Policy on Handling of Brown Restricted Information: Data Protection Roles and Responsibilities
There are four basic roles for proper data management and protection at Brown: data owner, manager of policies and procedures for access to that data, manager of the infrastructure and account access, and data user. Though the lines between these roles may blur or overlap, these key responsibilities must nonetheless be fulfilled. What is most important is:
- All Brown Restricted Information should have an identified owner, and
- Anyone who has been entrusted with sensitive information has a responsibility to the data's owner for its proper use and protection.
The following chart breaks out these roles and defines their responsibilities. The listed example is for the handling of financial business information and illustrates one combination of roles and responsibilities.
| Responsible Position or Individual | Key Responsibilities | Example (Financial Data) |
| --- | --- | --- |
| Senior University Officials (or their designees) | » Data owner for their functional area, responsible for its management and participating in establishing policies » Promotes data resource management for the good of the entire University | University Controller |
| Department Directors (University officials having direct operational-level responsibility for information management) | » Manages access to their functional area's data » Provides input in policy implementation and resulting procedures, as well as training for those individuals who have access to "Brown sensitive information" in the course of their jobs | Assistant Controller |
| System Administrators (both local and central services) | » Provides a secure infrastructure in support of the data, including, but not limited to: physical security, backup and recovery processes as well as secure transmission of the data » Grants access privileges to authorized system users, documenting those with access, and controlling level of access, ensuring that individuals have access only to that information for which they have been authorized, and that access is removed in a timely fashion when no longer needed » System Administrators and/or Departmental Computing Coordinators are accountable for data within their specific areas or departments » Computing and Information Services is responsible for centrally-held data | Technical Support / System Administrator |
| Every Data User who has access to University data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community | » Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data as detailed in the Confidentiality and Safeguarding Information Guidelines » If any user is aware of a possible weakness in the protection of data, he or she must report their concerns to IT Security. | User of Financial Records System |
Related Documents
- Policy on Handling of Brown Restricted Information
- Information to Comply with the Policy on Handling Brown Restricted Information
- Records Retention Guidelines
- Responsible Conduct of Research
- Social Security Number – Usage and Protection Requirements
Questions or comments to: ITPolicy@brown.edu
Effective Date: April 2, 2012
