By Kevin H. Souza. In 2018 the news media broke stories about the company Cambridge Analytica and its questionable business practices. News services reported that the company acquired personal data of Facebook users from an academic who had collected the data for research purposes and, in turn, sold or used the information. The case was a wake-up call regarding the privacy of information for individuals and institutions alike – and who decides when privacy is important and how to protect it.
As far back as 2001, the University of California, San Francisco (UCSF), founded an IT Governance body. When the Cambridge Analytica story broke, IT Governance had recently affirmed a guiding principle that UCSF values data as a strategic asset. Valuing our data as an asset means that data must be secured and carefully curated to serve the mission of UCSF and to empower its digital transformation.
IT Governance at UCSF
In spite of its officious name, UCSF IT Governance is a living, breathing, and functioning organizational body that brings stakeholders from departmental IT and central IT together for shared decision making on setting the IT priorities that impact UCSF’s strategic initiatives. In this article, I recap the history of IT Governance at UCSF and describe how it is improving the work of UCSF.
As an example of the immediacy and flexibility of the IT Governance process, the Analytica case inspired university leadership to charge IT Governance with a thorough review of UCSF’s data-sharing policies and practices. A 90-day task force was appointed to review and recommend actions to protect UCSF data from risks associated with sharing it with external parties.
The task force proposed several recommendations, guided by the principle of “data as a strategic asset.” UCSF adopted these recommendations, and the IT Governance Committee on Enterprise Data and Analytics assumed oversight of a new safety net process. This process involved the review and approval of agreements to share data externally. The timing was right, and UCSF’s new protocols also aligned with the adoption of the systemwide Electronic Information Security Policy in September 2018.
IT Governance is composed of a steering committee (ITGSC) along with eight subcommittees that report directly to the chancellor through the chancellor’s executive team. IT Governance seeks to maximize the potential of patient care, research, administration, and education through the effective, efficient, and appropriate use of IT architecture, communication tools, information security, and data and analytics.
Brief History
IT Governance was founded in 2001 with the creation of the Administrative Systems Advisory Committee (ASAC). The charge of ASAC was to prioritize, fund, and oversee the implementation of much-needed enterprise administrative technologies. Over time a second IT governing board was added to focus on academic systems. Together these two boards developed a five-year strategic plan for the deployment of IT to support the administrative and academic enterprise. The boards also recommended that all health system and campus IT be consolidated under a single university chief information officer (CIO).
In 2010, Vice Chancellor and CIO Elazar Harel consolidated these two boards under a new IT Governance Steering Committee, with subcommittees in clinical, education, business systems, research, and architecture. “The goal is to move away from operating in silos and making decisions and investments ad hoc and without looking at the whole picture,” Harel said. “This governance structure will let us make decisions, set IT priorities, identify IT funding needs, and institute IT policies in a coordinated manner.”
This iteration of IT Governance reported jointly to the executive vice chancellor and provost, and the senior vice chancellor for administration and finance. In the years since, subcommittees on communications, security, and data and analytics were added, increasing the total to eight subcommittees.
IT Governance 2020
In fall 2017, I was appointed chair of IT Governance and embarked on a three-year plan to further transform and maximize the impact of IT Governance on the university’s priorities. Our goals were to
- clarify the authority of governance,
- strengthen its culture of leadership, and
- improve stakeholder representation and participation.
Authority of IT Governance
By that point, it had become unclear how IT Governance got its authority. Early in this process, we clarified that IT Governance was independent of central IT, and represented joint governance of both the central and departmental IT organizations. This structure better serves UCSF’s bi-modal IT environment. Also, the reporting structure was clarified so that IT Governance reports directly to the chancellor through the chancellor’s executive team (CET). This means that the CET gets regular updates on essential issues, such as the recent concern over the sharing of UCSF data with external institutions.
Culture of Leadership
In 2018 we developed a set of guiding principles for governance, established expectations for our membership, and established a culture of transparency and documentation. As chair of IT Governance, I formed a working group of all subcommittee chairs to draft a set of guiding principles for review and approval by the steering committee. Ultimately, the steering committee approved the following guiding principles:
1. Guiding Principles
- Accountability: Our committees are accountable for executing their charges and stewarding university resources appropriately.
- Communication: We must communicate the work of IT Governance throughout the organization.
- Community: The needs of the UCSF community will remain a vital component of all IT decisions.
- Data: We recognize that university data is an asset, and therefore we support a secure but accessible data environment.
- Diversity and Inclusion: We represent all mission areas and promote equitable representation in governance from all members of the UCSF community.
- Responsibility: We are responsible for the process of strategic IT decision making and the promotion of successful outcomes.
- Transparency: We will be transparent in our decision-making and use of resources.
We also established expectations, including a set of duties and professional behaviors, for the steering committee and subcommittee members. These responsibilities are communicated through a new member orientation. In turn, members are expected to convey the principles of IT Governance throughout their own organizations. Member expectations are as follows:
2. Duties
- Thoughtful Decision Making: Exercise care when you make a decision as a representative of UCSF. Try to represent the opinions of those you serve.
- Be Faithful to the Mission: Act in a way that is consistent with UCSF’s mission and honor the policies/laws that govern the university.
- Serve: Make decisions on IT infrastructure and services that improve the lives of those we serve.
- Demonstrate Loyalty: Give undivided allegiance when making decisions affecting UCSF and always act in the best interest of the institution.
- Representation: Represent UCSF to the world and the world to UCSF.
- Stewardship: Ensure that UCSF’s resources are well managed.
3. Behaviors
- Attend meetings and be present
- Be prepared and informed
- Speak your mind and ask hard questions
- Trust your gut – if it doesn’t feel right it probably isn’t
- Serve with integrity
- Practice servant leadership
- Assume positive intent
4. Governance focuses on…
- Policymaking, not policy implementation
- Decision making, not decision implementation
- Oversight, not day-to-day operations
- Governance, not informal processes
Representation and Membership
Since 2018, we have been reviewing the membership of all committees, revising it to be role-based. This review has entailed delineating the relevant stakeholders whose roles should always be represented on the committee and appointing these roles as ex officio, voting members. We also have identified the right types and numbers of at-large representatives. Established procedures govern how all membership positions are identified and appointed to the relevant committees. All appointments have term limits and designated voting rights. All of these processes have been implemented to help standardize IT in a thoughtful and strategic way.
The Future of Governance
While we began this transformation of IT Governance in 2018, our work continues to evolve. Each of the eight standing committees continues to ask essential questions about how they can best serve the institution. Most recently, the Communication Committee and the Committee on Business Technology underwent this careful review of their charge and membership.
I believe the next opportunity is for IT Governance to encourage and inform the digital transformation of processes that support those we serve – patients, faculty, staff, and learners. Because our governance process is aligned to the bi-modal IT environment we find at UCSF, I believe we are well positioned to lead this next transformation of how we work and serve our community. Visit the IT Governance at UCSF website to learn more.
Kevin H. Souza is associate dean for medical education, School of Medicine, University of California, San Francisco.
Great piece, Kevin. I’ve always looked at UCSF’s IT governance as one of the most mature I’ve seen in our environment. Thanks for sharing.
T