Reviewing Requests

ADMINISTRATIVE PROCEDURE

Procedure for Reviewing Requests for Access to University Information for Internal Use

Procedure Contents

  • Related Policy
  • Entities Affected
  • Procedure Context
  • Procedure
  • Forms/Instructions
  • FAQ
  • Related Information
  • History

Effective Date:  22 October 2012

Last Updated:  14 April 2017

Responsible University Officer:

VP Technology/CIO

 

Procedure Owner:  J. Kelly Flanagan

(responsible for developing, implementing, &

   managing the procedure)

 

Procedure Contact:  Christine Tolman

 (First point of contact for procedure users)

  

 

RELATED POLICY:  

Information Security and Appropriate Use

ENTITIES AFFECTED BY THIS PROCEDURE: 

Any persons with responsibility for reviewing and approving requests for access to university information

PROCEDURE CONTEXT:

The value of information as an institutional resource is enhanced through appropriate use; its value is diminished through misuse, misinterpretation, or unnecessary restrictions to its access.  Therefore, permission to access institutional data should be granted to all authorized employees of the university for all legitimate university purposes.


PROCEDURE:

  1. Verify that the request is for a legitimate university purpose (as indicated by line leader’s approval).
  2. Clarify the request
    1. Is the requested information within your stewardship?
      1. If more than one information steward is a stakeholder, each steward will be given the opportunity to review the request for the specific information within their stewardship.
    2. If the requested information is data
      1. Have the specific data fields been identified?
      2. Has the type of access for each data field been described? (Read Only, Update, Delete, or Create)?
    3. How current does the information need to be?
    4. Are the authorizations for access for a single person or a group?
    5. What is the best way of delivering the information requested (web service, data mart, or data feed)?
  3. Determine whether the requested information is Public, Internal, Confidential, or Highly Confidential (see Information Classification table below).  Information that has not yet been classified is considered Confidential until a classification is proposed by the Information Steward and approved by the Information Trustee.
  4. Given the classification of the information requested, determine the access, usage, security, transmission, and storage requirements using the following table as a guide.

 

BYU INFORMATION CLASSIFICATION

 

Public

Internal

Confidential

Highly Confidential

Classification Description

 

Information which may, or must, be available to the  public and has been formally approved for public release

Information which is generally accessible within the University to those with a legitimate university purpose as allowed by statute, regulations, other legal obligations or mandates or policy; not intended for entities or persons outside the University. 

Information which requires special handling and controls specific to each work environment that limit access and use; may not be specifically protected by statute, regulations, or other legal obligations or mandates, but is considered by the University’s senior management to be private and confidential and as such must be protected against unauthorized use, access, disclosure, acquisition, modification, loss, or deletion.

Information which requires the strictest rules of handling and  usage; is protected and/or regulated by statutes, policies, or regulations; may also include information for which an Information Trustee has exercised his or her right to restrict access.

Examples

Course catalog, directory information including addresses (NOTE:  Individuals can request that access to their public information be restricted in which case it is treated as Restricted information.)

 

Full date of birth, ethnicity, donor contact information, contracts

Student Academic Record (FERPA), non-directory information, social security number, credit card number, health insurance policy ID number, driver license number

Access and Usage Restrictions

Available without restrictions for internal use.

Generally available to those within the University with a legitimate need and approved by their line manager.

Limited to those with a need to know and approved by their line manager and the information steward. 

Limited to those with a need to know as permitted by law or regulation and approved by their line manager and the information steward

Sharing Agreement

None

None

Required

Required

Training Requirements

None

As needed (e.g. FERPA, PCI)

As needed (e.g. FERPA, PCI)

As needed (e.g. FERPA, PCI)

Security Requirements

 

None

Verified compliance with BYU’s Basic Security Standards

Verified compliance with BYU’s Basic Security Standards

Verified compliance with BYU’s Enhanced Security Standards

Transmission Requirements

 

None

Good judgement to ensure the information is protected against unauthorized use, access, disclosure, acquisition, modification, loss or deletion.

BYU-approved encryption is strongly recommended when transmitting information through a network. 

 

Third party email services are discouraged for transmitting confidential information.

BYU-approved encryption is required when transmitting information through a network.

Third party email services are not authorized for transmitting Restricted information.

Restricted numbers may be masked instead of encrypted.

 

Storage Requirements

None

Good judgement to ensure the information is protected against unauthorized use, access, disclosure, acquisition, modification, loss or deletion.

BYU-approved encryption is strongly recommended and secure location.

 

Storage by third party (cloud) services is permitted (see Cloud Computing Guidelines for special considerations)

 

See BYU’s Basic Security Standards.

BYU-approved encryption is required for some data elements (e.g., credit card numbers).

 

Storage by third party (cloud) services permitted only if a contract approved by the university CIO is in place with the provider.  (See Acquiring Cloud Services procedure)

 

See BYU’s Enhanced Security Standards.

 

  1. Collaborate with the Information Requester to complete the Data Sharing Agreement by adding Terms of Use as suggested by the table above and any additional clarifications that are unique to your organization and the needs of the request.
  2. Once agreement is reached, the Information Steward and Information User record their approval of the documented Data Sharing Agreement.
  3. Access is granted and executed by the designated Information Systems Manager.
  4. The Data Sharing Agreement is added to the information governance repository for future reference.

 

FORMS/INSTRUCTIONS

The key online forms related to this procedure are:

  • Access Request Form
  • Data Sharing Agreement

FREQUENTLY ASKED QUESTIONS

There are no frequently asked questions for this procedure—yet.

RELATED INFORMATION

Access to Student Records Policy

Access to Student Records Procedure

Institutional Assessment and Analysis; Information/Study Request Policy

Computer and Electronic Communications General Use Policy

HISTORY

Original Effective Date:

22 October 2012

 

Superseded:

14 April 2017