University Information Technology - Tufts University

ISP - Information Roles and Responsibilities Policy


Information Roles and Responsibilities Policy


Purpose

This policy establishes the roles and responsibilities that all members of the Tufts community have for the appropriate management, use, and stewardship of institutional data at Tufts University.


Scope

All members of the Tufts community.
 

Policy Statement

Responsibilities

Members of the Tufts community manage and use institutional data to support their work. Using and managing institutional data comes with a variety of responsibilities, which this policy defines. All management and use of institutional data should represent Tufts’ values and mission and management expectations for ethical behavior.


Respect for Individual Privacy


Except as required by policy and law, all members of the university community are obligated to respect the privacy of others as noted in this policy and the Business Conduct Policy. Respecting the privacy of others includes not placing confidential or sensitive institutional data on institutional systems or other environments that are unfit or unauthorized for such purposes, or engaging in activities that unnecessarily expose institutional data to harm or unauthorized access.


Compliance

All members of the community are obligated to manage and use institutional data in a manner that is compliant with all applicable laws and regulations; university policies, procedures, and standards; and contracts and licenses. Members of the Tufts community are responsible for using and managing institutional data in a compliant manner regardless of the resource used to access or store the data—whether an institutional system, a Tufts community member’s privately owned resource, or a third-party resource.


Requirements of Other Jurisdictions


All members of the community who engage in electronic communications with persons in other states or countries or on other systems or networks may also be subject to the laws of those other states and countries and the rules and policies of external networks and systems. Users should ensure that their use of any particular resource is consistent with laws within those other jurisdictions. The best source of information to clarify these requirements is the user’s academic or administrative manager.


Respect for Copyright


All members of the community must respect the work product and copyrights of others as noted in the Policy on Fair Use of Copyrighted Materials.


Priority of University Business


All members of the community are expected to respect the priority of university business and keep the personal use of institutional systems to a minimum. Managers have the authority to limit the personal use of institutional systems.


Prohibition on Testing of Security Controls


Under management direction, the University performs routine testing and audits of its security controls to help ensure they are working as intended. Anyone who seeks to violate the legitimate privacy of others or gains unauthorized access to resources is in violation of this policy, and any probing or testing of security controls is strictly prohibited. Violations will be investigated, will follow established internal disciplinary procedures, and may be referred to external law enforcement agencies for further legal action.


Policy Violation


Depending on the circumstances, and in management’s sole discretion, members of the Tufts community who violate this policy may be denied access to institutional data and systems, and may be subject to other penalties and disciplinary action, both within and outside of the University. The University may refer suspected violations of applicable law to appropriate law enforcement agencies.


Roles

Members of the Tufts community play different roles in the use and management of institutional data. The table below defines these roles and associated responsibilities. Individuals are not to be formally assigned to particular roles (in fact, everyone has different roles for different types of institutional data). Rather, this policy is designed to help members of the community understand the interconnected framework of responsibilities for managing and using institutional data.

Role: Information Owners

Description: Generally speaking, Tufts University is the information owner of institutional data. Faculty members are often information owners of their faculty materials. See the Policy on Rights and Responsibilities with Respect to Intellectual Property for more details on ownership rights.

Responsibilities & Rights: Information owners have the right and responsibility to manage and use institutional data appropriately, as defined by all applicable laws and regulations; university policies, procedures, and standards; and contracts and licenses.

Information owners may delegate the responsible management of their institutional data to information managers.


Role: Information Managers

Description: The individuals charged by information owners to ensure the responsible management and use of institutional data.

Information managers are typically senior managers, senior administrators, and directors of schools, divisions, offices, and departments. Faculty members are the information managers of their faculty materials.

Responsibilities & Rights: Information managers make the decisions and take the actions on behalf of the information owners needed to ensure the responsible and appropriate management and use of institutional data. Typical responsibilities of information managers include, but are not limited to:

  • Establish appropriate information management policies and procedures;
  • Identify the laws and regulations; University policies, procedures, and standards; and contracts and licenses that affect the institutional data under his or her care;
  • Identify the classification of institutional data under his or her care;
  • Determine the appropriate access and use of institutional data under his or her care;
  • Provide communications and education to information users on the appropriate use and care of institutional data;
  • Work with information custodians to establish and maintain trustworthy institutional systems.

Information managers may delegate some management activities to information custodians, usually for reasons of efficiency and effectiveness. Information managers may also appoint information stewards to undertake activities for the manager, including, but not limited to, surveying the location and state of information, developing and implementing information policies and procedures, and implementing protective measures.


Role: Information Custodians

Description: The entities or individuals charged by information managers to execute aspects of managing institutional data.

Information custodians are typically IT units that maintain and operate institutional systems in order to manage institutional data on behalf of information managers.

Responsibilities & Rights: Information custodians make the decisions and take the actions needed to support the management function delegated by the information managers to the information custodians. Information custodians’ decision-making, actions, and responsibilities are limited to those delegated functions. Typical responsibilities of information custodians include, but are not limited to:

  • Maintain and operate institutional systems;
  • Ensure that institutional systems have the safeguards in place that are commensurate with the confidentiality level of the institutional data held or accessed by the institutional systems;
  • Manage access to institutional data appropriately;
  • Follow and implement information policies and procedures.


Role: Information Users

Description: Individuals that access and use institutional data in support of their research, teaching, service, and administrative work.

Typically, information users are faculty, staff, and affiliates.

Responsibilities & Rights: Information users have the responsibility to access and use institutional data in an appropriate and compliant manner. In particular, information users have the responsibility to protect the personal information of information subjects in the institutional data they are accessing and using.


Role: Information Subjects

Description: The individuals that have information about them in institutional data.

Nearly all members of the Tufts community—students, faculty, staff, affiliates, alumni, and donors, plus non-matriculated students—are information subjects.

Responsibilities & Rights: Information subjects have the right to expect that information users, custodians, managers, and owners will manage and use the institutional data that contains information about them in an appropriate and compliant manner. In particular, information subjects have the right to expect that information users, custodians, managers, and owners will use reasonable efforts and resources to protect the subject’s personal information.

Roles Example

This example of an electronic student record of an Arts and Sciences undergraduate student in the student information system illustrates the roles for managing and using institutional data:

Role: Information Owners
Tufts Community Members: Tufts University

Role: Information Managers
Tufts Community Members: Manager(s) in the Office of the Registrar, Arts, Sciences, and Engineering

Role: Information Custodians
Tufts Community Members: Manager(s) in UIT

UIT maintains the student information system and manages the storage of the student records on behalf of the Office of the Registrar.

Role: Information Users
Tufts Community Members:

  • The student
  • Office of the Registrar staff
  • The student’s advisor
  • The student’s professors

The student’s professors only have the right to see a portion of the record. The Office of the Registrar manages who has the right to access and use the student records and under what conditions.

Role: Information Subjects
Tufts Community Members: The student


Review Entities  

Information Stewardship Committee
Information Technology Advisory Council
Information Technology Leadership Forum
University Library Council
Institutional Compliance Executive Committee


Approval Date

September 15, 2011


Effective Date

September 20, 2011


Executive Sponsor

David Kahle, Vice President for Information Technology and Chief Information Officer


Policy Managers

  • University Information Technology
  • Digital Collections and Archives
  • University Counsel


Responsible Offices

  • University Information Technology
  • Digital Collections and Archives
  • University Counsel
For general questions, contact infopolicy@tufts.edu.


Revision

The University reserves the right to change this policy from time to time. Proposed changes will normally be developed by the policy managers with appropriate stakeholders. The review entities have sole authority to approve changes to this policy.


Distribution

http://uit.tufts.edu/?pid=789



Related Policies

Information Stewardship Policy

Use of Institutional Systems Policy

Information Classification and Handling Policy

Business Conduct Policy

Policy on Fair Use of Copyrighted Materials

Policy on Rights and Responsibilities with Respect to Intellectual Property