THE OFFICE OF AUDIT, COMPLIANCE & PRIVACY SERVICES
 
 
www.uvm.edu/compliance
 
Privacy Matters Newsletter
 
ACCESS CONTROLS: "Can" vs. "Should"
 
There are many laws, acts, statutes, rules, regulations, policies, and procedures that govern the way personal data is collected and used. In higher education, you may be bound by one, and likely by multiple, laws and regulations [1]. In addition to regulatory requirements, contracts and agreements increasingly include data protection or data security clauses. Aside from our regulatory and contractual obligations, members of the public, including students, faculty, staff, research subjects and others, entrust us with personal information, and have expectations that we will safeguard it. In short, if the data we collect and access is personal, we share a responsibility to safeguard it.

Technical vs. Administrative Safeguards for Access
 
Two kinds of safeguards protect personal data: technical and administrative. Technical safeguards are cases where the technology itself has functionality to control access. Administrative safeguards are policies and procedures implemented to control access where the technology does not provide enough coverage. With technical safeguards, access is pre-determined based on user roles, and each user is assigned a role that allows them to do their job. With administrative safeguards, written policies and procedures prohibit access to information that cannot be controlled through technology. Administrative safeguards also guide users in making access decisions in "need to know" contexts.

Technology First, Administrative Next
 
The concept of safeguarding using "technology first, administrative next" is neither unique nor new to UVM. UVM's policies and procedures already include administrative controls that prohibit access beyond what is required to perform a job-related function. While technology advances have improved technical safeguards over the years, data privacy rules have also grown more complex. Administrative controls allow UVM to ensure that policies and procedures provide clear rules for data access and use.

Can vs. Should
 
This is a simple but important concept. Just because a user "can" access information does not mean the user "should" access the information. Regardless of the specific regulation, all members of the University community who have access to regulated data are required to access only the data needed to perform an authorized function. Under FERPA, this means accessing student education records only for legitimate educational purposes in order to perform authorized duties on behalf of the University. In the HIPAA world, this means only accessing protected information for treatment, payment or healthcare operations to perform authorized duties on behalf of the University. Access to education or other personal records should not be used for any other purpose. Disregarding or circumventing technical or administrative controls is a violation. Period.

It is possible that with your user role, you "can" access certain data. Just because you can does not mean you should. We all have a responsibility to protect the data entrusted to us. Want to know more? Details can be found in the policies and procedures footnoted here.

Please visit the following policies for contact information and for more details: Privacy Policy; Information Security Policy; Information Security Procedures; FERPA Rights Disclosure; GLBA Information Security Program; Computer, Communication, and Network Technology Acceptable Use. If you have any questions about this issue of Privacy Matters, contact the Chief Privacy Officer at privacy@uvm.edu.

[1] FERPA - The Family Educational Rights and Privacy Act; HIPAA - The Health Insurance Portability and Accountability Act; GLBA - The Gramm-Leach-Bliley Act; GDPR - The General Data Protection Regulations