Information Security

Definitions

Staff: All employees of, and other individuals working at, UCL, including agency workers, honorary staff, emeritus staff, visiting staff, external collaborators, contractors and consultants, and the staff and directors of UCL’s subsidiary companies. This includes postgraduate students who are employed temporarily or permanently as staff.

Student: Any individual registered as a student at UCL. 

Data Owner: A senior member of staff, accountable for overarching strategy and policy setting for information and data within their area of business. Accountable for seeking assurance from Data Stewards, Information Custodians and System Custodians that suitable controls are in place to mitigate risks to their data. Responsible for ensuring other roles are assigned where applicable. 

Data Steward: A subject matter expert for an area of structured data held within a university IT system. Responsible for ensuring effective management of the data and resolving any quality issues. 

Information Custodian: Responsible to the Data Owner for one or more of the following in relation to information and data in their business area: Access management; Classification; Risk management; Retention; Records management. 

System Custodian: A technical administrator for a System. Responsible for ensuring security risks are managed within the system. Responsible for providing assurance to the Data Owner that suitable controls are in place to mitigate risks to their data. 

System: Any environment that is used in relation to data, such as: network; application; infrastructure; platform; system; appliance; device; service. 

Further information 

Information security roles 

The information security roles defined in the Information Security Policy are Staff, Student, User, Data Owner, Data Steward, Information Custodian and System Custodian.  They have a special significance in relation to the Information Security Policy, enabling each member of the UCL community to understand their information security responsibilities.   Former UCL students, usually referred to as alumni, are also members of the UCL community, and have the same information security role as students.  The meaning of “User” in the context of the policy is defined in the Scope section as follows. 

“This Policy applies to Staff, Students and all other computer, network, or information users authorised by UCL or any of its departments (or equivalent) (collectively referred to as Users)”. 

The information security role titles or definitions are not recognised or implemented consistently across UCL, and members of the UCL community typically have two or more of them at any one time.  For example, everyone at UCL is a user in some sense, and many staff members have actual roles that encompass one or more of the other information security roles, whether or not they are reflected in their job titles or descriptions.  However, it is important for everyone reading the Information Security Policy to understand which information security roles they have, and how to incorporate the associated responsibilities into their activities as students or staff members. 

Data related roles 

The roles of Data Owner, Data Steward and Information Custodian can be understood differently in different parts of UCL, depending on where in UCL they work and the type of data or information involved.  There are no universally recognised definitions of data and information, but generally speaking, the term “data” refers to structured information stored in spreadsheets, databases and other digital formats that support procedural or programmatic information retrieval.   

UCL’s Data Governance Operating Model includes the Data Owner, Data Steward and System Custodian roles, but the Model is limited to certain types of data related to the operation of UCL as an institution, and excludes, for example, research data (https://www.ucl.ac.uk/advanced-research-computing/research-data-stewardship).

System Custodian role 

A system can only have one System Custodian, although there may be two or more people with elevated privileges who can carry out administrative operations on it.  

A System Custodian in ISD is usually a Service Operation Manager, who typically has responsibility for a number of systems involved in the operation of an IT service.  System Custodians outside ISD might have other role titles such as “IT Manager” or “System Manager”. 

Further questions 

If you have any questions that haven't been answered by the information on this page, please don’t hesitate to ask the Information Security Group.