Table of contents
Purpose
The University of Maryland's Institutional Data, by definition, practice, and intent, are University assets. Institutional Data are owned by the University of Maryland (UMD) and not by individual persons, Units, or departments of the University.
The Principles of the University’s Acceptable Use Policy, Privacy Policy, and Data Management Policy require careful consideration of the collection, access to, and use of institutional data. The mechanisms and controls for such use are the subject of this Standard.
This Standard addresses the University’s enterprise-level approach to granting approval to collect, access, or otherwise use data for individual employees as well as Unit-based access.
Scope
This Standard is applicable to all members of the University community and applies to all locations and operations of the University.
Definitions
Data Extract describes data retrieved from a data source and provided on request. Data Extracts do not grant continuing access to the system(s) storing a data set.
Data Trustee means individual UMD Vice Presidents. Data Trustees have overall responsibility for the collection of data subsets within their division.
Data Steward means a designated University official with operational responsibilities as further defined in UMD Policy VI-23.00(A).
Institutional Data describes data collected or processed for administrative purposes.
Institutional Project describes a project involving the collection or processing of Personally Identifiable Information (PII) that serves an administrative purpose at UMD and is not intended to be used for generalizable research.
Personally Identifiable Information (PII) means information that is created, received, processed, stored, or transmitted by or on behalf of the University that, alone or in combination with other information, enables the identification of an individual.
Role Based Access describes the provision of data to individuals to perform their job duties. This is the type of access used for regular querying of data warehouses and operational data systems.
System Owner means a University employee or Unit who is responsible for the operation, documentation, security, and maintenance of a University IT system.
Unit typically describes an administrative or academic department, but may also include colleges, labs, teams, institutes, or other designated groups as determined by University policy and practice.
Standard
This Standard addresses both Unit-level requests for access to or collection of data as well as individual requests for access to data in the ordinary course of business. Where an individual seeks access to data in order to perform their standard job duties, they will not submit a request for access as pursuant to Sections A-E below, and will instead be provisioned access to an appropriate role in accordance with Section F below.
A. Requests for existing data - data extracts
Where a Unit seeks access to a Data Extract for a new project or for an existing project that requires new data or has significantly changed the purpose or method for processing an existing Data Extract, they must use the process described in Section E below.
- Generalizable research studies subject to Institutional Review Board (IRB) review remain subject to this requirement. The UMD IRB reviews projects for compliance with Human Subjects Research Protections. It does not review or approve requests for existing Institutional Data pursuant to this Standard.
B. Requests for existing data - ongoing system access
Where a Unit seeks ongoing access to a system containing a data set for the purposes described above, the requesting Unit must coordinate with the relevant Information System Owner to determine what role changes may be most appropriate. Prior to granting or altering a role, the Information System Owner will consult with the Data Steward and other relevant stakeholders as required. Access to roles will be provisioned in accordance with section F. below.
C. Requests for collection of data
Where a Unit seeks to collect new data for an existing Institutional Project that requires new data, the same process in Section E should be used.
- Generalizable research studies subject to IRB review are not subject to Section C. of this standard, because generalizable research studies do not collect Institutional Data; they are instead governed by Human Subjects Research Protections.
D. Exempt requests
Activities that involve publicly available information, non-PII information about a population (ex., aggregated information), reports provided directly by UMD Office of Institutional Research, Planning, and Assessment (IRPA) or other Units, or other information subject to legal disclosure requirements (as appropriate), are exempt from review under this standard. This determination will be made by the Privacy Office and appropriate Data Steward(s).
E. Review
UMD Units that wish to create or access Institutional Data must submit a request through IRPA at irpa@umd.edu. IRPA will review the request and coordinate the administrative process of review and approval. Once a request has been submitted, IRPA will route the request to the Privacy Office, Security Office, and/or appropriate Data Steward(s). In the event that the request requires additional consultation, IRPA will facilitate the discussion of intended outcomes, availability of data, and appropriate methodology for analysis as well as any compliance, risk, privacy, or security concerns. Once consultation has completed, finalized requests will be reviewed by the Privacy Office, Security Office, and appropriate Data Steward(s).
The Privacy Office is responsible for determining whether a proposed project meets or violates privacy-related laws, regulations, policies, or contractual obligations.
The Security Office is responsible for determining whether a proposed project meets or violates cybersecurity-related laws, regulations, policies, or contractual obligations.
If the Privacy Office or Security Office determine that fulfilling the data access or use request is in violation of law, policy, or contract obligations, or that fulfilling the request creates an unacceptable risk to the institution, the request will be denied.
Data Steward(s) determine whether the request represents an otherwise unacceptable use of data or risk to the institution. Each Data Steward will make the criteria by which they make this determination available. If a Data Steward determines that a proposed project does not meet the relevant criteria, the request will be denied.
The Privacy Office, Security Office, and Data Steward(s) must all approve a request before access to data will be provided.
In the event that a Data Steward recommends approval of a project against the advice of the Privacy Office and/or Security Office, the Data Steward will submit a request to review the project to the relevant Data Trustee(s) for additional review and decision making.
F. Role based access
Where an individual requires access to a data set to perform their assigned job duties, UMD will follow the Role Based Access Control model developed and disseminated by the National Institute of Standards and Technology and the International Committee for Information Technology Standards whenever practical.
Data Stewards and System Owners will coordinate with UMD Division of Information Technology (DIT) and other appropriate stakeholders to determine a documented process for requesting additional roles or role modifications.
NOTE: Regardless of whether the scope of a role is restricted technologically, individuals remain responsible for ensuring they are not knowingly or deliberately accessing data for which they do not have a legitimate business or educational purpose.
Date of effect
This Standard becomes effective Oct 1, 2024.