This procedure defines how and when members of the University community can share public or private unit record data and or aggregate-level administrative data with audiences internal to the University. This procedure applies to all University providers of data, including individuals and units. Units include, but are not limited to central units (e.g., Office of Institutional Research, central-work streams such as Human Resources, etc.), colleges, departments, centers, and programs.
Individuals or units providing data in any form, including the secondary release of data, are responsible for the application of this procedure and its related policy (see Administrative Policy: Public Access to University Information).
The standard for sharing personally identifiable private student data is defined in the Regents Policy on Student Education Records. The policy defines “legitimate educational interest” as “an interest in reviewing student education records for the purpose of performing an appropriate University research, educational, or administrative function. The University uses the same definition of “legitimate educational interest” for sharing other private data on individuals within the University.
Out of Scope for this Procedure
Private data (e.g., health information (HIPAA or ePHI), social security numbers, PCI DSS) that is classified as Private-Highly Restricted as defined in Administrative Policy: Data Security Classification will not be shared in this manner and are out of scope for this procedure.
Those receiving requests (providers) from University of Minnesota faculty and researchers should be directed to Administrative Procedure: Sharing Data with University Faculty and Researchers.
Those receiving requests (providers) for data from external University audiences should be directed to Administrative Procedure: Sharing Data with Audiences External to the University.
Procedure for Sharing Data with Internal Audiences
- Those requesting private data need to demonstrate a “legitimate educational interest”. At the discretion of the data owner or data provider and on a case by case basis; requests may require review and approval by the owner of the requested content.
- At the discretion of the data owner or provider, requests may require follow up with the respective department head, dean’s office or administrative office of those requesting data to determine appropriate use and to determine if requester’s work assignment reasonably requires access.
- Providers determine if the request is for public, private, or a combination of public and private data. For a list of public and private data elements see the appendix: Examples of Public, Private and Confidential Information in Administrative Policy: Public Access to University Information.
- If all data being requested are classified as public, providers may share the data with internal audiences in unit record form or in aggregate form no matter the cell size (see Table 1.0 below).
- Aggregate data that is classified as private may be shared with internal audiences assuming the requester has a business need to know to perform their job duties. (see Table 1.0 below).
- Those who do not meet the need to know requirement should be directed to the public reports available (see Administrative Procedure: Sharing Data with Audiences External to the University).
- The completion of an Access Request Form (ARF) will be required for those requesting access to private unit record data used for query or direct access to the Data Warehouse and other PeopleSoft sources. The request must be approved by the respective data owner.
- When sharing the data, providers should limit the data and reporting to the scope, depth and breadth that is consistent with the requester’s needs.
- Data suppression or masking is not needed for reporting containing only public data
- Data will be shared in a number of ways, including the following methods:
- Through the web (e.g., oir.umn.edu)
- Through ad hoc reporting requests
- Through secondary release via subsidiary reporting systems
|Data Type/Level of Detail
|Internal Audiences (with need to know)
|University of MN Faculty and Researchers
|Audiences External to the University
|Public Data - Aggregate
|Public Data - Unit Record
|Private Data - Aggregate
|Requests will be reviewed on a case-by-case basis and may require a non-disclosure agreement (DOCX)
|Suppression should be applied with no more than one private data element per aggregate
|Private Data - Unit Record
|Access Request Form (ARF) used by those requesting query access to data
|Requests will be reviewed on a case-by-case basis and may require a non-disclosure agreement
|Private unit record data will not be shared; however appeals can be sent to the OGC
- Suppression involves applying the rule of ten to summarized data through the use of percentages, ranges or masking
- Unit Record Data refers to individual student and employee level data
- Aggregate refers to the summarization of unit record (detail) data
- OGC refers to the Office of the General Counsel
All questions about this procedure or how to apply it should be routed to Data Governance by sending an email to [email protected].