Printer Friendly

Utah Valley University
Policies and Procedures

Title Institutional Data Management and Access Number 445
Section Facilities, Operations, and Information Technology Approval Date Oct 14,2004
Subsection Information Technology Effective Date Oct 14,2004
I. Policy
POLICY
  1. Philosophy
    Information maintained by the institution is a vital asset that will be available to all employees who have a legitimate need for it, consistent with the institution's responsibility to preserve and protect such information by all appropriate means. The institution is the owner of all administrative data; individual units or departments may have stewardship responsibilities for portions of that data. The institution intends that the volume of freely accessible data be as great as possible, given limitations of budget. The value of data as an institutional resource is increased through its widespread and appropriate use; its value is diminished through misuse, misinterpretation, or unnecessary restrictions to its access. The institution expressly forbids the use of administrative data for anything but the conduct of institution business. Employees accessing data must observe requirements for confidentiality and privacy, must comply with protection and control procedures, and must accurately present the data in any use. The institution determines levels of access to administrative data according to principles drawn from various sources. State and federal law provides clear description of some types of information to which access must be restricted. In an academic community, ethical considerations are another important factor in determining access to administrative data.
  2. Definition of Administrative Data
    The institution's data base consists of information critical to the success of the institution as a whole. The institution data base is shared data, managed within a conceptual framework. It is likely that the institution data base will be distributed across processing units both within and outside the institution. Data may be digital text, graphics, images, sound, or video. The institution regards data that are maintained in support of a functional unit's operation as part of the institution's administrative data base if they meet any of the following criteria:
    1. if at least two administrative operations of the institution use the data and consider the data essential;
    2. if integration of related information requires the data;
    3. if the institution must ensure the integrity of the data to comply with legal and administrative requirements for supporting statistical and historical information externally;
    4. if a broad cross section of users refers to or maintains the data; or
    5. if the institution needs the data to plan
      Some examples of administrative data include student course grades, employee salary information, vendor payments, and the institution's Fact Book. Administrative data does not include personal electronic mail, calendar information and similar material.
    • Data Stewards and Custodians
      Data Stewards are senior institution officials who have planning and policy-level responsibility for data within their functional areas. Data Stewards as a group (the Committee of Data Stewards, chaired by the Assistant VP of Information Technology and including the Director of Institutional Research or their designee) are responsible for recommending policies, procedures, and guidelines for institution-wide data administrative activities. The Data Stewards assign data elements to categories of administrative data and recommend sets of administrative data for digital "publication" (see Categorization of Data 4:1, below). Data Custodians are those individuals directly responsible for creating, maintaining, and using data to support the institution's operation and its information needs.
    • Responsibilities of Data Stewards, Data Custodians, and Data Management Group
      1. Categorization of Data
        General administrative data are all data that are not either legally restricted or judged by Data Stewards to be limited-access data. Data Stewards will assign each item of administrative data and each standard view of that data to one of three categories: general administrative, limited-access, or legally restricted. Legally restricted data are those data found upon review by the GRAMA officer to require restrictions on access under the law. Limited access data are data that the Data Stewards judge to require special procedures for access. Criteria for assignment of data to this category will be developed by the Data Stewards and reviewed annually. Digitally published data are those that the institution makes available for unlimited access through such computer services as the institution website. Data Stewards may designate some data and data views in the general administrative category for digital publication.
      2. Definition of Data
        The Data Stewards and Data Custodians will establish procedures for initial definition and change of data elements within their data entity. Data Custodians will provide data descriptions for directories that will let data users know what shareable data are available, what the data mean, and how to access the data. Data definitions will be:
        1. based on actual usage,
        2. made according to institution standards as set by the respective Data Stewards,
        3. modified only through approved procedures as set by the respective Data Stewards, and
        4. reviewed on a timely basis and kept current

      3. Definition of Data Extracts and Data Views
        The Data Stewards will work with Data Custodians and data users to define useful and meaningful schedules for creation of standard data extracts (data snapshots that are captured at a fixed point in time). The Data Stewards will work with the Data Custodians to define standard views of administrative data, in order to aggregate data from multiple sources, to segment data into smaller and more manageable subsets, or to segregate data according to confidentiality or similar characteristics. A data view is a logical entity typically assembled using current data from the primary storage location at the time the view is requested.
      4. Development of Access Policies and Procedures
        The term "access" means to read or view administrative data. Access does not include the ability to create or modify data. Creation and modification can only be done by the Data Steward, the Data Custodian, or their designate. Each Data Custodian will be individually responsible for establishing data access procedures that are unique to a specific information resource or set of data elements. These procedures will ease access and will ensure data security.
      5. Promotion of Accurate Interpretation and Responsible Use
        Data Stewards will develop policy to promote the accurate interpretation and responsible use of administrative data. Data Custodians are responsible for making known the rules and conditions that could affect the accurate presentation of data. Persons who access data are responsible for the accurate presentation of that data. Data Custodians will support users in the use and interpretation of administrative data, primarily through documentation, but also in the form of consulting services.
      6. Maintenance of Data Integrity
        The Data Custodians will determine the most reliable sources of data and regularly evaluate the quality of the data entity. They will determine responsibilities for data capture and maintenance to ensure data integrity. The Data Custodians will identify gaps and redundancies in the data and, to the extent possible, will ensure that only needed versions of each data element exist. They will specify data control and protection requirements to be observed by data processors and users. The Data Custodians will monitor the data for accuracy, integrity, and dependability, and where appropriate, will initiate action concerning these issues.
      7. Determination of Security Requirements
        The Data Stewards, in consultation with the Network, Infrastructure and Security Committee (NISC), will determine security requirements for administrative data and will be responsible for monitoring and reviewing security implementation and authorized access.
      8. Establishment of Archiving Procedures
        The Data Stewards and Data Custodians will define the criteria for archiving the data to satisfy retention requirements.
      9. Establishment of Disaster Recovery Procedures
        Information Technology Services (ITS) is ultimately responsible for defining and implementing policies and procedures to assure that data are backed up and recoverable. The Data Stewards will play an active role in assisting ITS in this responsibility. With the Data Stewards' advice, ITS will develop a workable plan for resuming operations in the event of a disaster, including recovery of data and restoration of needed computer hardware and software.
      10. Responsibilities of the Data Management Group
        The Data Management Group develops and applies standards for the management of institutional data and for ensuring that data are accessible to those who need it. The Assistant VP of Information Technology chairs the Data Management Group and works very closely with this group on formulation of data policies, standards, and procedures. Information Technology Services (ITS) works with the Data Stewards to establish long-term direction for effectively using information resources to support institution goals and objectives. ITS creates logical data models of applications. These models are ultimately used to create an institution-wide data model that cross-references data across applications and encourages data sharing. ITS develops a standard method for naming and defining data. It also facilitates conflict resolution in data definitions. ITS makes institutional data available to authorized users in a manner consistent with established data access rules and decisions. It develops views of data as directed by the data committees. The group ensures that the technical integrity of the data is maintained and, in conjunction with the Network, Infrastructure and Security Committee (NISC), that data security requirements are met.

    • Requests for Access
      1. Legally Restricted or Limited-Access Data Access to legally restricted or limited-access data by institution employees or employees of institution-related foundations requires that a formal request be made to the appropriate Data Steward.
      2. Exceptions All requests for exceptions to data access policies must be made in writing to the Data Steward. E-mail requests are acceptable. The request must specify the data desired and their intended use.
      3. Denial The Data Steward must provide a written record of the reasons for denial of any access request. E-mail records are acceptable.
      4. Appeal Members of the institution community may appeal any data access decision. Appeals may be made to the appropriate Vice President

    • Responsibilities of Users
      1. Use of administrative data only in the conduct of institution business. The institution expressly forbids the disclosure of unpublished administrative data or the distribution of such data in any medium, except as required by an employee's job responsibilities and approved in advance by the Data Steward. In this context, disclosure means giving the data to persons not previously authorized to have access to it. The institution also forbids the access or use of any administrative data for one's own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity.
      2. Maintenance of confidentiality and privacy. Users will respect the confidentiality and privacy of individuals whose records they access, observe any ethical restrictions that apply to data to which they have access, and abide by applicable laws and policies with respect to access, use, or disclosure of information. All data users having access to legally restricted or limited-access data will formally acknowledge (by signed statement or some other means) their understanding of the level of access provided and their responsibility to maintain the confidentiality of data they access. Each data user will be responsible for the consequences of any misuse.
      3. Protection of data. Users will comply with all reasonable protection and control procedures for administrative data to which they have been granted access.
      4. Accurate presentation of data. Users will be responsible for the accurate presentation of administrative data, and will be responsible for the consequences of any intentional misrepresentation of that data.
    Cara O'Sullivan, Policy Officer | mailto:cara.osullivan@uvu.edu | (801) 836-7355
    Utah Valley University • 800 West University Parkway • Orem, UT 84058 • (801) 863-INFO (4636) • Rights & Responsibilities | © 2013 UVUFeedback/Report Errors