Information and Infrastructure Assurance at Indiana University

• UIPO
• >>University Data Management
• >> Policies and Guidelines
• >> DM-01

• Policy
  DM-01
• Status
  Draft for CDS Review, January 2008
• Source
  University Information Policy Office

Scope

This policy applies to all users of Indiana University information technology resources regardless of affiliation, and irrespective of whether those resources are accessed from on-campus or off-campus locations.

This policy applies to all institutional data, and is to be followed by all those who capture data and manage administrative information systems using university assets.

Rationale

Although all data captured using university assets are resources of the university, they vary in their relevance to the university’s administrative processes. This policy is intended to apply to those data which are critical to the university’s administration, regardless of whether the data is used or maintained by administrative or academic units.

Therefore, standard principles of data management should be applied to maintain the value and ensure the effective use of the data. Common principles and standards must be applied uniformly and as part of a coordinated effort.

This policy serves as a statement of objectives for managing institutional data.

Policy Statement

The value of data as an institutional resource is increased through its widespread and appropriate use; its value is diminished through misuse, misinterpretation, or unnecessary restrictions to its access.

The permission to access institutional data should be granted to all eligible employees of the university for all legitimate university purposes.

Employees are expected to access institutional data only in their conduct of university business, to only access the data needed to perform their jobs, to respect the confidentiality and privacy of individuals whose records they may access, to observe any ethical restrictions that apply to the data to which they have access, and to abide by applicable laws or policies with respect to access, use, or disclosure of information. Employees should not disclose data to others except as required by their job responsibilities, use data for their own or others’ personal gain or profit, or access data to satisfy personal curiosity.

Standards and procedures are to be developed to conform to the objectives embodied in this policy.

Procedures

Determination of relation to mission:
If the relationship of a use of information technology resources to the university's mission is unclear, the University Information Technology Policy Office (ITPO) or regional campus Chief Information Officers (CIOs) will coordinate with campus administration and the unit involved. These groups will determine whether the activity is an appropriate use of university information technology resources and supports the mission of the university.

Determination of incidental personal use:
The senior management of each university department or other administrative unit is authorized to define and publish the acceptable level and nature of incidental personal use by members of the unit. An employee's supervisor may require the employee to cease or limit any incidental personal use that hampers job performance or violates university policy. University technology service providers will always place a higher priority on support of university-related activities over any form of incidental personal use.

Consultation:
The University Information Technology Policy Office (ITPO) and/or regional Chief Information Officers (CIOs) are available to provide consultation or advice related to technology use or misuse to any university, campus, or unit administrators or individual personnel.

Definitions

Access to institutional data:
refers to the permission to view or query institutional data; permission does not necessarily imply delivery or support of specific methods or technologies of information access.

Data administration:
is the function of applying formal guidelines and tools to manage the university's information resource.

Eligible employees:
are faculty, staff, and administrators holding full-time appointments at Indiana University, or other employees specifically designated as eligible to access institutional data by the head of their department, division, school, or campus.

Institutional data is defined as such if it meets one or more of the following criteria:

• It is relevant to planning, managing, operating, or auditing a major administrative function of the university.
• It is referenced or required for use by more than one organizational unit.
• It is used to derive a data element that meets these criteria.

Institutional data falls into three general categories:

• University-internal: May be accessed by all eligible employees of the university, without restriction, in the conduct of university business. This should be the default classification for all data.
• Limited-access: Legal, ethical, or other constraints prevent access without specific authorization; selective access may be granted.
• Public: No restrictions at all; available for public access

Sanctions

Failure to comply with Indiana University information technology policies may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); to the individual's employment (up to and including immediate termination of employment); to the individual's studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these.

Related Policies, Laws, and Documents

• Indiana University Policy on Student Records
• Indiana University Release of Student Information Policy
• Family Education Rights and Privacy Act
• Standards for Policy on Data Management

Campuses, schools, colleges, departments, and other administrative units may have issued local policies and standards governing the appropriate use of information technologies deployed specifically to support that unit's activities. Managers of information technology services may have issued service-level polices and standards governing the appropriate use of their services. In order to understand and adhere to these requirements, users of these resources are responsible for consulting with appropriate unit or service staff.

Responsible Organization

Maintained and revised as necessary by the University Information Policy Office under the direction of approved data management committees.

Campus registrars or University Counsel will handle questions about the impact of FERPA on IU student record use.

Office of the Vice President for Information Technology
University Information Policy Office

Policy History

Reformatted by the University Information Policy Office in 2007 and merged with the Indiana University Committee of Data Stewards’ “Data Administration Issues Notice”, “Data Distribution and Storage Issues Notice”, and “Permission to Access Institutional Data” documents.

An initial Policy to Access Data was approved by the University Operations Cabinet in October, 1991, and distributed by the Office of the President in December, 1991.

Original document approved by the Administrative Computing Advisory Committee (ACAC) March 21, 1991 and the ACAC Data Administration Subcommittee on February 14, 1991.

top