Data Protection Roles & Responsibilities

There are four basic roles for proper data management and protection at Brown: data owner, manager of policies and procedures for access to that data, manager of the infrastructure and account access, and data user. Though the lines between these roles may blur or overlap, these key responsibilities must nonetheless be fulfilled. What is most important is:

  • All Brown Restricted Information should have an identified owner, and
  • Anyone who has been entrusted with sensitive information has a responsibility to the data's owner for its proper use and protection.

The following chart breaks out these roles and defines their responsibilities. The listed example is for the handling of financial business information and illustrates one combination of roles and responsibilities.

Responsible Position or Individual: Senior University Officials (or their designees)
Key Responsibilities:
  » Data owner for their functional area, responsible for its management and participating in establishing policies.
  » Promotes data resource management for the good of the entire University.
Example (Financial Data): University Controller

Responsible Position or Individual: Department Directors (University officials having direct operational-level responsibility for information management)
Key Responsibilities:
  » Manages access to their functional area's data.
  » Provides input in policy implementation and resulting procedures, as well as training for those individuals who have access to "Brown sensitive information" in the course of their jobs.
Example (Financial Data): Assistant Controller

Responsible Position or Individual: System Administrators (both local and central services)
Key Responsibilities:
  » Provides a secure infrastructure in support of the data, including, but not limited to: physical security, backup and recovery processes as well as secure transmission of the data.
  » Grants access privileges to authorized system users, documenting those with access, and controlling level of access, ensuring that individuals have access only to that information for which they have been authorized, and that access is removed in a timely fashion when no longer needed.
  » System Administrators and/or Departmental Computing Coordinators are accountable for data within their specific areas or departments.
  » Computing and Information Services is responsible for centrally-held data.
Example (Financial Data): Technical Support / System Administrator

Responsible Position or Individual: Every Data User who has access to University data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community
Key Responsibilities:
  » Individuals who are given access to restricted or confidential information have a position of special trust and as such are responsible for protecting the security and integrity of that data as detailed in the Policy on the Handling of Brown Restricted Information.
  » If any user is aware of a possible weakness in the protection of data, he or she must report their concerns to IT Security.
Example (Financial Data): User of Workday Financials System

Related Documents

Brown Restricted Information, Policy on the Handling of
Information to Comply with the Policy on Handling Brown Restricted Information
Records Retention Guidelines
Research Compliance Documents
Social Security Number – Usage and Protection Requirements

Questions or comments to: ITPolicy@brown.edu

Effective Date: April 2, 2012