UIndy Data Access and Acceptable Use Policy

Responsible Office: Information Technology

Effective Date: May 1, 2023

Overview

The University of Indianapolis shall approve access to Sensitive Institutional Data to ensure that access to sensitive data is authorized, that sensitive data with a need for protection are used appropriately, and that authorized access complies with University policies and relevant state and federal laws.

Objective / Purpose

This policy outlines requirements for granting and revoking access to Sensitive Institutional Data.

Scope

This policy applies to access to Sensitive Institutional Data maintained by the University or a party acting on the behalf of the University. This policy does not apply to data or records that are personal property of a member of the University community, research data, or data created and/or kept by individual employees or affiliates for their own use. This policy does not apply to situations in which the University is legally compelled to provide access to information.

Policy

 

Data Stewards Approve Access to Sensitive Institutional Data

Access to Sensitive Institutional Data is approved by designated Data Stewards. Data Stewards shall grant access in compliance with University Policies and all relevant regulations (e.g. FERPA, HIPAA and GLBA). Data Stewards shall grant access only to those employees, affiliates, and systems that need the access to perform their job duties or mission. Data Stewards are designated by the dean, vice president, or unit head of the unit that originates the data. In the case that a Data Steward is not designated, the data in question are owned by the dean, vice president, or unit head of the unit that originates the data

Vice Presidents Retain the Right to Approve All Access to SSN Data

Access to Social Security Number (SSN) data shall not be granted to an employee unless approval has been granted by a university Vice President.

Data Stewards are Responsible for Procedures for Requesting, Approving, and Revoking Access

1. Data Stewards shall ensure that procedures for requesting and approving access to Sensitive Institutional Data exist and are followed. Data Stewards shall also implement procedures for regularly auditing access to Sensitive Institutional Data, at least annually, and revoking access immediately (no greater than 3 days) when it is no longer needed or authorized. Procedures may vary from Data Steward to Data Steward as necessary to accommodate different departmental mission/resources/etc. and different groups of Data Users. However, all procedures shall include sufficient tracking for requests, approvals, and revocations such that authorized access to Sensitive Institutional Data is auditable.
2. In certain situations, such as termination for cause, the data steward must consider revoking access of individuals who are being terminated prior to the individuals being notified.

Only Authorized Users Shall Access Sensitive Institutional Data

All access by individuals to Sensitive Institutional Data shall be controlled by reasonable measures to prevent access by unauthorized users. 

Data Stewards May Delegate Approval Responsibilities to a Trusted Designee

A Data Steward may delegate the ability to approve access to Sensitive Institutional Data to trusted individuals in designated roles; referred to as a Data Manager. A Data Steward may delegate by creating procedures through which the Data Manager may approve access by employees that have certain pre-approved roles and responsibilities. Data Stewards retain the responsibility for ensuring that all access to Sensitive Institutional Data is authorized, appropriate, and complies with relevant legal requirements; the responsibility does not transfer to the designated Data Managers.

External Third-Party Access to Sensitive Institutional Data Shall be Governed by Contractual Agreement

Access to Sensitive Institutional Data by external parties shall be governed by individual contractual agreement and reviewed annually. Such contractual agreements shall be approved by the Office of the General Counsel and by the appropriate designated Data Steward.

Acceptable Use of Data

 

Sensitive Institutional Data stored electronically must only be stored, transmitted, or processed on computers employing the following controls:

1. All Sensitive Institutional Data should be encrypted in transit. 
   1. Email containing sensitive data: Use either Virtru or Google Confidential Mode. Email sent to and from uindy.edu email addresses sufficiently satisfies this requirement.
   2. Sharing Word or Excel documents with sensitive data: Use password protection on the document.
   3. Sharing Google Drive folders, Sheets, Docs with sensitive data:  Share only with the specific individuals who need access.
   4. Transmission of other file types: Use secure protocols such as SFTP or HTTPS.
2. Computers must have an anti-virus system installed and latest signatures applied.
3. Computers and systems must have authentication required to log in.
4. All operating system and third party software must be up-to-date.

Highly Sensitive Data stored electronically must only be stored, transmitted, or processed on a UIndy Supplied Computer

1. University-supplied laptops and workstations satisfy all standard control requirements and must be used when storing, processing, or transmitting Highly Sensitive Data.
2. Storing or processing Highly Sensitive Data on a personal computer, USB, or other removable media storage device is prohibited.
3. Email containing Highly Sensitive Data must always be sent using Virtru or Google Confidential Mode even when sent between uindy.edu emails.
4. Sharing Word or Excel documents with Highly Sensitive Data: Use password protection on the document.

Appropriate Use

1. Access to information may only be used in conjunction with the role of the employee and the purpose for which the access was granted.
2. Data users must keep all data and information to which their role gives access in the strictest confidence and may not be shared with people not authorized to possess, access, view, or know it.
3. Use of data and any data collection for profit or any other personal purposes is strictly prohibited.
4. To prevent conflicts of interest, employees enrolled in a class or who might enroll at the University at any time in the future, may not use access to any sensitive data or information in connection with any application to or participation in any University academic program, and employees are not authorized to use system access to view any information or data concerning students, faculty, or staff of any academic program or courses in which they are enrolled. If job responsibilities require exceptions to this policy, employees must disclose this conflict of interest to their supervisor.

Enforcement and Implementation

 

Roles and Responsibilities

1. Each University department is responsible for implementing, reviewing, and monitoring internal policies, practices, etc. to assure compliance with this policy.
2. The Chief Technology Officer is responsible for enforcing this policy.

Consequences and Sanctions

1. Violation of this policy may incur the same types of disciplinary measures and consequences as violations of other University policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a Student Code of Conduct violation.
2. Violation of this policy may also result in termination of contracts or commitments to vendors and other affiliates. Legal action may be pursued where appropriate.

Definitions

Access - Flow of information between a store of data and a user, system, or process. A user, system, or process is considered to have access to data if it has one or more of the following privileges: the ability to read or view the data, update the existing data, create new data, delete data, or the ability to make a copy of the data. Access can be provided either on a continual basis or, alternatively, on a one-time or ad hoc basis. Transferring any data from one party to another in any medium is tantamount to permitting access to those data.

Institutional Data - Those data, regardless of format, maintained by the University of Indianapolis or a party acting on behalf of the University for reference or use by University units. Institutional Data does not include data that is personal property of a member of the University community, research data, or data created and/or kept by individual employees or affiliates for their own use. Examples of Institutional Data include organizational charts, course information, faculty biographies, and enterprise directory records.

Sensitive Institutional Data - Those Institutional Data that contain information that can be classified as "sensitive." Some examples of Sensitive Institutional Data include Institutional Data that are FERPA-protected student education records such as grades, GPA, rosters, attendance records, etc., financial records, payroll information, and human resources records.

Highly Sensitive Data - Those Institutional Data that contain information that, if exposed, can lead to identity theft and/or are subject to regulatory or legal requirements.  Examples of such data include name paired with Social Security numbers, date of birth, credit card numbers, drivers license number, military identification, passport number, financial account information, and protected health information.

Data Steward - The individual responsible for the data. The Data Steward is usually the dean, vice president, or unit head of the university unit that creates or originates the Institutional Data. See related policies and procedures for more information on Data Stewardship.

Data User - An individual that has been authorized to access data for the performance of his/her job duties.

Data Manager - The individuals designated by the Data Stewards to be responsible for the day-to-day management of Institutional Data. 

Related Policies and Procedures

• Data Stewards
• Data Standards Manual

Tech Guides with instructions on how to:

• Secure your Shared Drive
• Request or remove access to Banner Admin Pages

Examples of Systems in Scope

• Banner Admin
• Google Shared Drives (including those for departmental or committee My UIndy files)
• Success Slate
• Admissions Slate
• Cognos
• Campus Cloud (Administrator access to Mobile App)
• My UIndy Editor Access
• Handshake
• Raiser’s Edge
• ARMS
• Delegated departmental email accounts
• Any systems containing Sensitive Institutional Data

Policy History

• May 1, 2023 - First publication
• July 1, 2024 - Revised title and added Section on Appropriate Use