Data Access Procedure

Category: Information Technology

Responsible Office: Information Security Office

Responsible Executive: Vice President and Chief Information Officer (VPCIO)

Date Established: July 6, 2013

Date Updated: April 6, 2018

On this page:

Summary

The Data Access Procedure:

  • Defines the roles, responsibilities, data management environment, and procedure for granting access to UB’ non-public data.
  • Applies to university data in hard copy and electronic format.
  • Supplements the Protection of University Data Policy and the Data Risk Classification Policy.

Individuals who access, retrieve, update, process, analyze, store, distribute, or in other manners use university data are responsible for securing and protecting the data in accordance with the Protection of University Data Policy and Data Risk Classification Policy.

The University at Buffalo is the data owner of all university data. Individual units or departments have stewardship responsibilities for portions of the data. Individuals are assigned data roles to access, retrieve, update, process, analyze, store, distribute, or in other manners use university data in order to carry out institutional business in keeping with the Data Risk Classification Policy.

All university data must be classified and protected in accordance with the Risk Classification Policy:

  • Non-public data is classified as Category 1- Restricted Data and Category 2 -Private Data.
  • Non-public data must be protected throughout its life cycle in a manner consistent with its classification.
  • Public data is classified as Category 3 data. Public data has no requirements for confidentiality, however, systems housing the data should take reasonable measures to protect its accuracy.

The Data Access Procedure does not apply to research data, scholarly work of faculty and students, and intellectual property.

Separate policies and procedures apply to HIPAA regulated data. Contact the Director of HIPAA Compliance (hipaa-compliance@buffalo.edu) for more information.

Guidelines

Data users who access, retrieve, update, process, analyze, store, distribute or in other manners use university data for the legitimate and documented conduct of university business must agree to the guidelines below. As applicable, Data Trustees and/or Data Stewards issue detailed guidelines for their respective data.

  1. Data Trustees and their delegates grant and revoke access to Category 1- Restricted Data and Category 2- Private Data (non-public) university data. Access is granted only to those with a legitimate business need for the data.
  2. Data access is renewed on an annual basis, or more often as needed.
  3. Data access is granted only for legitimate purposes and within the terms articulated in applicable university policies.
  4. Data access rights are non-transferable.
  5. Data Users are explicitly prohibited from releasing, sharing, or transmitting data to others, other than for the legitimate business purposes for which the data access was granted.
  6. Data Users are explicitly prohibited from using data for purposes other than those for which the data access was granted.
  7. Data Users must successfully complete Handling Data Safely, prior to receiving data access
  8. Access to Social Security Numbers (SSN) in UB InfoSource is highly restricted and granted only to employees with a specific legal or business need that cannot be met in another way.
  9. In order to request access to SSNs in UB InfoSource, individuals are required to complete the Social Security Number Data Access Request, stating the legal statute and/or business need for SSNs. A committee composed of several Data Trustees and the ISO reviews all SSN access requests.
  10. Extracts of data, data feeds, and data within shadow systems, extension systems, extender systems, or other applicable systems that store university data have the same classification level and utilize the same protective measures as the same data in the systems of record.
  11. Any shadow system, extension system, extender system, or other applicable system that university data must be disclosed to the appropriate data trustee and the ISO is required.
  12. Computer systems and devices used to support data must adhere to the specific, protective measures as set forth in the UB Minimum Security Standards for Desktops, Laptops, Mobile, and Other Endpoint Devices and the UB Minimum Server Security and Hardening Standards.

Definitions, Roles, and Responsibilities

Term Definition, Roles, and Responsibilities
Data Administration The responsibility for the activities of data administration, including detailed data definition, is shared among the Data Stewards, Data Managers, and the VPCIO.
Data Manager University officials and their staff with operational-level responsibility for information management activities related to the capture, maintenance, and dissemination of data. Data Stewards may delegate data administration activities to Data Managers.
Data Owner The University at Buffalo is the data owner of all university data; individual units or departments have stewardship responsibilities for portions of the data.
Data Steward
  • Assigned by Data Trustees.
  • Responsible for planning and policy-level responsibilities for data in their functional areas.
  • Have supervisory responsibilities for defined elements of institutional data.
  • May grant, renew, and revoke access to Data Managers and/or Data Users (as delegated by Data Trustees).
  • Develop and maintain clear and consistent procedures for data access and use in keeping with university policies.
  • Prevent unauthorized access to Category 1 Restricted Data and Category 2 Private Data.
  • Ensure that training and awareness of the terms of this procedure are provided.
  • Monitor compliance with this procedure.
Data Trustee
  • Senior leaders of the university (vice-presidents, vice-provosts, and deans) who have responsibility for areas that have systems of record.
  • Responsible for ensuring that data stewards, data managers, and data users in their respective area(s) are compliant with data governance principles.
  • Classify university data in accordance with the Data Risk Classification Policy.
  • Control university data by granting access, renewing access, and revoking access to Data Stewards, Data Managers, and/or Data Users. Data Trustees may delegate this responsibility to Data Stewards or Data Managers.
  • Assign Data Stewards who function as described above.
  • Data Trustees may work directly with Data Stewards, Data Managers, and/or Data Users.
Data Users
  • Individual with data access as granted by a Data Trustee or Data Steward.
  • Successfully complete Handling Data Safely, prior to receiving data access.
  • Access, retrieve, update, process, analyze, store, distribute, or in other manners use university data for the legitimate and documented conduct of university business.
  • Use data for the purposes in which access is granted.
  • Data Users who misuse data and/or illegally access data are subject to sanctions or penalties in accordance with employee relations policies. Sanctions or penalties are based on the standards outlined in university policy, state or federal regulations, and the appropriate collective bargaining agreements.
  • Comply with the Data Risk Classification Policy and secure Category 1-Restricted Data and Category 2 Private Data.
Information Security and Privacy Advisory Committee (ISPAC) ISPAC is responsible for evaluating, developing, and recommending information security and privacy policies, procedures, and operations vital to protecting and sustaining the university’s mission.
Information Security Officer (ISO) The ISO is responsible for development and delivery of enterprise information security strategy, governance, and policy in support of institutional goals. Information security incidents must be reported to the ISO.
Non-Public Data According to the Data Classification Risk Policy, Category 1- Restricted Data and Category 2- Private Data are considered non-public data.
Senior Management

Designated as the president, provost, vice provosts, executive vice presidents, vice presidents, associate vice presidents, and deans who are eligible for access to enterprise-wide aggregate and summary university data.

Senior management is authorized to delegate access of enterprise-wide aggregate and summary university data, as deemed appropriate.

Shadow system, extension system, extender system Small-scale databases and/or spreadsheets developed for and used by end users, outside the direct control of an organization's official information access, management, and/or security protocols.
University Data Defined as items of information that are collected, maintained, and utilized by the university for the purpose of carrying out institutional business. Includes centrally-stored data, as well as data generated and stored in university departments and decanal units All university data is required to have an identified Data Trustee.
Vice President and Chief Information Officer (VPCIO) The VPCIO provides leadership for development and delivery of information technology (IT) services to the university.  The VPCIO oversees an enterprise IT services organization, Computing and Information Technology (CIT), and works in partnership with UB’s schools, colleges and administrative IT units to enable a unified and productive IT experience for students, faculty and staff.

Compliance

Violations of this procedure will result in appropriate disciplinary measures in accordance with university policies, applicable collective bargaining agreements, and state and federal laws. For data regulated by the Health Insurance Portability and Act (HIPAA), refer to the applicable HIPAA policies or Director of UB HIPAA Compliance.

Contact Information

Office of the Vice President and Chief Information Officer
517 Capen Hall
Buffalo, NY 14260
Phone: 716-645-7979
Email: vpcio@buffalo.edu
Website: http://www.buffalo.edu/ubit.html

Information Security Office
201 Computing Center
Buffalo, NY 14260
Phone: 716-645-6997
Email: sec-office@buffalo.edu
Website: http://security.buffalo.edu  

Related Documents