Data Access Policy Implemented

The university has adopted an official policy on Data Access that lays out Northeastern’s approach to data sharing and usage.

As stated in the introduction to this policy, Northeastern recognizes that it is important for the university community to have access to accurate and reliable university data to fulfill their job responsibilities. At the same time, Northeastern also recognizes the importance of protecting the university’s information assets and preserving the confidentiality and integrity of the data. The data access policy addresses this balance by establishing internal standards for access to university data.  These internal standards safeguard data privacy and protect institutional data against misuse or dissemination without proper authorization.

The Data Access Policy references the Data Classification guidelines, a part of the Policy on Confidentiality of University Records and Information.  Data Classification, our framework for categorizing data based on the data type, risk and need for confidentiality, provides the basis for access to data.  Individuals may access, use, or store Critical or High Risk (Levels 4 and 3) data only with authorization from the appropriate data custodian, based on demonstration of legitimate business use commensurate with their responsibilities, as well as training where appropriate or required. The policy states that requests for authorization should be directly related to business needs. Once access is granted, data users are entrusted to exercise care in using the university’s information.  This includes protecting data from unauthorized use, disclosure, alteration, or destruction, and handling data in accordance with the Data Classification Guidelines.

This policy was spearheaded and shepherded by the Data Governance Council and written by Data Administration (UDS) and the Data Stewardship Council.  UDS encourages everyone who works with data to take a few minutes to review this new policy and understand how it applies to your job, whether you are a data custodian, a data consumer, a data producer, or all three.