Information, in all forms, is a strategic asset to the University System of Georgia (USG), including each USG institution, the University System Office [(USO), including the Shared Services Center (SSC)], the Georgia Public Library Service, (GPLS), and the Georgia Archives. The purpose of this section is to provide guidelines for the management and access to data, which is critical to the administration of USG participant organizations.
The following definitions of shall, will, must, may, may not, and should are used throughout this Handbook.
- Shall, Will, and Must indicate a legal, regulatory, standard, or policy requirement. Shall and Will are used for persons and organizations, and Must for inanimate objects.
- May indicates an option.
- May Not indicates a prohibition.
- Should indicates a recommendation that, in the absence of an alternative providing equal or better protection from risk, is an acceptable approach to achieve a requirement. The focus of should statements generally is more outcome-based; i.e., an alternate method to achieve the requirement may be developed assuming it is documented as effectively managing risk.
Implementation and Compliance
|Section Number||Section Name||Compilation Date||Published Date||Compliance Date||Revision Date(s)|
|9.1||Purpose||January 2005||January 2005 to Business Procedures Manual
May 2014 to IT Handbook
|January 2005||May 2014|
|9.2||Data Management Structure||January 2005||January 2005 to Business Procedures Manual
May 2014 to IT Handbook
|January 2005||May 2014|
|9.3||Data Classification||January 2005||January 2005 to Business Procedures Manual
May 2014 to IT Handbook
|January 2005||May 2014|
|9.4||Data Access||January 2005||January 2005 to Business Procedures Manual
May 2014 to IT Handbook
|January 2005||May 2014|
|9.5||Privacy and Security||January 2005||January 2005 to Business Procedures Manual
May 2014 to IT Handbook
|January 2005||May 2014|
While USG participant organization information may reside in paper format, in different database management systems, or on different machines, these data, in the aggregate, may be thought of as forming a single, logical database. These data will be called institutional data. This section will describe the roles and responsibilities of stewardship for, and procedures for establishing access to, institutional data.
It is the desire of the USG that all institutional data be used with appropriate and relevant levels of access and with sufficient assurance of its security and integrity in compliance with existing laws, rules, and regulations. The goal of this section is to provide reasonable guidance to USG participant organizations to increase the value and security of data by use of appropriate guidelines, procedures and methods.
Material in this section has been taken from the following sources:
- Georgia State University, Data Stewardship and Access Policy for University Information
- University of Maryland, Baltimore County. UMBC Data Management Structure 6/18/2003, draft version
9.1.1 Scope and Restrictions
This section applies to institutional data only, as defined below, and is intended to improve access to these data by employees for conducting organization business. In all cases, applicable statutes, laws, rules, and regulations that guarantee either protection or accessibility of organizational records will take precedence over this section. While this section is especially pertinent to information stored electronically, it is applicable to all information, such as paper, microform, and video, as well as the content of confidential meetings and conversations.
This section does not apply to notes and records that are the personal property of individuals in the participant organization community and is not directed to data whose primary purpose is scholarly; e.g., instructional material, research notes, etc.
The scope of this section is to have broad application, particularly with respect to data and information resources, which have impact on organizational operation. Data that may be managed locally may also have significant impact if it is used in a manner that can impact organization operations. It is expected that the intent of this section be extended in analogous manner to all data and information used at all operational levels of the participant organization.
9.1.2 Institutional Data Definition
A data element is considered institutional data if it provides support to, and meets the needs of, units of the institution. Examples of institutional data include, but are not limited to, many of the elements supporting financial management, student curricula, payroll, personnel management, and capital equipment inventory.
Information may be considered institutional data if it satisfies one or more of the following criteria:
- Data used for planning, managing, reporting, or auditing a major administrative function;
- Data referenced or used by a participant organization to conduct organization business;
- Data included in an official participant organization administrative report; or,
- Data used to derive an element that meets any of the criteria above.
9.1.3 System Data Definition
A data element is considered system data if it is created by the USO and used by the USO for official purposes. Examples of system data include, but are not limited to, institutional enrollment information, financial information, and data warehouse information.
Information may be considered system data if it satisfies one or more of the following criteria:
- Data included in the USG Data Warehouse;
- Data that serve the policy development of the Board of Regents (BoR);
- Data that inform decisions for, or operating, planning, managing, or auditing a major administrative function of, the USG; and,
- Data used to produce USG reports for internal and external constituencies.
A data governance and management structure is required at each USG institution, the USO, the GPLS, and the Georgia Archives. The data management structure will demonstrate accountabilities for the data assets of the entity to ensure proper use and handling of data being read, created, collected, reported, updated or deleted.
The data management structure should identify the offices/positions (including identifying incumbent) responsible for fulfilling the roles defined herein.
9.2.1 Data Governance and Management Committee (USO and USG Participant Organizations)
A Data Governance and Management Committee is responsible for defining and managing implementation of the policies and procedures for the data governance and management functions at the USO and at each USG participant organization.
Specific responsibilities include, but are not necessarily limited to the following:
- Defining data management roles and responsibilities herein and in other policy and procedure documentation;
- Collating and maintaining documentation pertaining to data governance and management policy and procedure in a centralized and easy-to-access location for the participant organization staff;
- Identifying the Data Governance and Management Committee structure and membership; and,
- Assisting the chairs of the functional committees to ensure effectiveness.
9.2.2 Data Owner
The individual participant organization is responsible for all data being read, created, collected, reported, updated, or deleted by offices of the organization. As the chief executive officer, the president of the USG institution or the head of other USG participant organizations is identified as the data owner of the institutional data.
The USO is responsible for all data being read, created, collected, reported, updated or deleted by offices of the USO collective. As the chief executive officer, the USG Chancellor is identified as the data owner of the USO data.
Data owners have the responsibility for the identification, appointment and accountability of Data trustees.
Data owners will inform the participant organization’s Data Governance and Data Management Committee of their data trustee appointments including office, name, and contact information of the incumbent.
9.2.3 Data Trustees
Data trustees, designated by the data owner, are executives of the USG participant organizations who have overall responsibility for the data being read, created, collected, reported, updated or deleted by the units reporting to them. These positions/offices would normally be cabinet-level positions reporting directly to the entity data owner.
Responsibilities of the data trustees include, but are not necessarily limited to:
- Ensuring that data accessed and used by units reporting to them is done so in ways consistent with the mission of the office and participant organization;
- The identification, appointment and accountability of data stewards within the functional area(s) for which they are responsible. The data trustees will inform the participant organization’s Data Governance and Data Management Committee of their data trustees appointments, including office, name, and contact information of the incumbent;
- Participating as a member of the strategic data governance and management committee; and,
- Communicating concerns about data quality to the data owner.
The participant organization’s chief information officer (CIO) and the information security officer (ISO), as defined in Sections 1.1 and 5.2.2 of this Handbook, respectively, whether or not designated as data trustees, have the responsibility for ensuring that a technical infrastructure is in place to support the data needs and assets, including availability, delivery, access, and security across the entirety of their operational scope.
The data trustees of the USG participant organizations are normally the counterpart of the other.
9.2.4 Data Stewards
Data stewards, designated by the data trustees, are offices/positions responsible for the data being read, used, created, collected, reported, updated or deleted, and the technology used to do so, in their functional areas. Positions held by the data stewards normally would report directly to the data trustee. Data stewards recommend policies to the data trustees, and establish procedures and guidelines concerning the access to, completeness, accuracy, privacy, and integrity of the data for which they are responsible. Individually, data stewards act as advisors to the data trustees and have management responsibilities for data administration issues in their functional areas. Depending on the size and complexity of a functional unit, it may be necessary, and beneficial, for a designated data steward to identify associate data stewards to manage and implement the stewardship process.
Responsibilities of the data stewards include, but are not necessarily limited to:
- Ensuring data quality and data definition standards are met.
- Identifying the privacy level as unrestricted, sensitive, or confidential, for functional data within their area(s) of supervision/direction.
- Establishing authorization procedures with the USG participant organization’s Data Governance and Data Management Committee and/or CIO to facilitate appropriate data access as defined by institutional/office data policy and ensuring security for that data.
- Developing standard definitions for data elements created and/or used within the functional unit. The data definition will extend to include metadata definitions as well as the root data element definition.
- Working with the USG participant organization’s Data Governance and Data Management Committee, identifying and resolving issues related to stewardship of data elements, when used individually or collectively, that cross multiple units or divisions. For example, the individual data element “Social Security Number” may have more than one data steward since it is collected or used in multiple systems, such as financial, human resources, and student systems. Resolving stewardship issues for “Full-time Student” would be an example of using multiple data elements collectively to garner the informational item.
- Participating as a member of the functional data governance and management committee(s) as appointed by the data trustee.
- Communicating concerns about data quality to the data trustees.
Depending on the size and compliment of the office for which the data steward is responsible, the data steward should assume or delegate steward-type roles to define the accountabilities and responsibilities that go with each data action occurring within the functional area, to wit: data definition, data collection, data reading, data creation, and so on.
Examples of these roles and associated responsibilities would likely include, but not necessarily be limited to, the following:
- Data Definer is responsible for:
- Defining data in the best interest of the organization;
- Making the definition of data available to the organization; and,
- Communicating concerns about data quality to the data steward or data trustees.
- Data Creator is responsible for:
- The accuracy of data being captured, created or entered;
- The timeliness of data being captured, created or entered;
- Defining the processes by which the technologies capture, create, or enter the data to be used; and,
- Communicating concerns about data quality to the data steward or data trustees
- Data Reader is responsible for:
- The integrity/security of data being read/used; and,
- Communicating concerns about data quality to the data steward or data trustees.
By default, all institutional data will be designated as internal data for use within a participant organization or to satisfy external reporting requirements to the USG BoR, and to state, federal, or other external agencies. Employees will have access to these data for use in the conduct of participant organization business. These data, while available within the participant organization, are not designated as open to the general public unless otherwise required by law. The permission to view or query institutional data should be granted to all data users for all legitimate participant organization purposes.
As part of the data definition process, data stewards will assign each data element and each data view in institutional data to one of three categories: unrestricted, sensitive, and confidential.
Note: In some circumstances, as long as specific identifying data elements are removed, a data view may include elements of institutional data that would otherwise be sensitive or confidential.
9.3.1 Unrestricted Data
Where appropriate, data stewards may identify institutional data elements that have no access restrictions as available to the general public. These data will be designated as unrestricted or public data.
9.3.2 Sensitive Data
Where necessary, data stewards may specify institutional data elements as sensitive data for which users must obtain specific authorization to access since the data’s unauthorized disclosure, alteration, or destruction will cause perceivable damage to the participant organization.
The specification of data as sensitive should include reference to the legal or externally imposed constraint that requires this restriction, the categories of users typically given access to the data, and under what conditions or limitations access is typically given.
9.3.3 Confidential Data
Where required, data stewards may identify institutional data elements as confidential, for which the highest levels of restriction should apply due to the risk or harm that may result from disclosure or inappropriate use.
This includes information whose improper use or disclosure could adversely affect the ability of the participant organization to accomplish its mission, records about individuals requesting protection under the Family Educational Rights and Privacy Act of 1974 (FERPA), or data not releasable under the Georgia Open Records Act or the Georgia Open Meetings Act.
Data stewards will work together to define a single set of procedures for requesting access to sensitive elements of institutional data, and to document these data access request procedures.
9.4.1 Data Access
Data stewards at the participant organization are responsible for developing and obtaining approval of data access procedures and approving all requests for data access via these procedures. It is recommended that such a process be developed that includes the following steps:
- Requests for access must be made in writing to the appropriate functional data steward. Such requests must include approval by the requestor’s supervisor or management, and should be specific as to the data needed and the purpose for accessing the data. All requests are maintained for use in case of a need to audit access permissions.
- Upon approval by the functional data steward, the request is forwarded to the data administration unit of the participant organization’s Information Technology (IT) department for technical implementation via provisioning of accounts, login ids, or view access.
- The requestor will be notified of their access, and will be provided a copy of the participant organization’s Data Stewardship & Access Policy, the relevant functional guidelines for use, and any restrictions on the data, such as the Family Educational Rights and Privacy Act regulations.
- All data access will be reviewed and renewed on an annual basis by each functional data steward to ensure that the access remains appropriate.
Note: Permission to access data does not necessarily imply permission to change data. Data stewards will ensure that the proper access rights, such as read, write, modify, or delete, are given to users who request data access.
9.4.2 Data Documentation
Data stewards are responsible for documenting the data maintained within their functional area. This documentation should include, at a minimum:
- Data name;
- Data description;
- Data sensitivity;
- Data location;
- Data retention; and,
- Data backup plan.
Data stewards also have responsibility for documenting the meta-data about their data so that users are aware of the definitions, restrictions, or interpretations, and other issues that ensure the correct use of the data.
USG participant organizations should focus on two critical areas as they consider protection of institutional data: privacy and security. Privacy deals with the classification and release of protected data, while Security deals with the protection or confidentiality, integrity, and availability of data.
The protection of institutional data is governed by a growing collection of federal and state laws relating to privacy and security. All USG participant organizations are morally, and now legally, responsible for the protection and integrity of the data they create and maintain at their organizations. Through a number of legal statutes and regulations, participant organizations now have a legal responsibility for protection of student, employee, and faculty information.
A participant organization is responsible for complying with all current laws and regulations concerning data privacy and security. The participant organization should identify an individual or group that will have responsibility for compliance with new regulations.
The following sections describe the major current laws that effect educational institutions and organizations. Due to the rapid changes in information technology and privacy requirements, however, new laws are being introduced at a rapid pace. Each USG participant organization must be vigilant and stay aware of new legal requirements in the Privacy and Security areas.
Reference: IT Security for Higher Education: A Legal Perspective. White paper produced for Educause by Kenneth D. Salomon, Peter C. Cassat, Briana E. Thibeau Dow, Lohnes & Albertson, PLLC, March 20, 2003
9.5.1 Family Education Rights and Privacy Act (FERPA)
The primary law that governs the privacy of educational information is the Family Education Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g(b).
FERPA is the keystone federal privacy law for educational institutions. FERPA generally imposes a cloak of confidentiality around student educational records, prohibiting institutions from disclosing “personally identifiable education information,” such as grades or financial aid information, without the student’s written permission. FERPA also grants to students the right to request and review their educational records and to make corrections to those records. The law applies with equal force to electronic records as it does to those stored in file drawers.
Generally, institutions must have written permission from the student in order to release any information from a student’s education record. However, FERPA does allow institutions to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):
- School officials with legitimate educational interest;
- Other schools to which a student is transferring;
- Specified officials for audit or evaluation purposes;
- Appropriate parties in connection with financial aid to a student;
- Organizations conducting certain studies for or on behalf of the school;
- Accrediting organizations;
- To comply with a judicial order or lawfully issued subpoena;
- Appropriate officials in cases of health and safety emergencies; or,
- State and local authorities, within a juvenile justice system, pursuant to specific State law.
Institutions may disclose, without consent, “directory” information, such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, institutions must tell students about directory information and allow students a reasonable amount of time to request that the school not disclose directory information about them.
Institutions must notify parents and eligible students annually of their rights under FERPA. The actual means of notification, such as a special letter, student handbook, or newspaper article, is left to the discretion of each institution.
While violations of FERPA do not give rise to private rights of action, the U.S. Secretary of Education has established the Family Policy Compliance Office, which has the power to investigate and adjudicate FERPA violations and to terminate federal funding to any institution that fails to substantially comply with the law.
9.5.2 Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to protect the rights of patients and participants in certain health plans. In 2000, the federal Department of Health and Human Services adopted copious regulations granting consumers the right to receive written notice of the information practices of entities subject to HIPAA.
Colleges and universities that are affiliated with health care providers are considered covered entities, and participant organizations must provide written notice of their affiliated health care provider’s electronic information practices. Most employer-sponsored health plans also are considered to be “entities” subject to HIPAA. As a result, various compliance obligations are imposed on colleges and universities that sponsor and administer such plans.
HIPAA generally requires covered entities to:
- Adopt written privacy procedures that describe, among other things, who has access to protected information, how such information will be used, and when the information may be disclosed;
- Require their business associates to protect the privacy of health information;
- Train their employees in their privacy policies and procedures;
- Take steps to protect against unauthorized disclosure of personal health records; and,
- Designate an individual to be responsible for ensuring the procedures are followed.
9.5.3 Electronic Communications Privacy Act (ECPA)
The Electronic Communications Privacy Act (ECPA) broadly prohibits the unauthorized use or interception by any person of the contents of any wire, oral or electronic communication. Protection of the “contents” of such communications, however, extends only to information concerning the “substance, purport, or meaning” of the communications.
In other words, the ECPA likely would not protect from disclosure to third parties information such as the existence of the communication itself or the identity of the parties involved. As a result, the monitoring by institutions of students’ network use or of network usage patterns, generally, would not be prohibited by the ECPA, as long as the substance of the communication was not made public.
The ECPA will come into play when an institution is forced to monitor or intercept student, faculty, or employee electronic communications such as e-mail. The effect of the law may depend on the type of person being monitored and the person’s association with the institution, as a student, faculty member, or employee, and whether the communication system is considered a public or private system.
The ECPA also contains specific exceptions allowing disclosures to law enforcement agencies under certain circumstances.
9.5.4 USA Patriot Act
The USA Patriot Act can effect educational institutions in many ways. Probably the most significant effect is that it potentially prohibits institutions from revealing the very existence of a law enforcement investigation. All institutions should ensure that they have worked with their legal staff to produce written procedures on how to deal with law enforcement information requests. Any institution employee faced with a request from law enforcement should follow these procedures.
9.5.5 TEACH Act
The TEACH Act relaxes certain copyright restrictions to make it easier for accredited nonprofit colleges and universities to use technology materials in educational settings. Institutions that want to take advantage of the relaxed copyright restrictions must limit “to the extent technologically feasible” the transmission of such content to students who actually are enrolled in a particular course, and they must use appropriate technological means to prohibit the unauthorized retransmission of such information.
In other words, the TEACH Act may require institutions to implement technical copy protection measures and to authenticate the identity of users of electronic course content.
9.5.6 Gramm - Leach - Bliley Act (GLBA)
The Gramm – Leach – Bliley Act (GLBA), enacted in 1999, was largely directed at financial institutions and creates obligations to protect customer financial information. However, it has been determined that colleges and universities are also covered by the act.
The GLBA has two major sections: privacy and security. The Federal Trade Commission’s (FTC) regulations implementing the GLBA specifically provide that colleges and universities will be deemed to be in compliance with the privacy provisions of the GLBA if they are in compliance with FERPA. Therefore, GLBA privacy requirements should not affect educational institutions. They should therefore focus mainly on the security sections of the GLBA.
The information security, or Safeguard, section has five major requirements that a USG participant organization must follow:
- Designate one or more employees to coordinate the security safeguards;
- Identify and assess the risks to customer information in each relevant area and evaluate the effectiveness of the current safeguards;
- Design and implement a safeguards program and regularly monitor and test it;
- Select appropriate service providers and contract with them to implement safeguards; and,
- Evaluate and adjust the program in light of relevant circumstances or the results of testing.
9.5.7 Computer Fraud and Abuse Act (CFAA)
The Computer Fraud and Abuse Act (CFAA) criminalizes unauthorized access to a “protected computer” with the intent to obtain information, defraud, obtain anything of value or cause damage to the computer. A “protected computer” is defined as a computer that is used in interstate or foreign commerce or communication or by or for a financial institution or the government of the United States. A participant organization may use this law when there has been a break-in of their computer systems.