The Committee of Data Stewards is responsible for recommending policies and establishing procedures and guidelines for university-wide management of institutional data. From time to time the Committee will issue notices in order to promote the appropriate dissemination, storage, use, and security of institutional data to those persons involved in managing and authorizing access to those data on a daily basis. The data managers are urged to share these notices with the end-users of university data within their functional areas.
Important Points:
- Data classified as restricted may be accessed only by those whose positions explicitly require such access.
- Except for elements labeled by IU as “directory ” information, student information is classified as restricted in accordance with Federal law. Among the many restricted data items are student identification number/SSN, grades, hours completed, GPA, current class schedule, date of birth, and parent name and address.
- The only employee data considered not restricted are name, department, rank, title, service date, and base payrate. Examples of restricted access employee information are SSN, benefits enrollment and use, date of birth, ethnic group, sex, payroll data, and home address.
- Data categorized as restricted should never be stored on individual employee workstations. The only appropriate departmental location for such data is a properly configured and managed server.
- When restricted access university data are stored on appropriate servers they should not include SSN unless they are keys to linking with other files.
- SSN must not be collected from individuals nor extracted from central systems and stored on departmental servers unless doing so is absolutely required to maintain the business functions of the office involved.
- To preserve human protection standards for survey research and FERPA requirements for non-directory student records, all program evaluation and assessment data should be stored in such a way that responses are not associated with individual names or SSN. Linkage files containing the association of protected data to individuals should be placed in different directories and with different naming conventions to obscure the connection and should be permanently deleted when no longer needed.
- Unattended workstations with access to directories containing restricted data should be logged off, locked, or otherwise made inaccessible to individuals without access rights.
References and Resources:
- Campus Registrars Offices or University Counsel will handle questions on the impact of the federal Family Educational Rights and Privacy Act (FERPA) on IU student record use. Updates to the official IU policy, “Release of Student Information Policy,” to broaden the definition of “school official” and to make e-mail address public, among others, are being implemented. As soon as these are published, a notice will be sent out among the university community. In the interim, the concepts are contained in the document, “Indiana University’s Annual Notification of Students Rights under FERPA,” available on-line at http://www.indiana.edu/~iues/ferpa.htm.
- The Committee of Data Stewards is currently working with the Information Technology Policy Office to identify criteria to help in assessing the levels of risk associated with the wide variety of server installations throughout the university.
- The university’s data administration policies and complete listing of the members of the Committee of Data Stewards are available at our Data Management pages. Members are ready to answer questions you may have regarding these policies and issues. To contact the Committee of Data Stewards, send an email to iudata@iu.edu.
