POLICY TITLE: Institutional Data Access
POLICY #: IT - 19
DATE DRAFTED: 01/02/03
DATE POSTED for Review: 05/06/03
APPROVED DATE: 04/12/05
REVISION DATE: 07/07/04
BRIEF DESCRIPTION: To establish policy for the classification and use of University institutional data and the responsibilities for the protection of such data.
Institutional data that supports the mission of The University of Iowa is a vital asset, and is owned by the University. Institutional Data is shared data, managed within a conceptual framework. It is likely that Institutional Data will be distributed across processing units both within and outside of the University. Institutional data supports administrative operations of the University, is considered essential, and its quality must be ensured to comply with legal and administrative requirements.
Business Owners will assess risks and threats to data under their control and accordingly classify their data as public, internal, or restricted. Unless otherwise classified, institutional data is internal. University personnel may not broaden other parties’ access to institutional data without authorization from the Business Owner who is responsible for the data. This limitation applies to any and every means of copying, replicating, or otherwise propagating institutional data.
Access to institutional data varies according to the sensitivity of such data and use shall be limited to those defined for the classification to which it was assigned. Where the data is deemed to be of a confidential nature, access and use shall be limited to the purpose for which it was authorized. There are three levels of confidentiality which apply to institutional data:
Access to “Public” institutional data may be granted to any requester. Public data is not considered confidential. Examples of “Public” data include published “white pages” directory information, and academic course descriptions. The integrity of “Public” data must be protected, and the appropriate owner must authorize replication of the data. Even when data is considered “Public,” it cannot be released (copied or replicated) without appropriate approvals.
Access to “Internal” data must be requested from, and authorized by, the Business Owner who is responsible for the data. Data may be accessed by persons as part of their job responsibilities (role-based access). The integrity of this data is of primary importance, and the confidentiality of this data must be protected. Examples of “Internal” data include financial, project, human resources, and budget information.
Access to “Restricted” data must be controlled from creation to destruction, and will be granted only to those persons affiliated with the University who require such access in order to perform their job, or to those individuals permitted by law. The confidentiality of this data is of primary importance, although the integrity of this data must also be ensured. Access to restricted data must be requested from, and authorized by, the Business Owner who is responsible for the data. Examples of “Restricted” data include student registration, grades, and financial aid data, and research data. Access to this data may be further legally restricted by federal or state law.
Access to “Restricted-Health” data is controlled in the same fashion as “Restricted” data, but with the additional requirements that the location of all Protected Health Information (“PHI”) must be registered, release of PHI is restricted to the minimum necessary, Business Associate Agreements may be required for external sharing, and signed confidentiality agreements must be obtained before access is granted to Users. Examples of “Restricted-Health” data include medical records, health related research data, and other PHI.
- The integrity of institutional data must be protected from unauthorized modification, destruction, or disclosure. Permission to access institutional data should be granted to all eligible University employees for legitimate university purposes.
- Accessing confidential (i.e., Internal, Restricted, or Restricted-Health) institutional data without proper authorization is prohibited. Where access to institutional data has been authorized, use of such data shall be limited to the purpose for which access to the data was authorized. Secondary use of institutional data, without adhering to the restrictions, is also not permitted.
- University employees must take action to resolve, or report to their management, instances in which institutional data is at risk of unauthorized modification, disclosure, or destruction.
- Business Owners must ensure that all decisions regarding the collection and use of institutional data are in compliance with the law and with University policy and procedure. Business Owners must also ensure that appropriate security practices are used to protect institutional data, including appropriate auditing mechanisms for monitoring data access.
- All requests for access to restricted institutional data will be documented. Authorization for access to restricted institutional data comes from the Business Owner, and is made in conjunction with an authorization from the requestor’s department head or other authority.
- Users will respect the confidentiality and privacy of individuals whose records they access, observe any ethical restrictions that apply to the data they access, and abide by applicable laws and policies with respect to accessing, using, or disclosing information.
Data Classification:

| Requirements | Public | Internal | Restricted | Restricted-Health |
|---|---|---|---|---|
| Labels | None | None | Mark “Restricted” | Mark “Restricted” |
| Access - Read Only | No controls | Role Based | Individually Authorized | Individually Authorized, signed confidentiality agreement |
| Access - Write | Role Based | Role Based | Individually Authorized | Individually Authorized, signed confidentiality agreement |
| Secondary Use | As authorized | As authorized | Prohibited | Prohibited |
| Physical Data Storage | No controls | Non-public area | Access controlled area | Access controlled area |
| External Data Sharing | No controls | Iowa Open Records Law | Iowa Open Records Law; FERPA restrictions | Business Associate Agreement |
| Communication | No controls | Campus Mail; Encryption not required | Confidential envelope; Encryption may be required for external transmission | Confidential envelope; Encryption may be required for external transmission |
| Data Tracking | None | None | None | Location must be registered in central repository |
| Destruction | No controls | Recycle; Erase media | Shred paper, Overwrite media | Shred paper, Overwrite media |
| Auditing | No controls | Log changes | Log all changes | Log all accesses and changes |
| Workstation Placement | No controls | Non-public area | Non-public area | Access controlled area |
Related Policies, References and Attachments:
This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.
They are incorporated into the University of Iowa Operations Manual (http://www.uiowa.edu/~our/opmanual/index.html) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://www.uiowa.edu/~our/opmanual/ii/19.htm).
Nothing in this policy is intended to be in violation of FERPA or HIPAA requirements.
