Data Use and Protection Policy

  1. Purpose. Information in the form of data is a critical asset and essential to the operation of Owens Community College. The purpose of this rule is to ensure faculty, staff and students appropriately access and protect data from improper use or release and that Owens Community College is in compliance with all applicable federal, state and other laws, contracts, regulations and licenses.
  2. Definitions.
    1. Data at the College includes, but is not limited to: student records, personnel data, financial/accounting data, administrative records, institutional research, confidential legal or medical information, alumni and donor information. Data may include facts, files, records, reports, or any information meant only for internal use and/or is restricted, limited or public information. Such data and information may be in existing or archived form, or in physical or digital form.
    2. A data owner or steward is a College employee who is assigned planning and management-level responsibility for defined segments of institutional data and for data within their functional area. A data owner is responsible within their functional area for assigning and overseeing authorized data users, overseeing the establishment of data classification and processes, determining legal and regulatory requirements for data and promoting appropriate data use and data quality.
    3. A data user is any authorized College faculty, staff or student that accesses, modifies or handles data.
  3. Data classifications. A data owner should determine the data classification for institutional data in their area of responsibility.
    1. Public. Data that must be released under Ohio public record law or where the College unconditionally waives an exception to the public record law.
    2. Limited access. Data that may be released by the College if it chooses to waive exception to the Ohio public record law and places a condition or limitation on such release. A notification of unauthorized access is not required to any such victim or other outside entity. Examples include but are not limited to: College identification numbers, research data, intellectual property.
    3. Restricted. Data release is prohibited by federal law, state law, and/or contractual obligation. For data to be defined as restricted, a notification of unauthorized access is required to any such victim or other outside entity. Examples include but are not limited to: social security numbers, personal health information, driver’s license numbers.
  4. Responsibility.
    1. A data user must use and protect data in a manner consistent with all relevant standards and procedures of information technology services and the rules of the College.
    2. A data user must be aware of and comply with all applicable federal, state and other applicable laws, contracts, regulations and licenses. A data user may reference Owens Community College rule 3358:11-6-01 of the Administrative Code (information technology policy).
    3. A data user must understand the classification of the data being accessed and must protect the data appropriately, as based on the classification.
    4. A data user must only access or attempt to access data, as based on the authorization to use and then only use such in the manner and to the extent authorized.
    5. A data user must only provide data to another data user who is authorized to receive such data.
    6. A data user must not share or use accounts, passwords or other authentication mechanisms other than those that are assigned by the College.
  5. Non-compliance. Non-compliance with this rule and corresponding procedures may be subject to the Owens Community College rule 3358:11-5-52 of the Administrative Code (standards of conduct and disciplinary process policy and corresponding procedures) or the college’s student code of conduct.
  6. Implementation. The treasurer/chief financial officer or the chief information officer has the authority to promulgate procedures, guidelines and forms consistent with this rule.
  7. All users of information technology resources may reference definitions and standards for the College’s information technology services here.

Effective date: 12/14/2019

Promulgated under: 111.15
Statutory authority: 3358.08
Rule amplifies: 3358.08
Prior effective dates: N/A