Separation of Duties

Preliminary Campus Data Management and Communications Separation of Duties Recommendation

 

In order to reduce the risk of accidental disclosure of sensitive personal information, Georgia Tech has established a new guideline stipulating that the individual with permission to generate datasets containing sensitive data (data analyst) should be separate from the individual who communicates with large constituencies (communicator).

Guidance for those in data analyst roles:

Be aware that one’s ability to access databases containing sensitive information is contingent upon the responsible treatment of those datasets. As a reminder, all users with access to sensitive databases are expected to comply with Institute policy, including the Data Access Policy. http://policylibrary.gatech.edu/information-technology/data-access

The Data Access Policy states that any individual granted access to Institute data is responsible for the ethical usage of that data. It will be used only in accordance with the authority delegated to the data analyst to conduct Georgia Tech operations.

Institute employees with the ability to access sensitive Institute data should not directly share those datasets with employees who communicate to broad audiences. It is the responsibility of data analysts to determine the specific needs of communicators and provide the minimum amount of data necessary to satisfy the request. Communications professionals should not be provided datasets containing sensitive data such as non-directory FERPA protected data elements or the sensitive personal information of employees.

Guidance for those in communicator roles:

When partnering with employees who have access to sensitive datasets, the communicator may request curated information regarding target audiences, but should not take possession of any datasets containing sensitive information (e.g., non-directory FERPA data).

For example, if the communicator needs a list of email addresses for a particular segment of the student population, then the communicator may request the list of desired email addresses but should not accept possession of a file containing sensitive data such as personal/protected information of students or employees.

Data Categorization Resources:

Definition of sensitive student (non-directory) FERPA data:

http://catalog.gatech.edu/policies/ferpa/

Institute-wide data categorization information:

https://security.gatech.edu/DataCategorization

 

* Guidelines effective November 12, 2019.