Home | Search | Contacts

Administrative Electronic Information Policy

Purpose

This policy statement establishes measures for the protection, access, and use of Portland Community College's administrative, electronic data and equipment. It also defines the responsibilities of all who access and manage these data and equipment. Offices may have individual guidelines that supplement, but do not supplant or contradict, this policy statement. Data entrusted to the college by other organizations (e.g., foundations and government agencies) are governed by terms and conditions agreed upon with those organizations. Specific issues not governed by such agreed terms shall be governed by this policy.

Administrative Responsibility

All administrative electronic data should be treated as confidential, other than data which has been designated as approved for release to the public. By law certain electronic institutional data are confidential and may not be released without proper authorization. Employees and other authorized users should adhere to any applicable federal and state laws concerning storage, retention, use, release and destruction of data.

All levels of administrative management shall ensure that, for their areas of accountability, each information system user knows his/her responsibilities as defined in this policy. Each system user shall read and understand this policy statement before access to the system is provided.

Electronic data are owned by the institution and are a vital college asset. All institutional data, whether maintained in the central database or copied into other data systems including microcomputers, remain the property of the college and are governed by this policy statement. Access to data is not approved for use outside an individual's official college responsibility.

Computerized, institutional data shall be used only for the legitimate business of Portland Community College. Central computing services and facilities shall be used only as required in the performance of job functions. Personal use of institutionally owned microcomputers shall be limited and requires the prior permission of the employee's administrative head or supervisor.

Supervising administrators shall ensure a secure office environment with regard to all institutional information systems. Administrators shall validate the access requirements of their staff according to job functions, before submitting requests for the provision of access.

Under no circumstances shall anyone use institutional electronic data (in detail or summary) in any publication, seminar, or professional presentation, or otherwise release data, in any form, outside the college without prior written approval from the appropriate data custodian and the appropriate executive officer(s). Data should never be left on any system to which access is not controlled.

As a general principle of access, college data (regardless of who collects or maintains it) shall be shared among those employees whose work can be done more effectively by knowledge of such information. Though the college should protect the security and confidentiality of data, the procedures to allow access to data must not unduly interfere with the efficient conduct of college business.

All information systems owned by Portland Community College shall be constructed to ensure that: (1) accuracy and completeness of all system contents are maintained during storage and processing; (2) system capabilities can be reestablished within an appropriate time upon loss or damage by accident, malfunction, breach of security, or natural disaster; and (3) actual or attempted breaches of security can be detected promptly. All who use institutional data have the right to expect them to be accurate.

Information Access Definitions

Two types of access can be granted to users.

• Inquiry-only access enables the user to view, analyze and download, but not change, institutional data. Once information is downloaded, however, data can, but should not, be altered in word processing documents or spread sheets in a way that misrepresents the information derived from these data. Downloaded information should be used and represented responsibly.
• Update access provides both inquiry and update capability. Update capability is generally limited to the offices directly responsible for the collection and management of the data. Update access is available to administrators and users who have an authorized need to change institutional data in the routine performance of their job duties.

Each user of administrative information is assigned appropriate combinations of inquiry-only and update access to specific parts of the administrative information system. The types of access are determined by the data custodians (see definition below).

Data Custodians

A data custodian, usually an administrator of a major college unit (office or department), may make data available to others within his or her purview for use and support of the unit's functions.

Before granting access to data, the data custodian shall be satisfied that protection requirements have been implemented and that a "need to know" is clearly demonstrated. By approving end-user access to institutional data, the data custodian consents to the use of these data within the normal business functions of administrative and academic offices. Access to institutional data shall not be granted to persons unless there is an established "need to know".

Data custodians are ultimately responsible for the accuracy and completeness of data in their areas. They are also responsible for maintenance and control of the administrative information system Data entry forms, query forms, reports and programs will be grouped into user profiles that represent what is needed to perform a general set of related tasks. Each profile has a custodian who can grant access by an end-user to an entire profile of programs. In addition to having access to a profile, a user can also be granted permission by the custodian to use a single form, report or program.

In most cases, the name of the object (form, report or program) will indicate who the custodian is. Most finance objects begin with the letter "F" and the custodian is in Financial Services. Human resources objects begin with "P" and the custodians are located in Human Resources. The custodian for all financial aid objects, beginning with "R", will be in the Financial Aid Office. All general objects, beginning with "G" will be governed by Information Technology Services. Other portions of the Banner system (e.g. student) will not be assigned custodians based on the Banner module, but by the PCC office that has primary responsibility over the information or process. See the Banner Form and Report Access Request for specific information about who the custodians are.

If you are within the PCC network, please review the list of the current custodians.

Information Users

Individuals are responsible for understanding all data elements that are used. If a person does not understand the meaning of a data element, s/he should consult the appropriate data custodian or his/her representative. Users should exercise due care in using the institution's electronic information systems, both the central institutional database and all departmental systems, to protect data files from unauthorized use, disclosure, alteration, or destruction. Each person is responsible for security, privacy, and control of his/her own data. Each user is responsible for all transactions occurring during the use of his/her login and password. Any user who believes that his/her login and password have been used by another person shall promptly notify his/her administrative head or supervisor or the appropriate data custodian.

It is a violation of college policy, and may be a crime, for employees and other users to attempt to gain access to administrative electronic data which they do not need to perform their job functions or to which they are not authorized to have access.

Information Technology Services

Within the limit of his/her approved job description, the Director of Information Technology Services shall oversee the implementation of this policy statement, review requests for exceptions to the policy, and manage disputes concerning use and stewardship of centralized electronic institutional data and institution-wide information systems.

The Information Technology Services office shall ensure that a variety of security measures are in place. It shall maintain the institutional database(s) and insure data security, integrity, and availability to all who have been granted access to it. Central database system(s) backup will be performed on a regular basis. A disaster recovery plan will be negotiated to minimize the disruption caused when the central computing facility is inoperative. Regular upgrade and maintenance of hardware and software will occur to protect and enhance the college's information. The cost of data protection should be commensurate with the value of data and the legal implications governing the potential loss of such data.

Information Technology Services shall provide education and training to individuals with respect to access and manipulation of institutional data.

Information Technology Services shall process requests for data access through data custodians and serve as the initial point of conflict resolution in instances where requests for access conflict with this policy.

Policy Violations

Appropriate college procedures shall be followed in reporting any breach of security or compromise of safeguards. Any person engaging in unauthorized use, disclosure, alteration, or destruction of college data in violation of this policy shall be subject to appropriate disciplinary action, including dismissal for serious or repeated violations.