Mercy College’s Data Policy is based on the belief that data is an institutional asset and that it is every employee’s responsibility to safeguard that asset and to ensure that data is valid when entered, accurately reported, protected and kept confidential as legal requirements and practice dictate. All employees should be fully aware that any misuse of Mercy College data, either intentionally or unintentionally, may lead to disciplinary action and/or legal action.
From the point of entry into various systems and records every effort must be taken to ensure that data is valid. Valid data means that data entry is edited against appropriate system tables, that data is transcribed accurately from physical records and that no data is knowingly entered into any system or record that is known to be incorrect or invalid.
Once data is entered into the system, it supports a variety of decision-making activities and purposes. Data that is extracted from the computer systems must be validated by the individual doing the extraction to ensure that it accurately represents the information that it is intended to convey. This applies to both internally and externally reported data. Data includes not only specific student or employee information but also institutional information such as expenses, revenue, departmental or divisional activities. All data that is provided as a part of reports or other distribution activities, must be identified as to date of extraction, data source, individual or department providing data and methodology of extraction or reporting. Data being reported externally must be provided by the data owner or validated as accurate by the data owner or Department of Institutional Research. Requests for information that is provided publicly through a newspaper or other means should be referred to the Director of Communications. The data owner is the department who is primarily responsible for the validity and data entry of certain data. For example, the Registrar is the data owner of all student registration information, Admissions is responsible for all application data and so on.
Since data is now available via self-service, through the Datamart and E-print, employees using these systems must take extra precautions to validate any data they extract or use from these systems. It is incumbent on the employee to understand the source and purpose of the data reported, to validate selection criteria as correct and to take whatever due diligence to ensure that data is clearly identified and explained. Data should be validated in terms of context or definition and timing in the administrative or academic cycle. Reports and extracts should include the reporting or extract date and/or timeframe that the data represents. Datamart training is required in order for Datamart security to be issued and can be obtained through the Computer Center class offerings. Vice-President approval is required in order to enroll in Datamart training.
In addition, since these self-service applications allow an employee to extract data into a spreadsheet, several other requirements exist. An employee who extracts data and modifies that data must clearly document the modification and the purpose. An employee who knowingly modifies data and presents it as fact without documentation is subject to disciplinary action. In addition, an employee who downloads data to a personal computer hard drive is now responsible to ensure the security and confidentiality of that data from other non-authorized personnel. It is recommended that no employee download confidential data to a personal computer unless use of that data is part of their specific job duties and the personal computer is secured through physical means such as cable and lock and electronic means such as passwords.
Employees who work with student data need to be aware of and follow all regulations regarding release of that information. Student information and confidentiality is covered under the Family Education Rights and Privacy Act (FERPA). In brief, FERPA requires that student information, both personal and academic, can only be released to the student or the student’s parents if the student is a dependent minor. Information cannot be released outside the institution unless either the student or the parent has provided their written approval for the release of the requested information. College faculty and staff should thoroughly familiarize themselves with FERPA and any additional institutional or departmental policies regarding the release of student information. FERPA regulations and information is available at http://www.ed.gov/offices/OM/fpco/ferpalist.html.
Printed reports with confidential or personal information should be destroyed by shredding when no longer needed. Original documents that are no longer required should be destroyed in accordance with department policy and legal retention requirements. As these requirements vary by department and type of document, each department should maintain their own policy regarding document retention.
To reiterate, all employees should be fully aware that any misuse of Mercy College data, either intentionally or unintentionally, may lead to disciplinary action and/or legal action.