7/31/2019 Data Access Policy
Data Access Policy
Organizational Function: UGA Information Assurance
Policy Number: MM-YYYY-Prog/Sys/Issue
Policy Category: Program Policy
Issue Date: 03-01-2011
Effective Date: 06-01-2011
Subject: UGA Data Access Policy
Review On: In Review
Office of Primary Responsibility: UGA Office of Information Security
Authorized By: University Security Committee
Address: University of Georgia Computer Services Annex, Athens, Georgia 30602-1911
Responsible Official: Brian Rivers
Distribution: University-wide
Phone: 706-524-3106
Fax: 706-524-0349
On-Line Publication: https://infosec.uga.edu/policies/
Web: infosec.uga.edu
Status: Draft
The University of Georgia (UGA) shall approve access to Sensitive Institutional Data in order
to ensure that access to sensitive data is authorized, that sensitive data with a need for
protection are used appropriately and that authorized access complies with the UGA Privacy
Policy and relevant state and federal laws.
This policy governs access to Sensitive Institutional Data. Requests for records by the public
are outside of the scope of this policy and shall be handled by the Open Records Manager in
the UGA Office of Public Affairs. This policy does not supersede circumstances in which the
University is legally compelled to provide access to information.
Institutional Data shall be classified in accordance with the University's Information
Classification Standard to ascertain the level of sensitivity and criticality of the data before
access is granted. Those granting access to Institutional Data must understand the
classification and any legal requirements for protection.
Access to Sensitive Institutional Data is approved by UGA designated Data Stewards. Data
Stewards shall grant access in compliance with the UGA Privacy Policy and all relevant
regulations (e.g. FERPA, HIPAA and GLBA). Data Stewards shall grant access only to those
employees, affiliates, and systems that need the access to perform their job duties or mission.
Data Stewards are designated in Appendix A - Data Stewards and Trusted Designees. In the
case that a Data Steward is not designated, the data in question are owned by the dean, vice
president, or unit head of the unit that originates the data.
Access to Social Security Number (SSN) data may be granted to an employee unless
approval has been granted by a university Senior Vice President or a Senior Vice President's
designee.
Data Stewards must ensure that procedures for requesting and approving access to Sensitive
Institutional Data exist and are followed. The procedures for requesting and approving
access will necessarily vary from Data Steward to Data Steward and among groups of Data
Users. However, all procedures shall include sufficient tracking for requests, approvals, and
expiration of approvals such that authorized access to Sensitive Institutional Data is
auditable.
All access by individuals to Sensitive Institutional Data shall be authenticated and authorized
by reasonable measures to prevent access by unauthorized users.
Data Users must responsibly use data to which they have access, including only using the
data for its intended purpose and respecting the privacy of members of the university
community. Data Users must maintain the confidentiality of personally identifiable sensitive
data in accordance with the Privacy Policy and the Guidelines for Handling Sensitive
Information. Authorized access to Sensitive Institutional Data does not imply authorization
for copying, further dissemination of data, or any use other than the use for which the
employee was authorized. The Data Steward retains the right to approve and grant access to
Sensitive Institutional Data.
A Data Steward may delegate the ability to approve access to Sensitive Institutional Data to
trusted roles. A Data Steward may delegate by creating procedures through which the
designee may approve access by employees that have certain pre-approved roles and
responsibilities. Data Stewards retain the responsibility for ensuring that all access to
Sensitive Institutional Data is authorized, appropriate, and complies with relevant legal
requirements. Trusted Designees are enumerated in Appendix A - Data Stewards and
Trusted Designees.
Access to Sensitive Institutional Data by external parties shall be governed by individual
contractual agreements or memoranda of understanding if the third party is a governmental
organization. Such contractual agreements shall be approved by the UGA Office of Legal
Affairs and by the appropriate UGA designated Data Steward.
Enforcement of this policy is the responsibility of the Office of the Chief Information
Officer.
Each University department/unit is responsible for reviewing and monitoring internal
procedures, reports, and other documents to assure compliance with the UGA Data Access
Policy.
Any student, faculty or staff member found to have violated this policy shall be subject to
disciplinary action, up to and including termination of employment or expulsion from the
University. Violation of this policy may result in termination of contracts or commitments
to vendors and other affiliates. Legal action may be pursued where appropriate.
The Office of the Chief Information Officer, in cooperation with the University Security
Committee, will review this policy on an annual basis.
This policy may also be used for auditing purposes by the UGA Office of Internal Audit (IT
Audit) team.
Flow of information between a store of data and a user, system, or process.
A user, system, or process is considered to have access to data if it has one or more of
the following privileges: the ability to read or view the data, update the existing data,
create new data, delete data or the ability to make a copy of the data. Access can be
provided either on a continual basis or, alternatively, on a one-time or ad hoc basis.
Transferring any data from one party to another in any medium is tantamount to
permitting access to those data.
Those data, regardless of format, maintained by the University of
Georgia (UGA) or a party acting on behalf of UGA for reference or use by multiple
University units. Institutional Data does not include data that is personal property of
a member of the University community, research data, or data created and/or kept by
individual employees or affiliates for their own use. Examples of Institutional Data
include student education records, payroll records, human resources records, and
enterprise directory records.
Those Institutional Data that contain information that
can be classified as sensitive using the UGA Information Classification Standard.
Some examples of Sensitive Institutional Data include Institutional Data that are
personally identifiable in nature and contain Social Security Numbers, Credit Card
Numbers or other financial account numbers, HIPAA protected health information,
or FERPA protected student education records.
The individual responsible for the data. The Data Steward is usually
the dean, vice president, or unit head of the university unit that creates or originates
the Institutional Data.
An individual that has been authorized to access data for the performance
of his/her job duties.
Any data which can be classified as Sensitive Information using the
UGA Information Classification Standard.
Privacy Policy: https://infosec.uga.edu/policies/privacy.php
Information Classification Standard: https://infosec.uga.edu/policies/classification.php
Guidelines for Handling Sensitive Information: https://infosec.uga.edu/policies/sensitiveinfo.php
Data Stewards and Trusted Designees: https://infosec.uga.edu/policies/dataappendixA.php