Printed on: 03/25/2025. Please go to policy.umn.edu for the most current version of the document.
University of Minnesota  Procedure

Sharing Data with Audiences Internal to the University

Sidebar

Expand all

Sidebar

Table of Contents

TOC placeholder

Governing Policy

Questions?

Please use the contact section in the governing policy.

Leave Feedback

This procedure defines how and when members of the University community can share administrative data at a unit record or summary level with faculty, researchers, educational, and administrative audiences internal to the University. This procedure applies to all University providers of administrative data, including individual employees and units. Units include, but are not limited to central units (e.g., University Data and Institutional Reporting, Office of Human Resources), colleges, departments, centers, and programs. Determination of sharing data should be based on an individuals’ status as a School Official and their associated business need (see definitions below).

Individuals, groups, or units providing administrative data in any form, including any secondary distribution or sharing of data beyond the initial recipient to colleagues, are responsible for the application of this procedure and its related external procedure (see Administrative Procedure: Sharing Data with Audiences External to the University).

Individuals or units sharing data with audiences external to the University, School Officials in the University who do not have a business need, or other individuals affiliated with the University who are not School Officials, should refer to Administrative Procedure: Sharing Data with Audiences External to the University.

Examples of Sharing Data Internal to the University

  • Example 1 (Sponsored Research)*: A University Researcher is requesting data for sponsored research (e.g., under a grant or a contract with the University). This is a “University research function” and the University Researcher is a School Official.  The University Researcher must:
    • Provide a written description of their business need (how the data will be used in the context of the project) and work with the data provider to identify the minimum data necessary to meet that business need.
    • For data about people, provide documentation of IRB review (approval/exemption granted letter) or documentation from the IRB that the project does not require IRB review. Documentation can be requested by submitting a Determination Form (docx).
    Once the above requirements are met, minimum necessary data can be shared without the need for further approval from the data custodians.
  • Example 2 (Non-Sponsored Research)*: A University Researcher is requesting data for non-sponsored research. The University Researcher must:
    • Provide a written description of their business need (how the data will be used in the context of the project).
    • Provide written approval from a department head or dean’s office to validate that the person is performing in the capacity of School Official with a business need.
    • Work with the data provider to identify the minimum data necessary to meet the business need.
    • For data about people, provide documentation of IRB review (approval/exemption granted letter) or documentation from the IRB that the project does not require IRB review. Documentation can be requested by submitting a Determination Form.
    Once the above requirements are met, minimum necessary data can be shared without the need for further approval from the data custodians.
  • Example 3 (Administrative): An administrative staff member (e.g., support staff, director) requesting data to support University activities directly tied to their job duties would be serving as a School Official. The administrative staff member must:
    • Provide a written description of their business need (how the data will be used in the context of the project).
    • Work with the data provider to identify the minimum data necessary to meet the business need.
    Once the above requirements are met, minimum necessary data can be shared without the need for further approval from the data custodians.

* In all cases where the research is subject to the Institutional Review Board (IRB), the researcher must follow IRB requirements. However, the IRB alone does not determine business need, so the procedure rules still apply. Data providers should work with the requester to determine the minimum data necessary to meet the business need for their research.

Out of Scope for this Procedure

  • Private-Highly Restricted data (e.g., health information (HIPAA or ePHI), social security numbers, cardholder data as defined by PCI DSS, financial data as defined by GLBA), as defined in Administrative Policy: Data Security Classification, will not be shared in this manner and are out of scope for this procedure. All questions about information regarding Private-Highly Restricted data should be routed to the appropriate data owner (See Data Classification Owner/Custodian Table appendix).
  • Data shared with organizations in which the University of Minnesota has either formal data sharing agreements in place (e.g., University of Minnesota Foundation) or is subject to state/federal agency regulatory requirements.
  • Faculty research data, data obtained by faculty members for the purposes of academic research. This procedure only applies to administrative data the University generates and collects (e.g. sponsored awards information, student records, employee records, financial transactions).

Procedure for Sharing Data with Internal Audiences

Internal audiences requesting data need to demonstrate they are acting as a School Official and have a business need for the data prior to receiving the data. Individuals sharing the data should consult with the data custodian if the data provider isn’t sure if the requester is acting as a School Official with a business need. Requests for data may require follow up with the requester’s respective department head, dean’s office, or administrative office to determine appropriate use and if the requester’s work assignment or job duties reasonably requires the data.

The following processes should be applied by the data provider whenever a request for data is received or data is being accessed with the intent to share with a School Official (faculty, researchers, educational, and administrative personnel) who has a business need. If the intent is to share with an individual not identified as a School Official, or a School Official who does not have a business need for the data, Administrative Procedure: Sharing Data with Audiences External to the University applies.

  • Determine that the requester or intended audience(s) is an internal audience and that the use case is to support the requester’s role as a School Official.
    • If yes, continue.
    • If no, Administrative Procedure: Sharing Data with Audiences External to the University applies.
  • Determine that the requester has a business need (may include confirming job duties or the task being performed) for the data and contact the requester for more information if needed.
    • If yes, continue.
    • If the School Official does not have a business need, Administrative Procedure: Sharing Data with Audiences External to the University applies.
  • Review if and how the requester intends to share the data with anyone other than themselves.
    • If there is no additional sharing intended, continue.
    • If there is additional sharing intended:
      • internal to the University (such as colleagues, project teams), continue and inform the requester they are responsible for following this procedure upon the dissemination of the data to other internal audiences.
      • external to the University (if intent is to ultimately share with external audiences), Administrative Procedure: Sharing Data with Audiences External to the University applies.
    • Determine if the request is for the purposes of conducting research; if the data being requested is about people, the requester must provide documentation of IRB review (approval/exemption granted letter) or documentation from the IRB that the project does not require IRB review. Documentation can be requested by submitting a Determination Form (docx).
    • Evaluate the data being requested and determine the minimum data necessary to meet the business need, including:
      • The grain of the data requested (unit record data vs. summary). Personally identifiable data should be de-identified unless there is a business need for unit record identifiable data.
      • The data security classification of each data element being shared. See the Appendix: Data Classifications by Type.
      • Determine if the requester has the appropriate data access roles and/or has completed the required data trainings to receive specific data types (e.g., FERPA training).
    • Determine if an Memorandum of Understanding (MOU) is required (see University Data & Institutional Reporting guidelines). See: Form UM 1893: Memorandum of Understanding (MOU): Sharing Private Data with Audiences Internal to the University
    • Keep a record of the request and data shared in a secure location in accordance with University storage and retention guidelines (see Data Storage and Backup & Recovery Standard and Digital Storage Options).
Data Classification and Sharing Information
Data Classification/Summary Level Sharing with School Officials with Business Need
Public Data Can be shared at the unit record or summary level which is determined to be the minimum level of detail which meets the business need.
Private-Restricted Data - All Summary Levels

Can be shared at a summary level which is determined to be the minimum level of detail which meets the business need. 

  • Complete an MOU if required
Private-Restricted Data - Unit Record

Can be shared at a unit record level if it is determined to be the level of detail which meets the business need. 

  • Recipient(s) must have completed relevant training, e.g., FERPA, or have a data access role required for the type of data being shared, and 
  • Complete an MOU if required
Private-Highly Restricted Not to be shared (See Out of Scope Section)

Definitions

Administrative Data
Data that the University centrally collects and maintains to support the operations of the University (does not include faculty’s research data).
Business Need (for Data)
The need an individual has to access and use administrative data in their capacity as a School Official. When evaluating business need, a data provider will determine the minimum data necessary to meet the business need. For example:
  • Has business need: Department administrator working with a department chair to understand the impact of curriculum changes on educational outcomes like grades.
  • Does not have business need: Department communications professional requesting a list of students who took a class in their department who are majoring in other departments so they can contact them about switching majors.
School Official (University Official)
A person employed by the University in an administrative, supervisory, academic, research, or support staff position (including law enforcement unit personnel and health staff); a person or company with whom the University has contracted to perform an institutional service or function in accordance with law; a person serving on the Board of Regents; or a student serving on a University committee or otherwise assisting another school official in performing institutional tasks. (See Board of Regents Policy: Student Education Records).
Data Security Classification
A simple and high level means of identifying the level of security and privacy protection to be applied to a Data Type or Data Set and the scope in which it can be shared. For a list of public and private data elements see the appendix: Examples of Public, Private and Confidential Information provided through Administrative Policy: Public Access to University Information. University of Minnesota classifications are listed in Administrative Policy: Data Security Classification.
Summary Data
Unit record (detail) data summarized in grouping of data. (e.g. number of students in a college).
Unit Record Data
Non-aggregated data at the lowest level of detail regardless of whether it includes personal identifiers (e.g., an individual student enrollment, an individual employee’s position data).

All questions about this procedure or how to apply it should be routed to Data Governance by sending an email to [email protected].