|POLICY SOURCE: Data Integrity - Data Integrity Manual||POLICY NO: 1386|
|TITLE: Admin Electronic Information Policy||SUBMITTED BY: None Assigned|
|DATE: Apr 1, 2009||APPROVED BY: None Assigned|
Admin Electronic Information Policy
Purpose
Administrative Responsibility
Access to Official University Records
Information Access Definitions
Module Managers
User Responsibility
Purpose
This policy statement establishes measures for the protection, access, and use of Florida Tech's administrative electronic information and equipment. It also defines the responsibilities of all who access and manage the data and equipment. Offices may have individual guidelines that supplement, but do not supplant or contradict, this policy statement. Data entrusted to the university by other organizations (e.g., foundations and government agencies) are governed by terms and conditions agreed upon with those organizations. Specific issues not governed by such agreed terms shall be governed by this policy.
By law, certain electronic institutional data is confidential and may not be released without proper authorization. Employees should adhere to any applicable federal and state laws concerning storage, retention, use, release, and destruction of data.
All levels of administrative management shall ensure that, for their areas of accountability, each information system user knows his/her responsibilities as defined in this policy. Each system user shall read and understand this policy statement before accessing the system.
Electronic data is owned by the institution and is a vital university asset. All institutional data, whether maintained in the central database or copied into other data systems including microcomputers, remains the property of the university and is governed by this policy statement. Access to data is not approved for use outside an individual's official university responsibility.
Computerized institutional data shall be used only for the legitimate business of Florida Tech. Administrative computing services and facilities shall be used only as required in the performance of job functions.
Supervising administrators shall ensure a secure office environment with regard to all institutional information systems. Administrators shall validate the access requirements of their staff according to job functions, before submitting requests for the provision of access.
Under no circumstances shall anyone use institutional electronic data (in detail or summary) in any publication, seminar, or professional presentation, or otherwise release data, in any form, outside the university without prior written approval from the appropriate module manager or the appropriate executive officer(s). Data should never be left on any system to which access is not controlled.
As a general principle of access, university data (regardless of who collects or maintains it) shall be shared among those employees whose work can be done more effectively by knowledge of such information. Although the university must protect the security and confidentiality of data, the procedures to allow access to data must not unduly interfere with the efficient conduct of university business.
All information systems owned by Florida Tech shall be constructed to assure that 1) accuracy and completeness of all system contents are maintained during storage and processing; 2) system capabilities can be re-established within an appropriate time after loss or damage by accident, malfunction, breach of security, or natural disaster; and 3) actual or attempted breaches of security can be detected promptly and controlled.
Access to Official University Records
The following outlines the requirements and limitations for all university departments to follow in obtaining permission for inquiry and update access to the university's official records and to impress upon all employees that data security is everyone's responsibility.
Employees are not to loan or share their access codes with anyone. If it is found that access codes are being loaned or shared, employees who are assigned access to records are subject to disciplinary action, up to and including immediate dismissal.
Departments should take steps to ensure that they have an alternate person assigned as backup for each office function, and that this individual has access to the system functions required to perform these back-up functions.
Departments may request access authorization for an employee by completing and submitting a System Access Authorization Request Form (including the signed confidentiality statement) to the required module manager. The module manager will review and approve or deny the request. Once approved, the module manager will forward both copies to the Systems Training Coordinator for access update. If a request is questioned or denied, the requesting department will be contacted by the module manager.
Under no circumstances will access authorization be granted without written approval of the department head and the module manager. (For complete instructions see System Access Authorization Request Form.)
All employees are required to sign for the Employee Handbook, which indicates an agreement to abide by the university's policy on confidentiality.
Additionally, as each new system access is requested, the department must have the employee, temporary employee, or student worker sign the confidentiality agreement that is on the system access request form.
Temporary employees and student employees who are required to have access to online records must use a system access code defined specifically for the given role. A personal access code must be assigned with access limited to the specific function needed if update capability is required. This allows updates to be tracked to a specific user access code and a specific person.
Temporary employees and students will not be given update capability for financial transactions, HR/Payroll transactions, validation tables, and transactions that directly affect the student transcript (such as grades) unless specifically approved by the appropriate Module Manager.
It is the department manager's responsibility to ensure that system access is canceled for employees and students who no longer work in their area. This includes employees and students who have transferred to another department. A written notification to remove all access capabilities must be submitted to the Systems Training Coordinator immediately after employment transfer or termination.
Student access codes will automatically expire at the end of each term, and must be re-authorized by submitting a new system access request if continued access is required.
Human Resources will provide the Administrative Computing Office with a termination list on a monthly basis. This does not eliminate the department manager's responsibility to communicate terminations in a timely manner, but provides a back-up system to ensure that this closure occurs.
Any exceptions to the above policy must be requested in writing with justification and be approved by the Vice President for Financial Affairs and the module manager.
Information Access Definitions
Two types of access can be granted to users.
Query-only access enables the user to view, analyze, and download, but not change, institutional data. Once information is downloaded, however, data can, but should not, be altered in word processing documents or spreadsheets. Downloaded information should be used and represented responsibly and accurately.
Maintenance access provides both inquiry and update capability. Update capability is generally limited to the offices directly responsible for the collection and management of the data. Update access is available to administrators and users who have an authorized need to change institutional data in the routine performance of their job duties.
Each user of administrative information is assigned appropriate combinations of query-only and maintenance access to specific parts of the administrative information system. The types of access are determined by the module managers.
Module Managers
A module manager, usually an administrator of a university office or department, may make data available to others within his or her purview for use and support of the unit's functions.
Before granting access to data, the module manager shall be satisfied that protection requirements have been implemented and that a "need to know" is clearly demonstrated. By approving end-user access to institutional data, the module manager consents to the use of this data within the normal business functions of administrative and academic offices. Access to institutional data shall not be granted to persons unless there is an established "need to know."
Module managers are responsible for the accuracy and completeness of data files in their areas. Misuse or inappropriate use by individuals will result in revocation of the user's access privileges. Module managers are also responsible for the maintenance and control of the administrative information system's validation and rule tables because these tables define how business is conducted at Florida Tech.
Florida Tech Module Managers:
Student Systems: Registrar
Finance Systems: Director of Business Services
Financial Aid Systems: Director of Financial Aid
Human Resources: Director of Human Resources
General Systems: Module Managers
User Responsibility
Users should exercise due care in using the institution's electronic information systems, both the central institutional database and all departmental systems, to protect data files from unauthorized use, disclosure, alteration, or destruction. Each person is responsible for security, privacy, and control of his/her own data. Each user is responsible for all transactions occurring during the use of his/her log-in name and password.