University of Minnesota
University Relations
http://www.umn.edu/urelate
612-624-6868
University of Minnesota
POLICY LIBRARY
POLICY
University of Minnesota
University of Minnesota
University M logo on red background
ADMINISTRATIVE POLICY
Home : Administration & Operations : Compliance and Legal

Internal Access to University Information

Effective Date: August 1997
Last Update: June 2008
Responsible University Officer:
  • Vice President for Information Technology
Policy Owner:
  • Vice President for Information Technology
Policy Contact:

Printed on: . Please go to http://policy.umn.edu for the most current version of the Policy or related document.

POLICY STATEMENT

This policy applies to any and all information the University has regardless of who created it or how it is distributed or maintained.

The University will provide all employees with the information they need in order to carry out their responsibilities, in as effective and efficient a manner as possible.

All University employees will have access to University reports of public information.

Access to private information will be limited to authorized individuals whose jobs reasonably require it, as determined by an appropriate approval process, and to those persons authorized to have access by state or federal law. Access to confidential information (for example, law enforcement investigations, civil investigations, etc.) will be limited according to law. The University's General Counsel will advise the appropriate University unit in determining the classification of University information and the application of state and federal law. The Records and Information Management Office, which reports to the General Counsel in this area, will be the initial resource for questions concerning classification and disclosure of data.

REASON FOR POLICY

The University adheres to the provisions of state and federal privacy and records laws. In so doing, the University:

  • Increases the value of University information resources through widespread and appropriate use.
  • Prevents the inappropriate and unauthorized disclosure of information and thereby avoids adverse legal consequences.

Providing efficient and effective access allows the University to minimize expenses related to record keeping and document production and maximize the resources devoted to the primary mission of the University.

PROCEDURES

FORMS/INSTRUCTIONS

In support of this policy, each of the U areas which administer access have paper, Web and/or electronic forms and instructions associated with their processes. Further information may be obtained from the Web sites listed above. The key forms related to this policy are:

APPENDICES

FREQUENTLY ASKED QUESTIONS

There are no frequently asked questions for this policy.

ADDITIONAL CONTACTS

Subject
Contact
Phone
Fax/Email
Primary Contact(s)
612-625-1505
Overall
University Data Custodian
612-626-9414
612-625-9841
Financial Systems
Director, Controller's Office
612-624-1617
Human Resources/Payroll
Director, Office of Human Resources
612-624-1370
612-626-8924
Student Systems
Director, Office of the Registrar
612-625-8098
612-626-1754
Public or Private Data
Coordinator, Records and Information
612-625-3497
 
Public or Private Data
Office of General Counsel
612-624-4100
 
Data Security Policy and Access Process/Central Systems
Manager, OIT Data Security
612-624-6098
Data Security Policy
Director, OIT Assurance
612-625-1505
612-626-0076
U Directory-Internet ID Access (X.500 Directory Access)
Manager, Enterprise Internet Solutions
612-626-8343
612-626-7593

DEFINITIONS

Acceptable Use
This term consists of these related concepts:
  • Information/data and systems may only be used by authorized individuals to accomplish tasks related to their jobs. Use of the information and systems for personal gain, personal business, or to commit fraud is prohibited.
  • Information not classified as Public must be protected, and must not be disclosed without authorization. Unauthorized access, manipulation, disclosure, or secondary release of such information constitutes a security breach, and may be grounds for disciplinary action up to and including termination of employment.
  • Refer to the Administrative Policy: Acceptable Use of Information Technology Resources for related information.
Access
The ability to view information, and, when applicable, update or download it. Access is provided to individuals and groups of individuals based on State Statutes and University policy. Access to private or confidential data, and access which permits data updates or downloads requires specific permissions related to job responsibilities.
Alumnus
A member of the University of Minnesota Alumni Association, and either a graduate of the University of Minnesota who has attended the University for at least one year in a degree granting program, or one who has been an employee of the University of Minnesota.
Authenticate
A verification that substantiates persons are who they say they are. For purposes of this policy, people are considered authenticated members of the University community if they have an Internet ID (listed on the X.500 Directory), and are able to prove that they know the password associated with that Internet ID listing.
Authorized Individual
An employee, consultant, volunteer or other individual who needs access to University information to perform an activity on behalf of the University. The individual may have access to any class of information, according to policy.
Authorized University Official
For those seeking access to not-public information, or access to centrally-supported systems, it is the person designated by the Dean, Director or Department Head to function in an authorization role for information/data access purposes. In some cases, the employee's Supervisor may function as the designee. In other cases, a Key Contact is named. Also see "Supervisor".
Data
Information collected, stored, transferred or reported for any purpose, whether in computers or in manual files.
Database
A system which holds a collection of organized and labeled data. Databases usually contain information about a certain subject.
Data Custodian
Representatives of the University who are assigned responsibility to serve as a steward of University data in a particular area. They are responsible for developing procedures for creating, maintaining, and using University data, based on University policy and applicable state and federal laws.
Data Owner
Individuals, who in the course of carrying out the University's official business, serve as stewards of data in alighnment with their function at the institution. This role is responsible for the accuracy of institutional data that they manage.
Data Warehouse
A collection of official University databases which hold data from transactions systems and other databases, for the purpose of reporting and queries.
Detailed Transactions
A record of an event, activity or request, expressed as data. Detailed transactions form an audit trail which becomes part of the official and legal history of the University, whether it be detailed records relating to research, students, or financial transactions. The procedures associated with this policy distinguish between detailed transaction systems, where individuals can affect the data through updating a record or entering a completely new transaction, and those systems from which individuals can report the results of detailed transactions.
Family Educational Rights & Privacy Act
Federal law (P.L. 93-568, 2) as amended in 1974 (with updates). Specifies rights and responsibilities of students and colleges regarding access to student data.
FormsNirvana (FN)
FormsNirvana is a Web-based forms generator which allows an authorized user to electronically enter, respond to, approve, and/or route requests, and create transactions.
  • Electronic Grants Management System (EGMS) refers to the administrative application used to support the entire grants management process.
Information/Data Classifications
A determination that establishes the breadth of access to information. See Appendix B. Classification examples:
Public
Information/Data that is available to anyone who requests it, and who is willing to pay the costs associated with it.
Not-Public
A University of Minnesota term meant to include all Information/Data which is not Public (e.g. Private, Non-Public and Confidential).
Private
Information/Data about an individual that is available only to the subject and to anyone authorized by the subject or by law to see it. Private information/data that is not about an individual is called "non-public data" (e.g., trade secrets).
Confidential
Information/Data about an individual that is not available to the public or to the subject, but is available to authorized University employees, when necessary. Confidential information/data that is not about an individual is called "protected non-public data (for example, sealed bids).
Data on Decedents
This information is available to the spouse, child or parents. Private and confidential data on decedents is public 10 years after their death and 30 years after creation of data.
Information Technology Resources
Facilities, technologies, and information resources used for University information processing, transfer, storage, and communications. Included in this definition are computer labs, classroom technologies, computing and electronic communications devices and services, such as modems, e-mail, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, and instructional materials. This definition is not all inclusive, but rather, reflects examples of University equipment, supplies and services.
Internet ID
An Internet ID (or X.500 ID) account allows access to the University's electronic information, including e-mail and other systems. Every student, faculty member, staff person, and affiliate of the University is given a unique Internet ID. Internet IDs for staff are created immediately after an individual's Human Resources paperwork is signed, and for new students, as part of the registration process. Accounts are set up as needed for affiliates of the University. (Also refer to "X.500 Directory" in this listing.)
Internet Services
Services provided by the University in its role as Internet Service Provider. These services include but are not limited to collaborative technologies and information storage. The services are provided based on the needs of the member of the University community.
Minnesota Government Data Practices Act
Legislation delineating how private data collected by Minnesota government entities is to be maintained and protected (including financial data).
Password
A code which unlocks an individual's system account. Passwords are associated with individual IDs or accounts through which an individual is granted access to a database, system or systems. While passwords may be initially granted by a University security administrator, in most cases, individuals are asked to change their passwords to a series of characters known only to themselves.
Proper Use
See "Acceptable Use"
Reports
Pre-made templates that contain data. "Reports" may refer to structured information and/or query capabilities.
Secondary Release
Authorized Users of University information have a responsibility for proper use of information both within and outside of the University. Authorized Users of information may use it only for their specific job responsibilities and not for any unauthorized secondary use, or for release to anyone else, unless specifically authorized. For example, position responsibilities may allow access to all the Public and Private information related to students. Some information on students is Public (name, address, dates of enrollment) and other is Private (transcripts, financial aid). Even though an individual may have access to this information, he or she may not use it for any unauthorized purpose, or release any of this information to a secondary source unless specifically permitted by job responsibilities. The Board of Regent's Student Records Policy defines under what circumstances student information may be released to an outside source. Secondary release must be related to a legitimate educational, administrative or research purpose, and it must be authorized. All applicable federal and state laws and University policy and procedures concerning storage, retention, use, release, transportation and destruction of information/data and systems must be followed.
Security Breach
Any action that results in the unauthorized access, alteration, destruction or disclosure of University information, or information systems, or the dissemination of information/data to unauthorized individuals.
Security Measures
Processes, software and/or hardware used by system and network administrators to assure confidentiality, integrity and availability of computers, networks and data belonging to the University and users of University computer and network resources. Security measures include the ability to review files for potential or actual policy violations and responsibility for investigation of security related issues.
Security Violations
Any action that does not comply with system security concepts, policies, processes, procedures or measures.
Sponsored Affiliate Account
An Internet ID (X.500 account) that is purchased for an affiliate of the University, such as a committee worker, volunteer, or contract worker. Departments may purchase sponsored accounts. The department is charged an annual fee for maintaining sponsored accounts.
Supervisor
Refers to the person to whom an individual directly reports. For those seeking access to not-public information, or access to centrally-supported systems, it is the person designated by the Dean, Director or Department Head to function in that role for information/data access purposes. Also see "Authorized University Official".
Table
For the purposes of this policy, "table" refers to a collection of adjacent fields in which official University information/data is stored, so that it may be viewed, updated or reported. May also refer to a file or a collection of records in a database.
Unauthorized Disclosure
The act of providing information to any source not specifically authorized to receive such information, whether inside or outside of the University community.
University Community
University faculty, staff, and students, as well as any others (e.g., alumni) are considered a part of the University community. The General Counsel may designate other members of the University Community.
University Information
Information collected, manipulated, stored, reported or presented in any format, on any medium, by any unit of the University.
X.500 Directory
The University's central electronic directory, which allows members of the University community to access the University's electronic information, including e-mail, other systems, and certain reports. Every student, faculty member, staff person, and affiliate of the University who is entered into the X.500 directory is given a unique X.500 user name/account called an "Internet ID". The X.500 Directory is the source for the Student-Staff Directory and on-line look up services.

RESPONSIBILITIES

University Data Custodian
  • Provides policy direction and oversight regarding access to University information.
  • Ensures appropriate and consistent procedures related to accessing data, across the organization.
  • Decides how U information will be treated (e.g. any restrictions for viewing, printing, copies, etc.).
  • Assembles appropriate constituent groups to examine specific data issues crossing organizational and system boundaries, while balancing the needs and desires of the constituent groups, within legal and data security policy constraints.
  • Ensures consistency in the look and feel of system components used (e.g. Data Warehouse documentation).
  • When needed, resolves problems that arise at the Data Custodian and Application Data Custodian levels.
Data Custodian
  • Participates with the University Data Custodian, other Data Custodians, OIT Assurance, OIT/CCO Data Security and legal representatives, in the development of University data access policy and procedures.
  • Interprets Data Access policy as it relates to their functional area(s) of responsibility.
  • Advises the Application Data Custodians, Authorized University Officials and Data Owners on data access policy as it relates to their areas of responsibility.
  • Establishes appropriate processes and procedures for access to information stored within the systems for which they are responsible, in cooperation with others responsible within the organization.
Application Data Custodian
  • Interprets Data Access policy as it relates to the applications for which they have responsibility, in cooperation with their Data Custodian and/or the University Data Custodian.
  • Advises Authorized University Officials, Data Owners and others on access policy and procedures as it relates to their applications.
  • Establishes appropriate processes and procedures for access to information stored within the systems for which they are responsible, in cooperation with others responsible within the organization.
  • May authorize data access, or grant system access based on the authorization of others, in accordance with University policy and access processes. If functioning as an Authorized University Official, system administration responsibilities should be performed by another individual or area.
  • Monitors access based on University policy.
Authorized Individual
  • Understands and adheres to this policy, as well as the "Acceptable Use of Information Technology Resources" policy, which includes User Rights and Responsibilities.
  • Discusses access needs with Supervisor or other Authorized University Official, including changes to access when their job changes or they move to a different unit.
  • Reports security violations to Supervisor or an Authorized University Official.
General Counsel
  • Provides legal advice, including data classification advice, to Data Custodians and other University personnel, to ensure compliance with state and federal law.
  • Participates in groups convened by the University Data Custodian.
Office of Information Technology
  • Establishes security policies and measures to protect information/data and systems.
  • Provides security policy advice to the University Data Custodian, the Data Custodians, the Application Data Custodians and/or Authorized University Officials.
  • Establishes assurance standards and methods in support of information/data access processes.
  • Establishes, develops, implements and manages the organization's access processes, systems and procedures, in coordination with the Data Custodians, Application Data Custodians, and other security and system administrators.
Authorized University Officials and/or Supervisors
  • Understands and adheres to this policy, as well as the "Acceptable Use of Information Technology Resources" policy, which includes User Rights and Responsibilities.
  • Seeks data access advice from Data Custodians, Application Data Custodians to determine appropriate staff access.
  • Discusses access needs with staff, including changes to access when their job changes, or when they move to a different unit. Approves access to not-Public data on Web reports, within Data Warehouse Tables and within detailed transactions systems such as PeopleSoft. (Refer to "not-Public" definition, and the Administrative Procedure: Getting Access to U Information.)
  • Retrieves security tokens and notifies OIT/CCO Data Security of all staff transfers, leaves, moves and terminations. (Refer to AR002 procedures.)
  • Reports security violations to Data Custodians, Application Data Custodians and/or OIT/CCO Data Security.
Records and Information Management Office
  • Fulfills requests for public information that cannot be met through existing reports and other materials.
  • Assists General Counsel in advising University staff and other decision-makers regarding access to University information.
  • Maintains Appendix B, specifically, the section on what U information is classified as Public or Not Public.

RELATED INFORMATION

HISTORY

Amended:
July 2008 - Updated for EFS rollout. Forms, Definitions, responsibilities, and Contacts sections updated.
Amended:
December 2001 - Updated Appendix A, Added link to OIT Data Security page to Related Information.
Amended:
July 2000 - Added new procedures that supercede former procedures: 2.5.2.1-3. Expanded Definitions and Responsibilities sections. Updated Appendices, Contacts and Related Information Sections. Deleted last paragraph in policy statement.
Amended:
January 1998 - Statement and reason were revised to say all University employees will have access to University reports of public information. Access to private information will be given to those whose jobs require it. More public information will be published on the Web. The procedures associated with the policy will be revised to reflect these changes. Responsible Officer changed from Coordinator of Records and Information to University Data Custodian, and Responsible Office from Records and Information Management to Institutional Research and Reporting.
Effective:
August 1997
Superceded:
Administrative Systems Security Policy

Document Feedback

Did this document successfully answer your questions?

Additional comments: (2000 character limit)

Email Address: (so we can respond to your questions)

© 2013 Regents of the University of Minnesota. All rights reserved.
The University of Minnesota is an equal opportunity educator and employer.
Last modified on December 10, 2013