DATA AND USER ACCESS POLICIES

Transcription

1 Contents UNIVERSITY OF CHICAGO ALUMNI & DEVELOPMENT DATABASE (GRIFFIN) DATA AND USER ACCESS POLICIES Approved by the Griffin Steering Committee 2/1/07 What is Griffin? Griffin Policies & Procedures Your Responsibilities as a User or Supervisor User Responsibilities Supervisor Responsibilities Misuse System Transparency General Approach Data, Privacy, and the Law (HIPAA and FERPA) Data Access in Griffin Data Viewing Privileges Retrieving Data for Mass Mailings Sharing Data with Vendors, Volunteers or Other Non-Employees Data Entry Privileges User Access in Griffin University Classification Granting User Access Rules of Application Exceptions to the Stated Policy Appendix A: Categories of System Users Appendix B: Privileges by User Category Appendix C: Basic Use Agreement for vendors What is Griffin? Griffin is the University of Chicago s campus-wide Development and Alumni database. It is a tool designed to assist Development and Alumni Relations staff, as well as campus administrative and academic offices, to build and track relationships and associated gifts from and with entities (individuals and organizations). Griffin Policies and Procedures The policies and procedures governing use of Griffin comply with the University s Eligibility and Acceptable Use Policy for Information Technology ; these policies will be referenced as 9/24/2008 2:47:00 PM Page 1

2 needed to manage Griffin access and use. Griffin s specific policies and procedures are communicated to users via documents (see below), and via the system s site help (which for ease of use, includes policy items embedded into site help text where applicable). Griffin Documents This document (Data and User Access Policies) sets forth the policies that govern a user s and supervisor s responsibilities when using the Griffin database and the information it contains. In addition, the various levels of data security and user access are covered. Griffin policy and procedure documents include, but are not limited to: Data and User Access Policies (this document) Prospect Management Policies and Protocol Site Help Statement of confidentiality (on Griffin login screen) Personnel Policy Statement Guiding Principles The following overarching themes are the hallmarks of Griffin s policies and procedures: Griffin is the official University-wide database of record for information about donors, prospective donors, and alumni. This database is one of the University s most valuable assets. Privileges to enter information or to maintain records in Griffin come with the responsibility to the integrity of the data therein. System transparency to appropriate fund-raising and alumni relations personnel across units is paramount. Underlying this principle is the belief that both the University and its donors are best served by a culture where information on fund-raising activities, strategies, and goals is shared. As is the case with ADDS, Griffin will follow a distributed data entry model. This means that users across campus will continue to contribute to and bear significant responsibility for the upkeep of data. Access to Griffin must be secure and reliable. In order to do their jobs effectively and efficiently, staff in development and alumni relations must be able to reliably and easily access information stored in Griffin. At the same time, alumni and donors have the right to assume that personal information kept on them by the University is stored and accessed securely. Your Responsibilities as a User or Supervisor User Responsibilities Confidentiality The following Statement of Confidentiality is displayed prominently on the log-on screen of Griffin so that users are reminded regularly of the seriousness of their responsibilities as a user of the system. 9/24/2008 2:47:00 PM Page 2

3 All information, data and reports obtained through the Griffin information system is exclusively for use by authorized University of Chicago staff. All data contained in this system is confidential. Staff authorized to access Griffin must comply with the policies and procedures established for its use. Negligent or intentional misuse is an extremely serious violation of the employee s employment responsibilities and shall result in disciplinary action, which may take the form of immediate dismissal. Personal Access Code and Password As a Griffin user you bear the responsibility for preserving complete confidentiality of your system password to ensure against its use by others. If you negligently or intentionally make your access codes available to others, you shall be held responsible for any resulting misuse of the system and data by others; you will also be subject to disciplinary action. If you suspect that someone else is using your log-on and password, it is your responsibility to notify your supervisor or the Griffin User Administration and Training department. Change in Job Status If you undergo a status change of any kind (e.g., position change, leave of absence) it is your responsibility to notify the Griffin User Administration and Training department so that your user privileges can be assessed and, if necessary, updated or temporarily disabled. Supervisor Responsibilities The responsibility for enforcement of all policies on system use and misuse, system access to information, and individual user system access and privileges resides with all supervisors of employees and sponsors of provisional users (see p. 9 for definition) who work with Griffin and its data. If you are a supervisor and/or sponsor, you will be required to sign the confidentiality statement to show your acceptance of the access, logon, and data use policies. Supervisors and all University employees are prohibited from asking a Griffin user for his/her password. As a supervisor, you must notify the Griffin User Administration and Training department on or prior to a user s last day of authorized use of Griffin so that all system access can be disabled. Misuse Misuse of Griffin includes: Accessing information from the system that is not relevant to the user s task; Making a user password available to unauthorized users; Generating false or misleading information; Deleting or altering information without authorization; Using information viewed or retrieved from the system for personal or any other unauthorized use Thoughtless or intentional misuse by a University employee or a provisional user of Griffin and/or the data it contains is an extremely serious violation of the user s responsibilities. Such misuse shall result in immediate revocation of privileges and, for University employees, 9/24/2008 2:47:00 PM Page 3

4 disciplinary action, which may take the form of immediate dismissal from University of Chicago employment or even criminal charges. System Transparency General Approach As indicated above, one of the goals for Griffin is transparency. For University fundraisers, this means that the system will promote sharing of information and knowledge within the University fundraising community about the relationship between the University and its constituency. At the same time, the University values the privacy of its alumni and donors and serves as a responsible steward of privileged and confidential information. Privileges to access data in Griffin, therefore, are carefully circumscribed so that staff gain access only on a need-to-know basis. Minimally, access to Griffin includes rights to basic biographical information (name, degrees, addresses, etc.; see Appendix B for details) on every entity in the database. On the other end of the spectrum, a small number of appropriately authorized and fully certified users have unlimited access (read, record, delete, query and report) to any and/or all of the following areas in Griffin: All biographic data for any entity All gifts from any donor All actions for any entity All prospects, strategies and solicitations from all units All event data All membership data All reports Creating new reports Most Griffin users fall somewhere in between, with privileges being assigned on a need-to-know basis. The Director of User Access and Training, in coordination with supervisors of alumni and development staff across the University, sets user privileges. Data, Privacy, and the Law HIPAA and FERPA It is important for users to recognize that some information stored in Griffin is protected by federal laws governing the handling of patient and student information. It is the responsibility of users to understand the applicability of the Health Insurance Portability & Accountability Act (HIPAA) and Family Educational Rights and Privacy Act (FERPA) to their work, and to handle this information accordingly. Health Insurance Portability and Accountability Act (HIPAA) The Health Insurance Portability and Accountability Act was created in 1996 to protect the privacy of an individual s personal health information. In Griffin, patients who are donors will be tracked as friends not patients. It is against policy for any user to enter contact information or notes on an individual s record, in text or code, that indicates they are a patient, unless the information is provided by the patient themselves. Furthermore, users entering any data pertaining to patient information must indicate the source of that information, e.g. who provided the information. Griffin will record the ID of the person who entered the data in Griffin. 9/24/2008 2:47:00 PM Page 4

5 Family Educational Rights and Privacy Act (FERPA) Family Educational Rights and Privacy Act of 1974 (FERPA) is a federal law that protects the privacy of student records*. It provides students and parents of minor students the right to review education records, the right to seek to amend those records, and to limit disclosure of information in the records. The law applies to all schools that receive funding from the US Department of Education. FERPA mandates that schools must have written permission from the student, or minor student s parent, before releasing information contained in the student s education record. The school may disclose, without consent, directory information such as student s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. If the student does not want this information publicly disclosed, the law stipulates he/she can opt-out in writing. Furthermore, unless otherwise indicated, FERPA is in force even after a student graduates, so it is important that Griffin users know that FERPA applies to alumni as well as students. Since student information will be available in Griffin upon matriculation, the system will provide a special handling flag of FERPA Protected to capture students and alumni who requested that their directory information be kept private. The FERPA Protected flag will remain in place until the student or alumnus/alumna requests that it be removed. Because the law does permit school officials with legitimate educational interest access to student records even where there has been a request for FERPA privacy access to this information will be made available to development and alumni relations staff. It is important to note, however, that in cases where a FERPA flag exists on a person s Griffin record, the use of the data on that record is allowed for development and alumni relations staff only and must not be shared under any circumstances with volunteers, vendors, or any other non-development and alumni relations staff or organizations. Reports written in Griffin specifically for use with vendors or volunteers will automatically exclude any entity record that is marked with a FERPA Protected flag. However, since most Griffin reports are intended for internal use only, users must always take special care to exclude any FERPA Protected records from reports and downloads that they could potentially share with any person outside of University development and alumni relations staff. *Note: Parent information received from the Admissions Office before a student matriculates is not covered by FERPA. Data Access in Griffin Access to data in Griffin is based on three major criteria: The type of data viewed, maintained and retrieved. The individuals who can view, maintain and retrieve the data. The relationship between the users and the data maintained on a given prospect. 9/24/2008 2:47:00 PM Page 5

6 Data Viewing Privileges Griffin stores a wide range of data, some of which is of general interest to all areas within the University. This data is general biographical information such as addresses and degrees, and can be viewed by all Development and Alumni Relations staff, as well as staff in related departments (e.g. Comptroller s Office, Career and Placement) and volunteers. Even alumni have access, though it is filtered through the online Alumni Directory, separate from Griffin. Other information - such as prospect and gift data - is more sensitive in nature and can be viewed only by those staff members who input or have a legitimate need to use this information as part of their jobs, and by a very few, select volunteers. Prospect data can be viewed by prospect managers and their managers and support staff across campus who research, cultivate, solicit and steward gifts from prospects, since this represents a legitimate need to use prospect information to do their job. Gift information can be viewed by users in Development and Alumni Relations and executive-level University administrative and financial offices who solicit, receive, process, research or report on gifts, since this represents a legitimate need to use gift information as part of their job. The same holds true whether the data is viewed online or in reports generated from Griffin. Retrieving Data for Mass Mailings Access to data in the form of outputs (reports, spreadsheets, etc.) will follow the same access rules as view privileges for online screens. With Griffin, a program assignment policy more liberal than what we had in ADDS is implemented so that every area or unit can readily maintain its relationships with alumni, donors and prospects. The ADDS concept of automatically removing unassigned records from a unit s output will not be implemented programmatically though the Griffin system, but will instead by emphasized in training and facilitated through the reporting and querying tools. With this new policy and approach, users must be diligent to avoid accidentally contacting individuals that have no relationship to their program. For example, if the College wants to send something to their constituency, they should be sure to only include those people who have a College affiliation. This policy shift has important implications for users and is covered in detail in Griffin training classes and documentation. Sharing Data with Vendors, Volunteers, or Other Non-Employees Donors express their regard and confidence in an institution through philanthropy and as proper stewards, we must assure them that information about their donations will be handled with respect and with confidentiality. Furthermore, we are obligated by federal law to respect the right to privacy indicated by students and alumni (see Family Educational Rights and Privacy Act earlier in this document). Vendors Sharing data with vendors is a necessary part of business. However, if a vendor mishandles data, they only lose a little business the University could lose credibility with its donors. It is imperative, therefore, that vendors be selected with care, that they have access to as little 9/24/2008 2:47:00 PM Page 6

7 information as necessary to do their job, that there is a clear understanding that the data provided to them through Griffin is only to be used to benefit the University of Chicago, and that it is to be treated as confidential and must be kept secure at all times. Additionally, FERPA-protected records must be kept confidential, even to vendors who are doing work for the University, so be sure to exclude FERPA-protected records from any file or report provided to vendors. Appendix C is a Basic Use Agreement that staff using vendors must fill out and have vendors sign before they receive Griffin data. Volunteers To provide maximum confidentiality to our donors, sharing prospect or gift information with volunteers should be avoided. As stewards of our donors gifts and personal information, we as staff must remember that even the most well-meaning volunteers don t sign confidentiality agreements, don t risk losing their jobs when they are indiscreet, and in fact are sometimes rewarded by the cachet of having knowledge of confidential information. However, fundraising volunteers may need gift or other prospect information to do their job for the University. If at all possible, try providing the volunteer with honor roll information, which is published and available to the public. Another option might be to provide volunteers suggested ask amounts or ranges. Finally, if a volunteer insists on having access to specific gift information, you may only do so with express written approval of your department head. Please impress upon the volunteer the privileged nature of this information Provide the volunteer with as little information as possible to get the job done Make sure you aren t giving the volunteer information on anonymous gifts Data Entry Privileges User access that governs the viewing of information is different from user access for updating information. For example, while individual names can be seen by all users, names can only be maintained (as in the case of marriage, for instance) by fully trained, certified users. In general we follow a distributed data entry model for Griffin. This means that users across campus are encouraged to enter and update certain types of data on constituent records. The maintenance of the biographical data is distributed to the six categories of users which have been identified in the user population. (Appendix A identifies specific departments within these categories.) Development Administration University Administration Development and Alumni Support Services Immediate Fundraising Family Alumni Offices Other University Users Examples of data for which entry and maintenance privileges are widely distributed include: Addresses home, business, , faculty exchange, seasonal, etc. Organization Relationships 9/24/2008 2:47:00 PM Page 7

8 Activities student, volunteer, sports, events Affiliations, Committees, Awards and Honors Career information Children Degrees from other institutions (not U of C degrees) Signer specific salutations for administrators, fundraisers, volunteers Interests Mailing lists honor rolls, publications, solicitations, directories Area specific names For data integrity and audit reasons, entry and update privileges for other types of data are more tightly controlled. Some types of biographical data, for instance, can be maintained only by staff certified at the appropriate level. This includes: Adding new records Changing the record name and record type Special Handling types Updating the marital status, former spouse Changing the gender code Maintaining a date of birth/date of death Deceasing an individual University of Chicago degree information ID screen that is home to Student ID numbers For data security reasons, the maintenance of prospect management data is limited to staff (and their assistants) who: Manage prospects Research and manage prospect information Acknowledge and steward gifts Contact alumni, friends and donors With these privileges a user can enter and maintain/update solicitations and actions, rate prospects, and track progress and interactions with their prospects. Finally, due to audit requirements, the entry of gift information is controlled centrally by Gift and Records Services. Exception: Each Development program that manages its own Telefund or outsources the task of phoning their constituent groups has the responsibility to enter their own phone pledges. User Access in Griffin University Classification The University has a number of employee classifications. Three major classifications of employees, Regular, Temporary, and Student, are users of the Griffin database. 9/24/2008 2:47:00 PM Page 8

9 Regular employees will normally have greater access to the database and its information because of the sensitivity and privacy of the information; temporary and student employees generally have less at stake than regular employees if they fail to follow policy, disclose confidential data, or otherwise compromise the data or the University. Temporary or student employees can, however, be given greater access if: the employee s manager can justify the exception, and if the Director of User Access and Training deems that the employee takes the confidentiality policies seriously, based on the employee s resume, recommendations, experience, and behavior during training. Provisional Users are not employees of the University of Chicago, but, because of the University s needs, require access to Griffin. This type of user can be an owner or employee of an organization doing work with or for NSIT, for example. Granting User Access Employees who require access to Griffin will complete an enrollment request located on the Griffin Enrollment and Registration website; alternatively, the employee s supervisor or supervisor s assistant can complete the enrollment request. A CNetID and password are required to access the site. Upon request for access, the new user s specific job-related needs will be assessed by the Director of User Access and Training, who will grant privileges based on those needs. The needs assessment will include Determining in which user category and department the user is employed (See Appendix A) The user type (employee classification) The user s job function (job description) Any training prerequisites Rules of Application Supervisors should be prepared to provide answers to the following questions. In what department/program does the user work? We have users in Development and Alumni Relations offices throughout campus. In addition, we have system users in divisional, academic and affiliated units and University administrative offices. All of these users do not need the same level of access to information in the database. Is the user in a sub-group of the larger department/program? Everyone in the department/program will not have the same access. For example, a user in the Latin American Studies program does not need the same access as a user in Social Science Major Gifts. What is the user s University employee classification? Is the person a regular employee, or a temporary or student employee, or a provisional user? 9/24/2008 2:47:00 PM Page 9

10 What is the user s role based on their title and job description within that department? An up-to-date description of a user s job is critical in matching view/maintain access to system screens and reports to the user s role at the University. For instance, whereas a staff member who puts together informational or publication mailing lists does not need access to gifts or prospect data, another staff member who is responsible for writing acknowledgements needs access to gift details and scanned images of gift documents. (See Appendix B) Exceptions to the Stated Policy From time to time there is a need to adjust the stated policies; thus, exceptions to assigned privileges may be granted. A manager must submit an or memo requesting that a user have specific privileges, with the justification for the exception. This is reviewed and, if necessary, brought to the attention of the AVP of Operations and/or the AVP or VP of University Development and Alumni Relations. If the exception is granted, the manager s request will be placed in the user s file and privileges applied to the user s system access. 9/24/2008 2:47:00 PM Page 10