Access and Authorization to Information Systems
Scope
This procedure is used for authorizing access to information in Geneseo's various databases and logs including Banner, Human Resources, phone logs, email logs, Canvas logs and others. It covers requests for any database or service managed by CIT. Example requests include: adding application accounts, providing query/update access to given application forms or screens, providing access to reports or data extracts, providing information to third parties, providing information as part of an investigation and others.
The Geneseo Banner Steering Committee recommends that any other department that provides access to information follow this authorization policy or implement a policy specific to their situation. Institutional Reporting and Human Resources, are specific example of departments that fulfill information requests.
Procedure
1. If access is being provided to information for someone directly affiliated with Geneseo, CIT will consult the office designated as the data custodian. Geneseo affiliations include the following examples: faculty, non-academic employees, Campus Auxiliary Services, Foundation, students, SUNY or New York State agencies, and others. It does not include third-party vendors. The offices and contacts for data custodians are listed in the following table:
Data Custodians
| Data Subject Area | Office | Contacts |
|---|---|---|
| Alumni - Demographics (name, address, phone, email), Activities, Giving History | Advancement | Lynn Myers |
| Applicant and Recruit | Admissions | Margaret Foster |
| Employee | Human Resources | Julie Briggs |
| Financial Aid | Financial Aid | Susan Romano |
| NCAA Athletic Standing | Intercollegiate Athletics | Danielle Drews |
| Student Academics, Demographics including names, addresses, phones, emails and student data not otherwise specified | Registrar | Keely Soltow |
|
Student Activities and Organizations (e.g. athletics, greek organizations, clubs) (this area is somewhat shared and depends on topic area) |
Student and Campus Life Advancement |
Chip Matthews Lynn Myers |
| Student Disability Information | Disability Services | Amy Fisk |
| Student Financial Information including billing and payments | Student Accounts | Sandy Argentieri |
| Student Housing | Residence Life | Sarah Frank |
| Student ID Photos | Campus Auxiliary Services | Pam Connor |
| Student Medical Record | Health and Counseling | Karen Mack |
| Student/Employee CAMP Email | CIT | Sue Chichester |
2. If the information is being provided to a third-party other than a New York State agency (e.g. SUNY), CIT will require approval from the campus risk manager and FOIL officer. Approval will also be required from the appropriate data custodians as specified above.
3. If access is being requested for students PII (personally identifiable information) fields protected by federal or state law such as social security number (SSN) approval will be required from the Dean of Students and the Registrar. This specific procedure was established in 2008 to limit access to SSN within the application and all reporting processes. Access is only provided if warranted based on the person's job role (i.e. need to know). Examples include: payroll functions, financial aid, records management responsibilities, required for NYS systems, sole means to identify student in third party system (e.g. NYS Teacher Certification database).
4. Access to data protected under FERPA also requires approval by the designated campus FERPA officer. Examples of data protected under FERPA include the following:
- grades
- test scores
- I.D. numbers or social security numbers
- financial records
- class schedules
- semester, cumulative, or major GPA
- housing information
- conduct records (or results of reviews)
- date and place of birth
- enrollment status
- class attendance information
Review FERPA and release of student information for more details. In general it is recommended to review requests with the campus FERPA officer before releasing any student information.
5. Requests for information from CIT managed database information and logs as part of an investigation must be made directly to the CIO or CIO's designee. Requests will only be acted upon from University Police with subpoena, the Dean of Students regarding students, the Director of Human Resources regarding employees, and the President or the President's designee.