Guidelines for Safeguarding Information

Data Protection: Roles and Responsibilities

There are four basic roles for proper data management and protection at Brown: data owner, manager of policies and procedures for access to that data, manager of the infrastructure and account access, and data user. Though the lines between these roles may blur or overlap, these key responsibilities must nonetheless be fulfilled. What is most important is:

  • All Brown Sensitive Information should have an identified owner, and
  • Anyone who has been entrusted with sensitive information has a responsibility to the data's owner for its proper use and protection.

The following chart breaks out these roles and defines their responsibilities. The listed example is for the handling of financial business information and illustrates one combination of roles and responsibilities.

Responsible Position or Individual: Senior University Officials (or their designees)
Key Responsibilities:
  • Data owner for their functional area, responsible for its management and participating in establishing policies
  • Promotes data resource management for the good of the entire University
Example (Financial Data): University Controller

Responsible Position or Individual: Department Directors (University officials having direct operational-level responsibility for information management)
Key Responsibilities:
  • Manages access to their functional area's data
  • Provides input in policy implementation and resulting procedures, as well as training for those individuals who have access to "Brown sensitive information" in the course of their jobs
Example (Financial Data): Assistant Controller

Responsible Position or Individual: System Administrators (both local and central services)
Key Responsibilities:
  • Provides a secure infrastructure in support of the data, including, but not limited to: physical security, backup and recovery processes as well as secure transmission of the data
  • Grants access privileges to authorized system users, documenting those with access, and controlling level of access, ensuring that individuals have access only to that information for which they have been authorized, and that access is removed in a timely fashion when no longer needed
  • System Administrators and/or Departmental Computing Coordinators are accountable for data within their specific areas or departments
  • Computing and Information Services is responsible for centrally-held data
Example (Financial Data): Technical Support / System Administrator

Responsible Position or Individual: Every Data User who has access to University data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community
Key Responsibilities:
  • Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data as detailed in the Confidentiality and Safeguarding Information Guidelines
  • If any user is aware of a possible weakness in the protection of data, he or she must report their concerns to the Information Security Group.
Example (Financial Data): User of Financial Records System

With permission from the University of North Carolina at Greensboro for use of the ideas in their Data Classification Policy.

Related Documents

Guidelines for Safeguarding Information
Data Classification Chart
Confidentiality Agreement Template
Administrative Information Systems Confidentiality Agreement

Questions or comments to: ITPolicy@brown.edu

Effective Date: May 17, 2006
