Ohio Admin. Code 3341-6-18 - Data use and protection
(A) Policy statement and purpose
(B) Policy-definitions
(1) Data - BGSU data includes, but is not limited to, student records, personnel data, research data, BGSU financial data, BGSU or department administrative records, alumni and donor information, library circulation information, and medical information. Such information may be in existing or archived form, or in physical or digital form. Data may include facts, files, records, reports, or any information meant only for internal use and/or subject to confidentiality agreements.
(2) Data owner/steward - university officials or their designees assigned planning and policy-level responsibility for data within their functional areas, and management responsibility for defined segments of institutional data. Data owners are responsible within their functional areas for assigning and overseeing authorized data users, overseeing the establishment of data policies, determining legal and regulatory requirements for data, and promoting appropriate data use and data quality.
(3) Data users - any authorized faculty, staff, or student at BGSU that accesses, modifies, or handles data.
(C) Policy
(1) All data users must use and protect data in a manner consistent with all relevant policies of BGSU.
(2) All data users must be aware of and comply with all applicable Federal, State, and other applicable laws, contracts, regulations, and licenses.
(3) BGSU data should be given one of the following classifications by the data owner/steward
(a) Public - data that must be released under Ohio public records laws or where BGSU unconditionally waives an exception to the public records law.
(b) Limited access - data BGSU may release if it chooses to waive exceptions to the public records law and place conditions or limitations on such release. Notification of unauthorized access is not required to the victims or other outside entities. e.g. intellectual property, research data, BGSU ID numbers
(c) Restricted - Data release prohibited by federal laws, state laws, and/or contractual obligations. For data to be defined as restricted, notification of unauthorized access is required to the victims or other outside entities. e.g. social security numbers, personal health information, driver's license numbers
(4) All data users must understand the classification of the data they are accessing and protect the data appropriately based on the classification. (See data resource summary for assistance with this step)
(5) All data users must only access or attempt to access data that they are authorized to use and then use only in a manner and to the extent authorized.
(6) Data users may only provide data to other data users authorized to receive such data.
(7) Related policies
(a) Information technology
Notes
Promulgated Under: 111.15
Statutory Authority: 3345
Rule Amplifies: 3345