Sharing Data with Audiences External to the University
This procedure provides guidance on how and when members of the University community can share public or private unit record data and or aggregate-level data with audiences external to the University. This procedure applies to all University providers of data, including individuals and units, including central units (e.g., Office of Institutional Research, central-work streams such as Human Resources, etc.), as well as colleges, departments and other units.
Individuals or units providing data in any form, including the secondary release of data, are responsible for the application of this procedure and its related policy (see Administrative Policy: Public Access to University Information).
Unit Record Data is considered non-aggregated data at the lowest level of detail (e.g., individual student or employee level data).
Public Data is defined by Minnesota Statutes as “data collected, created, received, maintained or disseminated by a government entity” unless classified as private by statute or federal law. For purposes of this procedure, public data are those data elements that are non-FERPA suppressed. All other data are considered private. For a list of public and private data elements see the appendix: Examples of Public, Private and Confidential Information provided through Administrative Policy: Public Access to University Information.
Providers refer to individuals responsible for providing data in any form to those audiences requesting either aggregated data or detail unit record data.
Out of Scope
Private data (e.g., HIPAA, social security numbers, PCI DSS) that is classified as Private-Highly Restricted as defined in Administrative Policy: Data Security Classification will not be shared in this manner and are out of scope for this procedure.
Those receiving requests (providers) for data from internal University audiences should be directed to Administrative Procedure: Sharing Data with Internal University Audiences.
Those receiving requests (providers) from University of Minnesota faculty and researchers should be directed to Administrative Procedure: Sharing Data with University Faculty and Researchers.
Procedural Guidelines for Sharing Data with External Audiences
- Providers receiving external (e.g., from media sources) requests for aggregate or unit record data must communicate with the appropriate University Office (e.g., University Relations News Service, Government & Community Relations) prior to releasing any data.
- Providers determine if the request is for public, private, or a combination of public and private data.
- If all of the data are classified as private and the requester is seeking unit record data, the provider may not share the data with external audiences and the provider should direct the requestor to the process specified under Administrative Policy: Public Access to University Information.
- If all of the data are classified as public, providers may share the data with external audiences in unit record form or in aggregate form no matter the cell size (see Table 1.0 below).
- Data suppression is not needed when using up to one private data element (e.g., age, citizenship, ethnicity, gender) per aggregate aggregated as follows:
- Data suppression or masking is required when private data exists and one or more of the summarized cell sizes are less than five (with the exception of item #5 above). For a list of public and private data elements see the appendix: Examples of Public, Private and Confidential Information in Administrative Policy: Public Access to University Information.
- When a given case requires data suppression, units should apply one of the following techniques when sharing private aggregate data.
- Ranges (see below) with no totals
- 1 – 5
- 6 – 10
- 11 – 15
- 16 – 20
- Over 20
- Percentages with no totals (mask rows/columns with 100%)
- Suppression of small cell sizes with no totals
- Ranges (see below) with no totals
- When sharing the data, providers should limit the data and reporting to the scope, depth and breadth that is consistent with the requester’s needs.
- Providers must keep a record of the data shared with external audiences.
- Data will be shared in a number of ways including the following methods:
- Through the web (e.g., www.oir.umn.edu)
- Through ad hoc reporting requests
- Through secondary release via subsidiary reporting systems
Table 1.0 – Summarizing requirements for sharing data with audiences internal and external to the University including University faculty and researchers
|Public Data||Private Data|
|Audiences to Share Data with||Item||Aggregate||Unit Record||Aggregate||Unit Record|
|Internal Audiences (with need to know)||1||Yes||Yes||Yes||ARF|
|Audiences External to the University||2||Yes||Yes||Suppression||No|
|University of MN Faculty and Researchers||3||Yes||Yes||Case-by-case||Case-by-case|
- 1D = Access Request Form (ARF) used by those requesting query access to data
- 2C = Suppression should be applied with no more than one private data element per aggregate
- 2D = Private unit record data will not be shared; however appeals can be sent to the OGC
- 3C = Requests will be reviewed on a case-by-case basis and may require a non-disclosure agreement
- 3D = Requests will be reviewed on a case-by-case basis and may require a non-disclosure agreement
- Suppression involves applying the rule of five to summarized data through the use of percentages, ranges or masking
- Unit Record Data refers to individual student and employee level data
- Aggregate refers to the summarization of unit record (detail) data
- OGC refers to the Office of the General Counsel
All questions about this procedure or how to apply it should be routed to Data Governance by sending an email to firstname.lastname@example.org.