Information Technology Division
Computing & Communications Center

Data Access Policy

Purpose and Scope

Administrative data captured and maintained at Worcester Polytechnic Institute (WPI) are a valuable university resource. While these data may reside in different database management systems and on different machines, these data in aggregate form one unified digital campus. (UDC) The enterprise system contains data from multiple operational areas that need to be integrated in order to support institutional research, business analysis, reporting, and decision making.

The purpose of this Data Access Policy is to ensure the security, confidentiality and appropriate use of all data which is processed, stored, maintained, or transmitted on WPI computer systems and networks. This includes protection from unauthorized modification, destruction, or disclosure, whether intentional or accidental. By law and WPI policy, certain data is confidential and may not be released without proper authorization. This policy is intended to serve as a general overview on the topic and may be supplemented by other specific policies and regulations such as the Massachusetts Privacy Law, the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), the Gramm Leach Bliley Act, and other federal or state regulations pertaining to the protection of information.

The Data Access Policy applies to members of the WPI community who have or are requesting access to WPI "business information". It applies not only to stored information but also to the use of the information in business and other processes.

Definitions

Business Information - Includes data related to the operations of WPI including but not limited to financial, employment, academic, intellectual property and other types of data.

Class - A group of access assignments that define a job function.

Data - A set of information used in a business process.

Query access - Access enabling the user to view but not update data.

Maintenance access - Access enabling the user to both view and update data. This access is limited to users directly responsible for the collection and maintenance of data.

Module - A collection of objects that support a business process.

Objects - Data that is organized in a logical fashion such as databases or database tables/views, file systems and directories, reports and forms.

Role - A collection of classes. Roles will be established based on job function. Specific capabilities will be assigned to each role. Each user will be assigned a role. Some users may be assigned several roles depending on specific needs identified by their division/department head and approved by the Data Steward(s).

System - A collection of modules. Systems at WPI include but are not limited to: Banner modules including Human Resources, Finance, Student, Financial Aid, Accounts Receivable, Alumni and Development, Operational Data Stores (ODS), Enterprise Data Warehouses (EDW), Luminis, fsaAtlas, and any other related or third-party interfaces to these systems.

Data Administration

Individuals must adhere to any applicable federal and state laws as well as WPI policies and procedures concerning storage, retention, use, release, and destruction of data.

All WPI data, whether maintained in the central database or captured by other data systems, including personal computers or other storage devices, remains the property of WPI and is covered by all WPI data policies. Access to and use of data should be approved only for legitimate WPI business. Data (regardless of how collected or maintained) will only be shared among those employees who have demonstrated a job related need to know.

Data administration is defined by the following roles:

Data Access Administrator - Database Administrator or appropriately assigned IT professional(s) in the CCC responsible for processing approved requests.

Data Owner - Data Owners are responsible for determining who should have access to data within their jurisdiction, and what those access privileges should be. Responsibilities for implementing security measures may be delegated, though accountability remains with the owner of the data.

Data Stewards - Data Stewards oversee data management functions related to the capture, maintenance and dissemination of data for a particular operational area. They are responsible for the general administration of user access to data within their area(s) of responsibility. Data Stewards are appointed by the respective Data Owner.

It is expected that the Data Steward has knowledge of the details associated with the objects, roles and classes (schemes) as it pertains to their area of responsibility within their module, or other related systems. Data Stewards without this knowledge will require training.

Steering Committee - The Data Access Working Group as assigned by Governance that works in a consultative role with modular data stewards. This group provides expertise for all data systems across the enterprise, and interacts as needed with the data stewards (i.e., HR, Student, Finance, Financial Aid, Alumni and Development data stewards, etc).

Users - Data users are individuals who access enterprise data in order to perform their assigned duties or fulfill their role in the WPI community.


ROLE MEMBERSHIP:

Data Owner Area of Responsibility Data Owner(s)
Banner General Governance Working Group
Student System (Admissions, Enrollment, & Registration) Vice President of Enrollment Management
Student System (Student Activities, & Residential Services) Vice President of Student Affairs & Campus Life
Student Financial Aid System Vice President of Enrollment Management
Finance System CFO & Executive Vice President of Finance & Operations
Human Resources System Vice President of Human Resources
Faculty Academic Records Provost & Sr. Vice President
Alumni and Development Vice President for Development & Alumni Relations

Data Steward Area of Responsibility Data Steward(s)
Banner General Data Stewardship Working Group
Student System (Admissions, Enrollment, & Registration) University Registrar
Director of Admissions
Director of Graduate Admissions
Student System (Student Activities, & Residential Services) Dean of Students
Director of Student Development
Director of Residential Servicse
Director of Athletics
Director/Nurse Practitioner
Director International Students/Schools
Director of Career Development
Director of Student Activities
Student Financial Aid System Director of Financial Aid
Finance System University Controller
Human Resources System Associate Director of Human Resources
Faculty Academic Records Director of Academic Operations
Accounts Receivable Director of Financial Services
Bursar
Payroll Controller
Associate Controller
Alumni and Development Development & Technology Specialist

Data Access Administrator(s)
Senior Database Administrator
Database Administrator
ERP Administrator
Assoc VP for IT & Assoc CIO

Supervisors will review the data access needs of their staff, with support of the data stewards and the Steering Committee, as it pertains to their job functions before requesting access via the Access Request Form.

Access to Data

Below are the requirements and limitations for all WPI divisions/departments to follow in obtaining permission for access to data.

For requests that the Data Stewards receive that are inter-modular, the Data Steward will forward the request to their Data Owner. The Data Owner of the requesting department will discuss the needs with the Data Owner of the module in which the access is being requested. On tacit approval of the Data Owners, the Data Stewards of the affected areas will create a role or class that is appropriate for the user and submit it to the Data Owner of the module that the access is being requested for approval. If the Data Owners cannot come to a consensus, the request will be brought before the Governance Working Group.

The use of generic accounts is prohibited for any use that could contain protected data.


Audits

Audits are done to ensure that an employee’s job is commensurate to their level of access. The definition of an audit will be included in the Data Access Audit Standard. Audits may result in changes to an employee’s data access.

An annual audit will be conducted by the Data Stewards, the analysis of which will be submitted to the Data Owner for approval.

Unscheduled audits will be conducted when any job, position and/or status changes.

Security

Methods to access data via electronic services are defined in the ERP System Security Standard.

Data Access Qualification Standard

Criteria for data access to specified data sets are defined in the Data Access Qualification Standard and defined by the modular Data Owner.


Revision History

Maintained by itweb
Last modified: Oct 19, 2009, 02:29 UTC
[WPI] [CCC] [Top]