The Institutional Data Access and Authorization Standard was issued March 1. The procedure takes effect on July 1, 2021, for new systems, applications, and institutional data products, while existing systems, applications, and institutional data products have until July 1, 2022, to reach compliance.
The procedure outlines processes and requirements related to policy statement number four of the Institutional Data Policy, which states, “Access to protected institutional data shall be authorized and managed to protect individual privacy, maintain promised confidentiality, and ensure appropriate access and use. Access to institutional data will be controlled by reasonable physical, technical, and administrative measures to prevent unauthorized access. Access will be granted based on authorization provided by the applicable institutional data steward or stewards based on appropriateness of an individual’s role and the intended use. Authorization and access will be documented, reviewed, modified, and terminated in accordance with all applicable laws and UW System and university policies, procedures, and standards. Protected institutional data may only be accessed for business purposes within the scope of an individual’s university duties.”
The Institutional Data Access and Authorization Standard provides details that make implementation of the policy statement possible, including policy authorization requirements, the access request and authorization processes, how authorization decisions are made, when access would be authorized based on the risk level of the data, automatic role-based authorization processes, how shared and service account access must be managed, obligations, responsibilities, and more.
Procedures and standards that accompany the Institutional Data Policy are being released on a rolling basis as they are drafted and approved. They provide the additional detail and requirements needed to effectuate the policy statements.