Purpose

These guidelines aim to:

  • provide guidance to data owners/stewards on the use of UCSB institutional data.
  • provide transparency to data consumers on the appropriate use of UCSB institutional data.
  • provide direction on which data requests must be reviewed by the Data Privacy Committee.

Any requests from the public for institutional data must be treated as public requests under the California Public Records Act (see: Public Records).

Intended Audience

These guidelines are intended for UCSB employees and students.


Definitions

  • Data Consumer—Individual or a functional user/developer who requests access to data. They have responsibilities to follow the rules for use, sharing, and distribution of data, as defined by the Data Owner and/or Data Steward.
  • Data Owner—Grants or denies access based on valid business needs and applicable regulations. The Data Owner is accountable for the data, and is concerned with risk and appropriate access. They have obligations to keep the data clean and correct, and to make it available only as appropriate and for a valid business purpose.
  • Data Steward—Has knowledge of the system and business processes, and can provide advice based on data and system knowledge. The Data Owner may elect to designate a Data Steward to grant or deny data access requests. There could be an IT or business data steward based on the situation.
  • Data Custodian—Responsible for safe custody, transport, storage of data, implementation of business rules, and the technical operation of granting access to data.
  • Data Privacy Committee—A campus-wide committee composed of staff, faculty, and students. The Data Privacy Committee reviews data access requests that have a greater impact on personal privacy and should be subject to the Privacy Balancing Test.
  • Institutional data—Data and information stored in administrative computing systems, including transactional data systems, systems containing historical snapshots, and decision support systems. Examples of institutional data include, but are not limited to, the financial, student, employee-sponsored research, and alumni information contained in UCSB’s major administrative computing systems.

Guidelines

  • Timely and appropriate access to institutional data should be provided to those persons with a University business-related need in the performance of their assigned duties. See “Review of Data Requests” below for more information.
  • The access of, and disclosure or distribution of, institutional data in any medium, except as required by an authorized user’s assigned duties, is expressly forbidden.
  • Data may not be re-used or shared for any purpose other than the one originally approved, or for any purpose other than the one disclosed in the notice at the point of collection (if provided).
  • Perusal or use of any institutional data for personal interest or advantage or for non-University purposes is prohibited.
  • Violators of access conditions are subject to disciplinary action in accordance with University policies and collective bargaining agreements.
  • The level of protection, including access control, applied to institutional data must correspond to the requirements set forth in BFB-IS-3: Electronic Information Security.
  • Any unit or person extracting, collecting, and storing data becomes a Data Consumer for that data and is subject to the same responsibilities as defined in these guidelines and relevant policies.
  • Data access and use procedures should be transparent and consistent.

Data Privacy Laws

The concept of data privacy is relatively new and continues to change and evolve in an effort to keep up with new technologies. In addition to UC Policies, there are a variety of state, federal, and even foreign laws that govern data privacy. Data privacy laws are primarily concerned with keeping an individual’s personal data confidential, as well as with empowering individuals to control and understand what data about them is being collected, who or what is collecting it, and how their personal data is used. Data privacy laws also allow individuals to participate in the process of the collection and use of their personal data, where possible, and to be notified of any breach or unauthorized access or use of their data.

Sensitive Data

Not infrequently, conflict arises from competing goals and interests with respect to the use of certain institutional data; for example, privacy versus transparency. Resolving such conflicts requires nuanced analysis of legal, policy, reputational, and other issues to determine the appropriate response to any particular data request. Such requests will be referred to the UCSB Data Privacy Committee for review.

Requests for data that use sensitive data (such as self-reported ethnicity, gender identity, sexual orientation, or immigration status) as selection criteria are approved or denied in accordance with FERPA or other policies, and only to campus officials demonstrating legitimate educational interest in those data. Note: These are representative examples of sensitive data but not an exhaustive list.

When reporting this type of data in aggregate form for reporting purposes, the cell size should be 10 or greater. Cell sizes of less than 10 should be reported as “less than 10.” See the “Small Cell Sizes” section below for more information.


Under Higher Education Act (HEA) regulations, Federal Application for Student Aid (FAFSA)-derived data and other student financial aid information are prohibited from being used for purposes other than the administration of aid programs (e.g. department scholarships). These data may only be provided in aggregate for any other purpose.

Data Access Procedures

The authorization process and type of data that may be provided vary according to the academic or administrative responsibilities of the sponsoring department. Please see the “Sensitive Data” section above for more information about data that have special conditions for release.

  • Data Consumers with access to student records data in any location or format should familiarize themselves with the Family Educational Rights and Privacy Act (FERPA). UCSB FERPA training is available through the UC Learning Center.
  • Data Consumers with access to employee records data in any location or format should familiarize themselves with federal and state laws as well as UC and UCSB policy regarding collection and reporting of employee information. When sharing employee data, the most common laws that may apply are the Information Practices Act, the Americans with Disabilities Act, and the Confidentiality of Medical Information Act. The most common UC Policies that may apply are BFB-RMP-7 and PPSM-80.

  • Access to data may be limited due to ongoing audit or litigation; such limits are outside of the control and authority of the Data Owner or Data Steward. 

UCSB Employees and Students

Institutional data are administered by a variety of data owners and data stewards. To obtain access to data, please reference the linked document and contact the offices listed:

The Public

Any requests from the public for institutional data must be treated as public requests under the California Public Records Act (see: Public Records).

Review of Data Access Requests

Data requests will be reviewed by the appropriate data owner/data steward based on the following criteria:

Academic Unit

Data may be provided to campus officials who demonstrate a legitimate business purpose.

Administrative Unit

Data may be provided to other official University units at UCSB. Requests must demonstrate a legitimate business purpose for requesting the data.

Research Purposes

  • Data may be provided to researchers who demonstrate a legitimate research purpose for requesting the data. The requestor must submit proof of Institutional Review Board (IRB) approval, exemption determination, or non-human subjects determination, and a copy of their approved study protocol when making a request for student or employee data to be used in scholarly or campus research, including requests for personally identifiable information such as email, addresses, or phone numbers. However, disclosure of student or employee data is an independent institutional prerogative and IRB approval has no bearing on the decision of Institutional Research, Planning, and Assessment (IRPA), Registrar, or Human Resources (HR) as to the appropriateness and approval of the data request. Researchers are encouraged to consult the appropriate data owner/data steward (see chart above) as part of the IRB process.
  • In evaluating requests from researchers who wish to conduct research using employee data, aggregate data may be available depending upon the nature of the request, but if individual-specific information is being sought, the request will require review by Human Resources, Academic Personnel, or the Office of Equal Opportunity Discrimination Prevention, as appropriate. The Office of the Registrar and/or IRPA may modify, approve, or deny requests from researchers based on recommendations from these groups, except in circumstances where IRB approval was denied. If the research involves surveying, IRPA and the Office of the Registrar work with other campus offices to determine the institutional impact of surveying students. Requests for census sampling (i.e. surveying every person in a group) are generally not approved. In order to facilitate timely review of requests, proposals should include the desired sample size and justification for such based on the research design. Researchers are encouraged to consult the appropriate Data Owner/Data Steward (see chart above) as part of the IRB submission process.
  • In evaluating requests from researchers who wish to conduct research using employee data, aggregate data may be available depending upon the nature of the request, but if individual-specific information is being sought, the request will require review by Human Resources. Authorization for employee information is rarely given due to the sensitive nature of this information and its UC data classification level (P4).

Student Organizations

Individuals requesting student contact data for UCSB student organizations that are registered with the Office of Student Engagement and Leadership (SEAL) will be referred to the Bulk Mailing Policy.

Third-Party/Vendor Organizations

When a UCSB department or organization plans to use a non-UCSB entity (e.g., third-party organization or vendor) for a service or support effort that involves student or employee records, the UCSB department or organization and the non-UCSB entity must receive authorization from the Office of the Registrar or HR to host or collect student or employee information. All third-party suppliers with whom the University of California contracts for services or resources that connect to UC information resources must agree to the UC Appendix - Data Security and Privacy, which is negotiated between Procurement and the vendor.

Mass Email

Students: Individuals requesting student contact data in order to send mass email will be referred to the Bulk Mailing Policy and to the use of approved methods for broadcast messages and other strategies for contacting students.

Ending Data Access

When the need for requested data has ceased, it is the responsibility of the Data Consumer to notify the Data Owner and/or Data Steward that the on-going use of data has ended. The Data Consumer will work with the Data Owner, Data Steward, and Data Custodian to securely remove access to systems and securely destroy copies of data as needed and in accordance with law and policy.

Data Owners, Data Stewards, and Data Custodians should also develop procedures to periodically review approved access requests to determine their on-going need.

Responsibilities of Data Consumers

  • Authorized users may access institutional data only in the performance of their assigned duties.
    • They must respect the confidentiality and privacy of individuals whose records they access and abide by University policies, restrictions, and applicable laws with respect to access, use, security, or disclosure of information.
    • Authorized users must protect the integrity and, if appropriate, confidentiality of institutional data via logical and physical security controls, as specified by policy and user guidelines.
    • Misuse of institutional data may subject consumers to civil or criminal penalties and/or University discipline. To ensure compliance, all elements of the intended data uses must be stipulated in the request.
  • Authorized users who develop departmental information systems using institutional data, or who store or cache institutional data, become Data Custodians and are responsible for meeting the same security requirements and subject to the same responsibilities as Data Owners and Data Stewards.
    • Departments that need assistance meeting the security requirements should consult the appropriate IT resource.
  • Responsibilities for data retention and destruction
  • Data can only be used for the specified purpose; it cannot be re-used or shared for any other purpose.

Small Cell Sizes

  • UCSB considers tables containing aggregated data entries of fewer than 10 individuals to create a situation where an individual could be personally identified.
  • Data tables and reports containing cell sizes of fewer than 10 individuals should be carefully reviewed before public release to ensure that the individuals are not easily traceable and that release does not create a potential for the invasion of privacy. Data Consumers and Data Stewards are encouraged to consult with the Data Owner to determine if their data are appropriate for public release. Please consult the chart in the “Data Access Procedures” section to determine the data owner.
  • Depending on the data, the value used to determine small cell sizes may vary based on special circumstances. A different number may be determined by the Data Owner, Data Steward, or Data Privacy Committee based on the type of data requested and the business need.

Further Information

Contact information for these guidelines: https://dataservices.ucsb.edu/campus-data-governance

References and Related Policies

A. State of California statutes:

  1. California Information Practices Act of 1977, Civil Code Section 1798 et seq.
  2. California Penal Code, Section 502, relating to computer crime and other forms of unauthorized access to computers, computer systems, and data.
  3. California Public Records Act, Government Code Sections 6250-6270.
  4. California Proposition 209.

B. Federal statutes and regulations:

  1. Stored Wire and Electronic Communications and Transactional Records Access, U.S. Code, Title 18, Sections 2701 et seq.
  2. Family Educational and Privacy Rights, U.S. Code, Title 20, Section 1232g.
  3. Records Maintained on Individuals, U.S. Code, Title 5, Section 552a.
  4. Higher Education Act, Section 483.

C. UC Electronic Communications Policy.

D. UC Policies Applying to Campus Activities, Organizations, and Students, Section 130.00 et seq., Policies Applying to the Disclosure of Information from Student Records.

E. Guidelines for Administrators Regarding New Self-Identification Questions in UC Recruit and Data Privacy Compliance.

F. UC Business & Finance Bulletins:

  1. IS-2, Inventory, Classification, and Release of University Electronic Information.
  2. IS-3, Electronic Information Security.
  3. RMP-1, University Records Management Program.
  4. RMP-7, Privacy of and Access to Information Responsibilities.
  5. RMP-11, Student Applicant Records.

G. UCSB Policy and Guidelines:

  1. How to Respond to Information Requests
  2. Bulk Mailing
  3. Student Education Records – Disclosure of Information