Responsibility for Maintenance: Office of Institutional Planning, Assessment and Research (IPAR); Compliance; Information Technology Services (ITS)
Date of most recent changes: June 17, 2024
I. Policy Statement
The purpose of this policy is to define a framework for classifying and handling institutional data and data reports. The policy establishes appropriate controls and processes for the production and dissemination of institutional data and reports based on level of sensitivity, privacy, and criticality to Onondaga Community College (OCC).
II. Reason for Policy
The College is responsible for ensuring the accuracy of institutional data and reports, for protecting the privacy of students and employees, and for complying with all regulations and guidelines regarding the classification, collection, handling, and dissemination of institutional data.
In the context of information security, data classification is based on the impact to the College should that data be disclosed, altered, or destroyed without authorization. Thus, the classification of data helps determine appropriate security controls for safeguarding that data and positions the College to remain in compliance with current and emerging privacy laws and regulations.
The objectives of this policy are:
- To increase the College’s capacity to interpret data and draw inferences from data in order to inform planning, evaluation, decision-making, and resource allocation;
- To comply with applicable federal, state and local laws, as well as guidelines and regulations established by federal and state agencies regarding data reporting and privacy protection;
- To clarify responsibilities and procedures regarding the collection, analysis, and dissemination of institutional data;
- To ensure the accuracy of institutional data and reports;
- To ensure that limited institutional resources are invested in the production of high-quality data and reports that meet external accreditation and reporting requirements and support institutional decision-making.
III. Applicability of the Policy
This policy is applicable to all employees and third-party agents of the College, as well as any other College-affiliates who are authorized to access institutional data. Members of the College working with or using institutional data in any manner must comply with federal, state and local laws, all applicable College policies and procedures, and all applicable contracts and licenses. In particular, all users of institutional data must adhere to the Federal Family Educational Rights and Privacy Act (FERPA) guidelines. This policy does not apply to New York State Freedom of Information Law (FOIL) requests.
This policy does not apply to the dissemination or publication of general information about the activities of the College or responses to inquiries from the media, which are guided by the College’s Policy on Communications and Public Relations.
IV. Related Documents
- Onondaga Community College Policy C1 Compliance with the Family Educational Rights And Privacy Act (The “Buckley Amendment”)
- Foil and Open Meetings Law Compliance – Policy B5
- Authorization to Release Students’ Education Records - Policy C11
- HIPAA Privacy Policy - I12
- Certification of Financial Statements - Policy G12
- Communications and Public Relations - Policy B4
- Institutional Compliance - Policy B17
V. Contacts
Subject | Office Name | Telephone Number | Email/URL |
---|---|---|---|
Institutional and Operational Reporting | Office of Institutional Planning, Assessment and Research
Information Technology Services | (315) 498-2500
(315) 498-2686 |
|
Ensuring compliance | Compliance | (315) 498-2172 | delanda@sunyocc.edu |
VI. Definitions
Data Definitions
Institutional Data
Institutional data is any data related to the business of the College, including, but not limited to financial, personnel, student, alumni, communication, and physical resources. It includes data maintained at the department level as well as centrally, regardless of the media or system on which they reside. Institutional data includes records that are stored on-premises or online by software service providers. Institutional data referring to College and community members can include personally identifiable as well aggregated, anonymous, and other non-identifiable data.
All institutional data is classified into one of three classifications: Restricted, Private, or Public.
All institutional data not explicitly classified as Restricted or Public data should be treated as Private data.
Restricted Data
Data should be classified as Restricted when the unauthorized disclosure, alteration, or destruction of that data could cause a significant level of financial or legal risk to the College. The highest level of security controls should be applied to Restricted data.
Restricted data includes but is not limited to:
- Data protected by state or federal privacy regulations and confidentiality agreements;
- Items listed as private information in the New York State Security Breach and Notification Act such as bank account/credit card/debit card numbers, Social Security numbers, financial information, state-issued driver license numbers, and state-issued non-driver identification numbers;
- HIPAA protected health information (PHI);
- Administrative authentication credentials;
- Passport numbers;
- Documents protected by attorney-client privilege;
- Personal data collected from individuals in the European Union (EU);
Note: Restricted data may be exempt from disclosure/release under the New York State Freedom of Information Law (FOIL). The Security Breach and Notification Act requires the College to disclose any breach of the Restricted data to the affected individuals.
Private Data
Data should be classified as Private when the unauthorized disclosure, alteration, or destruction of that data could result in a moderate level of risk to the College. Private data is relevant to internal operations and is not readily available to the public. A reasonable level of security controls should be applied to Private data.
Private data includes but is not limited to:
- College non-public data such as FERPA-protected student records;
- College business records;
- OCC IDs;
- Licensed software;
- Public safety information;
- HR employment data;
- Collective bargaining negotiating/contract data;
- Protected data related to research;
- Intellectual property;
- Any non-public data that would generally require a FOIL request prior to release.
Note: The New York State General Business Law 899-aa requires the College to disclose any breach of Private data to the affected individuals.
Public Data
Public data is general-access data, such as that which is available on unauthenticated portions of the College website. This data may be freely disclosed and available to the public at little or no risk to the College. Public data has no requirements for confidentiality and is releasable under FOIL.
Report Definitions
Data reports are curated presentations of raw data collected and organized into a digestible format. Data reports are classified into three types: External Institutional Reports, Internal Institutional Reports, and Operational Reports.
External Institutional Reports
External Institutional Reports are the official College reports that fulfill reporting requirements
for government agencies (local, state, SUNY, and federal), contractual, grant, accreditation, and any other non-OCC entity.
Internal Institutional Reports
Internal Institutional Reports are the official College reports on admissions, enrollment, retention, graduation rates, degree completions and financial aid that are shared among campus constituencies.
Operational Reports
Operational Reports include data elements used internally at the department level to support routine operations.
Roles and Responsibilities Definitions
Data Trustee: A data trustee is a senior college administrator with significant responsibility for an operational area that uses a system/application serving as an authoritative source of data relied upon by the campus community.
Data Owner: A data owner has legal ownership of either functional or enterprise-wide data. The data owner has the ability to create, edit, modify, share and restrict access to the data. The owner also has the ability to assign, share or surrender all of his/her privileges to a third party.
Data Managers: A data manager holds operational-level responsibility for data management activities related to the dissemination of student and employee data, and for the documentation of departmental procedures and internal controls to ensure the accuracy of access to data, and the data used for external and internal institutional reports.
Data Steward: A data steward is a staff member with oversight responsibility for a subset of the College’s data. The steward is typically a functional end user within an operational area who is deemed an expert regarding data managed by the operational area.
Data Custodian: A data custodian is a data administrator who is responsible for some aspect of the management and operation of any of the systems that serve as sources of institutional data.
Data User: A data user is an individual who has access to College data as part of assigned duties or in fulfillment of assigned roles or functions within the college community. Data Users include Data Processors and Data Readers
- Data Reader: Is a staff with read only access to data in his/her functional area.
- Data Processor: Individuals that are authorized by data custodians to enter, modify, or delete data.
Executive Council: The Executive Council will serve as the oversight committee for planning and policy-level responsibilities for College data. Executive Council, as a group, works collaboratively with the Data Governance Council (DGC), Office of Institutional Planning, Assessment, and Research (IPAR), and Information Technology Services (ITS) to establish overall policy and procedures for management and access to the institutional data of the College.
Data Governance Council (DGC): The Data Governance Council serves as OCC’s steering committee for policy on data classification, security, integrity, access, quality, and monitoring. It addresses issues related to data and information management across the OCC campus.
Administrative Systems Oversight Team (ASOT): ASOT will provide vetting, oversight, and guidance to the data stewards as needed for decisions on proposed business process and/or policy changes relating to data classification, prior to presentation of these proposed changes to the executive council. ASOT will be the advisor to the Assistant Vice President of ITS, on matters of access and security.
The ASOT memberships is comprised of data stewards with representation from the following business areas:
- Admissions
- Academic Affairs
- Alumni & Donor
- Student Affairs
- Finance
- Financial Aid
- Human Resources
- Institutional Planning, Assessment & Research
- Information Technology Services (CORE data and network system information)
- Student Accounts
VII. Procedures
- Maintaining appropriate access to data;
- Assistance with compiling and analyzing documentation regarding data collection, analysis, and reporting responsibilities of departments;
- Identifying areas where responsibilities may require agreement between two or more departments;
- Identifying potential data inconsistencies or inaccuracies;
- Institutional /operational reporting recommendations.
Each division/department is responsible for developing and documenting departmental procedures and internal controls to ensure appropriate access to data and the accuracy of data used for external and internal institutional reports.
Division/departments must provide IPAR with the list of Data Owners responsible for reviewing the accuracy of data collected by the division/department and provided to IPAR for external and internal institutional reporting purposes.
External Institutional Reporting
- The Office of the President and the Office of Institutional Planning, Assessment, and Research (IPAR) are the only offices authorized to submit institutional data or reports to external entities. No other office may disseminate institutional data that is not publicly available to an external entity.
- Each College division head is responsible for providing the Office of Compliance with an annual list of institutional data and reports required for compliance with federal, state, or local agencies.
- Each Division’s list of institutional reporting requirements for the subsequent academic year will be submitted to the Office of Compliance by July 30 each year. Each Division’s list will include the name and contact information for the requesting agency, report purpose, due dates, information required, location of document, and College contact.
- The Office of Compliance is responsible for maintaining a summary listing of all institutional reports submitted to external entities, for selectively reviewing such reports prepared by other departments, and providing recommendations that will ensure report timeliness, consistency, and accuracy.
- The Office of Compliance will compile and maintain a database of external institutional reports routinely required and post a calendar of annual report deadlines by August 31 for the subsequent academic year.
Internal Institutional/Operational Reporting
- IPAR is responsible for creating and maintaining a summary listing of all internal institutional reports prepared by IPAR / ITS and other departments used for institutional decision-making.
2. Each College division head is responsible for confirming the list of institutional reports annually.
- New internal institutional reports must be validated by IPAR / ITS and approval by the Data Governance Council for College use.
- Operational data / reports are the responsibility of the designated functional area.
Requests for Institutional/ Operational Data, Reports and Studies
- All requests for institutional / operational data, reports and studies must be submitted through the Institutional Data Request form. The request form will be reviewed and vetted by IPAR / ITS and possible additional review and approval from the Data Governance Council.
- All requests for new institutional data, reports, and studies that are not included in the annual calendar of internal or external institutional reports must be submitted through this process.
- For operational reporting, the processing of the request will include reaching out to appropriate data owners when data or access is from another function area.
VIII. Forms/Online Processes
- Institutional Data Request Form | Onondaga Community College (sunyocc.edu)
- Inventory/Calendar of Institutional Reports
- Informer Reporting (sunyocc.edu)
IX. Violation of this Policy
Violations of this policy may result in the immediate suspension and/or revocation of information technology resources privileges. Students may also be subject to disciplinary action in accordance with the Student Code of Conduct, and employees may also be subject to disciplinary action in accordance with appropriate bargaining unit agreements and/or for violation of the College’s Computing Statement of Responsibility agreement. Violations of state and/or federal laws in the use of the College’s data may also result in criminal prosecution of the individual student/employee and/ or civil liability for the individual student/employee.
Approved by the OCC Board of Trustees June 27, 2023
Updated and approved by the President June 17, 2024