Administrative Data Access
Effective: June 24, 1994 (President's Cabinet)
Table of Contents
- Definition of Administrative Data
- Roles and Responsibilities
- Requests for Access to University Administrative Data
- Definition of Important Terms
Information maintained by the University is a vital asset that will be available to all employees who have a legitimate need for it, consistent with the University's responsibility to preserve and protect such information by all appropriate means. The University is the owner of all administrative data; individual units or departments may have stewardship responsibilities for portions of that data. The University intends that the volume of freely accessible data be as great as possible, given limitations of budget.
The value of data as an institutional resource is increased through its widespread and appropriate use; its value is diminished through misuse, misinterpretation, unnecessary restrictions to its access, or failure to maintain quality. The University expressly forbids the use of administrative data for anything but the conduct of University business. Employees accessing data must observe requirements for confidentiality and privacy, must comply with protection and control procedures, and must accurately present the data in any use. In addition, the University and its employees do comply with applicable state and federal laws and regulations, including State ITRM standards and guidelines.
The University determines levels of access to administrative data according to principles drawn from various sources. State and federal law provides clear description of some types of information to which access must be restricted. In an academic community, ethical considerations are another important factor in determining access to administrative data (see Appendix A).
The University's data base consists of information critical to the success of the University as a whole. The University data base is shared data, managed within a conceptual framework. It is likely that the University data base will be distributed across processing units both within and outside the University. Specific types of data, such as research data and electronic mail "boxes," may be covered by specially tailored policies.
Data may be digital text, graphics, images, sound, or video. The University regards data that are maintained in support of a functional unit's operation as part of the University's administrative data base if they meet at least one of the following criteria:
- if at least two administrative operations of the University use the data and consider the data essential;
- if integration of related information requires the data;
- if the University must ensure the quality of the data to comply with legal and administrative requirements for supporting statistical and historical information externally;
- if a broad cross section of University employees refers to or maintains the data; or
- if the University needs the data to plan.
Some examples of admininstrative data include student course grades, patient records, employee salary information, vendor payments, and the University's annual Data Digest. Administrative data does not include personal electronic calendar information and similar material.
As part of their jobs, University employees take on various roles and responsibilities with respect to University administrative data. Under the guidance of various University leaders, some individuals fill stewardship roles spanning one or more data domains and others fill data access management roles for one or more specific information system, e.g., the Student Information System. In addition, all individuals granted access to administrative data are responsible for ensuring their use of such data complies with requirements outlined in the “Responsibilities of Data Users” section of this policy.
Legally Restricted or Limited-Access Data
Access to legally restricted or limited-access data (for definitions of the three categories of University administrative data, see Appendix A) by University employees, employees of University-related foundations, or non-U.Va. employees sponsored by a University manager requires that a formal request be made to the appropriate data access approver.
All requests for exceptions to data access policies must be made in writing to the data access approver. E-mail requests are acceptable. The request must specify the data desired and their intended use.
The data access approver must provide a written record of the reasons for denial of any request to access University administrative data. E-mail records are acceptable.
Members of the University community may appeal any decision that denies access to University administrative data. Appeals may be made to the appropriate data steward.
Use of administrative data only in the conduct of University business
The University expressly forbids the disclosure of unpublished administrative data or the distribution of such data in any medium, except as required by an employee's job responsibilities and approved in advance by the data access approver. In this context, disclosure means giving the data to persons not previously authorized to have any type of access to it. The University also forbids the use of any administrative data for one's own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity.
Maintenance of confidentiality and privacy
Users will respect the confidentiality and privacy of individuals whose records they access, observe any ethical restrictions that apply to data they access, and abide by applicable laws and policies with respect to accessing, using, or disclosing information. All data users having any access to legally restricted or limited-access data will formally acknowledge (by signed statement or some other means) their understanding of the level of access provided and their responsibility to maintain the confidentiality of data. Each data user will be responsible for the consequences of any misuse.
- Use of administrative data only in the conduct of University business
Protection of Data
Users will comply with all protection standards for administrative data to which they have been granted the ability to view, copy or download.
Accurate presentation of data
Users will be responsible for the accurate presentation of administrative data, and will be responsible for the consequences of any intentional misrepresentation of that data.
Maintenance of data quality
Users are responsible for notifying data stewards or data access approvers when they recognize that data is in error, incomplete, obsolete or missing.
Categories (of data): see Appendix A
Not sensitive -- see Appendix A
Highly sensitive -- see Appendix A
Moderately sensitive -- see Appendix A
Domain (of data): The entire collection of data for which a University employee assigned the role and responsibilities of an Executive Data Steward, Data Steward, or Deputy Data Steward is responsible. The data domain also includes rules and processes related to the data.
Quality (of data): In this context, quality is a collective characteristic that encompasses utility, objectivity, integrity, accuracy and completeness. Data quality is supported by presentation in an accurate, clear, complete, and unbiased manner, with sources identified in appropriate fashion, with potential sources of error identified, and with disclosure of the degree to which the data has been protected from unauthorized access or revision, from compromise through corruption, and from falsification.
Revisions: August 2012, October 2001, September 1996, August, 2012