Confidentiality of Information and Research Data

I. Introduction

Ethical, legal, and professional responsibility rules require appropriate management of institutional information and research data by all stewards and custodians (confidentiality). This policy establishes the foundational roles and rules of information management.

II. Policy Statement

All information and data stewards and custodians will abide by ethical, legal, and professional responsibility rules in the maintenance and appropriate use of institutional information and research data.

III. To Whom This Policy Applies and Responsibilities

1. This policy applies to every person (employee, volunteer, etc.) who has access, manages, or manipulates institutional information and research data.
2. Institutional Information and Data Stewards
   1. Scope: Stewards have the highest level of responsibility for administering the privacy, security, and regulatory compliance of data sets under their purview (e.g., education records, human resources, financial data).
   2. Authority/Responsibility: Information and data stewards authorize access and deactivation of individual custodians with a business need to access, manage, or manipulate institutional information and research data.
   3. Stewards must provide training in the proper handling and management of institutional information and research data for custodians under their authority.
3. Institutional Information and Data Custodians
   1. Scope: Custodians are any individuals (employees, volunteers, etc.) who access, manage, or manipulate institutional information or research data.
   2. Authority/Responsibility: Custodians must follow campus policy and stewardship rules for handling of institutional information and research data.

IV. Standards

This policy requires adherence to ethical, legal, and professional standards, including, but not limited to: 

1. Institutional need-only access, management, and manipulation of institutional information and research data (i.e., no "administrative voyeurism").
2. Disclosure of institutional information and research data in compliance with law, campus policy, and stewardship rules.
3. The obligation not to facilitate the violation of administrative policies or the circumvention of technical or physical safeguards by others.

V. Related Documents

• ITS-007: Policy Document

VI. Related Policies

• ITS-001: Acceptable Use of Information Technology Resources Policy
• ITS-006: Information Security Policy

The UMass campuses strive to maintain consistent IT policies. The Confidentiality of Institutional Information and Research Data Policy and related documents have been adopted with permission from UMass Amherst.