Public Access to University Information

• Updated: March 2006
• Primary Contact : Tracy Smith

It is the policy of the University to provide convenient and timely access to all public information at the University. To maximize convenience and curtail cost, the University will direct requesters whenever possible to existing sources of public information.

In determining whether information is public or nonpublic, the University follows state and federal privacy and records laws. The University's General Counsel will advise the appropriate University unit in determining the classification of University information and the application of state and federal law. The Records and Information Management Office, which reports to the General Counsel in this area, will be the initial resource for questions concerning classification and disclosure of data.

This policy applies to all information published by the University regardless of who created it or how it is distributed or maintained.

Certain University affiliates, such as the U foundations, legally are not a part of the University of Minnesota. Document requests should be made directly to those units.

The University adheres to the provisions of state and federal privacy and records laws. In so doing, the University:

• Increases the value of University information resources through widespread and appropriate use.
• Prevents the inappropriate and unauthorized disclosure of information and thereby avoids adverse legal consequences.

Providing efficient and effective access allows the University to minimize expenses related to record keeping and document production and maximize the resources devoted to the primary mission of the University.

• Obtaining Public Information

There are no forms associated with this policy.

Acceptable Use

This term consists of these related concepts:

• Information/data and systems may only be used by authorized individuals to accomplish tasks related to their jobs. Use of the information and systems for personal gain, personal business, or to commit fraud is prohibited.
• Information not classified as Public must be protected, and must not be disclosed without authorization. Unauthorized access, manipulation, disclosure, or secondary release of such information constitutes a security breach, and may be grounds for disciplinary action up to and including termination of employment.
Refer to the Administrative Policy: Acceptable Use of Information Technology Resources for related information.

Access

The ability to view information, and, when applicable, update or download it. Access is provided to individuals and groups of individuals based on State Statutes and University policy. Access to private or confidential data, and access which permits data updates or downloads requires specific permissions related to job responsibilities.

Alumnus

A member of the University of Minnesota Alumni Association, and either a graduate of the University of Minnesota who has attended the University for at least one year in a degree granting program, or one who has been an employee of the University of Minnesota.

Authenticate

A verification that substantiates persons are who they say they are. For purposes of this policy, people are considered authenticated members of the University community if they have an Internet ID (listed on the X.500 Directory), and are able to prove that they know the password associated with that Internet ID listing.

Authorized Individual

An employee, consultant, volunteer or other individual who needs access to University information to perform an activity on behalf of the University. The individual may have access to any class of information, according to policy.

Authorized University Official

For those seeking access to not-public information, or access to centrally-supported systems, it is the person designated by the Dean, Director or Department Head to function in an authorization role for information/data access purposes. In some cases, the employee's Supervisor may function as the designee. In other cases, a Key Contact is named. Also see "Supervisor".

Data

Information collected, stored, transferred or reported for any purpose, whether in computers or in manual files.

Database

A system which holds a collection of organized and labeled data. Databases usually contain information about a certain subject.

Data Custodian

Representatives of the University who are assigned responsibility to serve as a steward of University data in a particular area. They are responsible for developing procedures for creating, maintaining, and using University data, based on University policy and applicable state and federal laws.

Data Owner

Individuals, who in the course of carrying out the University's official business, serve as stewards of data in alignment with their function at the institution. This role is responsible for the accuracy of institutional data that they manage.

Data Warehouse

A collection of official University databases which hold data from transactions systems and other databases, for the purpose of reporting and queries.

Detailed Transactions

A record of an event, activity or request, expressed as data. Detailed transactions form an audit trail which becomes part of the official and legal history of the University, whether it be detailed records relating to research, students, or financial transactions. The procedures associated with this policy distinguish between detailed transaction systems, where individuals can affect the data through updating a record or entering a completely new transaction, and those systems from which individuals can report the results of detailed transactions.

Family Educational Rights & Privacy Act

Federal law (P.L. 93-568, 2) as amended in 1974 (with updates). Specifies rights and responsibilities of students and colleges regarding access to student data.

FormsNirvana (FN)

FormsNirvana is a Web-based forms generator which allows an authorized user to electronically enter, respond to, approve, and/or route requests, and create transactions.

• Electronic Grants Management System (EGMS) refers to the administrative application used to support the entire grants management process.

Information/Data Classifications

A determination that establishes the breadth of access to information. See Appendix B. Classification examples:

Public

Information/Data that is available to anyone who requests it, and who is willing to pay the costs associated with it.

Not-Public

A University of Minnesota term meant to include all Information/Data which is not Public (e.g. Private, Non-Public and Confidential).

Private

Information/Data about an individual that is available only to the subject and to anyone authorized by the subject or by law to see it. Private information/data that is not about an individual is called "non-public data" (e.g., trade secrets).

Confidential

Information/Data about an individual that is not available to the public or to the subject, but is available to authorized University employees, when necessary. Confidential information/data that is not about an individual is called "protected non-public data (for example, sealed bids).

Data on Decedents

This information is available to the spouse, child or parents. Private and confidential data on decedents is public 10 years after their death and 30 years after creation of data.

Information Technology Resources

Facilities, technologies, and information resources used for University information processing, transfer, storage, and communications. Included in this definition are computer labs, classroom technologies, computing and electronic communications devices and services, such as modems, e-mail, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, and instructional materials. This definition is not all inclusive, but rather, reflects examples of University equipment, supplies and services.

Internet ID

An Internet ID (or X.500 ID) account allows access to the University's electronic information, including e-mail and other systems. Every student, faculty member, staff person, and affiliate of the University is given a unique Internet ID. Internet IDs for staff are created immediately after an individual's Human Resources paperwork is signed, and for new students, as part of the registration process. Accounts are set up as needed for affiliates of the University. (Also refer to "X.500 Directory" in this listing.)

Internet Services

Services provided by the University in its role as Internet Service Provider. These services include but are not limited to collaborative technologies and information storage. The services are provided based on the needs of the member of the University community.

Minnesota Government Data Practices Act

Legislation delineating how private data collected by Minnesota government entities is to be maintained and protected (including financial data).

Password

A code which unlocks an individual's system account. Passwords are associated with individual IDs or accounts through which an individual is granted access to a database, system or systems. While passwords may be initially granted by a University security administrator, in most cases, individuals are asked to change their passwords to a series of characters known only to themselves.

Proper Use

See "Acceptable Use"

Reports

Pre-made templates that contain data. "Reports" may refer to structured information and/or query capabilities.

Secondary Release

Authorized Users of University information have a responsibility for proper use of information both within and outside of the University. Authorized Users of information may use it only for their specific job responsibilities and not for any unauthorized secondary use, or for release to anyone else, unless specifically authorized. For example, position responsibilities may allow access to all the Public and Private information related to students. Some information on students is Public (name, address, dates of enrollment) and other is Private (transcripts, financial aid). Even though an individual may have access to this information, he or she may not use it for any unauthorized purpose, or release any of this information to a secondary source unless specifically permitted by job responsibilities. The Board of Regent's Student Records Policy defines under what circumstances student information may be released to an outside source. Secondary release must be related to a legitimate educational, administrative or research purpose, and it must be authorized. All applicable federal and state laws and University policy and procedures concerning storage, retention, use, release, transportation and destruction of information/data and systems must be followed.

Security Breach

Any action that results in the unauthorized access, alteration, destruction or disclosure of University information, or information systems, or the dissemination of information/data to unauthorized individuals.

Security Measures

Processes, software and/or hardware used by system and network administrators to assure confidentiality, integrity and availability of computers, networks and data belonging to the University and users of University computer and network resources. Security measures include the ability to review files for potential or actual policy violations and responsibility for investigation of security related issues.

Security Violations

Any action that does not comply with system security concepts, policies, processes, procedures or measures.

Sponsored Affiliate Account

An Internet ID (X.500 account) that is purchased for an affiliate of the University, such as a committee worker, volunteer, or contract worker. Departments may purchase sponsored accounts. The department is charged an annual fee for maintaining sponsored accounts.

Supervisor

Refers to the person to whom an individual directly reports. For those seeking access to not-public information, or access to centrally-supported systems, it is the person designated by the Dean, Director or Department Head to function in that role for information/data access purposes. Also see "Authorized University Official".

Table

For the purposes of this policy, "table" refers to a collection of adjacent fields in which official University information/data is stored, so that it may be viewed, updated or reported. May also refer to a file or a collection of records in a database.

Unauthorized Disclosure

The act of providing information to any source not specifically authorized to receive such information, whether inside or outside of the University community.

University Community

All students, faculty members, staff persons, alumni association members, and sponsored affiliates (e.g. consultants, volunteers, or committee workers) of the University.

University Information

Information collected, manipulated, stored, reported or presented in any format, on any medium, by any unit of the University.

X.500 Directory

The University's central electronic directory, which allows members of the University community to access the University's electronic information, including e-mail, other systems, and certain reports. Every student, faculty member, staff person, and affiliate of the University who is entered into the X.500 directory is given a unique X.500 user name/account called an "Internet ID". The X.500 Directory is the source for the Student-Staff Directory and on-line look up services.

University Data Custodian

Decide on the cost and benefit issues in creating public reports for dissemination.

Area Data Custodian

Assist with the completion of special requests for public information.

Application Data Custodian

Answer questions on routine requests for public information

General Public

View or Request Public information. Pay the costs of responding to requests for public information as provided by law.

General Counsel

Provide legal advice to University staff and decision makers to ensure compliance with state and federal law, including the proper classification of University Data.

Office of Information Technology

Develop security policies and procedures for implementing access to public and private information based on this policy and procedures.

Records and Information Management Office

Respond to requests for public information. Assist General Counsel in advising University staff and decision makers regarding access to University information. Maintain Appendix A: Examples of Public, Private, and Confidential Information.

• Examples of Public, Private and Confidential Information

Rates

The requester may be asked to pay the costs of responding to requests for public information as provided by law. Questions regarding cost should be directed to the Coordinator of Records and Information Management Office at 612-625-3497.

There is no FAQ associated with this policy.

• Board of Regents Policy: Student Records
• Administrative Policy: Internal Access to University Information
• Minnesota Government Data Practices Act - Minn. Stat. 13.01
• Family Educational Rights & Privacy Act
• Office of the Registrar Policies on Access to Student Records
• Computer Fraud and Abuse Act, 1986
• Electronic Communications and Privacy Act
• University Records and Retention Schedules

Effective:

January 1999