Printed on: 08/18/2018. Please go to http://policy.umn.edu for the most current version of the Policy or related document.

ADMINISTRATIVE PROCEDURE

Sharing Data with University Educational and Administrative Audiences

This procedure provides guidance on how and when members of the University community can share public or private unit record data and/or aggregate-level data with audiences internal to the University. This procedure applies to all University providers of data, including individuals and units, including central units (e.g., Office of Institutional Research, central-work streams such as Human Resources, etc.), as well as colleges, departments and other units.

Individuals or units providing data in any form, including the secondary release of data, are responsible for the application of this procedure and its related policy (see Administrative Policy: Public Access to University Information).

The standard for sharing personally identifiable private student data is defined in the Regents Policy on Student Education Records. The policy defines “legitimate educational interest” as “an interest in reviewing student education records for the purpose of performing an appropriate University research, educational, or administrative function.” The University uses the same definition of “legitimate educational interest” for sharing other private data on individuals within the University.

Definitions

Unit Record Data is considered non-aggregated data at the lowest level of detail (e.g., individual student or employee level data).

Public Data is defined by Minnesota Statutes as “data collected, created, received, maintained or disseminated by a government entity” unless classified as private by statute or federal law. For purposes of this procedure, public data are those data elements that are non-FERPA suppressed. All other data are considered private. For a list of public and private data elements see the list of examples provided through Administrative Policy: Public Access to University Information.

Providers refer to individuals responsible for providing data in any form to those audiences requesting either aggregated data or detail unit record data.

Internal audiences are defined as current University employees (non-student) who have a need to know for the purpose of performing appropriate University research, educational, or administrative function and whose work assignment reasonably requires access (see the below standard).

Out of Scope

Private data (e.g., HIPAA, social security numbers, PCI DSS) that is classified as Private-Highly Restricted as defined in Administrative Policy: Data Security Classification will not be shared in this manner and is out of scope for this procedure.

Those receiving requests (providers) from University of Minnesota faculty and researchers should be directed to the procedure for “Sharing Data with University Faculty and Researchers”.

Those receiving requests (providers) for data from external University audiences should be directed to the procedure for “Sharing Data with Audiences External to the University”.

Procedural Guidelines for Sharing Data with Internal Audiences

  1. Those requesting private data need to demonstrate a “legitimate educational interest”. At the discretion of the data owner or data provider, and on a case-by-case basis, requests may require review and approval by the owner of the requested content.
  2. At the discretion of the data owner or provider, requests may require follow up with the respective department head, dean’s office or administrative office of those requesting data to determine appropriate use and to determine if requester’s work assignment reasonably requires access.
  3. Providers determine if the request is for public, private, or a combination of public and private data. For a list of public and private data elements see the appendix: Examples of Public, Private and Confidential Information in Administrative Policy: Public Access to University Information.
  4. If all data being requested are classified as public, providers may share the data with internal audiences in unit record form or in aggregate form no matter the cell size (see Table 1.0 below).
  5. Aggregate data that is classified as private may be shared with internal audiences assuming the requester has a business need to know to perform their job duties (see Table 1.0 below).
  6. Those who do not meet the need to know requirement should be directed to the public reports available (see Administrative Procedure: Sharing Data with Audiences External to the University).
  7. The completion of an Access Request Form (ARF) will be required for those requesting access to private unit record data used for query/direct access to the Data Warehouse and other PeopleSoft sources and approved by the respective data owner.
  8. When sharing the data, providers should limit the data and reporting to the scope, depth and breadth that is consistent with the requester’s needs.
  9. Data suppression or masking is not needed for reporting containing only public data.
  10. Data will be shared in a number of ways, including the following methods:
    1. Through the web (e.g., www.oir.umn.edu)
    2. Through ad hoc reporting requests
    3. Through secondary release via subsidiary reporting systems

Table 1.0 – Summarizing requirements for sharing data with audiences internal and external to the University including University faculty and researchers

| Audiences to Share Data with | Item | A: Public Data, Aggregate | B: Public Data, Unit Record | C: Private Data, Aggregate | D: Private Data, Unit Record |
|---|---|---|---|---|---|
| Internal Audiences (with need to know) | 1 | Yes | Yes | Yes | ARF |
| Audiences External to the University | 2 | Yes | Yes | Suppression | No |
| University of MN Faculty and Researchers | 3 | Yes | Yes | Case-by-case | Case-by-case |

Table Descriptions:
  1. 1D = Access Request Form (ARF) used by those requesting query access to data
  2. 2C = Suppression should be applied with no more than one private data element per aggregate
  3. 2D = Private unit record data will not be shared; however, appeals can be sent to the OGC
  4. 3C = Requests will be reviewed on a case-by-case basis and may require a non-disclosure agreement
  5. 3D = Requests will be reviewed on a case-by-case basis and may require a non-disclosure agreement
General Notes:
  1. Suppression involves applying the rule of five to summarized data through the use of percentages, ranges or masking
  2. Unit Record Data refers to individual student and employee level data
  3. Aggregate refers to the summarization of unit record (detail) data
  4. OGC refers to the Office of the General Counsel

All questions about this procedure or how to apply it should be routed to Data Governance by sending an email to edmr@umn.edu.
