Overview/Purpose

This document describes the considerations around the use of sensitive student data at OSU. Federal statute requires stewardship and protection of these data, outlining specific requirements in terms of learner records and the requirements of safeguarding them.

 

Context/philosophy around our policies

Although there are various types of institutional data that need to be safeguarded, The Enrollment Management unit is especially tasked with the protection of all data maintained for future, current, and past students. This includes demographic information, academic records, medical data and financial information. The student record is comprised of data that is owned by the institution, but the student is the one allowed to control the access to the data. This means that the data is kept private and only shared with OSU employees who need it to perform the functions of their roles, or when express written consent is granted by the student.

 

Records Custodians

  • Oregon State University has defined a group of key campus leaders who are responsible for the custody of various types of data. Information about the various data/records custodians can be viewed at http://fa.oregonstate.edu/gen-manual/acceptable-use-university-information.

  • Custodians serve multiple roles. While they are tasked with protecting sensitive information, they are also the University’s resident experts on the use of data and how to best access it. Consulting with a records custodian can greatly improve the value of the information gained from the data being pulled because data custodians can best help deliver student data to help serve students better.

  • Data custodians often find that by asking a few questions about the type of data people are looking to utilize and the goals they are trying to accomplish, people can be steered toward the data that makes the most sense for their purposes.  For example, there are several types of GPAs recorded in Banner for a given student; not just one. Providing that context enriches the outcome of the decisions people make based on that data.

  • Data custodians help identify information that is restricted according to law or assess the risk associated with the use of data being sought while ensuring that the institution upholds its legal obligation to protect the individual.

 

Categories of Data

  • Aggregate data is data that is generally available to everyone and can be considered public information. Examples include:

    • enrollment counts

    • GPA/grade average/trend data

    • demographic breakdowns

    • other summary data that does not identify (nor allow to be identified) specific individuals or their data

  • Disaggregated data and identifiable data is data that is restricted to individuals who have a legitimate educational interest in accessing that data to perform the functions of one’s job. Examples include:

    • Data on specific students that is connected to them and maintained by the institution.  

    • Personally Identifiable Information (PII): Data that is unique/traceable to a specific person. These data are protected by state statute. Included are Driver’s License/ID card number, Social Security Number, and credit or debit card information.

    • Aggregated data for very small populations that might indirectly allow an individual to be identified.

  • Data that is intended to be transported or integrated to other computer systems generally requires the creation and approval of a Memorandum of Understanding (MOU) that defines the data to be used, how it will be used, and how often it is updated. The MOU must be reviewed/approved by the data custodians whose data are involved in the transfer, the data integrators and the University’s Chief Information Security Officer.

 

Sources of Data

    • Systems access: Employees of Oregon State University and certain affiliates may need access to university data systems on a regular basis.

      • Security Access Request form: used to request access to OSU systems including Banner, Data Warehouse, and related data sources.

      • CORE: OSU’s newest data visualization and reporting tool. Access is granted to OSU employees based on job class and role. http://core.oregonstate.edu

    • Other data sources:

      • The Office Institutional Research: The office’s mission is to produce timely statistics, qualitative information and analyses that support university strategic planning and decision-making. http://oregonstate.edu/admin/aa/ir/

      • Data Request form: Individuals performing research may need access to data on a one-time or case-by-case basis. This information can be requested by using the form linked here.

      • Public records request: If you do not work for the university and wish to request information, you may submit a public records request by accessing this website: http://leadership.oregonstate.edu/general-counsel/public-records-request

      • Subpoenas: If you have received a subpoena for records, please submit those to the University General Counsel: http://leadership.oregonstate.edu/general-counsel

      • Other policies/resources: There are a number of other policies and resources that may be relevant to your request for data.

        • Infosec web page

        • Policy for Acceptable Use of University Computing Resources

        • Legal and National Standards governing the release of student information

          • Section 483(a)(3)(E) of the Higher Education Act specifically restricts the use of the FAFSA data. It states in summary that data collected on the FAFSA form shall be used only for the application, award, and administration of aid awarded under federal student aid programs, state aid, or aid awarded by eligible institutions or such entities as the Department may designate.

            Other financial aid record disclosures to other offices or departments are prohibited unless the institution has determined that the individual employee requesting the data has a legitimate educational interest in the records. Institutions may define what constitutes a legitimate educational interest slightly different, but in all cases, an institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational use for the information as part of their official duties.


In accordance with OSU’s data governance policy outlined above, data stewards will only provide data related to newly collected gender identity and sexual identity when a clear business need has been demonstrated by an internal OSU support provider. Business needs must clearly define the purpose for obtaining either aggregate or student-level data and explain how the data will be used to provide better support for students. Additionally, requestors must adequately outline how possession of the data is necessary, versus allowing the data steward(s) to analyze data on behalf of the requestor. Data security must also be addressed if the requestor intends to possess the data versus having it analyzed by the data steward(s).