Data Access Policy

1.0 Overview

The University of Georgia (UGA) shall approve access to Sensitive Institutional Data in order to ensure that access to sensitive data is authorized, that sensitive data with a need for protection are used appropriately and that authorized access complies with the UGA Privacy Policy and relevant state and federal laws.

2.0 Objective / Purpose

This policy outlines requirements for granting and revoking access to Sensitive Institutional Data.

3.0 Scope

This policy applies to access to Sensitive or Restricted data maintained by the University or a party acting on the behalf of the University. This policy does not apply to data or records that are personal property of a member of the University community, research data, or data created and/or kept by individual employees or affiliates for their own use. Requests for records by the public are outside of the scope of this policy and shall be handled by the Open Records Manager in the UGA Office of Public Affairs. This policy also does not apply to situations in which the University is legally compelled to provide access to information.

4.0 Policy

4.1 Institutional Data Shall be Classified

Institutional Data shall be classified in accordance with the Data Classification and Protection Standard to identify the level of confidentiality needs, legal requirements, and minimum standard protections for the data before access is granted.

4.2 Data Stewards Approve Access to Sensitive Institutional Data

Access to Sensitive Institutional Data is approved by UGA designated Data Stewards. Data Stewards shall grant access in compliance with the UGA Privacy Policy and all relevant regulations (e.g. FERPA, HIPAA and GLBA). Data Stewards shall grant access only to those employees, affiliates, and systems that need the access to perform their job duties or mission. Data Stewards are designated in Appendix A - Data Stewards and Trusted Designees (below). In the case that a Data Steward is not designated, the data in question are owned by the dean, vice president, or unit head of the unit that originates the data.

4.3 Senior Vice Presidents Retain the Right to Approve All Access to SSN Data

Access to Social Security Number (SSN) data shall not be granted to an employee unless approval has been granted by a university Senior Vice President or a Senior Vice President's designee.

4.4 Data Stewards are Responsible for Procedures for Requesting, Approving, and Revoking Access

Data Stewards shall ensure that procedures for requesting and approving access to Sensitive Institutional Data exist and are followed. Data Stewards shall also implement procedures for regularly auditing access to Sensitive Institutional Data and revoking access when it is no longer needed or authorized. Procedures may vary from Data Steward to Data Steward as necessary to accommodate different Data Steward mission/resources/etc. and different groups of Data Users. However, all procedures shall include sufficient tracking for requests, approvals, and revocations such that authorized access to Sensitive Institutional Data is auditable.

4.5 Only Authorized Users Shall Access Sensitive Institutional Data

All access by individuals to Sensitive Institutional Data shall be controlled by reasonable measures to prevent access by unauthorized users.

4.6 Data Users Shall Use Sensitive Institutional Data Responsibly

Data Users must responsibly use data for which they have access including only using the data for its intended purpose and respecting the privacy of members of the university community. Data Users must maintain the confidentiality data in accordance with the all applicable laws, the UGA Privacy Policy and the Data Classification and Protection Standard. Authorized access to Sensitive Institutional Data does not imply authorization for copying, further dissemination of data, or any use other than the use for which the employee was authorized. The Data Steward retains the right to approve and grant access to Sensitive Institutional Data.

4.7 Data Stewards May Delegate Approval Responsibilities to a Trusted Designee

A Data Steward may delegate the ability to approve access to Sensitive Institutional Data to trusted individuals in designated roles. A Data Steward may delegate by creating procedures through which the designee may approve access by employees that have certain pre-approved roles and responsibilities. Data Stewards retain the responsibility for ensuring that all access to Sensitive Institutional Data is authorized, appropriate, and complies with relevant legal requirements; the responsibility does not transfer to designees. Trusted Designees are enumerated in Appendix A - Data Stewards and Trusted Designees.

4.8 External Third-Party Access to Sensitive Institutional Data Shall be Governed by Contractual Agreement

Access to Sensitive Institutional Data by external parties shall be governed by individual contractual agreement or memoranda of understanding if the third party is a governmental organization. Such contractual agreements shall be approved by the UGA Office of Legal Affairs and by the appropriate UGA designated Data Steward.

5.0 Enforcement and Implementation

5.1 Roles and Responsibilities

Each University department/unit is responsible for implementing, reviewing and monitoring internal policies, practices, etc. to assure compliance with this policy.

The Office of Chief Information Officer is responsible for enforcing this policy.

5.2 Consequences and Sanctions

Violation of this policy may incur the same types of disciplinary measures and consequences as violations of other University policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a Student Code of Conduct violation.

Violation of this policy may also result in termination of contracts or commitments to vendors and other affiliates. Legal action may be pursued where appropriate.

6.0 Definitions

Access - Flow of information between a store of data and a user, system, or process. A user, system, or process is considered to have access to data if it has one or more of the following privileges: the ability to read or view the data, update the existing data, create new data, delete data or the ability to make a copy of the data. Access can be provided either on a continual basis or, alternatively, on a one-time or ad hoc basis. Transferring any data from one party to another in any medium is tantamount to permitting access to those data.

Institutional Data - Those data, regardless of format, maintained by the University of Georgia (UGA) or a party acting on behalf of UGA for reference or use by multiple University units. Institutional Data does not include data that is personal property of a member of the University community, research data, or data created and/or kept by individual employees or affiliates for their own use. Examples of Institutional Data include student education records, payroll records, human resources records, and enterprise directory records.

Sensitive Institutional Data - Those Institutional Data that contain information that can be classified as either "sensitive" or "restricted" using the UGA Data Classification and Protection Standard. Some examples of Sensitive Institutional Data include Institutional Data that are personally identifiable in nature and contain Social Security Numbers, Credit Card Numbers or other financial account numbers, HIPAA protected health information, or FERPA protected student education records.

Data Steward - The individual responsible for the data. The Data Steward is usually the dean, vice president, or unit head of the university unit that creates or originates the Institutional Data.

Data User - An individual that has been authorized to access data for the performance of his/her job duties.

7.0 References

• Privacy Policy
• Policies and Regulations
• Georgia Open Records Act (O.C.G.A. 50-18-70)
• UGA Open Records Requests and Procedures
• Data Classification and Protection Standard
• Guide to Performance Management
• Student Code of Conduct

Appendix A - Data Stewards and Trusted Designees