Policy No: 2108
Responsible Office: Office of Institutional Effectiveness
Last Review Date: 05/04/2023
Next Required Review: 05/04/2028
|
Access and Use of Student & Employee Data
1. Purpose
This policy outlines the University of South Alabama’s (USA) approach to access and responsible use of employee and student data; other policies may apply to specific data or databases. This policy refers to educational, research, and administrative use of non-aggregated personally identifiable student or employee information. To ensure that such access is authorized and based on the principles of need to know, that its use is appropriate, and that authorized access complies with USA policies, standards and rules, and relevant state and federal laws.
2. Applicability
This Policy applies to University General Division, including any individual or group such as faculty, staff, student, student organization, or non-USA researcher, vendor, or agency that wishes to access and use student or employee personally identifiable data.
3. Definitions
Non-aggregate Data: includes identifying information such as student or employee names, emails, or J-numbers.
FERPA: the Family Educational Rights and Privacy Act of 1974, is a federal law about releasing and accessing educational records. FERPA permits university officials to access and use student records for legitimate educational purposes. Click here for more information.
Legitimate Interest: is a need to access, review, or use confidential data that arise within the scope of University employment and/or in the performance of authorized duties to perform an appropriate University research, educational, or administrative function.
Personally Identifiable Information: is any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means (i.e., name, email, J-number, etc.)
University Official: is someone employed by the university and determined to have a legitimate interest in the student or employee records to perform appropriate tasks specific to their position description; perform tasks related to education or disciplinary action; to provide a service or benefit to the student, student’s family, employee, or employee’s family. The University may also designate an outside vendor as a University official for purposes of FERPA where access to student data is needed for the vendor to perform its contractual obligations to the University.
4. Policy Guidelines
The University of South Alabama's Chief Human Resources Officer or his or her delegate shall consider, for approval, requests for non-aggregated personally identifiable employee data for legitimate administrative, research, or non-research purposes. Requests for non-aggregated personally identifiable student data for legitimate administrative, research, or non-research educational purposes shall be considered by the Registrar or his or her delegate for approval to the extent the requests are consistent with the Family Educational Rights and Privacy Act (FERPA) and other federal or state provisions designed to protect the privacy of personal information. Additionally, the University’s Institutional Review Board (IRB) has protocols that consider the requirements of FERPA and other federal or state provisions designed to protect the privacy of personally identifiable information that must also be considered.
The University of South Alabama employees must be authorized to access University of South Alabama student or employee data. Student and employee information may be provided to University officials conducting research projects approved by IRB. Approval of IRB does not imply or guarantee access to student or employee data.
- Access to student and employee personally identifiable information must align with approved Banner security forms and requirements.
- Access to student education records must comply with FERPA and applicable federal and state provisions designed to protect the privacy of personally identifiable information. The Registrar or his or her delegate must approve the use of non-aggregated personally identifiable student data for legitimate research purposes beyond the scope of FERPA.
- Access to employee information must comply with applicable federal and state provisions designed to protect the privacy of personally identifiable information. The Chief Human Resources Officer or his or her delegate must approve the use of non-aggregated personally identifiable employee information for legitimate research purposes.
4.1 Access and Use of University of South Alabama Student Data
4.1.1 Student data shall be released only when job-related, need-to-know, and solely to the extent permitted by applicable federal or state law.
4.1.2 Student data shall be used solely for the approved research project or administrative purposes.
4.1.3 Student data shall not be disclosed to any unauthorized party or used beyond its intended purpose.
4.2 Access and use of University of South Alabama Employee Data
4.2.1 Employee data shall be released only when job-related, need-to-know, and solely to the extent permitted by applicable federal or state law.
4.2.2 Employee data shall be used solely for the approved research project or administrative purposes.
4.2.3 Employee data shall not be disclosed to any unauthorized party or used beyond its intended purpose.
5. Procedures
Student and employee data is not provided to the public, including individuals, businesses, and organizations outside of the university community.
5.1 Employee Data Request
A request must be submitted to the Chief Human Resources Officer or his or her delegate to access and use employee personally identifiable data.
5.2 Student Data Request
A request must be submitted to the Registrar or his or her delegate to access and use student personally identifiable data.
5.3 Request Approval
Requests for employee and student data are evaluated on a case-by-case basis and are approved or denied by The Chief Human Resources Officer or Registrar (or their delegates, respectively). The timeliness of the request approval is dependent on the complexity of the request.
5.4 Data Use
Employee and student data are released for use by the requestor only.
5.5 Third-party Applications
Using third-party applications (e.g., Survey Monkey or Qualtrics) to host data is acceptable. Careful attention should be paid to ensure employee and student record information is not collected or maintained by non-contracted vendors.
6. Enforcement
University employees must abide by the policies governing access and responsible use of student and employee personally identifiable data. Inappropriate access, use, or misuse of student and employee information violates University policy and state and federal laws. The end user is responsible for being aware of legal requirements for access to data, responsible use of data, and destruction of data when no longer needed. Failure to adhere to the requirements of this policy may result in discipline up to and including termination of employment or dismissal from USA (see Staff Employee Handbook, Section 6.13 for further details). In addition to disciplinary action, offenders will be subject to possible referral of the violation to the proper authorities.
7. Related Documents
Links to related web pages and policies are provided below.
7.1 FERPA
7.2 HIPPA
7.3 HRSA
7.4 Research Data Management Practices Policy
7.5 Information Systems Security Policy
7.6 Survey & Research Recruitment Policy (link to be updated when it is published to the Policy Library)