Roles and Responsibilities for Information Management Policy

PRINT DISCLAIMER: Official version of this document is accessible in the online policy library at https://policyoffice.ku.edu/. Printed copies may not reflect the most recent updates.

DOCUMENT TYPE:

Policy

PURPOSE:

The proper stewardship and custodianship of University administrative information will facilitate access to data that supports the work of those with official educational or administrative responsibilities within the institution, consistent with legal, ethical, competitive, and practical considerations.

This document informs information stewards, managers, custodians, and users of data of their responsibilities.

Note:  Nothing in this document precludes or addresses the release of institutional data to external organizations or governmental agencies as required by legislation, regulation, or other legal vehicle.

This document serves two primary purposes:

  1. It outlines different categories of University administrative data in the central administrative functional areas of the University, noting stewardship responsibilities (to an individual or designee) in each area.
  2. It describes the responsibility of information stewards, managers, and custodians to coordinate and manage information for their respective administrative areas.

APPLIES TO:

This policy applies to faculty, staff, students, official University affiliates, and any other individuals who use University information resources under the administrative control of the Lawrence campus, including the Edwards campus and all other off-site units reporting to the Lawrence campus.

CAMPUS:

Edwards, Lawrence, Juniper Gardens, Parsons, Topeka, Yoder

POLICY STATEMENT:

The University of Kansas provides information resources to faculty, staff, students, official University affiliates, and others in support of the education, research, and public service mission of the University.

The University expects all stewards and custodians of its administrative information to manage, access, and utilize this information in a manner that is consistent with the University's need for security and confidentiality.  University of Kansas administrative functional areas must develop and maintain clear and consistent procedures for access to University administrative information, as appropriate.

Information Stewards

An information steward is an individual who has been designated by the Chancellor or the Chancellor’s designee to have policy level responsibility for determining how information will be created, managed, used, maintained, and stored within the information steward's functional area of responsibility.

An information steward is familiar with records issues, laws, and regulations and shall:

  • Determine the purpose and function of the information.
  • Determine the level of security based on the content of the information.
  • Determine the level of criticality of the information.
  • Determine accessibility rights to the information.
  • Determine the appropriate method of providing business continuity for critical information (e.g., information needed to continue service at an alternate site if needed).
  • Specify adequate records retention, in accordance with KU policies, and state and federal laws and regulations.
     

The attached Table 1, which shall be updated as needed by the Chancellor or the Chancellor’s designee, shows the administrative functional areas of the University and their respective information stewards.

Table 1: Administrative functional areas of the University and their respective information stewards:

 

Academic Program Data

  

Vice Provost, Academic Affairs
 

Alumni Affairs and Development Data

  

Chancellor’s Office
 

Budget Data

  

Vice Provost, Finance
 

Facilities Data

  

Vice Provost, Scholarly Support
 

Faculty Data

  

Vice Provost, Faculty Affairs
 

Financial Data

  

Vice Provost, Finance
 

Human Resources Data

  

Provost’s Office
 

Information Technology and Libraries Data

  

Vice Provost, Information Services
 

Planning Data

  

University Director, Institutional Research and Planning
 

Sponsored Research Administrative Data

  

Vice Provost, Research and Graduate Studies
 

Student Data

  

Vice Provost, Student Success


Information Managers

Individuals, usually department or program heads, who may also have operational responsibilities for the management of University administrative data at a unit, departmental, or university-wide level.  These managers assume the following data management responsibilities as applicable to their mission

  • Provide compliance with University policies, and state and federal laws and regulations relating to data integrity, security, and confidentiality by their staff or others authorized to access data. 
  • Establish any specialized operating procedures and guidelines needed to comply with University policies and state and federal laws and regulations relating to data integrity, security, and confidentiality by users of data for which they are responsible.
  •  Provide for the appropriate authorization of access to data for staff or other individuals in their areas of authority.  Assure that records are maintained for individuals with delegated access.
  • Oversee implementation of and maintenance of administrative systems to assure compliance with University policies, standards, direction, and best business practices.


Information Custodians

Information custodians are individuals who have operational responsibilities within a functional area for University administrative data.  Their operational responsibilities within that functional area may be at a unit, departmental, or university-wide level.  These individuals assume the following data custodian responsibilities as applicable to their mission

  • Implement and maintain operating processes, procedures, and guidelines to comply with University policies, and state and federal laws and regulations relating to data integrity, security, and confidentiality.
  • Determine responsible access, use, and disclosure of University data.
  • Grant access to data for staff or for individuals in their areas of authority.  Maintain records for individuals with access.
  • Provide for the release of University administrative data only to an individual who has a legitimate interest in the data (and only as permitted by state and federal law).
  • Coordinate implementation and/or maintenance of administrative systems to assure compliance with University standards, direction, and best business practices.
  • Coordinate and/or facilitate training and information resources for data users on compliance with University policies, standards, direction, and best business practices.
  • Recognize the consequences of improper custodianship of University data.

Granting Access to Others

Custodians of University administrative data may release this data only to individuals with a legitimate interest in the data (see: Definitions), and only to individuals who are either a) employees or volunteers of the University accessing data to perform assigned duties, or b) individuals under contract to the University accessing data to perform special tasks, such as outside attorneys, external auditors, or other consultants.

Note:  Access to University administrative data should be limited, whenever possible, to the data necessary to perform the task.  In addition, the individual with the legitimate interest must remain mindful of any applicable law or policy specifically related to the handling and/or disclosure of that data (e.g., educational records under the Family Educations Records Privacy Act).  Contracts with vendors or contractors who require access to University administrative data to perform a contracted service must contain appropriate provisions that require the vendor or contractor (and any subcontractors) to maintain the privacy and security of the University data.

Guidelines

You may access, manipulate, or change data only as required to fulfill your assigned duties.  Improper maintenance, disposal, or release of University administrative data exposes the University to significant risk (see the Information Custodians segment of this document).

Therefore, those who request, use, possess, or have access to University administrative data must agree to certain guidelines.  Below are examples of some of these guidelines in the form of general prohibitions that apply to all areas.  Information Stewards will issue detailed guidelines for each functional area of responsibility.

Note:  A steward, manager, or custodian, in addition to other data users, may be asked to sign an Access to University Data Agreement.

General Prohibitions

Note: These examples are illustrative, not exhaustive.

  • Do not change data about yourself for other than authorized business purposes or self-service applications designed to permit you to change your own data.  Do not use information (even if authorized to access it) to support actions by which individuals might profit (e.g., a change in salary, title or band level; a better grade in a course).  Do not disclose information about individuals without prior supervisory authorization.
  • Do not engage in what might be termed "administrative voyeurism," or engaging in activities (e.g., tracking the pattern of salary raises; determining the source and/or destination of telephone calls or Internet protocol addresses; exploring race and ethnicity indicators; looking up grades) without a legitimate business purpose.
  • Do not circumvent the nature or level of data access given to others by providing access or data sets that are broader than those available to them via their own approved levels of access (e.g., providing a university-wide data set of human resource information to a coworker who has approved access only to a single human resource department).
  • Do not facilitate another's unauthorized or illegal access to KU’s administrative systems or compromise the integrity of the systems data by sharing your passwords or other information.
  • Do not violate University policies or federal, state, or local laws or regulations in accessing, manipulating, or disclosing University administrative data.

CONSEQUENCES:

Faculty, staff, and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.

Students who violate this University policy may be subject to proceedings for non-academic misconduct based on their student status.

Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation.

CONTACT:

If you have questions about specific issues regarding the Roles and Responsibilities for Information Management Policy, contact the following administrative functional area of the University:

Subject

Contact

Clarification of Roles and Responsibilities document

Vice Provost, Information Services

Academic Program Data

Vice Provost, Academic Affairs

Alumni Affairs and Development Data

Chancellor’s Office

Budget Data

Vice Provost, Finance

Facilities Data

Vice Provost, Scholarly Support

Faculty Data

Vice Provost, Faculty Affairs

Financial Data

Vice Provost, Finance

Human Resources Data

Provost’s Office

Information Technology and Libraries Data

Office of the Chief Information Officer
1001 Sunnyside Avenue 
Lawrence, KS 66045
785-864-4999
kucio@ku.edu

Planning Data

University Director, Institutional Research and Planning

Sponsored Research Administrative Data

Vice Provost, Research and Graduate Studies

Student Data

Vice Provost, Student Success

APPROVED BY:

Chief Information Officer

APPROVED ON:

2009-09-19

EFFECTIVE ON:

2009-09-19

REVIEW CYCLE:

Annual (As Needed)

RELATED STATUTES, REGULATIONS, AND/OR POLICIES:

Information Management Program FAQ’s

KU Information Management Responsibility Hierarchy graphic

KU General Privacy Policy

Data Classification and Handling Policy

Student Records Policy

Information Technology Security Policy

Electronic Data Disposal Policy

Electronic Data Disposal Procedure

Data Removal from KU-Owned Computers

E-commerce Policy

Password Policy

Acceptable Use of Electronic Information Resources

Procedures for Investigative Contact by Law Enforcement

Electronic Mail (Email) Policy

Gramm-Leach-Bliley Student Financial Information Security Program

Clinic Policies and Procedures Regarding Privacy & Security of Patient Information

KU General Records Retention Schedule

Telecommunications Wiring Policy

Wireless Local Area Network Systems Policy

Wireless Guest Access Procedure

Virtual Private Network Policy (KU Anywhere)

Access to Financial System

Access to HR System

Access to Student System

Laws:

Family Educational Rights and Privacy Act (FERPA), 20 USC §1232g (1974)

Health Insurance Portability and Accountability Act (HIPAA), P.L. 104-191(1996)

Gramm-Leach-Bliley Financial Services Modernization Act (GLB) P.L. 106-102, 113 Stat. 1338 (1999)

Kansas Open Records Act, K.S.A. §45-215 et. seq.

Electronic Communications Privacy Act (ECPA), [ legal citation ]

Patriot Act, [ legal citation ]

Computer Fraud & Abuse Act, [legal citation ]

DEFINITIONS:

These definitions apply to these terms as they are used in this document.

Functional area, for purposes of this policy, the administrative functional areas of the University are identified as follows: alumni affairs and development, academic programs, budget, finance, facilities, human resources, information technologies, planning, sponsored research, and student services.  These areas may be updated by the Chancellor or Chancellor’s designee on the attached Table 1 as needed.

University affiliates are the people and organizations associated with the University through some form of formalized agreement.

University administrative information is the administrative functional area information, in any form, including that stored centrally as well as in colleges and departments.

Legitimate interest is a valid need for administrative functional area data that arises within the scope of University employment and/or in the performance of authorized duties related to educational (FERPA), business needs, or research purposes.

Information Stewards are those individuals who have been appointed by the Chancellor or the Chancellor’s designee to have policy level responsibility for determining how information will be created, managed, used, maintained, and stored within the information steward's functional area of responsibility.

Information Managers are those individuals, usually department or program heads, who may also have operational responsibilities for the management of University administrative data at a unit, departmental, or university-wide level.

Information Custodians are those individuals who have operational responsibilities within a functional area for University administrative data at a unit, departmental, or university-wide level.

CHANGE HISTORY:

03/25/2025: Migration to TeamDynamix from Drupal.
12/11/2024: Updated broken links.
01/18/2024: Updated contact section.
01/26/2022: Updated contact section.
07/17/2017: Fixed broken links.
07/20/2016: Updated to remove gendered pronouns.
01/30/2015: Updated formatting and revised policy.
06/19/2013: Policy uploaded into the Policy Library.

Was this helpful?
0 reviews
Print Article

Related Articles (13)

Acceptable Use of Electronic Information Resources
This policy outlines the expectations for the use of electronic information resources at the University of Kansas.
Data Classification and Handling Policy
Information is a valuable University asset and is critical to the mission of teaching, research, and service to Kansans.Determining how to protect and handle information depends on a consideration of the information’s type, importance, and usage.Classification is necessary to understand which security practices should be used to protect different types of information. The more protected the information needs to be, the more practices are required.
Electronic Data Disposal Policy
Data confidentiality is an issue of legal and ethical concern. The purpose of this policy is to provide for proper cleaning or destruction of sensitive/confidential data and licensed software on all computer systems, electronic devices and electronic media being disposed, recycled or transferred either as surplus property or to another user.
Electronic Data Disposal Procedure
The purpose of this procedure is to implement the University of Kansas Electronic Data Disposal Policy.
Electronic Mail Policy
To define appropriate use of electronic mail in the University
Gramm-Leach-Bliley Student Financial Information Security Program
This document outlines the University of Kansas, Lawrence, program to protect critical information and data and to comply with Federal Law[1] on student financial information. The goal of this document is to define the University's Gramm Leach Bliley (GLB) Student Financial Information Security Program, to provide an outline to assure ongoing compliance with federal regulations related to the Program and to enhance the University’s ability to respond to likely future privacy and security regulat
Information Technology Security Policy
This Information Security Policy (“Policy”) defines the security requirements that everyone who works or studies at KU Lawrence campus and all reporting units is expected to be familiar with and consistently follow. These security measures are set forth to avoid problems that affect the Confidentiality, Integrity, and Availability of information and systems at the University.
Investigative Contact by Law Enforcement, Policy and Procedures
To assist University faculty and staff in responding to investigative contact by law enforcement officials.
Password Policy
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of password change.
Privacy Policy, General
To set forth requirements regarding information entrusted to the University by the public and members of the KU community.
Telecommunications Wiring Policy
To establish principles and provisions to guide the University in the construction and ongoing management of its telecommunications cabling infrastructure.
Virtual Private Network (VPN) Service on the University of Kansas Data Network
This policy outlines the purpose and approved use of Virtual Private Networks on the University of Kansas network
Wireless Local Area Network (LAN) Systems Policy
This policy outlines a uniform set of components, installation practices, processes, procedures and operational criteria, in order to manage (802.11x) wireless LAN systems and to ensure that these resources are used in a secure and efficient fashion.