PURPOSE

These guidelines are established to provide quality and consistency for data entry and conversion. They also define the responsibilities of everyone accessing and managing the data and equipment. Offices are permitted to establish individual guidelines that supplement, but do not supplant or contradict, these guidelines. Data entrusted to Weber State University by other organizations (e.g., Foundations and Governmental agencies) is governed by terms and conditions agreed upon with those organizations. Specific issues not governed by such agreed terms shall be governed by the guidelines set forth in this document.

With the goal of ensuring database integrity and easy, professional, cost-effective communication University wide, these guidelines will direct users to:

Avoid creation of duplicate records for a single entity;
Provide complete name/address information in a timely manner, with an audit trail of changes;
Use standard entry to facilitate consistent reports and searches;
Share effective processing discoveries and problem-resolution tasks with other team members;
Use Postal Services recommended mailing address setup and procedures;
Take advantage of database capabilities, data integration and workflow analysis.

ADMINISTRATIVE RESPONSIBILITY

In accordance with the Family Education Rights and Privacy Act (FERPA), 1974, as amended, and to ensure maximum safeguards against indiscriminate distribution of information contained in a student’s personal records at Weber State University, only authorized Weber State University personnel will disclose information of a confidential nature. That is, information not normally available to the general public will be provided only to the students themselves, or to a third party upon receipt of an original written release signed by the student concerned.

Certain exceptions to FERPA include authorized University personnel acting within the student's legitimate interest; organizations conducting studies for educational and governmental agencies; accrediting agencies; appropriate persons in case of health or safety emergencies; agencies or office in connection with a student's applications for financial aid; governmental officials as identified by Public Law 93-380; and an appropriate official in response to a court order or subpoena.

Without a signed release, the University can make only "directory information" available for public use in campus directories, publicity of events, honors, and the like. The following constitutes directory information: Name, Address, Phone, Date of Birth, Dates and Terms of Attendance, Full/Part Time, Major Field of Study, Degrees and/or Certificates Earned, and Academic Honors Received.

All levels of management shall ensure their areas of accountability so that each information system user knows his/her responsibilities. Employees must adhere to any applicable Federal and State laws covering storage, retention, use, release, and destruction of data.

Electronic data is owned by Weber State University and is a vital asset. All institutional data, whether maintained in the central database or copied into other data systems, including microcomputers, remains the property of Weber State University. Access to data is not approved for use outside an individual’s official Weber State University responsibility. Computerized, institutional data shall be used only for the legitimate business of Weber State University. Institutional computing services and facilities shall be used only as required in the performance of job functions.

Text Box: Section II

Supervising administrators shall ensure a secure office environment with regard to all institutional information systems. Administrators shall validate the access requirements of their staff according to job functions, before submitting requests for the provision of access. Under no circumstances shall anyone use institutional electronic data (in detail or summary) in any publication, seminar, or professional presentation, or otherwise release data in any form outside Weber State University, without prior written approval from the appropriate data custodian (see page 7.) Data should never be left on any system to which access is not controlled.

As a general principle of access, Weber State University data (regardless of who collects or maintains it) shall be shared among those employees whose work can be done more effectively by knowledge of such information. Although the University must protect the security and confidentiality of data, the procedures to allow access to data must not unduly interfere with the efficient conduct of University business.

All information systems owned by Weber State University shall be constructed to assure that:

1. Accuracy and completeness of all system contents are maintained during storage and processing.

2. System capabilities can be re-established within an appropriate time after loss or damage by accident, malfunction, breach of security, or natural disaster.

3. Actual or attempted breaches of security can be detected promptly and controlled.

4. All who use institutional data have the right to expect the data to be accurate.

ACCESS TO OFFICIAL WEBER STATE UNIVERSITY RECORDS

University departments/divisions will observe the following requirements and limitations when obtaining permission for inquiry and update access to Weber State University’s official records. The need to maintain data security is everyone’s responsibility and must be impressed upon all employees.

Access will be awarded only after appropriate tailored training is received and the University’s Confidentiality Agreement has been signed. Entries to Lynx general entity (person or non-person) tables affect the overall integrity of the database used by all Lynx modules. Failure to abide by the guidelines outlined in this manual for creating and maintaining general entity records will result in loss of access. (Cherrie Nelson’s Team – How is this being handled now?)

Employees must not loan or share their login codes or passwords with anyone. If it is found that login codes are being loaned or shared, employees who are assigned access to records are subject to disciplinary action.

Departments/divisions should take steps to ensure that they have an alternate person assigned as backup for each office function, and that this individual has access to the system functions required to provide backup support. Every department/division will maintain a current list of primary and secondary users for the various module functions.

Departments/divisions may request access authorization for an employee by completing and submitting a System Access Authorization Request to the appropriate data custodian. If a request is questioned or denied, the data custodian will contact the requesting department/division. If a request is approved, the data custodian will forward the request electronically to Information Technology Database Administration. Once access is granted by Database Administration, appropriate tailored training must be conducted and acknowledged by the data custodian’s signature before access is granted to the production database. Under no circumstances will access authorization be granted without approval of the department/division head, the module data custodian, and Data Administration. The Lynx Access Request Form may be obtained from the Information Technology division or its manager or at http://www.weber.edu/accounting >>> LYNX Request From).

Workflow will be used to notify the appropriate person of forms to view, approve, or disapprove. The notification process is done through GroupWise.

Update access provides both inquiry and update capability. Update capability is generally limited to the offices directly responsible for the collection and management of the data. Update access is available to administrators and users who have an authorized need to change institutional data in the routine performance of their job duties.

Each user of administrative information is assigned the appropriate combinations of inquiry-only and update access to specific parts of the Lynx administrative information system. The types of access are determined by the data custodians.

DATA CUSTODIANS

A data custodian, usually an administrator of a Weber State University office or department, may make data available to others within his or her department for use and support of the unit’s functions.

Before granting access to data, the data custodian shall be satisfied that the protection requirements have been implemented and a “need to know” is clearly demonstrated. By approving end-user access to institutional data, the data custodian consents to the use of this data within the normal business functions of administrative and academic offices. Query (inquiry) access to institutional data will be broadly available throughout the institution.

Data custodians (or designees) are responsible for the accuracy and completeness of data files in their areas. Misuse or inappropriate use by individuals will result in revocation of access privileges. Data custodians are also responsible for coordinating maintenance and control of the Lynx administrative information system’s validation and rule tables and for conferring with other data custodians on impending changes. The validation and approval of software releases is the responsibility of Information Technology. These tables and processes define how business is conducted at Weber State University and all satellite locations.

Data Custodians

Area of Responsi-bility	Financial Aid Module	Student Module	Finance Module	A/D Module	Human Resources Module	Payroll
WSU (Main & Davis Campus)	Director of Financial Aid	Registrar – Bruce Bowen?	Comptroller	Director of Alumni Development Services	AVP Human Resources	Payroll Manager
Continuing Education	Same as above	Same as above	Same as above	Same as above	Same as above	Same as above
WSU Online (WEB CT?)	Same as above	Same as above	Same as above	Same as above	Same as above	Same as above
Satellite Campuses	Same as above	Same as above	Same as above	Same as above	Same as above	Same as above

Eliminate Area of Responsibility as a column, outline in text above?

General Person Record Custodians:

Order of Precedence	Area of Responsibility	General Module
1	Employee	Human Resources & Payroll
2	Employment Applicant	Human Resources
3	Vendor	Purchasing and AP
4	Student on Financial Aid	Director, Financial Aid
5	Student	Registrar Office
6	Third Party Billing	Accounts Receivable
7	Donor	Development Office
8	Alumnus	Alumnus Development
9	Student Applicant (Undergraduate & Graduate)	Admissions Office
10	Friend of WSU	Development

A general record (person or non-person) may have more than one active/current association with the University (i.e., employee, student, vendor and donor). When general record data needs to be updated or corrected, refer to the “Order of Precedence” column to determine the association with the highest precedence (lowest number). Notify the appropriate offices to make the needed change. GUASYST will display general record associations. (Need to define what this process will be and get it into a training manual/appendix)

INFORMATION USERS

Users are responsible for understanding all data elements that are part of the General Person record. If a person does not understand the meaning of a data element, he/she should consult online help or the appropriate training manual. (A data dictionary is being generated.) Users will exercise due care in using the institution’s information systems, both the central institutional database and all departmental systems, to protect data files from unauthorized use, disclosure, alteration, or destruction. Each user is responsible for security, privacy, and control of his/her own data. Each user is responsible for all transactions occurring during the use of his/her login and password.

The department/division must have all employees, temporary employees, or student workers sign the Confidentiality Agreement (See Appendix H). All employees who require access to online records must use a system login code defined specifically for that employee. This will allow updates to be tracked to a specific user login code and a specific person.

Any exceptions to the above guidelines must be requested in writing with justification and be approved by the data custodians.

INFORMATION ACCESS

Query (Inquiry) only access enables the user to view, analyze, and download, but not to change institutional data. However, once information is downloaded, data can be (but should not be) altered in word processing documents or spreadsheets. Downloaded information should be used and represented responsibly and accurately. Any reports generated from downloaded data must be labeled “unofficial.”

CONFIDENTIAL FLAG

Because of FERPA regulations regarding the confidentiality of student records, this flag is critical.

The Confidential Flag, which is set on the XXXPERS screen, will be added by the Registrar’s Office or Human Resources and may be used by other offices, such as Alumni/Development. A warning message box will appear the first time the record is viewed, and the confidential information will be visible on every form related to the individual.

This Flag indicates that a person wants all or part of his/her record kept confidential, some or all of personal information blocked from the Campus Directory, and/or some or all information NOT to be published in other documents. (See Below)

CONFIDENTIAL INFORMATION INDICATOR

(Is there something higher than FERPA that can be added so this becomes a statement for General Person as well as General Student records?)

In accordance with FERPA, if a person wishes to have his/her information marked “confidential”, this field is checked. When information is marked confidential, no directory information is to be released. A person’s confidential request is entered on the Person Form XXXAPERS. The following constitutes directory information: Name, Address, Phone, Date of Birth, Dates and Terms of Attendance, Full/Part time, Major Field of Study, and Degrees and/or Certificates Earned, and Academic Honors Received. If the Confidentiality indicator is not (or is ‘null’), the directory information that will be released is limited to Name, Address, Phone, Date of Birth, Dates and Terms of Attendance, Full/Part time, Major Field of Study, and Degrees and/or Certificates Earned, and Academic Honors Received. For Alumni/Development, this means that the person should not be included in any published alumni directory. A person’s confidential request is entered on the Person Form XXAPERS.(from version 1/12/04)

III. Record Creation Guidelines