Academic Policy 1900.20
Use of ISIS Data by Direct Access Users
The purpose of allowing direct access to information on or from ISIS (student information system) system is to provide management information including information to assist deans and vice chancellors in making data-driven decisions for their school/college or division. Direct access to ISIS data is not available for general use by faculty or staff. This policy addresses only the access privileges and handling procedures specific to ISIS data.
- The data contained on ISIS are private and confidential. Authorization to use these data
is given solely for job-related, educational purposes. Any use or disclosure of such
information that is not permitted by state or federal law or university policy is strictly
- The Office of Institutional Research (OIR) remains the official source of academic management
information (data, statistics) for the university. OIR will consult with departments,
colleges, and other units on established definitions and data parameters to ensure
the consistency of data generated for planning purposes. OIR will continue to be responsible
for official enrollment, instructor and course information for planning and program
Consistent with arrangements made with the OIR, any college, school or functional offices in charge of inputting data should handle requests to them for such data/information, particularly requests made by individuals not affiliated with the University.
- Recommending the granting of access to personnel within a school/college or division
(but outside functional offices and the OIR) rests with the dean or vice chancellor.
The dean or vice chancellor may recommend to the ISIS director a limited number of
individuals to have the broad access given to direct access users. ISIS information
will only be accessed, transmitted or disseminated on a need-to-know basis by and
for those individuals with a mission- and function-related need for the data for their
unit. ISIS data forwarded in response to a report request should include a statement
indicating that discretion should be used in further forwarding the information to
other parties e.g., "The following report contains potentially sensitive data provided
in response to a specific need-to-know request. Discretion should be used in forwarding
this information to additional parties."
- Direct access users have access to university-wide data in ISIS, but are obligated to
use only data specific to their needs. Sensitive data such as social security numbers,
student grades and grade point averages, and student financial information will not
be used except when essential to the project or as directed by authorized reporting
agencies, and should always be handled with particular care. Where possible, the University
Personal Identification number (UID) will be used instead of the social security number.
An example of unauthorized use of data would be for a college to generate mailings
sent to admitted or prospective students who have not indicated an interest in that
college, or mailings otherwise inconsistent with Office of Admissions policy.
- Under no circumstances may ISIS information be displayed, copied or emailed for purposes
unrelated to the user’s administrative duties or to individuals for personal knowledge
or gain. No employee of the university may generate lists of names from the ISIS database
to distribute to an unauthorized third party for purposes apart from the mission of
the university. An example of unacceptable distribution of ISIS data would be to provide
a local business with the names and addresses of incoming students for advertising
that business’ products or services.
- Non-aggregate student data will not be stored outside of ISIS unless the storing of such
data is necessary to the project or operations. Typically, non-aggregate student data
will be stored in secure locations that are certified as secure by the IT Services
security team. If it is necessary to store these data on laptops or desktops, measures
must be taken to secure the data including such measures as the following:
- the use of personal firewalls on the machines,
- hard drive encryption,
- security audits of such machines by IT Services at least once a year.
- Direct access users are responsible for protecting all data consistent with university policy. Users are required to read and be familiar with this ISIS policy and the following areas of national and university policy and to sign the form at the bottom of this policy statement signifying their agreement to comply with all applicable policies in order to be given direct access to ISIS data. Examples of such policies include but are not limited to the following.
Failure to comply with any provision of these policies may result in loss of access to ISIS data and/or disciplinary action, including the possibility of dismissal.
Reformatted for Web October 1, 2014