Information Technology Services

Data Access Policy

Overview

Clark takes seriously its commitment to respect and protect the privacy of its students, alumni, faculty, staff, parents and friends, as well as to protect the confidentiality of information important to the University's academic and research mission. The University recognizes that the value of its data resources lies in their appropriate and widespread use. It is not the intent of this policy to create unnecessary restrictions to data access or use for those individuals who need to use the data in support of University business or academic pursuits.

Purpose/Statement

Clark University and its community members require reliable and continuous access to data to support the University's teaching, research and service mission. Hence, University Data is a valuable asset that must be maintained and protected. In addition, certain federal and state laws require that Clark University limit access to certain categories of data to protect the privacy of students, employees, and other members of our community.

The purpose of this policy is to:

  1. provide a structured framework for classifying and securing data from risks including, but not limited to, unauthorized destruction, modification, disclosure, access, use, and removal;
  2. define a consistent process to obtain necessary data access for conducting Clark University operations (including administration, research, and instruction);
  3. specify relevant mechanisms for delegating authority to accommodate this process at the unit level while adhering to appropriate controls, segregation of duties and other best practices;
  4. support compliance initiatives regarding FERPA, HIPAA, the Gramm Leach Bliley Act (GLBA), Mass Privacy Laws, other privacy and security requirements and best practices that address data access controls.

Applicability of this Policy

This policy applies to all centrally managed University Data and to all user-developed data sets and systems that may access these data, regardless of the environment where the data reside (including systems, servers, personal computers, laptops, portable devices, etc.). The policy applies regardless of the media on which data reside (including electronic, microfiche, printouts, CD, etc.) or the form they may take (text, graphics, video, voice, etc.).

Clark expects all employees, partners, consultants and vendors to abide by Clark's information security policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by Clark's information security policies.

Who Does this Policy Apply To

All faculty, staff and student employees as well as third-party contractors should be aware of the policy.

University Data Use

University Data shall be used only for the legitimate business of Clark University and only as required in the performance of specified job functions. Under no circumstances shall anyone use Confidential or Restricted University Data in any publication, seminar, or professional presentation, or otherwise release data, in any form, outside the University without prior written approval from the appropriate Data Manager and/or the appropriate executive officer(s). Publication or release of University Data that includes data about a student's academic work requires permission from the student. University Data must never be left on any system or in an area to which access is not controlled (i.e. a computer hard drive, USB drive, unlocked file drawers, etc.).

As a general principle of access, University Data (regardless of who collects or maintains it) shall be shared among those employees whose work can be done more effectively by knowledge of such information. Though the University must protect the security, confidentiality and privacy of data, the procedures to allow access should not unduly interfere with the efficient conduct of University business.

Type of Access

Query-only access enables the user to view, analyze, and download, but not change, University Data. Once information is downloaded, however, data can, but should not, be altered in word processing documents or spreadsheets. Downloaded information should be used and represented responsibly.

Maintenance access provides both query and update capability. Maintenance is defined as modify, add, delete and change. This capability is generally limited to the offices directly responsible for the collection and management of the data. This access is available to administrators and users who have an authorized need to maintain University Data in the routine performance of their job duties. Each user of University Data is assigned appropriate combinations of query-only and maintenance access to specific parts of the administrative information system. Type of access is determined by the respective Data Manager.

Data Ownership and Management

Data Managers are responsible for the accuracy and completeness of data files in their respective areas. Data Managers, often in collaboration with Information Technology Services, are also responsible for the maintenance and control of the administrative information system's validation and rules tables, processes which define how business is conducted at the University, and the integrity of all coding and data entry processes.

A Data Manager, usually a senior administrator of a major University office or department, may make University Data available to others within his or her purview for use and support of the University business functions. Data Managers shall define access control principles and restrictions on use and handling of the data for which they are assigned responsibility, consistent with Clark's Data Classification Policy. Data Managers shall also provide education and training to individuals with respect to access and manipulation of University Data.

Before granting access to data, the Data Manager shall be satisfied that protection requirements have been implemented and that a "need to know" is clearly demonstrated. By approving end-user access to University Data, the Data Manager consents to the use of this data within the normal business functions of administrative and academic offices. Access to University Data shall not be granted to persons unless there is an established "need to know".

Data Managers are required to review all security authorizations at least annually for their area and make additions or deletions as necessary.

The Data Managers for Clark University are as follows:

Data Type

Primary Contact

Secondary Contact

Financial data

Director of Financial Services

Information Analyst (in Finance)

Financial Aid data

Director of Financial Aid

Sr. Associate Director

Student - Academic records

University Registrar

Associate Registrar

Student -Prospect data - UG

Director of Undergraduate Admissions

Associate Director of Undergraduate Admissions

Student -Prospect data - Grad

Director of Graduate Admissions

Associate Director of Graduate Admissions Operations

Student - Judicial data

Dean of Students

TBD

Students - Disability data

Director of Student Accessibility Services

Sr. Associate Dean of the College

Students - Residential housing data

Director of Residential Life and Housing

Dean of Students

Staff data

Director of Human Resources

Sr. Associate Director

Faculty data

Provost

Assistant to the Provost

Alumni/Donor data

Director of Advancement Services

Director of Alumni and Friends Engagement

System/Log data

Asst. VP for Information Technology

VP for Information Technology and CIO

Video surveillance data

Chief, University Police

VP for Government and Community Relations

Counseling data

Director of Counseling Services

Dean of Students

If the primary contact is not available, authorization may be granted by the secondary contact. All authorization requests attended to by the secondary contact must be communicated to the primary contact in an auditable way (e.g. cc via email) by the secondary contact.

Responsibility for Oversight

Except as otherwise specified in this Policy or as otherwise duly authorized by Clark, the Information Security Officer has responsibility for the interpretation, implementation and oversight of this Policy. The Information Security Officer will issue such administrative guidelines and procedures to facilitate Policy as may be reasonable and consistent with it. In accordance with otherwise applicable Clark policy or contract terms, Clark may also pursue disciplinary, or civil or criminal action, for Policy violations.

Policy Review and Changes

The Information Security Officer will periodically initiate review of this Policy to address regulatory developments and to reflect experience gained in its administration. Policy changes will be made in accordance with governance and applicable legal requirements.

Appeals

If a disagreement arises concerning the interpretation of this policy or a violation of this policy is suspected, a Data Access Review Board will be convened to resolve the issue. The Data Access Review Board is composed of at least three persons: the Information Security Officer (who is also the CIO), the Provost, and the Executive Vice President. The Director of Human Resources will be included in cases of suspected data security violations by faculty, staff or student employees. Appeals/violations shall state explicitly what is in dispute and be submitted in writing to the Information Security Officer. The Information Security Officer will then convene the Data Access Review Board to review and make a determination.

Violations

Violations of the policy may result in loss of data access privileges, administrative sanctions (including termination or expulsion) as outlined in applicable Clark University disciplinary procedures, as well as personal civil and/or criminal liability.


Created on: February 25, 2009
Last Reviewed: May 28, 2015

Authored by: VP for Information Technology and CIO
Reviewed by: Information Security Task Force
Approved by: Technology Steering Committee