Policies & Standards
Data Access Policy
Overview
Clark takes seriously its commitment to respect and protect the privacy of its students, alumni, faculty, staff, parents and friends, as well as to protect the confidentiality of information important to the University's academic and research mission. The University recognizes that the value of its data resources lies in their appropriate and widespread use. It is not the intent of this policy to create unnecessary restrictions to data access or use for those individuals who need to use the data in support of University business or academic pursuits.
Purpose/Statement
Clark University and its community members require reliable and continuous access to data to support the University's teaching, research and service mission. Hence, University Data is a valuable asset that must be maintained and protected. In addition, certain federal and state laws require that Clark University limit access to certain categories of data to protect the privacy of students, employees, and other members of our community.
The purpose of this policy is to:
- provide a structured framework for classifying and securing data from risks including, but not limited to, unauthorized destruction, modification, disclosure, access, use, and removal;
- define a consistent process to obtain necessary data access for conducting Clark University operations (including administration, research, and instruction);
- specify relevant mechanisms for delegating authority to accommodate this process at the unit level while adhering to appropriate controls, segregation of duties and other best practices;
- support compliance initiatives regarding FERPA, HIPAA, the Gramm-Leach-Bliley Act (GLBA), Mass Privacy Laws, other privacy and security requirements and best practices that address data access controls.
Applicability of this Policy
This policy applies to all centrally managed University Data and to all user-developed data sets and systems that may access these data, regardless of the environment where the data reside (including systems, servers, personal computers, laptops, portable devices, etc.). The policy applies regardless of the media on which data reside (including electronic, microfiche, printouts, CD, etc.) or the form they may take (text, graphics, video, voice, etc.).
Clark expects all employees, partners, consultants and vendors to abide by Clark's information security policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by Clark's information security policies.
Who Does this Policy Apply To
All faculty, staff and student employees as well as third-party contractors should be aware of the policy.
University Data Use
University Data shall be used only for the legitimate business of Clark University and only as required in the performance of specified job functions. Under no circumstances shall anyone use Confidential or Restricted University Data in any publication, seminar, or professional presentation, or otherwise release data, in any form, outside the University without prior written approval from the appropriate Data Manager and/or the appropriate executive officer(s). Publication or release of University Data that includes data about a student's academic work requires permission from the student. University Data must never be left on any system or in an area to which access is not controlled (e.g. a computer hard drive, USB drive, unlocked file drawers, etc.).
As a general principle of access, University Data (regardless of who collects or maintains it) shall be shared among those employees whose work can be done more effectively by knowledge of such information. Though the University must protect the security, confidentiality and privacy of data, the procedures to allow access should not unduly interfere with the efficient conduct of University business.
Type of Access
Query-only access enables the user to view, analyze, and download, but not change, University Data. Once information is downloaded, however, data can, but should not, be altered in word processing documents or spreadsheets. Downloaded information should be used and represented responsibly.
Maintenance access provides both query and update capability. Maintenance is defined as modify, add, delete and change. This capability is generally limited to the offices directly responsible for the collection and management of the data. This access is available to administrators and users who have an authorized need to maintain University Data in the routine performance of their job duties. Each user of University Data is assigned appropriate combinations of query-only and maintenance access to specific parts of the administrative information system. Type of access is determined by the respective Data Manager.
Data Ownership and Management
Data Managers are responsible for the accuracy and completeness of data files in their respective areas. Data Managers, often in collaboration with Information Technology Services, are also responsible for the maintenance and control of the administrative information system's validation and rules tables, processes which define how business is conducted at the University, and the integrity of all coding and data entry processes.
A Data Manager, usually a senior administrator of a major University office or department, may make University Data available to others within his or her purview for use and support of the University business functions. Data Managers shall define access control principles and restrictions on use and handling of the data for which they are assigned responsibility, consistent with Clark's Data Classification Policy. Data Managers shall also provide education and training to individuals with respect to access and manipulation of University Data.
Before granting access to data, the Data Manager shall be satisfied that protection requirements have been implemented and that a "need to know" is clearly demonstrated. By approving end-user access to University Data, the Data Manager consents to the use of this data within the normal business functions of administrative and academic offices. Access to University Data shall not be granted to persons unless there is an established "need to know".
Data Managers are required to review all security authorizations at least annually for their area and make additions or deletions as necessary.
The Data Managers for Clark University are as follows:
| Data Type | Primary Contact | Secondary Contact |
| --- | --- | --- |
| Financial data | Director of Financial Services | Information Analyst (in Finance) |
| Financial Aid data | Director of Financial Aid | Sr. Associate Director |
| Student - Academic records | University Registrar | Associate Registrar |
| Student - Prospect data - UG | Director of Undergraduate Admissions | Associate Director of Undergraduate Admissions |
| Student - Prospect data - Grad | Director of Graduate Admissions | Associate Director of Graduate Admissions Operations |
| Student - Judicial data | Dean of Students | TBD |
| Students - Disability data | Director of Student Accessibility Services | Sr. Associate Dean of the College |
| Students - Residential housing data | Director of Residential Life and Housing | Dean of Students |
| Staff data | Director of Human Resources | Sr. Associate Director |
| Faculty data | Provost | Assistant to the Provost |
| Alumni/Donor data | Director of Advancement Services | Director of Alumni and Friends Engagement |
| System/Log data | Asst. VP for Information Technology | VP for Information Technology and CIO |
| Video surveillance data | Chief, University Police | VP for Government and Community Relations |
| Counseling data | Director of Counseling Services | Dean of Students |
If the primary contact is not available, authorization may be granted by the secondary contact. All authorization requests attended to by the secondary contact must be communicated to the primary contact in an auditable way (e.g. cc via email) by the secondary contact.
Responsibility for Oversight
Except as otherwise specified in this Policy or as otherwise duly authorized by Clark, the Information Security Officer has responsibility for the interpretation, implementation and oversight of this Policy. The Information Security Officer will issue such administrative guidelines and procedures to facilitate Policy as may be reasonable and consistent with it. In accordance with otherwise applicable Clark policy or contract terms, Clark may also pursue disciplinary, or civil or criminal action, for Policy violations.
Policy Review and Changes
The Information Security Officer will periodically initiate review of this Policy to address regulatory developments and to reflect experience gained in its administration. Policy changes will be made in accordance with governance and applicable legal requirements.
Appeals
If a disagreement arises concerning the interpretation of this policy or a violation of this policy is suspected, a Data Access Review Board will be convened to resolve the issue. The Data Access Review Board is composed of at least three persons: the Information Security Officer (who is also the CIO), the Provost, and the Executive Vice President. The Director of Human Resources will be included in cases of suspected data security violations by faculty, staff or student employees. Appeals/violations shall state explicitly what is in dispute and be submitted in writing to the Information Security Officer. The Information Security Officer will then convene the Data Access Review Board to review and make a determination.
Violations
Violations of the policy may result in loss of data access privileges, administrative sanctions (including termination or expulsion) as outlined in applicable Clark University disciplinary procedures, as well as personal civil and/or criminal liability.
Created on: February 25, 2009
Last Reviewed: May 28, 2015
Authored by: VP for Information Technology and CIO
Reviewed by: Information Security Task Force
Approved by: Technology Steering Committee