12.4 Data Access
Data stewards will work together to define a single set of procedures for requesting access to sensitive elements of institutional data, and to document these data access request procedures.
12.4.1 Data Access
Data stewards at the institution are responsible for developing and obtaining approval of data access procedures and approving all requests for data access via these procedures. It is recommended that such a process be developed that includes the following steps:
Requests for access must be made in writing to the appropriate functional data steward. Such requests must include approval by the requestor’s supervisor or management, and should be specific as to the data needed and the purpose for accessing the data. All requests are maintained for use in case of a need to audit access permissions.
Upon approval by the functional data steward, the request is forwarded to the data administration unit of the institution’s Information Technology (IT) department for technical implementation via provisioning of accounts, login ids, or view access.
The requestor will be notified of their access, and will be provided a copy of the institution’s Data Stewardship & Access Policy, the relevant functional guidelines for use, and any restrictions on the data, such as the Family Educational Rights and Privacy Act regulations.
All data access will be reviewed and renewed on an annual basis by each functional data steward to ensure that the access remains appropriate.
Note: Permission to access data does not necessarily imply permission to change data. Data stewards will ensure that the proper access rights, such as read, write, modify, or delete, are given to users who request data access.
12.4.2 Data Documentation
Data stewards are responsible for documenting the data maintained within their functional area. This documentation should include, at a minimum:
- Data name;
- Data description;
- Data sensitivity;
- Data location;
- Data retention; and,
- Data backup plan.
Data stewards also have responsibility for documenting the meta-data about their data so that users are aware of the definitions, restrictions, or interpretations, and other issues that ensure the correct use of the data.