ºÚÁϳԹÏÍø

ºÚÁϳԹÏÍø Logo     
Policy No: 2108
Responsible Office: Office of Institutional Effectiveness
Last Review Date: 05/04/2023
Next Required Review: 05/04/2028
Policy No: 2108
Responsible Office: Office of Institutional Effectiveness
Last Review Date: 05/04/2023
Next Required Review: 05/04/2028

Access and Use of Student & Employee Data


1. Purpose

This policy outlines the ºÚÁϳԹÏÍø’s (ºÚÁϳԹÏÍø) approach to access and responsible use of employee and student data; other policies may apply to specific data or databases. This policy refers to educational, research, and administrative use of non-aggregated personally identifiable student or employee information. To ensure that such access is authorized and based on the principles of need to know, that its use is appropriate, and that authorized access complies with ºÚÁϳԹÏÍø policies, standards and rules, and relevant state and federal laws.

2. Applicability

This Policy applies to University General Division, including any individual or group such as faculty, staff, student, student organization, or non-ºÚÁϳԹÏÍø researcher, vendor, or agency that wishes to access and use student or employee personally identifiable data.

3. Definitions

Non-aggregate Data:  includes identifying information such as student or employee names, emails, or J-numbers.

FERPA:  the Family Educational Rights and Privacy Act of 1974, is a federal law about releasing and accessing educational records. FERPA permits university officials to access and use student records for legitimate educational purposes. Click here for more information.

Legitimate Interest:  is a need to access, review, or use confidential data that arise within the scope of University employment and/or in the performance of authorized duties to perform an appropriate University research, educational, or administrative function.

Personally Identifiable Information:  is any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means (i.e., name, email, J-number, etc.)

University Official:  is someone employed by the university and determined to have a legitimate interest in the student or employee records to perform appropriate tasks specific to their position description; perform tasks related to education or disciplinary action; to provide a service or benefit to the student, student’s family, employee, or employee’s family. The University may also designate an outside vendor as a University official for purposes of FERPA where access to student data is needed for the vendor to perform its contractual obligations to the University.

4. Policy Guidelines

The ºÚÁϳԹÏÍø's Chief Human Resources Officer or his or her delegate shall consider, for approval, requests for non-aggregated personally identifiable employee data for legitimate administrative, research, or non-research purposes. Requests for non-aggregated personally identifiable student data for legitimate administrative, research, or non-research educational purposes shall be considered by the Registrar or his or her delegate for approval to the extent the requests are consistent with the Family Educational Rights and Privacy Act (FERPA) and other federal or state provisions designed to protect the privacy of personal information.  Additionally, the University’s Institutional Review Board (IRB) has protocols that consider the requirements of FERPA and other federal or state provisions designed to protect the privacy of personally identifiable information that must also be considered.

The ºÚÁϳԹÏÍø employees must be authorized to access ºÚÁϳԹÏÍø student or employee data. Student and employee information may be provided to University officials conducting research projects approved by IRB. Approval of IRB does not imply or guarantee access to student or employee data.

  • Access to student and employee personally identifiable information must align with approved Banner security forms and requirements.
  • Access to student education records must comply with FERPA and applicable federal and state provisions designed to protect the privacy of personally identifiable information. The Registrar or his or her delegate must approve the use of non-aggregated personally identifiable student data for legitimate research purposes beyond the scope of FERPA.
  • Access to employee information must comply with applicable federal and state provisions designed to protect the privacy of personally identifiable information. The Chief Human Resources Officer or his or her delegate must approve the use of non-aggregated personally identifiable employee information for legitimate research purposes.

4.1  Access and Use of ºÚÁϳԹÏÍø Student Data

4.1.1  Student data shall be released only when job-related, need-to-know, and solely to the extent permitted by applicable federal or state law.

4.1.2  Student data shall be used solely for the approved research project or administrative purposes.

4.1.3  Student data shall not be disclosed to any unauthorized party or used beyond its intended purpose.

4.2  Access and use of ºÚÁϳԹÏÍø Employee Data

4.2.1  Employee data shall be released only when job-related, need-to-know, and solely to the extent permitted by applicable federal or state law.

4.2.2  Employee data shall be used solely for the approved research project or administrative purposes.

4.2.3  Employee data shall not be disclosed to any unauthorized party or used beyond its intended purpose.

5. Procedures

Student and employee data is not provided to the public, including individuals, businesses, and organizations outside of the university community.  

5.1  Employee Data Request

A request must be submitted to the Chief Human Resources Officer or his or her delegate to access and use employee personally identifiable data.

5.2  Student Data Request

A request must be submitted to the Registrar or his or her delegate to access and use student personally identifiable data.

5.3  Request Approval

Requests for employee and student data are evaluated on a case-by-case basis and are approved or denied by The Chief Human Resources Officer or Registrar (or their delegates, respectively). The timeliness of the request approval is dependent on the complexity of the request.

5.4  Data Use

Employee and student data are released for use by the requestor only. 

5.5  Third-party Applications

Using third-party applications (e.g., Survey Monkey or Qualtrics) to host data is acceptable. Careful attention should be paid to ensure employee and student record information is not collected or maintained by non-contracted vendors.

6. Enforcement

University employees must abide by the policies governing access and responsible use of student and employee personally identifiable data. Inappropriate access, use, or misuse of student and employee information violates University policy and state and federal laws. The end user is responsible for being aware of legal requirements for access to data, responsible use of data, and destruction of data when no longer needed. Failure to adhere to the requirements of this policy may result in discipline up to and including termination of employment or dismissal from ºÚÁϳԹÏÍø (see Staff Employee Handbook, Section 6.13 for further details). In addition to disciplinary action, offenders will be subject to possible referral of the violation to the proper authorities.

7. Related Documents

Links to related web pages and policies are provided below.

7.1 

7.2 

7.3 

7.4  Research Data Management Practices Policy

7.5  Information Systems Security Policy

7.6    (link to be updated when it is published to the Policy Library)

7.7  Confidential Data Protection Policy