with data practice roles or responsibilities at the University of Pittsburgh, with respect to whether, when, where, and how to acquire data, to store and preserve data, and to access, apply, and use data. The statement refers to data practices collectively as the “data lifecycle.” These principles and values were recommended by the Information Technology Advisory Committee and adopted by the University in May 2024.

“Data practices” means designing, implementing, managing, and continuing to oversee collecting, gathering, storing, using, and accessing data. The statement is intended to inform decision making as to data practices throughout the data lifecycle. It is not intended to dictate answers to specific questions of procurement, system design, or implementation, although data practices may implicate questions of those sorts.

The statement is directed to data practices at the University of Pittsburgh with respect to what the University refers to as “institutional” data. “Institutional” data practices means collecting, storing, using, and accessing data that is generated by “institutional” activities, such as student admissions, student advising, transportation, housing, finance, institutional advancement, and employment, or that is accessed for related “institutional” purposes.

The phrase “institutional” data distinguishes data practices in institutional settings from data practices in research settings and from data practices in teaching settings. Boundaries that separate those spheres of activity are not always clear, and they are not necessarily static. The statement should be applied and used pragmatically, with an eye to its spirit and functional utility, rather than formalistically.

Data practices, including access to data and data use, should be subject to systems or processes for ensuring compliance with these Principles. Individuals requesting data access or use should not play roles in deciding whether compliance is adequate.

Principles and Values

Each principle is stated at a relatively broad level of generality and is followed by one or more practices to illustrate how the principle should be implemented.

The University of Pittsburgh will:

  1. Promote beneficial and valuable data practices throughout the data lifecycle.
  • Best practices:  Everyone responsible for data practices, including their groups and organizations, should adhere to best and responsible practices as to data collection, curation, interpretation and use (e.g., validity, reliability, replicability).
  • Specificity: Data practices should have clearly defined present or potential social value.
  • Clarify and weigh stakeholder interests: Institutional interests, including economic and reputational interests, and interests of members and constituents of the institution should be clearly identified. Where the interests of members and constituents are inconsistent with the institution’s interests, greater weight should be given to the interests of members and constituents.
  • Connect value to stakeholders: Data practices should link assessments of value to identified stakeholders and/or stakeholder interests.
  2. Promote informed choice and consent with respect to data collection and use.
  • Disclosure: Before data about them is collected, and if conditions change, then throughout the data lifecycle, people should be provided with full, fair, clear, and understandable information about the character of the data to be collected, the purposes of the data collection, and the benefits and expected harms (if any) associated with the related data practices. Data practices should be disclosed to people specifically, in context, rather than as part of blanket or broad disclosures.
  • Consent:  People should be provided with fair and appropriate opportunities to consent to, or to refuse, collection of data about them or that relates to them.
  • Withdrawal of consent:  People should be able to change their minds and opt in or out of future data collection and, where possible, to opt out of future uses of previously-collected data.
  3. Promote personal privacy through its data practices.
  • Privacy in context:  Personal privacy should be protected on a contextually-appropriate and fair basis from intrusion, leaks, and/or disclosure through multiple strategies, including de-identification, aggregate reporting, and access being provided on a need-to-know basis when individual data points or results are being generated, used, or reported.
  4. Promote fairness and equity in and through its data practices.
  • Distribute benefits and burdens equitably:  Benefits and burdens or harms of data practices should not be borne disproportionately by any individual, group, unit, or subset of the University community without sound justification for that disproportionate treatment, and no person and no group should be targeted for data collection or analysis without sound justification.
  • Clarify and weigh stakeholder interests: Institutional interests, including economic and reputational interests, and interests of members and constituents of the institution should be clearly identified. Where the interests of members and constituents are inconsistent with the institution’s interests, greater weight should be given to the interests of members and constituents.
  5. Promote diversity and inclusion in and through its data practices.
  • Diversity in society:  Data practices should ensure that data are representative of the population(s) to which data analysis is applied.
  • Diversity in policymaking: Representatives of the range of members and constituents of the University, including those who are data sources, should participate in making and implementing policies and procedures concerning data practices.
  • Diversity in determining access and use: Representatives of the range of members and constituents of the University should participate in determining who has access to data and for what uses or applications, not only in the establishment of policies and procedures.
  6. Promote transparency in and through its data practices.
  • Policies:  Policies governing processes at each stage of the data lifecycle should be clear, understandable, documented and publicly accessible.
  • Practices:  Practices not rising to the level of formal policies likewise should be clear, understandable, and documented.
  • Descriptions:  Documented policies and practices should identify or direct responsible individuals to identify and document the data being collected, accessed, or analyzed; how the collection, access, or analysis is conducted; the purposes of the collection, access, or use (including its duration); and the justification for the collection, access, or use, including specification of relevant benefits and burdens or harms.
  • Oversight:  A process or processes should exist whereby individuals not associated with relevant data practice decisions oversee compliance with relevant data policies and practices and coordination with other potentially relevant policies and practices. Those include policies related to intellectual property law or to confidentiality mandated by law or by responsible scientific practice.
  7. Ensure data security and data integrity in and through its data practices.
  • Security throughout the data lifecycle:  Best and responsible practices should be followed to ensure the security and integrity of data and analyses based on data throughout the data lifecycle.
  • Policies and practices:  Policies and practices to anticipate and respond to intrusions, threats, and/or security breaches should be developed and documented, and responsible parties with adequate authority should be charged with implementing them and ensuring that appropriate reporting and remediation occurs.
  • Remediation: Data breaches must be reported promptly to individuals with both the authority and the responsibility for mitigating associated harms.
  8. Avoid or mitigate the harms of bias in and through its data practices.
  • Types of bias:  Bias—including but not limited to bias based on disability, race, color, religion, national origin, ancestry, genetic information, marital status, familial status, veteran status, sex, age, sexual orientation, or gender identity and expression—should be avoided in data practices, including in decision making regarding choices in collecting and not collecting data and in the development and/or use of algorithms applied to data.
  • Acknowledge bias:  Everyone responsible for data practices should take into account and acknowledge the limitations of data analyses, the potential for bias, and risks of group and individual harm.
  9. Avoid harmful data practices throughout the data lifecycle.
  • Harm to individuals and also harm to groups: Everyone responsible for data practices should ensure that those practices and associated data and reporting do not pose unnecessary, inappropriate, or unlawful risks of harm, cause harm to individuals or to groups, or impose unnecessary burdens on individuals or groups.
  • Continuing assessment:  Everyone responsible for data practices should be imaginative and reflective about benefits, burdens, harm, and risks of harm throughout the data lifecycle, not only when a data-related project is initiated or a data-related decision is made.
  10. Ensure that the benefits of data practices exceed the risks of harm of data practices.
  • Both macro and micro views:  Assessments of benefits and harms should be undertaken both in the aggregate, taking data practices as a whole, and with respect to separable elements of the data lifecycle (i.e., specific data practices). The potential benefits of each data practice must outweigh its risks.
  • Distribution: Benefits and harms should be distributed fairly and appropriately across groups of people and over time.
  • Continuing assessment:  Everyone responsible for data practices should be imaginative and reflective about benefits, burdens, harm, and risks of harm throughout the data lifecycle, not only when a data-related project is initiated or a data-related decision is made.