Administrative Data Access

Guiding Principles

Information maintained by the University is a vital asset that will be available to all employees who have a legitimate need for it, consistent with the University’s responsibility to preserve and protect such information by all appropriate means. The University is the owner of all administrative data; individual units or departments may have stewardship responsibilities for portions of that data. The University intends that the volume of freely accessible data be as great as possible, given limitations of budget and applicable federal, state and local laws.

The value of data as an institutional resource is increased through its widespread use and is diminished through misuse, misinterpretation, or unnecessary restrictions on its access. The University does not condone the use of administrative data for anything but the conduct of University business. Employees accessing data must observe requirements of confidentiality and privacy, comply with protection and control procedures, and accurately present the data in any use.

The University determines levels of access to administrative data according to principles drawn from various resources. State and federal law provides a clear description of some types of information to which access must be restricted. In an academic community, ethical considerations are another important factor in determining access to administrative data.

Definition of Administrative Data

The University’s database consists of information critical to the success of the University as a whole. The University database is shared data and is managed within a conceptual framework. The University database is distributed across processing units both within and outside the University.

Data may be digital text, graphics, images, sound or video. The University regards data that is maintained in support of a functional unit’s operation as part of the University’s administrative database if it meets any of the following criteria:

If at least two administrative operations of the University use the data and consider the data essential;
If the University must ensure the integrity of the data to comply with legal and administrative requirements for supporting statistical and historical information externally;
If a broad cross section of users refers to or maintains the data; or
If the University needs the data to plan.

Some examples of administrative data include student course grades, employee salary information, vendor payments, and the University’s annual report of facts (Red Book). Administrative data does not include personal electronic calendar information and similar material.

Data Administrators

Data Administrators are individuals directly responsible for creating, maintaining, and using data to support the University’s operation and information needs within their functional area.

Responsibilities of Data Administrators

Data Administrators will assign each item of administrative data and each standard view for their area of responsibility to a security class. For example, data can be viewed by anyone; data can be viewed by a select few; or data is totally restricted.

The Data Administrators are also responsible for maintaining data integrity. They will determine the most reliable sources of data and regularly evaluate the quality of the data under their purview. Data Administrators will identify gaps and redundancies in the data and, to the extent possible, will ensure that only needed versions of each data element exist. They will also monitor the data for accuracy, integrity, and dependability, and where appropriate, will initiate action concerning these issues.

The Data Administrators, in consultation with the person assigned to administrative data security in Information Technology, will determine security requirements for their data and will be responsible for monitoring and reviewing security implementation and authorized access.

Data Administrators will also define the criteria for archiving the data to satisfy retention requirements.

Responsibilities of Information Technology Staff

Information Technology is ultimately responsible for defining and implementing policies and procedures to assure that data are backed up and recoverable. Information Technology is also responsible for carrying out the security identified by Data Administrators as well as system security. Some examples include a redundancy plan, physical security of hardware, system interfaces, authentication and protocols.

Developing and applying standards and/or procedures for the management of institutional data and for ensuring that data are accessible to those who need it is another function that is carried out by Information Technology.

In cooperation with the Data Administrators, a standard method for naming and defining data will be developed. Information Technology will help facilitate conflict resolution in data definitions, if it occurs.

Requests for Access

Access to legally restricted or limited access data by University employees requires that a formal request be made to the appropriate Data Administrator. All requests for exceptions to the data access policies must be made in writing to the Data Administrator. Email requests are acceptable. The request must specify the data desired and their intended use.

The Data Administrator must provide a written record of the reasons for denial of any access request. Email records are acceptable.

Members of the University community may appeal any data access decision. Appeals may be made to the appropriate Vice President.

Responsibilities of Users

University employees or persons with access to Administrative Data shall not:

Make unauthorized use of any information in files maintained, stored, or processed by Information Technology or permit anyone else to make unauthorized use of such information.
Seek personal benefit or permit others to benefit personally from any confidential information that has come to them by virtue of their work assignment.
Exhibit or divulge the contents of any record or report to any person except in the conduct of their work assignment and in accordance with University and departmental policies.
Knowingly include or cause to be included in any record or report a false, inaccurate or misleading entry.
Operate or request others to operate any University equipment for one’s own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity.
Divulge personal IDs or passwords for Administrative Data to unauthorized personnel.

Users will also comply with all reasonable protection and control procedures for administrative data to which they have been granted access.

All violations of these guidelines shall be reported to the Chief Information Officer immediately. The information provided will be investigated and, if found to have credence, will be sent to the appropriate Vice President for handling through University policies and procedures.