Category: Information Technology
Responsible Office: Information Security Office
Responsible Executive: Vice President and Chief Information Officer (VPCIO)
Date Established: July 6, 2013
Date Updated: January 16, 2020
The Data Access Procedure:
Individuals who access, retrieve, update, process, analyze, store, distribute, or in other manners use university data are responsible for securing and protecting the data in accordance with the Protection of University Data Policy and Data Risk Classification Policy.
The University at Buffalo is the data owner of all university data. Individual units or departments have stewardship responsibilities for portions of the data. Individuals are assigned data roles to access, retrieve, update, process, analyze, store, distribute, or in other manners use university data in order to carry out institutional business in keeping with the Data Risk Classification Policy.
All university data must be classified and protected in accordance with the Risk Classification Policy:
The Data Access Procedure does not apply to research data, scholarly work of faculty and students, and intellectual property.
Separate policies and procedures apply to HIPAA regulated data. Contact the Director of HIPAA Compliance (firstname.lastname@example.org) for more information.
Data users who access, retrieve, update, process, analyze, store, distribute or in other manners use university data for the legitimate and documented conduct of university business must agree to the guidelines below. As applicable, Data Trustees and/or Data Stewards issue detailed guidelines for their respective data.
|Term||Definition, Roles, and Responsibilities|
|Data Administration||The responsibility for the activities of data administration, including detailed data definition, is shared among the Data Stewards, Data Managers, and the VPCIO.|
|Data Manager||University officials and their staff with operational-level responsibility for information management activities related to the capture, maintenance, and dissemination of data. Data Stewards may delegate data administration activities to Data Managers.|
|Data Owner||The University at Buffalo is the data owner of all university data; individual units or departments have stewardship responsibilities for portions of the data.|
|Data Steward|| |
|Data Trustee|| |
|Data Users|| |
|Information Security and Privacy Advisory Committee (ISPAC)||ISPAC is responsible for evaluating, developing, and recommending information security and privacy policies, procedures, and operations vital to protecting and sustaining the university’s mission.|
|Information Security Officer (ISO)||The ISO is responsible for development and delivery of enterprise information security strategy, governance, and policy in support of institutional goals. Information security incidents must be reported to the ISO.|
|Non-Public Data||According to the Data Classification Risk Policy, Category 1- Restricted Data and Category 2- Private Data are considered non-public data.|
|Senior Management|| |
Designated as the president, provost, vice provosts, executive vice presidents, vice presidents, associate vice presidents, and deans who are eligible for access to enterprise-wide aggregate and summary university data.
Senior management is authorized to delegate access of enterprise-wide aggregate and summary university data, as deemed appropriate.
|Shadow system, extension system, extender system||Small-scale databases and/or spreadsheets developed for and used by end users, outside the direct control of an organization's official information access, management, and/or security protocols.|
|University Data||Defined as items of information that are collected, maintained, and utilized by the university for the purpose of carrying out institutional business. Includes centrally-stored data, as well as data generated and stored in university departments and decanal units All university data is required to have an identified Data Trustee.|
|Vice President and Chief Information Officer (VPCIO)||The VPCIO provides leadership for development and delivery of information technology (IT) services to the university. The VPCIO oversees an enterprise IT services organization, Computing and Information Technology (CIT), and works in partnership with UB’s schools, colleges and administrative IT units to enable a unified and productive IT experience for students, faculty and staff.|
Violations of this procedure will result in appropriate disciplinary measures in accordance with university policies, applicable collective bargaining agreements, and state and federal laws. For data regulated by the Health Insurance Portability and Act (HIPAA), refer to the applicable HIPAA policies or Director of UB HIPAA Compliance.