The University of Memphis

Data Access



POLICIES

Issued:  October 7, 2016
Responsible Official:  Chief Information Officer
Responsible Office:  Information Technology Services

Policy Statement


Policy Statement

Information is one of the University's most valuable assets.  Consistent with the University's obligation to preserve and protect such information by all appropriate means, it must be made available to all employees who have a valid business purpose for its use.  The University, as the owner of all data, has delegated its oversight to the Chief Information Officer (CIO).

The value of data as an institutional resource is increased through widespread and appropriate use; thus, the University intends that the volume of freely accessible data be as great as possible while recognizing its responsibility to appropriately secure the data.  Therefore, procedures established to protect University data cannot unduly interfere with the efficient conduct of University business and the need to conduct University business can not unduly interfere with the protection of University data.



Purpose


 

To establish procedures to protect institutional data and systems yet not unduly interfere with the effective conduct of University business.

To avoid unjustified barriers to accessing computerized institutional data and systems and to define roles and procedures related to such access.

 



Definitions


Enterprise Resource Planning (ERP) system

 A system designed to facilitate organizational efficiency through standardized business processes, storage, and presentation of data (e.g., Banner).


Official University Data

Data that are necessary to the success of the University as a whole, generally shared with others, and are likely to be distributed across organizational units within the University. Datasets contained in a university ERP or other university system (ex: University email accounts and file shares; Banner; college/unit specific databases, such as teacher certifications; etc.)


Data Steward University officials and agents of the University who have designated duties for collection, input, and maintenance responsibilities for data within their functional area.

Banner Security Officer

Individuals responsible for granting, modifying, and revoking security access to specific functional area datasets within the University ERP system (e.g., Banner Student, HR, Finance, Admissions, Financial Aid, Advancement, Foundation, etc.).


Database

A collection of information generally organized by tables, rows, and columns.  Examples of databases include Oracle, MS-SQL, MS-Access, and FileMaker Pro.  Many databases are relational databases which means that relationships can be established between tables and views to "link" data.


Data Warehouse

A database designed for analytical and information processing.  A read-only collection of data intended to answer business questions.  


Systems

 A collection of programs, services, or infrastructure hardware designed to provide specific functionality with regards to supporting University operations and/or data processing activities.  Examples include, but are not limited to, email, calendaring, file storage, report archival (e.g., e-print), reporting (e.g., Hyperion, Argos, Cognos, etc.), learning management (or course management) systems (e.g., ecourseware), ERP systems (e.g., Banner), and document imaging resources (e.g., Hyland/Matrix).



Procedures


Scope of Policy

 The scope of this policy is:

  • All data and systems supporting the business and operational needs of the University of Memphis.
  • Information and data in all forms, including but not limited to, information­ processing activities, computerized data (whether stored on university-managed servers and storage, storage area network, local servers, personal workstations, or vendor-provided infrastructures such as a “cloud”), and manually maintained data files regardless of where those files are stored.
  • All application, network, and operating system software used for computerized management of these data or systems.
  • Computerized data-processing activities related to research and instruction where the CISO determines that such activities should be covered by this policy.
  • All data and systems owned by or within the control of the University.

 


Violations

Violations of this policy may lead to disciplinary action by the University up to and including dismissal from the University.  Under certain circumstances, such violations may give rise to civil and/or criminal liability.


Access to Data

The University determines levels of access to data and systems according to principles drawn from various sources such as federal and state law, TBR and University regulations, and ethical considerations.  Individuals accessing University data and systems must observe requirements for confidentiality and privacy, must comply with protection and control procedures, and must accurately present the data in use. Users will be required to successfully complete security awareness and compliance training before access will be granted. All University data must be protected in accordance with policy UM1691 - Campus Data Security Policy.

In accordance with policy UM1382 - Separation from Employment Policy, supervisors are responsible for notifying Human Resources prior to employee separations to ensure timely removal of access to Banner, University-provided email, and other Universtiy resources.  Human Resources is responsible for updating appropriate personnel data in Banner and notifying Banner Security Officers and other relevant departments of employee separations on or before the last date of employment, or as soon as possible upon notification of employee separation. 

Banner Security Officers are responsible for maintaining procedures related to granting, modifying, and revoking access to Banner data.  Upon approval by the appropriate university official, Banner Security Officers are responsible for maintaining (including granting, modifying, and revoking) access to Banner systems (e.g., modules within Banner such as HR, Finance, Student, etc.).  Banner Security Officers are required to sign appropriate confidentiality agreements.  Banner Security Officers report to the following University officials: 

Banner Module

University Official

Student Records Data

Registrar

Financial Aid Data

Director of Financial Aid

Admissions Data

Director of Admissions

Finance Data

Director of Enterprise Application Services

Human Resources Data

Director of Enterprise Application Services

Alumni and Development Data

Director of Advancement Services

Foundation Data

Associate Vice President, U of M Foundation

Access to University data and systems is granted to individuals with whom the University has an active affiliation (e.g., students, faculty, staff, guests, vendors, etc.). Access may be granted or revoked by request of the CIO in consultation with University management. Examples of when access may be revoked include, but are not limited to:

  • situations that require immediate action to protect University data, systems, or individuals; or
  • in response to violations of University policies (such as UM1691 – Campus Data Security Policy, UM1535 – Acceptable Use of Information Technology Resources Policy, this policy, or other applicable University policies); or
  • changes in employment responsibilities upon which access is no longer required; or
  • upon termination of an individual’s active affiliation with the University (e.g., employment termination, retirement, graduation, end of vendor contract, death, etc.).

Access to Banner data will be revoked on or before the date of employee termination specified by Human Resources unless an appropriate future job contract has been loaded into Banner.  An exception to the removal of access may be granted to conduct University business for reasons such as, but not limited to coursework, grading, grade appeals, and research activities. Banner Security Officers are responsible for documenting exceptions to the removal of access to Banner data. Termination of access to other University IT systems is outlined on the IT Resource Access Termination Procedures page.

The University maintains data in a variety of databases and systems.  After completing appropriate screening, data stewards may access data on a "need to know" basis. Access to data is granted based on job responsibility and management’s approval. Frequently, the data thus accessed can be downloaded or exported to other applications such as desktop databases (i.e. Access), spreadsheets, text, or hypertext. All individuals who are granted access to University data are thereby obliged to treat the data according to the same security and privacy rules in force within the system of origination regardless of where it is stored. 

 


Copies of Official Data

Copies of official data are NOT official data. Data derived from copies or downloads shall not be used as substitutes for official records kept by the authorized data steward of the University. However, such information may be used to generate official reports on behalf of the University with the knowledge and permission of the official data steward. Such files and resulting reports are covered by the same constraints of confidentiality and privacy as the official records and must be protected according to the applicable data classification standard as defined in policy UM1691 - Campus Data Security Policy



FAQs


How frequently are data updated?

Each data source has its own schedule for updates.  In some systems requiring batch updates, this can be daily, weekly, or longer, but is usually daily.  Other systems, such as the Data Warehouse, have update cycles that coincide with the update cycles of the systems of origin and with known data availability needs.


What data are contained in the University's ERP system?

The ERP system is comprised of the following data systems:  Human Resources, Financial Records, Advancement, and Student.


What data are contained in the Data Warehouse?

Data contained in the warehouse are extracted from the ERP system database and other university administrative systems.


How can I find out where different data are contained?

You can either contact the University office that has primary responsibility for maintaining the data or Information Technology Services. 

The Data Warehouse facilitates integration of data so that University business questions are easier to answer. (Ex:  Questions about classroom success of specific students with specific financial aid.)  Data Warehouse, Office of Institutional Research, ePrint, and Matrix can be accessed through the University portal.


What data are contained in various databases?

"Local" (departmental) databases contain data critical to the academic or administrative mission of the college or administrative unit and must be protected by the same rules and security as that of the university's administrative systems.


How can I get access to institutional data?

Access to institutional data is a right reserved to data stewards who have need to utilize the data for benefit of the University.

To request access, contact the University office that has primary responsibility for maintaining the data.  


How do different database systems differ from each other?

Systems can differ in several important ways.  Three of the most common are: ease of accessibility, understandability of stored data, and tools provided for access.  In many of our administrative systems and other applications, the data are stored in relational databases with more easily understandable table formats and common file names, and a number of tools can be used to retrieve or analyze data.



Links


Human Resources/Finance Access

http://www.memphis.edu/bf/forms/


Student System Access

http://www.memphis.edu/registrar/forms


Information Technology Services

http://www.memphis.edu/its/about/index.php



Revision Dates


  UM1337 - Revised: October 7, 2016
UM1337 - Revised: February 2, 2016
UM1337 - Revised: June 9, 2015
UM1337 - Revised: February 12, 2015
UM1337 - Revised: March 18, 2008
UM1337 - Revised: January 14, 2004
Originally Issued: June 19, 2003


Subject Areas:

Academic Finance General Human Resources Information Technology Research Student Affairs
          XX     


back to editor