Information Technology Services

Brandeis University Data Access Protocol

Purpose

This protocol outlines requirements for granting and revoking access to confidential, restricted and regulated data. Its purpose is to ensure that access to confidential, restricted and regulated data is authorized and that data with a need for protection are used appropriately in compliance with Brandeis Data Governance Policy and relevant state and federal laws.

Context

This protocol is part of the Data Governance Program established by the Brandeis Data Governance Policy document. Definitions of university data are found in the Data Governance Policy Document, and definitions of public, confidential, restricted and regulated data are found in the Brandeis Data Classification Standard, also a part of the Data Governance Program.

Scope

This protocol applies to access to confidential, restricted and regulated data maintained by the university or a party acting on the behalf of the university. This protocol does not apply to data or records that are personal property of a member of the university community, research data or data created and/or kept by individual employees or affiliates for their own personal use. Requests for records by the public are outside of the scope of this protocol and shall be handled by the program director for University Records Management. This protocol also does not apply to situations in which the university is legally compelled to provide access to information.

This protocol applies to all who use university data, including employees and volunteers, whether full or part time, including administrative staff, contracted and temporary workers, consultants, interns and student employees working on a Brandeis System with the ability to access university data.

Protocol Statements

  • University data are classified by data trustees in accordance with the Brandeis Data Classification Standard to identify the level of confidentiality needs and legal requirements for the data before access is granted.
  • Access to confidential, restricted and regulated data is approved by the designated data trustee.
    • Data trustees grant access in compliance with the Brandeis Data Governance Policy and all relevant regulations (e.g., FERPA, HIPAA).
    • Data trustees grant access only to those employees, affiliates and systems that need access to perform their job duties or mission.
  • Data trustees ensure that procedures for requesting and approving access to confidential, restricted and regulated data exist and are followed.
    • Data trustees implement procedures for regularly auditing access to confidential, restricted and regulated data and revoking access when it is no longer needed or authorized.
    • Procedures may vary from data trustee to data trustee as necessary to accommodate different data trustee mission/resources/etc. and different groups of data stewards and data users.
      • All procedures should include sufficient tracking for requests, approvals and revocations such that authorized access to confidential, restricted and regulated data is auditable.
      • All procedures related to access to data housed within the same system should be consistent.
      • Procedures for access requests for centralized systems will be proposed for adoption by data trustees and data stewards, following their review and approval.
      • As workflow related to the access request is defined and implemented, attempts should be made to minimize the number of steps required.
  • Data users must responsibly use data to which they have access, including only using the data for its intended business purpose and respecting the privacy of members of the university community.
    • Data users must maintain the confidentiality of data in accordance with all applicable laws and the Brandeis Data Classification Standard.
    • Authorized access to confidential, restricted and regulated data does not imply authorization for copying, further dissemination of data, or any use other than the use for which the employee was authorized by the data trustee.
    • Individuals receiving approved data access must acknowledge the Brandeis University Nondisclosure Agreement.
    • Educational materials are being developed as part of the Data Governance Program to ensure that individuals receiving data access understand the Brandeis data classifications and what can/cannot be shared.
  • A data trustee may delegate the ability to approve access to confidential, restricted and regulated data to data stewards within their domains.
    • A data trustee may delegate by creating procedures through which data stewards may approve access by employees that have certain pre-approved roles and responsibilities.
    • Access decisions should be based on roles and responsibilities and not evaluated on an individual basis.
  • Access to confidential, restricted and regulated data by external parties shall be governed by individual contractual agreement or memoranda of understanding if the third party is a governmental organization. Such contractual agreements shall be approved by Brandeis General Counsel and by the appropriate data trustee.
  • As part of the implementation of the protocol, audit and compliance protocol statements will be incorporated into this document.
  • The Office of Chief Information Officer is responsible for enforcing this protocol.
    • Violation of this protocol may incur the same types of disciplinary measures and consequences as violations of other university policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a Student Code of Conduct violation.
    • Violation of this protocol may also result in termination of contracts or commitments to vendors and other affiliates. Legal action may be pursued where appropriate.

Definitions

Access

Flow of information between a store of data and a user, system or process. A user, system or process is considered to have access to data if it has one or more of the following privileges: the ability to read or view the data, update the existing data, create new data, delete data or the ability to make a copy of the data. Access can be provided either on a continual basis or alternatively on a one-time or ad hoc basis. Transferring any data from one party to another in any medium is tantamount to permitting access to those data.

Brandeis Systems

Systems of record for Brandeis administrative and academic functions which house university data, including Workday, Slate, Moodle, Salesforce, Explorance Blue and other systems which integrate with these systems.

Relevant Policies and Standards

  • Brandeis Data Governance Policy
  • Brandeis Data Classification Standard
  • Brandeis University Nondisclosure Agreement

Protocol Owner

  • Information Technology Services

Version History

| Version | Comment | Access | Date |
|---|---|---|---|
| .1 | Draft protocol | Proposed | Aug. 23, 2021 |
| .2 | Preparation for final version for review/approval by the Council of Data Trustees | Draft | April 28, 2022 |
| 1.0 | | Approved | Aug. 22, 2022 |