Sharing Data with University Faculty and Researchers
This procedure provides guidance on how and when members of the University community can share public or private unit record data and or aggregate-level data with University of Minnesota faculty and researchers. This procedure applies to all University providers of data, including individuals and units, including central units (e.g., Office of Institutional Research, central-work streams such as Human Resources, etc.), as well as colleges, departments and other units.
Individuals or units providing data in any form, including the secondary release of data, are responsible for the application of this procedure and its related policy (see Administrative Policy: Public Access to University Information).
The standard for sharing personally identifiable private student data is defined in the Regents Policy on Student Education Records. The policy defines “legitimate educational interest” as “an interest in reviewing student education records for the purpose of performing an appropriate University research, educational, or administrative function (see below examples). The University uses the same definition of “legitimate educational interest” for sharing other private data on individuals within the University.
Example 1: When a University Researcher is doing sponsored research (i.e., under a grant or a contract with the University) they are performing a “University research function.” In those cases the “legitimate educational interest” is met, data can be shared without the need for further approval.
Example 2: When a University researcher is not doing sponsored research, the researcher should get approval from a department head or dean’s office, to validate that the person is performing a “University research, educational, or administrative function.”
In all cases where the research is subject to the Institutional Review Board (IRB), the researcher must follow IRB requirements. However, the IRB doesn’t determine the “legitimate educational interest”, so the above rules should apply.
Unit Record Data is considered non-aggregated data at the lowest level of detail (e.g., individual student or employee level data).
Public Data is defined by Minnesota Statutes as “data collected, created, received, maintained or disseminated by a government entity” unless classified as private by statute or federal law. For purposes of this procedure, public data are those data elements that are non-FERPA suppressed. All other data are considered private. For a list of public and private data elements see the list of examples provided through Administrative Policy Public Access to University Information.
Providers refer to individuals responsible for providing data in any form to those audiences requesting either aggregated data or detail unit record data.
Out of Scope
Private data (e.g., HIPAA, social security numbers, PCI DSS) that is classified as Private-Highly Restricted as defined in Administrative Policy: Data Security Classification will not be shared in this manner and are out of scope for this procedure.
Those receiving requests (providers) for data from internal University audiences should be directed to the procedure for “Sharing Data with Internal University Audiences”.
Those receiving requests (providers) for data from external University audiences should be directed to the procedure for “Sharing Data with Audiences External to the University”.
Procedural Guidelines for Sharing Data with University Faculty/Researchers
- Providers determine if the request is for public, private, or a combination of public and private data.
- Data classified as public may be shared with University faculty and researchers in unit record as well as aggregate form no matter the cell size (see Table 1.0 below).
- Those requesting private data need to demonstrate a “legitimate educational interest” that is consistent with the above definitions. Requests will be reviewed and approved on a case by case basis by the owner of the requested content or by the provider.
- At the discretion of the data owner or data provider, requests may require a written description on how the data will be used and stored along with a non-disclosure agreement.
- When possible providers should leverage existing public reports prior to further action.
- Data and reporting shared with a given requester should be limited in scope, depth and breadth that is consistent with the requester’s needs.
- Depending on the requirements of a given request, unit record data classified as private should be de-identified prior to sharing. If private data can’t be de-identified a non-disclosure agreement may be necessary.
- Data suppression or masking is required when private data exists and one or more of the summarized cell sizes are less than five (with the exception of item #7 above). For a list of public and private data elements see Administative Policy: Public Access to University Information.
- When a given case requires data suppression, units should apply one of the following techniques when sharing private aggregate data.
- Ranges (see below) with no totals
- 1 – 5
- 6 – 10
- 11 – 15
- 16 – 20
- Over 20
- Percentages with no totals (mask rows/columns with 100%)
- Suppression of small cell sizes with no totals
- Ranges (see below) with no totals
- When sharing the data, providers should limit the data and reporting to the scope, depth and breadth that is consistent with the requester’s needs.
- Data will be shared in a number of ways including the following methods:
- Through the web (e.g., www.oir.umn.edu)
- Through ad hoc reporting requests
- Through secondary release via subsidiary reporting systems
Table 1.0 – Summarizing requirements for sharing data with audiences internal and external to the University including University faculty and researchers
|Public Data||Private Data|
|Audiences to Share Data with||Item||Aggregate||Unit Record||Aggregate||Unit Record|
|Internal Audiences (with need to know)||1||Yes||Yes||Yes||ARF|
|Audiences External to the University||2||Yes||Yes||Suppression||No|
|University of MN Faculty and Researchers||3||Yes||Yes||Case-by-case||Case-by-case|
1. 1D = Access Request Form (ARF) used by those requesting query access to data
2. 2C = Suppression should be applied with no more than one private data element per aggregate
3. 2D = Private unit record data will not be shared; however appeals can be sent to the OGC
4. 3C = Requests will be reviewed on a case-by-case basis and may require a non-disclosure agreement