Responsible Office: Office of the Provost
Originally Issued: March 2007
Revised: Not Applicable
Information is one of Georgia Health Sciences University’s most valuable resources and as such requires responsible management by all members of the GHSU community. This policy describes the roles, responsibilities, and classification for institutional data. All institutional data should be used with appropriate and relevant levels of access and with sufficient assurance of its security and integrity in compliance with existing laws, rules, and regulations.
2.0 Scope
This policy addresses the handling of all forms of GHSU data for all members of the GHSU community, including staff, faculty, students, affiliates, volunteers or others.
2.1 Institutional Data Definition
A data element is considered institutional data if it originates or is in the custody and control of Georgia Health Sciences University.
Examples of institutional data include, but are not limited to:
- Elements supporting financial management
- Student curricula
- Student Educational Records
- Medical Data
- Human Research Data
- Personnel management
- Intellectual property
- Intellectual research property
- Capital equipment inventory
Information may be considered institutional data if it satisfies one or more of the following criteria:
- Data used for planning, managing, reporting, or auditing a major administrative function.
- Data referenced or used by an organizational unit to conduct institutional business.
- Data included in an official institutional administrative report.
- Data used for academic or research purposes.
- Data used to derive an element that meets any of the criteria above.
3.0 Policy Data Management Structure
A data management structure is required at Georgia Health Sciences University to ensure proper handling of institutional data. This data management structure should consist of the following positions:
Data trustees are GHSU executives who have overall responsibility for all the data sets maintained by the units reporting to them. Institutional data trustees consist of the Provost, other Vice-Presidents and the Chief Information Officer (CIO). Individually the data trustees are accountable for all the data sets within their division. The CIO has the additional responsibility for ensuring an adequate and appropriate technical infrastructure is in place to support the data needs of the institution across all divisions.
The data trustees are responsible for ensuring that campus institutional data resources are used in ways consistent with the mission of Georgia Health Sciences University. The data trustees have the responsibility for the appointment and accountability of data stewards.
Data stewards, designated by the data trustees, are senior level officials who have planning and policy responsibilities for data in their functional areas. Data stewards, or their designees, are responsible for recommending policies, and establishing procedures and guidelines concerning the accuracy, privacy and integrity of the data subsets for which they are responsible. Individually, data stewards act as advisors to the data trustees and have management responsibilities for data administration issues in their functional areas.
They have overall responsibility for the data in the subsets overseen by all their designated data managers. These responsibilities include:
- Interpreting and implementing federal, state and GHSU policies and guidelines.
- Ensuring data quality and data definition standards are met.
- Identifying the privacy level, such as unrestricted, sensitive, or confidential, for the data subsets.
- Establishing authorization procedures to facilitate appropriate data access as defined by campus data policy and ensuring security for that data.
- Resolving issues related to stewardship of data elements that cross multiple units or divisions. For example, Social Security number may have more than one data steward since it is collected or used in multiple systems, such as financial, human resources, and student systems.
- Developing standard definitions for data elements, including those that cross multiple units or divisions. For example, there should either be a single definition of “full-time employee” or new data elements should be created for each unique definition.
Data managers, designated by the data stewards, are generally operational managers within a functional area overseeing the data for a particular subject area. Data managers have day-to-day responsibility for managing administrative processes and establishing business rules for the transactional systems. They have operational responsibility for the data management activities related to the collection, maintenance, protection, and dissemination of data in their functional areas.
The data manager may authorize operational tasks to be performed by data users outside the units that report to the data manager. The data managers are accountable for the data subsets they manage, whether the data are collected or maintained directly by the data manager (or their staff), by data users in other units or by external sources.
- Reviewing and approving requests for access by other GHSU users, as defined by campus data policy.
- Determining the type of access given to GHSU users.
- Assuring compliance with federal, state and campus regulations regarding the release of, responsible use of, and access to, data.
- Training GHSU users in relevant regulations and proper understanding of data.
- Providing data definitions for each data element within the domain of their operational unit(s).
- Communicating any data definition or database changes to the appropriate data administrator.
- Ensuring the accuracy, privacy and integrity of the data they manage.
- Assisting in the design of data warehouse structures that contain data from their subject areas.
Data users are GHSU employees who have been granted authorization by the data managers to access institutional data. Authorization is granted for a specific level of access, as defined by the data management policies, solely for the conduct of institutional business.
- Following the policies and procedures established by the data stewards for responsible use of the GHSU data.
- Using institutional data only as required to conduct GHSU business.
- Ensuring the privacy of data by viewing and storing data, and the information derived from data, under secure conditions.
- Ensuring accuracy and timeliness of the data they enter or update.
- Collecting, preparing, entering or maintaining data for the authorized unit(s), if authorized by the data manager.
3.2 Data Classification
By default, all institutional data will be designated as internal data for use within GHSU or to satisfy institutional external reporting requirements to the USG Board of Regents (BOR), and to state, federal, or other external agencies. GHSU employees will have access to these data for use in the conduct of GHSU business. The permission to view or query institutional data should be granted to all data users for all legitimate institutional purposes.
As part of the data definition process, data stewards will assign each data element and each data view in institutional data to one of three categories: unrestricted, sensitive, and confidential.
Note: In some circumstances, as long as specific identifying data elements are removed, a data view may include elements of institutional data that would otherwise be sensitive or confidential.
All GHSU information is categorized into three main classifications:
Unrestricted Data is institutional data that has no access restrictions and is available to the general public. These data will be designated as unrestricted or public data. (Example: Information on the public web site).
Sensitive Data is institutional data that is not legally protected, but should not be made public and should only be disclosed under limited circumstances. Users must be granted specific authorization to access since the data’s unauthorized disclosure, alteration, or destruction may cause perceivable damage to the institution.
The following are examples of sensitive data elements:
- All information identifiable to an individual (including students, staff, faculty, trustees, donors, and alumni) including but not limited to dates of birth, driver’s license numbers, employee and student ID numbers, license plate numbers and compensation information.
- The University’s proprietary information including but not limited to intellectual research findings, intellectual property, financial data, and donor and funding sources.
Confidential/Regulated Data is institutional data for which there is a legal obligation not to disclose. These data elements require the highest levels of restriction due to the risk or harm that will result from disclosure or inappropriate use.
The following are examples of confidential data elements:
- Data not releasable under the Georgia Open Records Act or the Georgia Open Meetings Act
- All regulated data
  - Social Security and credit card numbers
  - Family Educational Rights and Privacy Act of 1974 (FERPA)
    - FERPA protects the rights of students by controlling the creation, maintenance, and access to educational records. It guarantees students’ access to their academic records while prohibiting unauthorized access by others.
  - Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    - Standards for securing protected health information in paper, electronic, and oral communication.
    - PHI is individually identifiable health information that is maintained or transmitted in any form or medium. Protected health information excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA).
  - Gramm-Leach-Bliley Act (GLBA)
    - Provides limited privacy protections for private financial information. Additionally, the GLBA codifies protections against pretexting, the practice of obtaining personal information through false pretenses.
    - Implements rules concerning financial privacy notices and the administrative, technical and physical safeguarding of personal information.
4.0 Related Documents
- GHSU Confidentiality Statement
- GHSU Ownership and Retention of Scholarly / Research Records
- GHSU Intellectual Property Policy – Faculty Manual
- GHSU Intellectual Property – Research Related Policy
- GHSU Conduct of Research Policy
- HIPAA – List of 18 Identifiers and definition of PHI
- FERPA Annual Notification
- FERPA Banner Security