Data Access Policy

Category: Information Technology

Responsible Office: Information Security Office

Responsible Executive: Vice President and Chief Information Officer (VPCIO)

Date Established: July 6, 2013

Date Updated: September 10, 2024

Summary

The Data Access Policy defines the roles, responsibilities, data management environment, and procedures for granting access to UB’s non-public data.

Policy Statement

The University at Buffalo (UB, university) is committed to protecting and maintaining university data by ensuring individuals who access, retrieve, update, process, analyze, store, distribute or in other manners use university data do so for legitimate and documented university business purposes.

The University at Buffalo is the owner of all university data. Individual units or departments have stewardship responsibilities for portions of the data, with assigned Data Stewards and Data Trustees who designate data roles to carry out institutional business in keeping with the Data Risk Classification Policy.

All university data must be classified and protected in accordance with the Data Risk Classification Policy.

  • University data which is not publicly available is classified as Category 1 - Restricted Data or Category 2 - Private Data.
    • Category 1 and Category 2 data must be protected throughout its life cycle in a manner which is consistent with its classification.
  • Publicly available data is classified as Category 3 data.
    • Category 3 data has no requirements for confidentiality; however, systems housing the data should have reasonable measures in place to protect its accuracy.
  • Processing, review, use, and storage of Category 1 and/or Category 2 data may only occur within:
    • UB managed computer assets and environments (both physical and virtual) specified for use for the data classification in question.
    • Systems and services for which UB has contracted for the storage, use or maintenance of Category 1 or Category 2 data.
  • Data Trustees and Data Stewards grant access to data only to the extent which the Data User requires it to perform assigned duties and responsibilities (“need to know” access). “Need to know” access is determined by the Data Steward, based upon information provided by the Data Manager, as follows:
    • Identify the Data User’s assigned duties and responsibilities and evaluate how these relate to the data that is the subject of the request.
    • Determine which specific aspects of the data are directly relevant to the Data User’s duties and responsibilities (e.g., which data elements, functions).
    • Grant access only to those aspects of the data that are directly relevant to the User’s work-related requirements. The Data Steward confirms that the Data Manager is in an appropriate position to evaluate the “need to know” and the level and type of access requested. The Data Steward ensures that individuals who will have access to Data sign a confidentiality agreement that assures compliance with university policies and procedures and appropriate safeguards.
      • Data access is evaluated for renewal or removal on a semi-annual basis, or more often as needed.
      • Data access rights are non-transferable.
  • Any system which houses, uses or accesses UB data must be implemented through UB’s existing software and web-based services review process to ensure university data is properly managed throughout the data lifecycle.
  • Approved systems will be documented within an approved software list, in a way which enables an understanding of the system’s function, the institutional data which it holds, and how it fits into UB’s overall institutional data architecture and university data governance.
  • Data Users are prohibited from:
    • Releasing, sharing, or transmitting data to unauthorized users.
    • Using data for purposes other than those for which the data access was granted.
    • Copying, photographing, recording, recreating or in any way reproducing the data outside of the identified systems.
  • Data Users must successfully complete Handling Data Safely prior to receiving data access.
  • Access to Social Security Numbers (SSN) is granted only to employees with a specific legal or business need that cannot be met in another way.
  • Data Users who request access to SSNs are required to complete the Social Security Number Data Access Request, stating the legal statute and/or business need for SSNs. A committee composed of several Data Trustees and the ISO reviews all SSN access requests.
  • Extracts of data, data feeds, and data within shadow systems, extension systems, extender systems, or other applicable systems that store Category 1 or Category 2 data have the same classification level and utilize the same protective measures as the same data in the systems of record.
  • Any shadow system, extension system, extender system, or other applicable system that stores Category 1 or Category 2 data must be disclosed to the appropriate Data Trustee and the ISO.
  • Computer systems and devices used to support data must adhere to the UB Minimum Security Standards for Desktops, Laptops, Mobile, and Other Endpoint Devices and the UB Minimum Server Security and Hardening Standards.

Applicability

The Data Access Policy applies to university data in hard copy and electronic format and supplements the Protection of University Data Policy as well as the Data Risk Classification Policy.

Separate policies and procedures apply to HIPAA regulated data. Contact the Director of HIPAA Compliance (hipaa-compliance@buffalo.edu) for more information.

Violations of this policy will result in appropriate disciplinary measures in accordance with university policies, applicable collective bargaining agreements, and state and federal laws. For data regulated by the Health Insurance Portability and Accountability Act (HIPAA), refer to the applicable HIPAA policies or the Director of UB HIPAA Compliance.

Definitions

Data Administration: The responsibility for the activities of data administration, including detailed data definition, is shared among the Data Stewards, Data Managers, and the VPCIO.

Data Type: A specific and distinguishable data item or element which can be categorized under UB’s Data Risk Classification Policy and protected accordingly.

Non-Public Data: According to the Data Risk Classification Policy, Category 1 - Restricted Data and Category 2 - Private Data are considered non-public data.

Senior Management: Designated as the president, provost, vice provosts, executive vice presidents, vice presidents, associate vice presidents, and deans who are eligible for access to enterprise-wide aggregate and summary university data. Senior management is authorized to delegate access of enterprise-wide aggregate and summary university data, as deemed appropriate.

Shadow system, extension system, extender system: Small-scale databases and/or spreadsheets developed for and used by end users, outside the direct control of an organization's official information access, management, and/or security protocols.

Third Party: Any entity which is legally separate from the University at Buffalo, but with which the university may partner when conducting business.

University Data: Items of information which are collected, maintained, and utilized by the university for the purpose of carrying out institutional business. Includes centrally stored data, as well as data generated and stored in university departments and decanal units. All university data is required to have an identified Data Trustee.

Responsibilities

Data Manager: University officials and their staff with operational-level responsibility for information management activities related to the capture, maintenance, and dissemination of data. Data Stewards may delegate data administration activities to Data Managers.

Data Owner: The University at Buffalo owns all university data, while individual units or departments may have stewardship responsibility for portions of such data. The Data Owner is responsible for:

  • Administering activities delegated by data stewards.
  • Maintaining physical and system security and safeguards appropriate to the classification level of the data in their custody.

Data Steward: University official who has planning and policy-level responsibilities for data in their functional areas. Data Stewards are assigned by the Data Trustee and responsible for:

  • Adhere to the principles of least privilege and minimum-necessary.
  • Creation and maintenance of data documentation, including data dictionaries, data flow diagrams and data lineage.
  • Develop and maintain clear and consistent procedures for data access and use in keeping with university policies.
  • Educate faculty, staff, and students on data-related matters.
  • Ensure that training and awareness of the terms of this policy are provided.
  • Ensuring data in their functional area is accurate, consistent, and reliable.
  • Have supervisory responsibilities for defined elements of institutional data.
  • Implementation and enforcement of data policies, standards, and practices. This includes definition of data ownership, access controls, data classification and data lifecycle management.
  • Maintenance of metadata – information about data elements, their definitions, and relationships.
  • Management of data security and privacy, in conjunction with the ISO.
  • May grant, renew, and revoke access to Data Managers and/or Data Users (as delegated by Data Trustees).
  • Monitor compliance with this policy.
  • Prevent unauthorized access to Category 1 Restricted Data and Category 2 Private Data.
  • Reporting concerns and possible incidents to management for proper institutional evaluation and response.
  • Responsible for planning and policy-level responsibilities for data in their functional areas.

Data Trustee: Senior leader of the university (i.e., vice president, vice provost, dean) who has responsibility for areas that have systems of record. Data Trustees are responsible for:

  • Assignment and oversight of data stewards.
  • Adhere to the principles of least privilege and minimum-necessary.
  • Classify university data in accordance with the Data Risk Classification Policy.
  • Control university data by granting access, renewing access, and revoking access to Data Stewards, Data Managers, and/or Data Users. Data Trustees may delegate this responsibility to Data Stewards or Data Managers.
  • Ensure that Data Stewards in their area are compliant with data governance principles.
  • Establishment of data policies within their functional areas.
  • Legal and regulatory compliance specific to their domain.
  • Promotion of data quality and use.
  • Report concerns and possible incidents to management for proper institutional evaluation and response.
  • Responsible for ensuring that data stewards, data managers, and data users in their respective area(s) are compliant with data governance principles.
  • Senior leaders of the university (vice-presidents, vice-provosts, and deans) who have responsibility for areas that have systems of record.

Data User: An individual who needs and uses university data as part of their assigned duties or to fulfill their role in the university community, with access as granted by a Data Trustee or Data Steward. Data users are responsible for:

  • Access, retrieve, update, process, analyze, store, distribute, or in other manners use university data for the legitimate and documented conduct of university business.
  • Adhere to the principles of least privilege and minimum-necessary.
  • Comply with the Data Risk Classification Policy and secure Category 1 - Restricted Data and Category 2 - Private Data.
  • Data Users who misuse data and/or illegally access data are subject to sanctions or penalties in accordance with employee relations policies. Sanctions or penalties are based on the standards outlined in university policy, state or federal regulations, and the appropriate collective bargaining agreements.
  • Follow appropriate safeguards to protect data based on its classification.
  • Following all university policies, procedures, and standards related to data security classification and security level, including applicable federal and state laws.
  • Implementing appropriate safeguards to protect data.
  • Maintaining the confidentiality, integrity, and availability of university data.
  • Reporting concerns and possible incidents to management for proper institutional evaluation and response.
  • Successfully complete Handling Data Safely prior to receiving data access.
  • Use data for the purposes for which access is granted.

Information Security Officer (ISO): The ISO is responsible for:

  • Conducting periodic security reviews of systems approved for storing and handling protected data.
  • Development and delivery of enterprise information security strategy, governance, and policy in support of institutional goals. Information security incidents must be reported to the ISO.
  • Reviewing and approving departmental collection, storage, and transmission of data when necessary, according to its classification.
  • Serving on the Cloud Services Review Committee.

Information Security and Privacy Advisory Committee (ISPAC): ISPAC is responsible for evaluating, developing, and recommending information security and privacy policies, procedures, and operations vital to protecting and sustaining the university’s mission.

Records Management Officer:

  • Determines appropriate record disclosures pertaining to FOIL requests.

Vice President and Chief Information Officer (VPCIO):

The VPCIO provides leadership for development and delivery of information technology (IT) services to the university. The VPCIO oversees an enterprise IT services organization, Computing and Information Technology (CIT), and works in partnership with UB’s schools, colleges, and administrative IT units to enable a unified and productive IT experience for students, faculty, and staff.

Contact Information

Office of the Vice President and Chief Information Officer
Phone: 716-645-7979
Email: vpcio@buffalo.edu

Information Security Office
Phone: 716-645-6997
Email: sec-office@buffalo.edu

Records Management Office
Phone: 716-645-1786
