Roles and Responsibilities for Information Management Policy
The proper stewardship and custodianship of University administrative information will facilitate access to data that supports the work of those with official educational or administrative responsibilities within the institution, consistent with legal, ethical, competitive, and practical considerations.
This document informs information stewards, managers, custodians, and users of data of their responsibilities.
Note: Nothing in this document precludes or addresses the release of institutional data to external organizations or governmental agencies as required by legislation, regulation, or other legal vehicle.
This document serves two primary purposes:
1. It outlines different categories of University administrative data in the central administrative functional areas of the University, noting stewardship responsibilities (to an individual or designee) in each area.
2. It describes the responsibility of information stewards, managers, and custodians to coordinate and manage information for their respective administrative areas.
This policy applies to faculty, staff, students, official University affiliates, and any other individuals who use University information resources under the administrative control of the Lawrence campus, including the Edwards campus and all other off-site units reporting to the Lawrence campus.
The University of Kansas provides information resources to faculty, staff, students, official University affiliates, and others in support of the education, research, and public service mission of the University.
The University expects all stewards and custodians of its administrative information to manage, access, and utilize this information in a manner that is consistent with the University's need for security and confidentiality. University of Kansas administrative functional areas must develop and maintain clear and consistent procedures for access to University administrative information, as appropriate.
Information Stewards:
An information steward is an individual who has been designated by the Chancellor or the Chancellor’s designee to have policy level responsibility for determining how information will be created, managed, used, maintained, and stored within the information steward's functional area of responsibility.
An information steward is familiar with records issues, laws, and regulations and shall:
- Determine the purpose and function of the information.
- Determine the level of security based on the content of the information.
- Determine the level of criticality of the information.
- Determine accessibility rights to the information.
- Determine the appropriate method of providing business continuity for critical information (e.g., information needed to continue service at an alternate site if needed).
- Specify adequate records retention, in accordance with KU policies, and state and federal laws and regulations.
The attached Table 1, which shall be updated as needed by the Chancellor or the Chancellor’s designee, shows the administrative functional areas of the University and their respective information stewards.
Table 1: Administrative functional areas of the University and their respective information stewards:
Academic Program Data |
Vice Provost, Academic Affairs |
Alumni Affairs and Development Data |
Chancellor’s Office |
Budget Data |
Vice Provost, Finance |
Facilities Data |
Vice Provost, Scholarly Support |
Faculty Data |
Vice Provost, Faculty Affairs |
Financial Data |
Vice Provost, Finance |
Human Resources Data |
Provost’s Office |
Information Technology and Libraries Data |
Vice Provost, Information Services |
Planning Data |
University Director, Institutional Research and Planning |
Sponsored Research Administrative Data |
Vice Provost, Research and Graduate Studies |
Student Data |
Vice Provost, Student Success |
Information Managers:
Individuals, usually department or program heads, who may also have operational responsibilities for the management of University administrative data at a unit, departmental, or university-wide level. These managers assume the following data management responsibilities as applicable to their mission
- Provide compliance with University policies, and state and federal laws and regulations relating to data integrity, security, and confidentiality by their staff or others authorized to access data.
- Establish any specialized operating procedures and guidelines needed to comply with University policies and state and federal laws and regulations relating to data integrity, security, and confidentiality by users of data for which they are responsible.
- Provide for the appropriate authorization of access to data for staff or other individuals in their areas of authority. Assure that records are maintained for individuals with delegated access.
- Oversee implementation of and maintenance of administrative systems to assure compliance with University policies, standards, direction, and best business practices.
Information Custodians:
Information custodians are individuals who have operational responsibilities within a functional area for University administrative data. Their operational responsibilities within that functional area may be at a unit, departmental, or university-wide level. These individuals assume the following data custodian responsibilities as applicable to their mission.
- Implement and maintain operating processes, procedures, and guidelines to comply with University policies, and state and federal laws and regulations relating to data integrity, security, and confidentiality.
- Determine responsible access, use, and disclosure of University data.
- Grant access to data for staff or for individuals in their areas of authority. Maintain records for individuals with access.
- Provide for the release of University administrative data only to an individual who has a legitimate interest in the data (and only as permitted by state and federal law).
- Coordinate implementation and/or maintenance of administrative systems to assure compliance with University standards, direction, and best business practices.
- Coordinate and/or facilitate training and information resources for data users on compliance with University policies, standards, direction, and best business practices.
- Recognize the consequences of improper custodianship of University data.
Granting Access to Others
Custodians of University administrative data may release this data only to individuals with a legitimate interest in the data (see: Definitions), and only to individuals who are either a) employees or volunteers of the University accessing data to perform assigned duties, or b) individuals under contract to the University accessing data to perform special tasks, such as outside attorneys, external auditors, or other consultants.
Note: Access to University administrative data should be limited, whenever possible, to the data necessary to perform the task. In addition, the individual with the legitimate interest must remain mindful of any applicable law or policy specifically related to the handling and/or disclosure of that data (e.g., educational records under the Family Educations Records Privacy Act). Contracts with vendors or contractors who require access to University administrative data to perform a contracted service must contain appropriate provisions that require the vendor or contractor (and any subcontractors) to maintain the privacy and security of the University data.
Guidelines
You may access, manipulate, or change data only as required to fulfill your assigned duties. Improper maintenance, disposal, or release of University administrative data exposes the University to significant risk (see the Information Custodians segment of this document).
Therefore, those who request, use, possess, or have access to University administrative data must agree to certain guidelines. Below are examples of some of these guidelines in the form of general prohibitions that apply to all areas. Information Stewards will issue detailed guidelines for each functional area of responsibility.
Note: A steward, manager, or custodian, in addition to other data users, may be asked to sign an Access to University Data Agreement.
General Prohibitions
Note: These examples are illustrative, not exhaustive.
- Do not change data about yourself for other than authorized business purposes or self-service applications designed to permit you to change your own data. Do not use information (even if authorized to access it) to support actions by which individuals might profit (e.g., a change in salary, title or band level; a better grade in a course). Do not disclose information about individuals without prior supervisory authorization.
- Do not engage in what might be termed "administrative voyeurism," or engaging in activities (e.g., tracking the pattern of salary raises; determining the source and/or destination of telephone calls or Internet protocol addresses; exploring race and ethnicity indicators; looking up grades) without a legitimate business purpose.
- Do not circumvent the nature or level of data access given to others by providing access or data sets that are broader than those available to them via their own approved levels of access (e.g., providing a university-wide data set of human resource information to a coworker who has approved access only to a single human resource department).
- Do not facilitate another's unauthorized or illegal access to KU’s administrative systems or compromise the integrity of the systems data by sharing your passwords or other information.
- Do not violate University policies or federal, state, or local laws or regulations in accessing, manipulating, or disclosing University administrative data.
Faculty, staff, and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.
Students who violate this University policy may be subject to proceedings for non-academic misconduct based on their student status.
Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation.
If you have questions about specific issues regarding the Roles and Responsibilities for Information Management Policy, contact the following administrative functional area of the University:
Subject |
Contact |
Clarification of Roles and Responsibilities document |
Vice Provost, Information Services |
Academic Program Data |
Vice Provost, Academic Affairs |
Alumni Affairs and Development Data |
Chancellor’s Office |
Budget Data |
Vice Provost, Finance |
Facilities Data |
Vice Provost, Scholarly Support |
Faculty Data |
Vice Provost, Faculty Affairs |
Financial Data |
Vice Provost, Finance |
Human Resources Data |
Provost’s Office |
Information Technology and Libraries Data |
Office of the Chief Information Officer |
Planning Data |
University Director, Institutional Research and Planning |
Sponsored Research Administrative Data |
Vice Provost, Research and Graduate Studies |
Student Data |
Vice Provost, Student Success |
These definitions apply to these terms as they are used in this document.
Functional area, for purposes of this policy, the administrative functional areas of the University are identified as follows: alumni affairs and development, academic programs, budget, finance, facilities, human resources, information technologies, planning, sponsored research, and student services. These areas may be updated by the Chancellor or Chancellor’s designee on the attached Table 1 as needed.
University affiliates are the people and organizations associated with the University through some form of formalized agreement.
University administrative information is the administrative functional area information, in any form, including that stored centrally as well as in colleges and departments.
Legitimate interest is a valid need for administrative functional area data that arises within the scope of University employment and/or in the performance of authorized duties related to educational (FERPA), business needs, or research purposes.
Information Stewards are those individuals who have been appointed by the Chancellor or the Chancellor’s designee to have policy level responsibility for determining how information will be created, managed, used, maintained, and stored within the information steward's functional area of responsibility.
Information Managers are those individuals, usually department or program heads, who may also have operational responsibilities for the management of University administrative data at a unit, departmental, or university-wide level.
Information Custodians are those individuals who have operational responsibilities within a functional area for University administrative data at a unit, departmental, or university-wide level.
01/18/2024: Updated contact section.
01/26/2022: Updated contact section.
07/17/2017: Fixed broken links.
07/20/2016: Updated to remove gendered pronouns.
01/30/2015: Updated formatting and revised policy.
06/19/2013: Policy uploaded into the Policy Library.