28 Survey Results: Survey Questions and Responses Data that includes identifiers must be kept on a certain platform and can’t be shared but only with certain individuals. FERPA laws are applied in the use of all such data. Handling institutional data must comply with IRB and FERPA requirements. Institutional data must be stored in such a way as to ensure that the data is secure and that access is limited to authorized users. Reference the university’s data management policy for more information. Institutional data requests happen on ad-hoc basis and depending on the type of information requested, we might be asked to follow certain protocols on how to store and use the data, especially if the data includes identifiers. IRB approval Just the usual stipulations around confidentiality and privacy. There is an information management policy. Must be secure using standard computer security practices. Personally identifiable information must be reported. Privacy and security Privacy restrictions The Office of Information Technology requires an explanation of how data is to be used and limits access based on the use case. The university stipulates that we cannot share data provided to us. Further, we must store that data on a separate, secured server. These are handled on a per-project basis through the Institutional Review Board process. These offices and policies cover stipulations, including Institutional Research Board, HIPPA, and FERPA. Training is required to use student-level data. Student data is kept in secure server environments. We are exploring what policies we would like to put in place in order to protect privacy and confidentiality and determine what information would be useful not only to share, but to receive back. We are very limited in what we can acquire. Currently, we get patron status data and academic department only. We have data-related policies at the central level for institutional data, and we must comply with those policies. We have to honor FERPA and student/employee-initiated privacy blocks. We have to comply with the university’s data sensitivity framework controls. We provide a dataset collected using IRB approvals and this dataset is provided with requested data points and returned to the library. We anonymize the dataset and retain and manage it using FERPA and IRB requirements. We regularly partner with Institutional Research. IR will not give us any institutional data unless we have conferred with IRB about the study and followed their protocols for approval/exemption. IR does not provide stipulations in a formal manner, but generally we must keep study participants’ identities private. To directly email users and ask that they participate in studies, we need names/emails, which means that we are not able to receive truly anonymous data (receiving anonymous data would be the Libraries’ preference).