Responding to Requests for University Information, Policy on

Title: Responding to Requests for University Information, Policy on
Policy Owner: University Information Technology Services
Applies to: Faculty, Staff
Campus Applicability:
Effective Date: October 22, 2007
For More Information, Contact Assitant VP for IT Security, Policy & Quality Assurance
Contact Information: (860) 486-4357
Official Website: http://uits.uconn.edu/

 

Background and Reason for the Policy: The University of Connecticut views University data, in all its forms and throughout its life cycle, as an asset of the University.  As an asset, University data must be protected to meet both Federal and State laws such as:

  • the Family Rights and Privacy Act (FERPA),
  • the Health Insurance Portability and Accountability Act (HIPAA),
  • the Electronic Communications Privacy Act (ECPA),
  • the Gramm-Leach-Bliley Act and
  • the Freedom of Information Action (FOIA),

as well as to comply with the policies of the institution.

However, many employees may not understand all of the confidentiality rules for the data to which they have access.  In addition, there has not been a clear protocol for dealing with requests for University data.

 

Purpose of Policy: This policy is intended to direct employees of the University of Connecticut to whom requests for information may be made.

 

Expected Institutional Outcome: It is expected that this policy will provide the University community with a protocol for handling internal and external requests for University data.

 

Definitions:

  • Data Classification Policy:  See Data Classification Policy
  • Data Custodian: The entity/entities or office/offices that is/are delegated with the day-to-day operational-level responsibility of performing management functions for a defined portion of University data (i.e. specific administrative data sets) based on the definitions, procedures and guidelines developed by the Data Steward.
  • University Data:  Any recorded data or information relating to the University’s business prepared, owned, used, received, or retained by the University and its employees and agents, whether such data or information is handwritten, typed, tape-recorded, printed, photostatted, photographed or recorded by any other method.
  • External Requests: External requests are those made by individuals, agencies, groups or other entities outside of the University or by University members not acting in their official University capacity.
  • Internal Requests:  Internal requests are those made by a University office, a University employee, or a student.
  • Legitimate Business Purpose: A University Official has a Legitimate Business Purpose if the disclosure is relevant and necessary in the ordinary course of the requestor’s official duties and is related to the purpose for which the information was acquired.  Any University official who needs University Data in the course of performing instructional, supervisory, advisory, or administrative duties for the University has a Legitimate Business Purpose.
  • Official University Webpages: Official University of Connecticut webpages are those that have been created by the University, its campuses, colleges, schools, departments or other administrative unit, for University business.  Official University webpages clearly convey a relationship to the entire University and support and advance the University’s mission.
  • Publicly-Available:  Any information that is either published on one of the Official University webpages, the Undergraduate or Graduate Catalog, or other official University publication.
  • Non-publicly Available: Information that the employee gains by reason of employment with the University and that he/she knows or reasonably should know has not been made available to the general public.
  • University Official: A University Official is a University employee, administrator, officer, staff, professional, and any other individual who has been authorized by the University to act on behalf of the University.

Statement of Policy:

1. Internal Requests for Information:

  • Employees are permitted to disclose Publicly-Available University Data or to disclose Non-Publicly Available Data to a University Official with a Legitimate Business Purpose.  Employees may release information regarding individual student to that individual student.  All other requests should be referred as indicated below.
  • Requests for individual law student educational information or for lists of individual Law School student educational information should be referred to the Law School.
  • Requests for individual medical or dental student educational information or for lists of individual Medical School or Dental School student educational information should be referred to the University of Connecticut School of Medicine or School of Dentistry, respectively.
  • Requests for individual graduate student educational information by anyone other than the individual student, or for lists of individual graduate student educational information, should be referred to the Graduate School.
  • All other requests for student educational information by anyone other than the individual student, or for lists of individual student educational information, should be referred to the Registrar’s office.
  • Requests for individual employee personnel information by anyone other than the individual employee, or for lists of individual employee personnel information, should be referred to the Human Resources office.
  • Requests for summary University information should be referred to the Office of Institutional Research.
  • Requests for information concerning University purchases and procurement contracts should be referred to the Purchasing Department.
  • Requests for information on funded research should be referred to the Office of Sponsored Programs.
  • Requests for financial University data should be directed to the Chief Financial Officer.
  • Requests for information concerning University facilities should be directed to the Chief Operating Officer.
  • Requests for all other University Data should be directed to the appropriate Data Custodian. Please refer to the Table of Accountability for the appropriate Data Custodian.

 

2. External Requests for Information:

  • All external disclosures of University Data not defined as Publicly Available must comply with federal and state laws, as well as University policies.  University employees are only permitted to disclose University data to an external individual or entity that is Publicly Available except when permission has been given by those individuals whose information is being requested or under the exceptions listed below.
  • All requests for information from the news media should contact the Office of University Communications/University Relations, which will coordinate the response.
  • All requests for educational records concerning individuals other than oneself should be forwarded to the appropriate office:

–     University of Connecticut School of Medicine or School of Dentistry for records involving medical or dental students;

–    Law School for records involving law school students;

–    Registrar’s Office for records involving undergraduate or graduate students.

  • All requests for Student Employment Verifications and Student Job References should be directed to the Student Employment Office.
  • All requests for External Job References should be directed to Human Resources.
  • All court orders, subpoenas, warrants, or other legal instruments should be immediately forwarded to the Office of the Attorney General.
  • All other external requests for such information must be made in writing and referred to the University’s Privacy Officer.
  • A log of all external requests for information will be maintained by those offices that respond to such requests.

3. Exceptions:

  • Offices and employees who are responsible for regularly supplying the public with information pursuant to inquiries or requests need only refer the request to the University’s Privacy Office or the Attorney General’s office if the information is not usually communicated through that office or employee, or if the office or employee is unsure of the propriety of releasing the information.
  • Responses to questionnaires and surveys that require the provision of University aggregated data that has not been published should be directed to the Office of Institutional Research (OIR).  Each year, the OIR publishes statistical information which contain official University data and which is available from the OIR website.  Employees receiving such requests should use this published information as a primary source of information for completing questionnaires and surveys before sending them to the OIR for review.
  • If a request for information can be answered in its entirety from publicaly-available information, the information may be provided by an employee or office.

Responsibilities:

The President, and/or his designee(s), has overall responsibility for implementation and enforcement of this policy.

Review of this policy by the President and/or his designee(s) will occur biennially.

Violations of this policy will result in appropriate disciplinary measures in accordance with University Laws and Bylaws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Conduct Code.