effective 1/2012

Purpose

The value of data as an institutional resource is increased through its widespread and appropriate use; its value is diminished through misuse, misinterpretation, unnecessary restrictions to its access, or failure to maintain data quality or integrity.

The purpose of this policy is to define access, controls, and protection of the college’s administrative data. Administrative data maintained by the institution is a vital information asset that will be available to all employees who have a legitimate need for it, consistent with the institution’s responsibility to preserve and protect the integrity of the data and to ensure the privacy of sensitive data.

The institution is the owner of all administrative data; individual units or departments have stewardship responsibilities for data domains or portions of the data.

Designated Albright College data domains, data trustees, and data stewards are listed in Appendix A – (Listing of Albright College Data Trustees and Data Stewards) of this policy. Adjustments to Appendix A will be incorporated as necessary over time, as additional enterprise data management systems are implemented, or as organizational and staffing changes warrant. Such changes will not be deemed a revision to this policy.

 

Applicability

Administrative data captured and maintained at Albright College are a valuable college resource. While these data may reside in different database management systems and on different machines, these data in aggregate may be thought of as forming one overarching, enterprise administrative database.

This policy applies to all users of Albright’s administrative database environment.

 

Policy

Access to non-public administrative data is granted only via the appropriately designated Albright College Data Steward.

By authorizing access to designated categories of administrative data, Data Stewards are acknowledging a legitimate user need for information access, as well as appropriate training and understanding on the part of the requesting user to ensure ongoing administrative data integrity, quality, protection, and privacy. In addition to authorizing new administrative data access requests, Data Stewards are responsible for an annual review of user security access to their respective data domains.

By receiving access to designated categories of administrative data, the requesting data user is acknowledging responsibility for adherence to all relevant Albright policies, procedures, standards and guidelines.

The college has defined three levels of data classification for administrative data:

• Public Data
• Restricted Data
• Highly Sensitive Data

Additional safeguards and protocols exist to further protect both Restricted and Highly Sensitive data, as appropriate.

 

Data Classifications

Public Data – General administrative data that are intentionally made public are classified as Public Data. This includes all general administrative data that are not legally restricted or judged by Data Stewards to be limited access data. Examples of Public Data include the Albright Master Course Schedule as well as faculty, staff and student directory data. Public Data are often readily available on Albright’s public website.

Restricted Data – By default, all administrative data not explicitly defined as either Highly Sensitive or Public are classified as Restricted Data. Examples of Restricted Data include student grades and faculty/staff salaries.

Appropriate safeguards, including data access authorization and approvals by Data Stewards, must exist for all data that the college is obligated to protect, whether by law, contract, or college policy. Secure credentials are required to access restricted university data. Standards or guidelines governing the access, release, distribution and dissemination of restricted data by individuals authorized to access it is controlled and administered by the designated Data Stewards.

Highly Sensitive Data – Highly Sensitive Data are by definition restricted and include personal information that can lead to identity theft if exposed or disclosed in an unauthorized manner. Specifically, the college defines the following as Highly Sensitive Data:

The first name or first initial and last name in combination with and linked to any one or more of the following data elements about the individual:

• Social security number
• Driver’s license number or state identification card number issued in lieu of a driver’s license number
• Passport number; or
• Financial/banking account number, credit card number, or debit card number.

Electronic Storage of Highly Sensitive Data Procedures – Additional safeguards and protocols exist to ensure Albright constituent privacy and to protect Highly Sensitive Data from unauthorized exposure. Like Restricted Data, access to Highly Sensitive Data may only be authorized by Data Stewards. Further, Highly Sensitive Data must not be stored or kept on any non-network storage device or media. Prohibited storage media includes storage on desktop computers, laptop computers, PDAs, cell phones, USB drives, thumb drives, memory cards, CDs, DVDs, local external hard drives and other USB devices unless specifically approved encryption methodologies have been utilized.

Further, Highly Sensitive data cannot be distributed, including via e-mail or e-mail attachment, unless via approved encrypted means.

Exceptions to the procedures for the electronic storage of Highly Sensitive Data must be approved by the appropriate division Vice President in consultation with the Chief Technology Officer. Approved exception requests will be documented to ensure the implementation of acceptable data encryption protocols.

 

RESPONSIBILITY OF DATA TRUSTEES, DATA STEWARDS AND DATA USERS

Data Trustee: Data Trustees are the senior College officials (typically at the level of Vice President) who have planning and policy-level responsibilities for data within their functional areas and management responsibility for defined segments of institutional data, or data domains. The Data Trustees, as a group, are responsible for overseeing the establishment of data management policies and procedures and for the assignment of data management accountability. Data Trustees typically serve as the executive sponsors of technology projects involving institutional data management.

Data Trustees work with the Chief Technology Officer to prioritize data management related projects and to ensure that the appropriate resources are available to support the data needs of the College.

Data Trustee responsibilities include:

• Assigning and overseeing Data Stewards
• Overseeing the establishment of data policies in their areas
• Determining legal and regulatory requirements for data in their areas
• Promoting and ensuring appropriate data use and data quality
• Addressing institutional data issues that a.) potentially compromise data integrity, reliability, privacy or b.) potentially limit or reduce institutional effectiveness or efficiency

Data Stewards: Data Stewards are appointed by Data Trustees. Data Stewards have primary responsibility for the accuracy, integrity, privacy, and security of the College Data under his/her stewardship. They have overall responsibility for appropriate system use and data maintenance procedures within their areas, including the administration of any additional policies or procedures to govern the use of legally protected, restricted or sensitive college data. Additional responsibilities include:

• Communicating with and educating data users on appropriate use and protection of institutional data
• Developing and documenting procedures for requesting and authorizing access to restricted administrative data.
• Testing, approving, and authorizing the production implementation (or ‘go-live’) of new, upgraded, or updated software programs pertaining to administrative data management and software systems (such as PowerCampus, PowerFaids, Great Plains, and Millenium, etc.).
• Working with Information Technology Services and appropriate Records Management officials to determine data retention requirements and archiving strategies for storing and preserving historical operational data.
• Working with ITS and the Data Management Group to ensure that a common set of data definitions is consistently used and applied, to facilitate data-driven decision making, to enhance the ability for automated system interfaces, and to generally improve the electronic exchange of data across the enterprise.
• Assure data integrity, respond to questions about the accuracy of data, and correct inconsistencies.
• Assure data collection is complete, accurate, valid, timely, and that data are maintained as close as is possible to the source or creation point of the data.
• Establish and maintain business rules regarding the manipulation, modification, or reporting of administrative data elements and for creating derived elements in support of accurate data integration efforts, automated business process improvement projects, or other college planning and assessment efforts.
• Work with Information Technology Services to monitor and periodically review (at least once annually) individual user security profiles and authorized data access.