Information Technology

Information Technology Policies and Procedures

Print this page | E-mail this page

A045 COMPUTER ACCESS AND CONFIDENTIALITY

Untitled Document

Revised 1/11/07
                                                                     

BACKGROUND

The University has established an institution-wide system of computer data and information. University employees and faculty members are given certain types of access to certain databases consistent with their position and job responsibilities.

 

POLICY

Authorized system users and restricted access system users must keep information obtained from system access confidential except as otherwise necessary to perform the task assigned. In all instances authorized system users and restricted access system users are responsible for having knowledge of and complying with all laws and University policies relative to confidentiality.

 

DEFINITIONS

Authorized system user:  A person who has been given a sign-on access code by the appropriate data custodian. Such access may be restricted to certain limited information (see below).

 

Restricted access code system user:  A person who has been given a sign-on access code, but who is restricted to limited information.

 

PROCEDURE

I.  Guidelines for Access to Data Bases

1.  Regular full-time and regular part-time employees should be provided

     access to information on the University's computer system only on a

     need-to-know basis.  Such limitations must be consistent with

     University policy and applicable law. For example, if student

     information is involved, such access must be consistent with the

     Family Educational Rights and Privacy Act (Buckley Amendment)

     (20 USC 1232g). If patient information or medical records are

     involved, such access must be consistent with applicable University

     policy and Florida and Federal Statutes (i.e., HIPPA). Access to

     personnel records is also limited by University policy and by

     applicable law. Except in limited circumstances, students, student

     assistants and part-time (other than regular part-time) employees

     of the University shall not be permitted to have access to

     confidential information residing in the various applications.

 

2.  Students and part-time (other than regular part-time) employees

     may be allowed to have only limited access sign-on codes into any

     of the applications systems.  The determination of whether or not a

     student or part-time (other than regular part-time) employee should

     have such access will be as follows:

a.   The need to know or use the information to do a specific job

      for an authorized user.

b.   The duties of the employee must be specifically assigned,

      and a determination made that the employee has a need to

      use certain confidential information.

c.   There must be adequate supervision of the employee at all

      times while accessing the system. The preceding criteria

      should be documented by each department when requesting

      student assistants.  The College Work-Study Department

      should include these criteria in the training session for

      departments and when assigning student assistants.

 

II.  Confidentiality Obligations of All Employees

 

1.  All information obtained through the system must be kept

     confidential, and may not be modified, copied, disclosed or made

     available to others, except as permitted under Federal and Florida

     law and as required for the performance of the employee's job,

     without the prior permission or instruction of the supervisor.

 

2.  Authorized system users and restricted access system users may

     not disclose their access code to anyone.

 

3.  Authorized system users and restricted access system users

     must follow all applicable security guidelines relating to use of the

     system. System users are obligated to make every reasonable effort

     to prevent the viewing of information by unauthorized parties.

4.  Data custodians and supervisors are expected to inform each

     authorized system user and restricted access system user of this

     policy and any specific requirements relating to the user's specific

     circumstances.

 

5.  Authorized system users and restricted access system users

     must be particularly aware of privacy issues when dealing with

     student and medical patient information. Unauthorized disclosure

     of such information is strictly prohibited, and may violate federal

     and state laws.

6.  Authorized system users and restricted access system users

     must sign a Computer Access Authorization Form (available from

     the appropriate data custodian) at the time of applying for an

     access code.  Information on appropriate data custodians is

     available from Information Technology Security/Control Department.