10-02-04 Computer Data Administration

UNIVERSITY OF PITTSBURGH POLICY 10-02-04

CATEGORY:         SUPPORT SERVICES
SECTION:          Computing, Information, and Data
SUBJECT:          Computer Data Administration
EFFECTIVE DATE:   February 1, 2007 Revised
PAGE(S):          2

I.    SCOPE

      This policy establishes the responsibilities for collecting, maintaining, 
      regulating, and requesting on-line access to University computer data.  It 
      applies to all departments and responsibility centers requiring the use of 
      University computer data.

II.   POLICY

      Integrity and Availability of University Computer Data

      University computer data is defined as any information stored on a 
      University owned and maintained computer system.  This includes data 
      stored on computer hard disks, computer tapes, memory devices, optical 
      disks, and any other type of computer data storage media.

      Responsibility for collecting and/or processing accurate and complete 
      University computer data rests with University departments and 
      responsibility centers that have ownership of data stored on University 
      computer systems.

      Designation and Responsibilities of a Data Owner

      Ultimate data ownership legally rests with the University.  Departments 
      and responsibility centers must designate a “Data Owner” that will be a 
      steward of University data and responsible for:

      -     Maintaining documented records describing the storage location, the 
            use, and the protection of University computer data.  This includes, 
            but is not limited to, creating and maintaining an inventory of data 
            used by the department or responsibility center, documenting users 
            who have access to this data, and documenting controls used to 
            protect this data.

      -     Addressing the accuracy and completeness of University computer 
            data.

      -     Ensuring the availability of University computer data through the 
            use of data backup solutions.

      -     In coordination with department administrators, resolving all 
            discrepancies regarding University computer data concerning an 
            individual (student, faculty, staff).

      -     Reviewing and, if appropriate, approving requests for access to 
            University computer data in accordance with Policy 10-02-06, 
            University Administrative Computer Data (UACD) Security and Privacy.

      -     Establishing and maintaining standards regarding the collection 
            access, maintenance, use, dissemination, and protection of 
            University computer data.  These standards must align with 
            University policies involving computer data.

      -     Ensuring that submitted requests for access to University computer 
            data include the specific computer data required and the purposes 
            for which it will be used.

      A Data Owner may rely on the expertise of an Information Technology 
      professional to meet these requirements; however, the Data Owner is to be 
      held responsible for ensuring that these requirements are fully addressed.

      A Data Owner may be responsible for all data used by a department or 
      responsibility center, or for specific data sets.  Multiple Data Owners 
      may be designated by a department or responsibility center to address 
      multiple data sets within their areas of responsibility.

      Authorized Access to University Computer Data

      University computer data are considered proprietary information and will 
      be made available on a "need to know" basis to individuals requiring 
      knowledge of such data to perform their job responsibilities.  Data Owners 
      are responsible for verifying the access requirements  of their staff, and 
      for ensuring that all University computer data users within their areas of 
      accountability are aware of University policies applicable to maintaining 
      the integrity, availability and confidentiality of University computer 
      data.

      It is the responsibility of the requestor to affirm that the accessed 
      University computer data be used only as required in the performance of 
      their duties.

      Requests which are denied by the Data Owner may be appealed to the 
      appropriate senior officer for consideration.

      Reporting Violations of Computer Use Policy

      Violations of this policy should be reported immediately to the department 
      with responsibilities for the compliance with this policy, including Human 
      Resources, the Office of General Counsel, and CSSD.  Violations can also 
      be reported by sending e-mail to abuse@pitt.edu.  The University will 
      strive to maintain confidentiality to the extent possible consistent with 
      other obligations.

      Disciplinary Action

      Violations of this policy will result in appropriate disciplinary action, 
      which may include loss of computing privileges, suspension, termination, 
      or expulsion from the University, and legal action.

      Violations of any federal, state, or local law concerning the unauthorized 
      access or use of University computers and computing services will result 
      in the appropriate disciplinary action up to, and including termination 
      from the University.

III.  REFERENCES

      Policy 10-02-05, Computer Access and Use

      Policy 10-02-06, University Administrative Computer Data (UACD) Security 
      and Privacy