Administrative Procedure 2.215
Mandatory Training and Continued Education Requirements for Data Users
Administrative Procedure Chapter 2, Administration
Administrative Procedure AP 2.215, Mandatory Training and Continuing Education Requirements for Data Users
Effective Date: February 2018
Prior Dates Amended: N/A
Responsible Office: Office of the Vice President for Academic Planning and Policy
Governing Board of Regents Policy: RP 2.202 Duties of the President
Review Date: February 2021
A. To describe the mandatory training and continuing education requirements for UH employees, students, and affiliates who are considered Data Users.
B. To protect the privacy and security of Institutional Data under the University’s stewardship.
C. To ensure compliance with federal and state laws, rules, and regulations (see list below), as well as all applicable University policies (e.g., Executive Policies EP 2.215, Institutional Data Governance and EP 2.214, Institutional Data Classification Categories and Information Security Guidelines).
1. Family Educational Rights and Privacy Act (FERPA)
2. Higher Education Act (HEA)
3. Health Insurance Portability and Accountability Act (HIPAA)
4. Hawai‘i Revised Statutes, Chapter 487N – Security Breach of Personal Information
5. Chapter 92F – Uniform Information Practices Act
6. PCI-DSS (Payment Card Industry Data Security Standard)
7. NIST SP 800-171 (National Institute of Standards and Technology Special Programs)
8. National Industrial Security Program (NISPOM)
9. Bioterrorism Special Agent Program
A. Data Sharing Request Process – A process that governs the release of Institutional Data and provides an understanding of how the data is being used, by whom, and where it is being copied and stored, and how it is being managed and protected.
B. Data Users – All UH employees, students, and affiliates who, in order to fulfill their job duties and responsibilities, require access to UH Institutional Data. Data Users are responsible for understanding and complying with applicable UH policies and procedures and federal and state laws dealing with Protected Data.
C. Executive Data Stewards – Executive Data Stewards exist at the system and campus levels. They are accountable for the use and management of Institutional Data at their respective campuses or within the Institutional Data Systems under their purview. Executive Data Stewards have the authority to grant and remove access privileges to Institutional Data Systems. For more information on Executive Data Stewards, refer to Executive Policy EP 2.215, Institutional Data Governance. A listing of Executive Data Stewards and associated System Executive Data Stewards is available at the following site. http://www.hawaii.edu/uhdatagov/stewards.pdf
D. General Confidentiality Notice (GCN) – One of two mandatory training and continuing education requirements for Data Users. The GCN outlines the responsibilities of Data Users with access to protected information. A UH username is required to access the GCN.
A GCN for individuals who do not have UH usernames (third parties) is also available.
E. Information Security Awareness Training (ISAT) – The second of two mandatory training and continuing education requirements for Data Users. ISAT covers the proper handling of protected information and related UH policies and procedures, and applicable federal and state laws and regulations.
F. Institutional Data Systems – UH systemwide repositories that collect and store data that are created, received, maintained and/or transmitted by the University of Hawai’i in the course of meeting its administrative and academic requirements (e.g., Banner Student Information System, PeopleSoft, Kuali Financial System, STAR, Laulima, etc.).
A listing of Institutional Data Systems and associated System Executive Data Stewards is available at the following site. Note the list is not intended to be all-inclusive of the University’s Institutional Data Systems, but rather, represents Institutional Data Systems that most likely contain protected data.
G. Legitimate educational interest – The basis for granting access to an education record, which involves performing an appropriate educational, research or administrative function of the University.
H. Protected Data – Institutional Data that are subject to security and privacy considerations (i.e., all non-public data). These data fall under the Institutional Data Classification Categories of “restricted,” “sensitive,” and “regulated.” For more information, refer to Executive Policy EP 2.214, Institutional Data Classification Categories and Information Security Guidelines.
III. Administrative Procedure
1. This administrative procedure is applicable to:
a. Data Users who have access to Protected Data in bulk quantities, i.e., multiple records. This access may take the form of login privileges to one or more Institutional Data Systems where the Data User has electronic access to multiple/bulk records. Likewise, there are Data Users who may not have login privileges to an Institutional Data System but may still work with Protected Data. Both sets of users are subject to the mandatory training and continuing education requirements described below in section III-B.
b. Individuals who are requesting access to Institutional Data through the Data Sharing Request Process. The request for access may be related to fulfilling an administrative or academic work-related requirement or for research purposes. The Data Sharing Request Process applies to individuals who are requesting access to data that they do not normally have access to and therefore need someone else to provide the data to them.
2. This administrative procedure is not applicable to:
Data Users who have view access to a single record at a time. For those with login privileges to an Institutional Data System, this means they can only query one record at a time.
B. MANDATORY TRAINING AND CONTINUING EDUCATION REQUIREMENTS
1. Data Users will need to complete the Information Security Awareness Training (ISAT) and General Confidentiality Notice (GCN) before being granted access to protected data.
a. Information Security Awareness Training (ISAT)
(1) Data Users with UH usernames must self-register and successfully complete the training modules. www.hawaii.edu/infosec/training.html
(2) Individuals who do not have UH usernames must contact the Data Governance Program to gain access to the training modules (firstname.lastname@example.org, 956-7487).
b. General Confidentiality Notice (GCN)
(1) Data Users with UH usernames must log in, read, and acknowledge the GCN. www.hawaii.edu/its/acer
(2) Individuals who do not have UH usernames must complete the Non-UH GCN version. http://www.hawaii.edu/uhdatagov/nonuh_gcn.pdf
c. Data Users requesting access privileges to a particular Institutional Data System for the first time may need to complete a request form for that particular Institutional Data System in addition to completing the ISAT and GCN.
d. Requests for access to Protected Data for research purposes will be granted on a case-by-case basis as part of the Data Sharing Request Process.
2. Data Users will need to periodically renew their training and education requirements.
a. The ISAT must be re-taken every two years.
b. The GCN must be re-acknowledged annually.
c. An email notification from the System Executive Data Steward (or his or her designee) will be sent two months in advance to Data Users and their supervisors when an ISAT renewal and/or GCN re-acknowledgement are required. A final reminder will be sent to both parties a week in advance.
d. Access will be removed upon failure to complete either requirement within the specified expiration date(s).
C. EXECUTIVE DATA STEWARD ROLES AND RESPONSIBILITIES
1. System and Campus Executive Data Stewards have the authority to grant or remove access to Institutional Data under their purview. This includes granting or removing access privileges to an Institutional Data System. For more information on Executive Data Stewards, refer to Executive Policy EP 2.215, Institutional Data Governance. A listing of Institutional Data Systems and associated System Executive Data Stewards is available at the following site. http://www.hawaii.edu/uhdatagov/stewards.pdf
2. The System Executive Data Steward of an Institutional Data System (or his or her designee) is responsible for ensuring Data Users are current on their ISAT and GCN requirements. This responsibility involves notifying Data Users to re-take the training or re-acknowledge the GCN. The System Executive Data Steward will receive a report that indicates the status of each Data User. The System Executive Data Steward may appoint a designee to manage this function.
IV. Delegation of Authority
No Delegation of Authority found
V. Contact Information
Office of the Vice President for Academic Planning and Policy
Sandra Furuto, 956-7487, email@example.com
The following site lists the University of Hawai‘i executive policies, State of Hawai‘i Revised Statutes, and external regulations that relate to data governance and have information security implications.
VII. Exhibits and Appendices
No Exhibits and Appendices found
March 05, 2018