ITS Data Access Policy
1. Overview
The University of Akron shall approve access to Protected Institutional Data (defined below) to ensure that access to sensitive data is authorized, that sensitive data with a need for protection are used appropriately, and that authorized access complies with all applicable federal and state laws, University Rules, and ITS Data Classification Standards, policies, and procedures.
2. Purpose
This policy outlines requirements for accessing and handling Protected Institutional Data.
3. Scope
This policy applies to all Protected Institutional Data maintained by the University of Akron or by a party acting on behalf of the university. This policy does not apply to data or records that are the personal property of a member of the university community.
4. Definitions
- Data Owner – The individual or group who has accountability and authority to make decisions about a specific set of data. The Data Owner is responsible for the function or functions that collect and use the information, determines the levels of protection for the information, makes decisions on appropriate use of the information, and determines the appropriate classification of the information. This role generally falls to a functional administrative or academic area, such as the Registrar, Human Resources, or the offices of the CFO and Provost.
- Data Steward – The person who is identified by the Data Owner to act, and to approve or deny access to data, on behalf of the Data Owner.
- Data Custodian – The persons or unit responsible for implementing controls the Data Owner identifies. This role often includes Information Technology Services or departmental technology support.
- Data User – Any person who interacts with the data. This includes people or programs that create, update, read, or delete information.
- External Third Party – Any organization, vendor, contractor, or partner operating on behalf of the university.
- Incident Response Team – The individuals responsible for investigating data breaches and other information security incidents. These individuals may include, but are not limited to, University of Akron Information Security Services, the University of Akron Office of General Counsel, and local, state, and federal law enforcement agencies.
- Institutional Data – Any information or data that is gathered, analyzed, or published by any department of the University of Akron in support of its mission(s).
- Protected Institutional Data – Any information classified as more restricted than Public Use by the Data Owner, or appointed Data Steward(s), according to ITS Data Classification Standards.
5. Policy
- Institutional Data Shall Be Classified
  - Institutional data shall be classified in accordance with ITS Data Classification Standards to identify the level of confidentiality required, the legal requirements, and the minimum standard protections for the data before access is granted.
  - Data that has yet to be classified shall be treated as Protected Institutional Data until the Data Owner, or their appointed Data Steward(s), assigns a classification.
- Institutional Data Shall Be Stored Properly
  - Institutional data shall be stored in accordance with ITS Secure Access and Data Storage Standards to prevent unauthorized access to, or loss of, institutional data.
- Only Authorized Users Shall Have Access to Protected Institutional Data
  - Data Owners maintain authority over the collection and use of the data relevant to their functional role and responsibility. Only Data Owners, or their appointed Data Stewards, may authorize access to Protected Institutional Data.
  - Data Users must only access, or attempt to access, data that they are authorized to use.
  - Data Users must understand the classification of the data they are accessing and are responsible for ensuring the security and privacy of the associated Protected Institutional Data by using reasonable measures to prevent access by unauthorized users.
  - External Third Parties must ensure that only authorized employees and/or contractors have access to Protected Institutional Data, in accordance with the contractual agreement under which the data is shared.
- Data Users Shall Use Protected Institutional Data Responsibly
  - Data Users must use responsibly the data to which they have access, including using the data only for its intended purposes and respecting the privacy of members of the university community.
  - Data Users and External Third Parties must maintain the confidentiality of data in accordance with all applicable laws and regulations, University Rules, ITS Data Classification Standards, and ITS Secure Access and Data Storage Standards.
  - Authorized access to Protected Institutional Data does not imply authorization for copying, further dissemination of the data, or any use other than the use for which the employee was authorized.
- External Third-Party Access
  - Access to Protected Institutional Data by external parties shall be governed by an individual contractual agreement or memorandum of understanding.
  - Such agreements shall be approved by the University of Akron Office of General Counsel and by the appropriate Data Owner or their appointed Data Steward(s).
- Unauthorized Disclosure of Protected Institutional Data
  - Unauthorized access to, or disclosure of, Protected Institutional Data must be reported to the Chief Information Security Officer (CISO) immediately by submitting an email to security@uakron.edu or by calling the ITS Help Desk at (330) 972-6888.
  - All university personnel shall fully cooperate with the Incident Response Team to quickly address the situation and minimize risk to the university.
6. Policy Compliance
- Roles and Responsibilities
  - Each university department/unit is responsible for implementing, monitoring, reviewing, and updating its internal policies and practices to ensure compliance with this Policy.
  - External Third Parties are responsible for ensuring compliance with this policy, as well as with the stipulations outlined in the associated contractual agreement.
  - The Chief Information Officer is responsible for enforcing this policy.
- Non-Compliance
  - An employee or student who knowingly violates this Policy or any other University policy applicable to data security, and/or in any way intentionally breaches the confidentiality of Protected Institutional Data, may be subject to appropriate disciplinary action or sanctions.
  - External Third Parties will be subject to the stipulations outlined in the associated contractual agreement.
- Exceptions
  - Any exception to this policy must be submitted in writing to the Data Owner and must include substantiated justification for the exception.
  - The Data Owner shall have final approval of the exception request.
  - Any appeal of the Data Owner's decision shall be directed to the Data Access Compliance Board for review.
  - The Data Access Compliance Board's ruling shall be final, and no further escalation shall be permitted.
7. Related Documents
University Rule 3359-11-08: Policies and Procedures for Student Records
University Rule 3359-11-10: Acceptable Use Policy
University Rule 3359-11-10.3: Information Security and System Integrity Policy
University Rule 3359-11-10.4: Customer Information Security Policy
University Rule 3359-11-10.6: Social Security Number Use Policy
University Rule 3359-11-10.8: Identity Theft Detection, Prevention, and Mitigation Policy
University Rule 3359-11-19: Policies and Procedures for Release, Privacy, and Security of Selected Health Information
ITS: Data Classification Standards
ITS: Information Security Incident Reporting & Response Policy
ITS: Secure Access and Data Storage Standards
8. Policy History
Approval Authority: Chief Information Officer
Policy Manager: Chief Information Security Officer
Effective Date: 03/01/2023
Prior Effective Dates: 06/09/2021
Review Date: 06/01/2023