The University of Wisconsin Oshkosh
Policy # [####]
Data Access and Data Security Policy (GEN 1.3.(2).)

Original Issuance Date: MMMM DD, YYYY
Last Revision Date: MMMM DD, YYYY
Next Review Date: MMMM DD, YYYY







GEN 1.3.(2). Data Access and Data Security Policy.
(1) Policy.

This policy secures and protects operational data (defined below) stored on and accessible by University-owned computing systems and used by University employees and students in support of the educational mission of the University. In so doing, it ensures that:

(a) The University is able to meet its record-keeping and reporting obligations as required by state and federal law, the Board of Regents, and UW System Administration;

(b) The University is able to comply with the Family Educational Rights and Privacy Act of 1974 (FERPA, or the Buckley Amendment) and other statutes and policies protecting the rights of individuals;

(c) The University is able to comply with the Wisconsin Public Records Statutes and other laws and policies providing for access to data;

(d) University data integrity and accuracy are consistently maintained;

(e) Authorized individuals are assured of timely and reliable access to necessary data; and

(f) Unauthorized individuals are denied access to computing resources or other means to retrieve, modify or transfer data.

This policy also addresses the issue of the rights and responsibilities of authorized persons in the handling, security and protection of University data. In view of the fact that security measures may introduce additional overhead in terms of time and effort, the objective of this policy is to ensure secure data while minimizing impediments to their access.

The Chief Information Officer for Information Technology (IT) is responsible for the implementation of this policy.

(2) Scope.

The policies and guidelines established herein govern the management and accessibility of University operational data regardless of the environment in which they reside. The term ‘operational data’ is meant to encompass only those data which are necessary for the daily execution of the University’s mission. This may include, but is not restricted to, administrative data, student and payroll records, personnel records, and accounting information. The environment in which these data are found may include, but are not limited to, the central mainframe, campus network servers, personal computers, and any other medium (printouts, screen dumps, microfiche, etc.).

This policy applies to all employees of the University, students, alumni, and authorized persons with interests in specialized segments of the University, such as Institutional Research, University Facilities, Employee/Student/Alumni data, or Education/Instruction.

(3) Data Ownership and Accountability.

(a) The University of Wisconsin Oshkosh.

The University of Wisconsin Oshkosh retains the exclusive right and use of all computer assets, including data. Within this context, it is considered the Legal Custodian of all University data.

(b) Specific Roles.

A list of current appointees to those positions referenced in the following sections are available online or from the IT Office.

Legal Custodian.
An administrative officer within the University, given responsibility by the Chancellor, according to state statutes, for managing specific information resources within a functional area.

Pursuant to c. 19.33(4), Wisconsin Statutes, and in accordance with the Wisconsin Public Records Statutes, the Chancellor must designate Legal Custodians of specific records. These individuals perform in a supervisory or managerial capacity and are responsible for the data residing in a designated system.

In addition to those duties defined by the relevant statutes, additional University responsibilities of the Legal Custodian may include:

a. Overseeing the creation and disposition of the data records for which he/she has been assigned responsibility;
b. Determining what data are appropriate for distribution and update;
c. Determining the validity of all requests for access to, and update capability for, area-specific data or applications;
d. Periodically reviewing the current set of access capabilities granted to all individuals on the system to ensure that the status is current and accurate; and
e. Overseeing the activities of all Data Stewards assigned to their functional area.

Data Steward.
An individual appointed by a Legal Custodian to manage a subset of the data designated as being within the area of responsibility of that Custodian. A Data Steward is the person primarily responsible for the accuracy, privacy, and integrity of University data. All University data must have an identified Data Steward.

In support of the Legal Custodian, responsibility for managing specific categories of data is assigned to Data Stewards. With regard to data access and security, these Data Stewards have the authority and responsibility to:

a. Assist the Legal Custodian with evaluation and approval of requests for access to records, in accordance with the Wisconsin Public Records Law and the Buckley Amendment;
b. Define and approve the degree and nature of access to their data;
c. Coordinate with the IT Office for adequate backup of data; and
d. Coordinate the creation and purging of data in a manner consistent with current record-keeping policies and regulations.

Data Security Officer.

The Data Security Officer has responsibility for implementing, monitoring, and coordinating the standards, procedures, and guidelines necessary to administer access to University data.

Specifically, the Security Officer has the responsibilities to:

a. Install, maintain, and operate data security software;
b. Maintain records indicating the identity of each Data Steward who has the responsibility for granting user access to data and the scope of his/her granting authority;
c. Implement the control of user access to University data, as determined by Data Stewards or Legal Custodians;
d. Review data security procedures within individual units as needed, disseminating information regarding access requests, security awareness, passwords, virus protection, and the reporting of security violations;
e. Create and maintain policy regarding the responsible usage of computing resources and outline the proper conduct expected of all data users;
f. Maintain current data access authorization records. This will entail the creation of new records in response to valid requests for data access, the removal of records for users transferring to another functional unit or leaving the University, and the modification of existing records to accommodate a name change or additional job requirements;
g. Establish and monitor system activity accounting and audit trail records in a manner consistent with University and Internet guidelines; and
h. Serve as de facto Data Steward for data items not assigned to other stewards, until such time as an individual can be permanently designated.

Database Administrator.
The Database Administrator (DBA) has responsibility for the management of and implementation of access to all data contained within the University database management system. The DBA is to act as the administrator of the information resource in accordance with established policies and procedures, but will in no sense dictate the usage of University data, nor determine individual access rights to data elements, records, or files contained within the database. This will remain the responsibility of the Data Stewards.

Data User.
A Data User is any individual requiring access to University data in the course of meeting the requirements of his/her position or an educational curriculum. All departmental units and individuals have the responsibility to ensure the following:

a. Privacy and confidentiality of data are maintained in a manner consistent with the laws and regulations relating to those data;
b. Every effort is made to assure and maintain the accuracy of data;
c. Data are correctly and appropriately used as defined by, but not limited to, applicable state and federal law. Sanctions for the inappropriate use of data are also defined by these regulations;
d. Data security is not compromised by the sharing of user access IDs or passwords;
e. Proper records management disposal methods are used when data are considered no longer valid or useful; and
f. Online conduct and utilization of computing resources is consistent with the guidelines set forth in the University of Wisconsin Oshkosh Acceptable Use of Computing Resources Policy.

Several departments operate turnkey, third-party, in-house-developed systems on individual PCs, local area networks or other hardware. The departments have complete responsibility for these systems, to include the above plus:

a. Securing computing resources, computer rooms, department office areas, and other work areas; and
b. Establishing policies, procedures, and standards for security and maintenance of software and data, such as backup policies and procedures.

(4) Proper Management of Data.

(a) Data Capture.

1. The Legal Custodian is responsible for complete, accurate, valid, and timely data capture. These responsibilities may be delegated to Data Stewards.
2. Electronic data should be captured at or near their creation points, as identified by the Legal Custodian.

(b) Data Storage.

1. An official data storage location for each data element should be identified by the Legal Custodian.
2. Data element names, formats, and values should be consistent with University standards.
3. Archiving requirements and strategies for storing historical data should be determined by the Legal Custodian, in coordination with the IT Office.

(c) Data Validation and Correction.

1. The accuracy of any data element may be questioned by any authorized data user. The data user has the responsibility to help correct the perceived problem by supplying as much detailed information regarding correct usage of the data as is possible.
2. The Legal Custodian or delegated Data Steward is responsible for responding to questions and correcting verified inconsistencies in data elements.
3. Upon written identification and notification of erroneous data, corrective measures should be taken as soon as possible to correct the cause of the error; correct the data in the official data storage location, and notify users who have received or accessed erroneous data, of the changes.

(d) Data Accessibility.

Legal Custodians are responsible for providing accessible, meaningful, and timely University data. This activity may be assigned to Data Stewards or other University officials, within the confines of predefined authorization guidelines.

Accessibility to University data may be considered any of the following:

1. Hard copy reports issued by various administrative offices;
2. Access through the University communications infrastructure; and
3. Data downloaded and accessed from a unit/departmental computer or downloaded to an individual user’s personal computer. If University data are downloaded to a college or department, the responsibility for implementing, monitoring, and enforcing University data access and resource usage policies shall reside with the College Dean or Departmental Chair authorized to receive the data.

(e) Data Security.

1. All University data should be secured, with access granted to a data user on a “need-to-know” basis, and within the confines of predefined access guidelines and security requirements. The Legal Custodian, through the Data Stewards, has the ultimate responsibility for determining security requirements and access authorization.
2. All users of University data must be cognizant of the level of access they have been provided, and of their responsibility to maintain the inherent privacy and integrity of those data. Effective data security is not possible without the cooperation of users who understand the reasons for data security and comply with established security measures.

(f) Data Disposal.

1. The Legal Custodian is responsible for determining what data within the functional area are to be retained and for how long. This authority may be delegated to a Data Steward.
2. At the point at which data are considered no longer useful or legally required, they must be removed from general access in a manner consistent with their content and medium. Disk-based datasets may be archived to tape and moved off-site or deleted. 3. Tapes may be erased and reused or permanently archived. Reports and printouts may be recycled as is, or shredded prior to disposal, depending on legal or institutional requirements.
3. Users are responsible for the proper disposal of data residing on individual personal computers.

(g) Data Documentation.

Documentation of data elements is the ultimate responsibility of the Legal Custodian. This information should be provided to the IT Office, which will oversee its archival and general availability. All data documentation so gathered will be maintained in machine-readable format in a University Data Dictionary. In essence, IT is the Data Steward for the University Data Dictionary.

(h) Data Disputes.

Due to the common occurrence of some data elements within several University systems, questions may arise as to the precedence of ownership or responsibility for those data elements. A typical example might be a social security number, which is frequently used by Enrollment Management, Human Resources, Financial Aids, and others. In this instance, the data element may be considered to have more than one Data Steward. If the Data Stewards are unable to arrive at a consensus as to the appropriate use of a data element, a meeting of the responsible parties will be convened by a designated representative of the IT Office in an effort to resolve the data dispute.

(5) Procedures.

In the course of creating and administering controlled access to University data, various procedures must be defined and formalized. These procedures, listed below, with an accompanying explanatory cover page and their relevant forms, are available from the IT Office.

(a) Requesting Authorization for Data Access.

(b) Modifying Existing Data Access Authorization.

(c) Managing Systems for Employee Turnover.

(d) Reporting Breaches of Data Security.

(e) Requesting Computer System Activity Information.

(f) Providing sanctions for Unauthorized Data Access or Disclosure.