Purpose and Scope
Administrative data captured and maintained at Worcester Polytechnic Institute (WPI) are a valuable university resource. While these data may reside in different database management systems and on different machines, these data in aggregate form one unified digital campus. (UDC) The enterprise system contains data from multiple operational areas that need to be integrated in order to support institutional research, business analysis, reporting, and decision making.
The purpose of this Data Access Policy is to ensure the security, confidentiality and appropriate use of all data which is processed, stored, maintained, or transmitted on WPI computer systems and networks. This includes protection from unauthorized modification, destruction, or disclosure, whether intentional or accidental. By law and WPI policy, certain data is confidential and may not be released without proper authorization. This policy is intended to serve as a general overview on the topic and may be supplemented by other specific policies and regulations such as the Massachusetts Privacy Law, the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), the Gramm Leach Bliley Act, and other federal or state regulations pertaining to the protection of information.
The Data Access Policy applies to members of the WPI community who have or are requesting access to WPI "business information". It applies not only to stored information but also to the use of the information in business and other processes.
Definitions
Business Information - Includes data related to the operations of WPI including but not limited to financial, employment, academic, intellectual property and other types of data. Class - A group of access assignments that define a job function. Data - A set of information used in a business process. Query access - Access enabling the user to view but not update data. Maintenance access - Access enabling the user to both view and update data. This access is limited to users directly responsible for the collection and maintenance of data. Module - A collection of objects that support a business process. Objects - Data that is organized in a logical fashion such as databases or database tables/views, file systems and directories, reports and forms. Role - A collection of classes. Roles will be established based on job function. Specific capabilities will be assigned to each role. Each user will be assigned a role. Some users may be assigned several roles depending on specific needs identified by their division/department head and approved by the Data Steward(s). System - A collection of modules. Systems at WPI include but are not limited to: Banner modules including Human Resources, Finance, Student, Financial Aid, Accounts Receivable, Alumni and Development, Operational Data Stores (ODS), Enterprise Data Warehouses (EDW), Luminis, fsaAtlas, and any other related or third-party interfaces to these systems.
Data Administration
Individuals must adhere to any applicable federal and state laws as well as WPI policies and procedures concerning storage, retention, use, release, and destruction of data.
All WPI data, whether maintained in the central database or captured by other data systems, including personal computers or other storage devices, remains the property of WPI and is covered by all WPI data policies. Access to and use of data should be approved only for legitimate WPI business. Data (regardless of how collected or maintained) will only be shared among those employees who have demonstrated a job related need to know.
Data administration is defined by the following roles:
Data Access Administrator - Database Administrator or appropriately assigned IT professional(s) in the CCC responsible for processing approved requests. Data Owner - Data Owners are responsible for determining who should have access to data within their jurisdiction, and what those access privileges should be. Responsibilities for implementing security measures may be delegated, though accountability remains with the owner of the data. Data Stewards - Data Stewards oversee data management functions related to the capture, maintenance and dissemination of data for a particular operational area. They are responsible for the general administration of user access to data within their area(s) of responsibility. Data Stewards are appointed by the respective Data Owner. It is expected that the Data Steward has knowledge of the details associated with the objects, roles and classes (schemes) as it pertains to their area of responsibility within their module, or other related systems. Data Stewards without this knowledge will require training. Steering Committee - The Data Access Working Group as assigned by Governance that works in a consultative role with modular data stewards. This group provides expertise for all data systems across the enterprise, and interacts as needed with the data stewards (i.e., HR, Student, Finance, Financial Aid, Alumni and Development data stewards, etc). Users - Data users are individuals who access enterprise data in order to perform their assigned duties or fulfill their role in the WPI community.
Role Membership
| Data Owner Area of Responsibility | Data Owner(s) |
|---|---|
| Banner General | Governance Working Group |
| Student System (Admissions, Enrollment, & Registration) | Vice President of Enrollment Management |
| Student System (Student Activities, & Residential Services) | Vice President of Student Affairs & Campus Life |
| Student Financial Aid System | Vice President of Enrollment Management |
| Finance System | CFO & Executive Vice President of Finance & Operations |
| Human Resources System | Vice President of Human Resources |
| Faculty Academic Records | Provost & Sr. Vice President |
| Alumni and Development | Vice President for Development & Alumni Relations |
| Data Steward Area of Responsibility | Data Steward(s) |
|---|---|
| Banner General | Data Stewardship Working Group |
| Student System (Admissions, Enrollment, & Registration) | University Registrar, Director of Admissions, Director of Graduate Admissions |
| Student System (Student Activities, & Residential Services) | Dean of Students, Director of Student Development, Director of Residential Services, Director of Athletics, Director/Nurse Practitioner, Director International Students/Schools, Director of Career Development, Director of Student Activities |
| Student Financial Aid System | Director of Financial Aid |
| Finance System | University Controller |
| Human Resources System | Associate Director of Human Resources |
| Faculty Academic Records | Director of Academic Operations |
| Accounts Receivable | Director of Financial Services, Bursar |
| Payroll | Controller, Associate Controller |
| Alumni and Development | Development & Technology Specialist |
| Data Access Administrator(s) |
|---|
| Senior Database Administrator |
| Database Administrator |
| ERP Administrator |
| Assoc VP for IT & Assoc CIO |
Supervisors will review the data access needs of their staff, with support of the data stewards and the Steering Committee, as it pertains to their job functions before requesting access via the Access Request Form.
Access to Data
Below are the requirements and limitations for all WPI divisions/departments to follow in obtaining permission for access to data.
- Supervisors must request access authorization for each user under their supervision by completing and submitting an Access Request Form to the Data Steward for the area the data resides in.
- Based on reasonable business need, the Data Steward will recommend access approval or denial to the Data Owner and document the decision of the Data Owner.
- Data Stewards will communicate to the Data Owner when access is granted or denied and the reasons for denial.
- Data Stewards may need to create new roles or classes OR adjust existing roles or classes. These changes must be approved by the Data Owner.
- Approved requests will be forwarded to the Data Access Administrator for processing. Data Access Administrator may request clarification of the request in light of technical requirements.
For requests that the Data Stewards receive that are inter-modular, the Data Steward will forward the request to their Data Owner. The Data Owner of the requesting department will discuss the needs with the Data Owner of the module in which the access is being requested. On tacit approval of the Data Owners, the Data Stewards of the affected areas will create a role or class that is appropriate for the user and submit it to the Data Owner of the module that the access is being requested for approval. If the Data Owners cannot come to a consensus, the request will be brought before the Governance Working Group.
The use of generic accounts is prohibited for any use that could contain protected data.
Audits
Audits are done to ensure that an employee's job is commensurate to their level of access. The definition of an audit will be included in the Data Access Audit Standard. Audits may result in changes to an employee's data access.
An annual audit will be conducted by the Data Stewards, the analysis of which will be submitted to the Data Owner for approval.
Unscheduled audits will be conducted when any job, position and/or status changes.
Security
Methods to access data via electronic services are defined in the ERP System Security Standard.
Data Access Qualification Standard
Criteria for data access to specified data sets are defined in the Data Access Qualification Standard and defined by the modular Data Owner.
Revision History
- September 23, 2009 - Submitted by Data Access Working Group (DAWG) and approved by Governance Working Group (GWG).