ADMINISTRATIVE POLICY

Internal Access to & Sharing University Information
Responsible University Officer: Vice President for Information Technology
Policy Owner: Vice President for Information Technology
Policy Contact: Brian Dahlin

POLICY STATEMENT

The University provides authorized individuals access to information they need to carry out work responsibilities.

Data custodians must limit access to University information classified as private data to those individuals whose work responsibilities require it. Employees and departments must follow the appropriate approval processes to request access to non-public information.

Individuals authorized by their job responsibilities to share University data with internal audiences must follow the procedures related to sharing University data, including instructions on aggregating data where appropriate.

The Records and Information Management Office is a resource for questions concerning disclosure of information.

REASON FOR POLICY

The University adheres to state and federal privacy and records laws. In so doing, the University:

  • Increases the value of University information resources through widespread and appropriate use.
  • Prevents the inappropriate and unauthorized disclosure of information and thereby avoids adverse legal consequences.

Subject | Contact | Phone | Fax/Email
Primary Contact(s) | | 612-625-1505 |
Financial Systems | Director, EFS Customer Support, Controller's Office (Data Custodian) | 612-624-1617 |
Information Security | University Chief Information Security Officer | 612-625-1505 |
Health Information and HIPAA | HIPAA Privacy Officer | 612-625-5844 |
Human Resources/Payroll | Director, Office of Human Resources (Data Custodian) | 612-626-1629 |
Student Systems | University Registrar (Data Custodian) | 612-625-2803 |
Disclosure of Data | Coordinator, Records and Information Management Office; or Office of the General Counsel | 612-625-3497; 612-624-4100 |
Institutional Analysis | University Data Custodian | 612-625-6792 |

DEFINITIONS

Access
The ability to view information, and, when applicable, update or download it.
Application Data Custodian
Representative of the University who is assigned responsibility to serve as a steward of the application or system on which the data resides.
Authorized Individual
An employee, consultant, volunteer or other individual who needs access to University information to perform an activity on behalf of the University.
Data
Information collected, stored, transferred or reported for any purpose, whether electronically or on hard copy.
Data Custodian
Representative of the University who is assigned responsibility to serve as a steward of University data in a particular area.
Data Owner
An individual with primary authority and accountability for specified information (e.g., a specific business function) or type of data. This individual is responsible for delegating responsibility to appropriate Data Custodians and ensuring the accuracy, integrity and timeliness of the data.
Privacy Officer
The individual responsible for setting the security classifications for a broad type of data (e.g., HIPAA, PCI DSS, FERPA) across the university or set of data (e.g., research set), and developing procedures for creating, maintaining, and using assigned University data, consistent with University policy and all applicable state and federal laws.
Security Violations
Any action that does not comply with system security concepts, policies, processes or procedures.
Supervisor
The person to whom an individual directly reports. For those seeking access to information not published publicly, or access to centrally supported systems, it is the person designated by the Dean, Director or Department Head to function in that role for information/data access purposes.
Unauthorized Disclosure
The act of providing information to any source not specifically authorized to receive such information, whether inside or outside of the University community.
University Data Security Classifications
Classification of data to ensure appropriate security controls are in place.
  • Public: University data that by law are available to the public upon request.
  • Private-Restricted: University data that by law are not public and are available within the institution only to those with a legitimate need to know, but are not so highly sensitive that the loss of confidentiality, integrity, or availability would cause significant personal, institutional, or other harm, and no law, regulation, or contract requires a higher level of security.
  • Private-Highly Restricted: University data that are not public and are available within the institution only to those with a legitimate need to know, and (1) are so highly sensitive that the loss of confidentiality, integrity, or availability of the data could cause significant personal, institutional, or other harm; (2) by law or regulation require high-level security controls; or (3) by contract require high-level security controls.
University Data Custodian
Representative of the University who is assigned responsibility to serve as a steward of University data when data crosses organizational and system boundaries.
University Information
Information collected, manipulated, stored, reported or presented in any format, on any medium, by any unit of the University.

RESPONSIBILITIES

University Data Custodian
  • Provides policy direction and oversight regarding access to University Information.
  • Ensures appropriate and consistent procedures related to accessing data, across the organization.
  • Decides how University Information will be treated (e.g., any restrictions for viewing, printing, copies).
  • Assembles appropriate constituent groups to examine specific data issues crossing organizational and system boundaries, while balancing the needs and desires of the constituent groups, within legal and data security policy constraints.
  • When needed, resolves problems that arise at the Data Custodian and Application Data Custodian levels.
Data Custodian
  • Participates with the University Data Custodian, other Data Custodians, University Information Security, Privacy Officers and legal representatives, in the development of University data access policy and procedures.
  • Advises the Application Data Custodians, Supervisors and Data Owners on data access as it relates to their areas of responsibility.
  • Establishes appropriate processes and procedures for access to information stored within the systems for which they are responsible, in cooperation with others responsible within the organization.
Application Data Custodian
  • Advises Supervisors, Data Owners and others on access and procedures as they relate to their applications.
  • Establishes appropriate processes and procedures for access to information stored within the systems for which they are responsible, in cooperation with others responsible within the organization.
  • May authorize data access, or grant system access based on the authorization of others, in accordance with University policy and access processes. When performing this function, system administration responsibilities must be performed by another individual or area.
  • Monitors access based on University policy.
Technical Staff
  • Establishes, develops, implements and manages the organization's access processes, systems and procedures in coordination with the Data Custodians, Application Data Custodians and other security and system administrators.
Authorized Individual or Employee
  • Reviews access needs with Supervisor.
  • Submits access request to Supervisor.
  • Maintains the integrity and confidentiality of information.
  • Reports security violations to Supervisor.
Supervisor
  • Reviews access needs with staff.
  • Reviews and submits access requests.
  • Requests access changes for those they have authorized.
    • Changes in job responsibilities.
    • Transfers within the University.
    • Termination from the University.
  • Reports security violations to Data Custodians, Application Data Custodians and/or the group that manages access to the system or application.
General Counsel
  • Provides legal advice, including information classification, to Data Custodians and other University personnel, to ensure compliance with state and federal laws.
Records and Information Management Office
  • Serves as the responsible authority and data practices compliance official under the Minnesota Government Data Practices Act and fulfills requests for public information that cannot be met through existing reports and other materials.
  • Assists General Counsel in advising University staff and other decision-makers regarding access to University Information.
Privacy Officer
  • Participates with the University Data Custodian, other Data Custodians, University Information Security and legal representatives, in the development of University data access policy and procedures.
Office of Information Technology - University Information Security
  • Establishes security policies and standards to protect information/data and systems.
  • Provides security policy advice to Supervisors and other offices.

RELATED INFORMATION

Related Laws

  • Minnesota Government Data Practices Act - MS. 13.01 et seq.
  • Family Educational Rights and Privacy Act of 1974
  • Computer Fraud and Abuse Act of 1986
  • Electronic Communications and Privacy Act of 1986
  • USA PATRIOT Act of 2001

Amended:
August 2015 - Added procedures for sharing University data with internal audiences, faculty and researchers and external audiences.
Amended:
March 2015 - Comprehensive Review. Minor Revision. Updated policy statement; revised procedure, definitions and responsibilities; eliminated the Providing Access to University Information procedure; changed ownership of Examples of Public, Private and Confidential Information appendix to Public Access to University Information policy.
Amended:
July 2008 - Updated for EFS rollout. Forms, Definitions, responsibilities, and Contacts sections updated.
Amended:
December 2001 - Updated Appendix A, Added link to OIT Data Security page to Related Information.
Amended:
July 2000 - Added new procedures that supersede former procedures: 2.5.2.1-3. Expanded Definitions and Responsibilities sections. Updated Appendices, Contacts and Related Information Sections. Deleted last paragraph in policy statement.
Amended:
January 1998 - Statement and reason were revised to say all University employees will have access to University reports of public information. Access to private information will be given to those whose jobs require it. More public information will be published on the Web. The procedures associated with the policy will be revised to reflect these changes. Responsible Officer changed from Coordinator of Records and Information to University Data Custodian, and Responsible Office from Records and Information Management to Institutional Research and Reporting.
Effective:
August 1997
Superseded:
Administrative Systems Security Policy

Date Revised: August 2015

Date Effective: August 1997