134 Data Security Policies UNIVERSITY OF MINNESOTA Sharing Data with University Educational and Administrative Audiences https://policy.umn.edu/operations/internalaccess-proc04 University of Minnesota https://twin-cities.umn.edu/ 612-625-5000 Printed on: 08/07/2018. Please go to http://policy.umn.edu for the most current version of the Policy or related document. ADMINISTRATIVE PROCEDURE Sharing Data with University Educational and Administrative Audiences Related Policy: Internal Access to and Sharing University Information This procedure provides guidance on how and when members of the University community can share public or private unit record data and or aggregate-level data with audiences internal to the University. This procedure applies to all University providers of data, including individuals and units, including central units (e.g., Office of Institutional Research, central-work streams such as Human Resources, etc.), as well as colleges, departments and other units. Individuals or units providing data in any form, including the secondary release of data, are responsible for the application of this procedure and its related policy (see Administrative Policy: Public Access to University Information). The standard for sharing personally identifiable private student data is defined in the Regents Policy on Student Education Records. The policy defines “legitimate educational interest” as “an interest in reviewing student education records for the purpose of performing an appropriate University research, educational, or administrative function. The University uses the same definition of “legitimate educational interest” for sharing other private data on individuals within the University. Definitions Unit Record Data is considered non-aggregated data at the lowest level of detail (e.g., individual student or employee level data). Public Data is defined by Minnesota Statutes as “data collected, created, received, maintained or disseminated by a government entity” unless classified as private by statute or federal law. For purposes of this procedure, public data are those data elements that are non-FERPA suppressed. All other data are considered private. For a list of public and private data elements see the list of examples provided through Administrative Policy: Public Access to University Information. Providers refer to individuals responsible for providing data in any form to those audiences requesting either aggregated data or detail unit record data. Internal audiences are defined as current University employees (non-student) who have a need to know for the purpose of performing appropriate University research, educational, or administrative function and whose work assignment reasonably requires access (see the below standard). Out of Scope Private data (e.g., HIPAA, social security numbers, PCI DSS) that is classified as Private-Highly Restricted as defined in Administrative Policy: Data Security Classification will not be shared in this manner and are out of scope for this procedure. Those receiving requests (providers) from University of Minnesota faculty and researchers should be directed to the procedure for “Sharing Data with University Faculty and Researchers”. Those receiving requests (providers) for data from external University audiences should be directed to the procedure for “Sharing Data with Audiences External to the University”. Procedural Guidelines for Sharing Data with Internal Audiences