ITC Data Stewards Committee: Administrative Data Access Policy
Administrative Data Access Policy
Approved June 24, 1994
President's Cabinet
Revised September 1996
TABLE OF CONTENTS
- 1.0: Philosophy
- 2.0: Definition of Administrative Data
- 3.0: Data Stewards and Custodians
- 4.0: Responsibilities of Data Stewards, Data Custodians, and ITC's Data Management Group
- 4.1: Categorization of Data
- 4.2: Definition of Data
- 4.3: Definition of Data Extracts and Data Views
- 4.4: Development of Access Policies and Procedures
- 4.5: Promotion of Accurate Interpretation and Responsible Use
- 4.6: Maintenance of Data Integrity
- 4.7: Determination of Security Requirements
- 4.8: Establishment of Archiving Procedures
- 4.9: Establishment of Disaster Recovery Procedures
- 4.10: Responsibilities of the ITC Data Management Group
- 5.0: Requests for Access
- 5.1: Legally Restricted or Limited-Access Data
- 5.2: Exceptions
- 5.3: Denial
- 5.4: Appeal
- 6.0: Responsibility of Users
- 6.1: Use of Administrative Data only in the Conduct of University Business
- 6.2: Maintenance of Confidentiality and Privacy
- 6.3: Protection of Data
- 6.4: Accurate Presentation of Data
- Associated Material: List of Data Stewards
1.0: Philosophy
Information maintained by the University is a vital asset that will be available to all employees who have
a legitimate need for it, consistent with the University's responsibility to preserve and protect such information
by all appropriate means. The University is the owner of all administrative data; individual units or departments
may have stewardship responsibilities for portions of that data. The University intends that the volume of freely
accessible data be as great as possible, given limitations of budget.
The value of data as an institutional resource is increased through its widespread and appropriate use; its
value is diminished through misuse, misinterpretation, or unnecessary restrictions to its access. The University
expressly forbids the use of administrative data for anything but the conduct of University business. Employees
accessing data must observe requirements for confidentiality and privacy, must comply with protection and control
procedures, and must accurately present the data in any use.
The University determines levels of access to administrative data according to principles drawn from various
sources. State and federal law provides a clear description of some types of information to which access must be
restricted. In an academic community, ethical considerations are another important factor in determining access to
administrative data.
2.0: Definition of Administrative Data
The University's data base consists of information critical to the success of
the University as a whole. The University data base is shared data, managed within
a conceptual framework. It is likely that the University data base will be distributed
across processing units both within and outside the University. Separate policies exist
for academic research data and electronic mail correspondence.
Data may be digital text, graphics, images, sound, or video. The University
regards data that are maintained in support of a functional unit's operation as part of
the University's administrative data base if they meet any of the following criteria:
- if at least two administrative operations of the University use the data and consider the data essential;
- if integration of related information requires the data;
- if the University must ensure the integrity of the data to comply with legal and administrative requirements for supporting statistical and historical information externally;
- if a broad cross section of users refers to or maintains the data; or
- if the University needs the data to plan.
Some examples of administrative data include student course grades, employee
salary information, vendor payments, and the University's annual Data Digest.
Administrative data does not include personal electronic calendar information and similar
material.
3.0: Data Stewards and Custodians
Data Stewards are senior University officials who have planning and policy-level
responsibility for data within their functional areas (see list in Appendix A).
Data Stewards as a group (the Committee of Data Stewards, chaired by the manager of the
ITC data management group and including the Director of Institutional Studies as a
permanent member) are responsible for recommending policies, procedures, and guidelines
for University-wide data administrative activities. The Data Stewards assign data
elements to categories of administrative data and recommend sets of administrative data
for digital "publication" (see Categorization of Data, below).
Data Custodians are those individuals directly responsible for creating, maintaining, and
using data to support the University's operation and its information needs.
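4.0: Responsibilities of Data Stewards, Data Custodians, and ITC's Data Management Group
4.1: Categorization of Data
Data Stewards will assign each item of administrative data and each standard view of that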
data to one of three categories: general administrative, limited-access, or legally
restricted. Legally restricted data are those data found upon review by the General Counsel to
require restrictions on access under the law. Limited access data are data that the Data
Stewards judge to require special procedures for access. Criteria for assignment of data to
this category will be developed by the Data Stewards and reviewed annually. General
administrative data are all data that are not either legally restricted or judged by Data
Stewards to be limited-access data.
Data Stewards may designate some data and data views in the general administrative category for
digital publication. Digitally published data are those that the University makes available for
unlimited access through such computer services as the Grounds-Wide Information Service (GWIS).
4.2: Definition of Data
The Data Stewards and Custodians will establish procedures for initial definition and change
of data elements within their data entity.
Data Custodians will provide data descriptions for directories that will let data users know
what shareable data are available, what the data mean, and how to access the data.
Data definitions will be:
- based on actual usage,
- made according to University standards,
- modified only through approved procedures, and
- reviewed on a timely basis and kept current.
4.3: Definition of Data Extracts and Data Views
The Data Stewards will work with Data Custodians and data users to define useful and
meaningful schedules for creation of standard data extracts (data snapshots that are
captured at a fixed point in time).
The Data Stewards will work with the Data Custodians to define standard views of
administrative data, in order to aggregate data from multiple sources, to segment data into
smaller and more manageable subsets, or to segregate data according to confidentiality or
similar characteristics. A data view is a logical entity only, typically assembled from the
most current data from their primary storage location at the time they are requested.
4.4: Development of Access Policies and Procedures
The term "access" means to read or view administrative data. Access does not include the
ability to create or modify data. Creation and modification can only be done by the Data
Custodian, the Data Steward, or their designate.
Each Data Custodian will be individually responsible for establishing data access procedures
that are unique to a specific information resource or set of data elements. These procedures
will ease access and will ensure data security.
4.5: Promotion of Accurate Interpretation and Responsible Use
Data Stewards will develop policy to promote the accurate interpretation and responsible use
of administrative data.
Data Custodians are responsible for making known the rules and conditions that could affect the
accurate presentation of data. Persons who access data are responsible for the accurate
presentation of that data.
Data Custodians will support users in the use and interpretation of administrative data,
primarily through documentation, but also in the form of consulting services.
4.6: Maintenance of Data Integrity
The Data Custodians will determine the most reliable sources of data and regularly evaluate the
quality of the data entity. They will determine responsibilities for data capture and
maintenance to ensure data integrity.
The Data Custodians will identify gaps and redundancies in the data and, to the extent possible,
will ensure that only needed versions of each data element exist. They will specify data
control and protection requirements to be observed by data processors and users.
The Data Custodians will monitor the data for accuracy, integrity, and dependability, and where
appropriate, will initiate action concerning these issues.
4.7: Determination of Security Requirements
The Data Stewards, in consultation with the ITC security team, will determine security
requirements for administrative data and will be responsible for monitoring and reviewing
security implementation and authorized access.
4.8: Establishment of Archiving Procedures
The Data Stewards and Custodians will define the criteria for archiving the data to satisfy
retention requirements.
ITC is ultimately responsible for defining and implementing policies and procedures to assure
that data are backed up and recoverable. The Data Stewards will play an active role in
assisting ITC in this responsibility.
4.9: Establishment of Disaster Recovery Procedures
With the Data Stewards' advice, ITC will develop a workable plan for resuming operations in the
event of a disaster, including recovery of data and restoration of needed computer hardware and
software.
4.10: Responsibilities of the ITC Data Management Group
Data Management develops and applies standards for the management of institutional data and for
ensuring that data are accessible to those who need them. The manager of the Data Management
group chairs the Data Stewards' committee and works very closely with
this committee on formulation of data policies, standards, and procedures.
Data Management works with the Data Stewards to establish long-term direction for effectively
using information resources to support University goals and objectives.
Data Management creates logical data models of applications. These models are ultimately used
to create an institution-wide data model that cross-references data across applications and
encourages data sharing.
Data Management develops a standard method for naming and defining data. It also facilitates
conflict resolution in data definitions.
Data Management makes institutional data available to authorized users in a manner consistent
with established data access rules and decisions. It develops views of data as directed by the
data committees. The group ensures that the technical integrity of the data is maintained and,
in conjunction with the ITC Security Team, that data security requirements are met.
5.0: Requests for Access
5.1: Legally Restricted or Limited-Access Data
Access to legally restricted or limited-access data by University employees or employees of
University-related foundations requires that a formal request be made to the appropriate Data
Custodian.
5.2: Exceptions
All requests for exceptions to data access policies must be made in writing to the Data
Custodian. E-mail requests are acceptable. The request must specify the data desired and
their intended use.
5.3: Denial
The Data Custodian must provide a written record of the reasons for denial of any access
request. E-mail records are acceptable.
5.4: Appeal
Members of the University community may appeal any data access decision. Appeals may be made
to the Data Steward.
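6.0: Responsibility of Users
6.1: Use of Administrative Data only in the Conduct of University Business
The University expressly forbids the disclosure of unpublished administrative data or the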
distribution of such data in any medium, except as required by an employee's job
responsibilities and approved in advance by the Data Custodian. In this context, disclosure
means giving the data to persons not previously authorized to have access to it. The University
also forbids the access or use of any administrative data for one's own personal gain or profit,
for the personal gain or profit of others, or to satisfy personal curiosity.
6.2: Maintenance of Confidentiality and Privacy
Users will respect the confidentiality and privacy of individuals whose records they access,
observe any ethical restrictions that apply to data to which they have access, and abide by
applicable laws and policies with respect to access, use, or disclosure of information. All
data users having access to legally restricted or limited-access data will formally acknowledge
(by signed statement or some other means) their understanding of the level of access provided
and their responsibility to maintain the confidentiality of data they access. Each data user
will be responsible for the consequences of any misuse.
6.3: Protection of Data
Users will comply with all reasonable protection and control procedures for administrative data
to which they have been granted access.
6.4: Accurate Presentation of Data
Users will be responsible for the accurate presentation of administrative data, and will be
responsible for the consequences of any intentional misrepresentation of that data.