Chapter 3344-8 Administrative data policy on Electronic Signatures

3344-8-01 Electronic signatures.

(A) Purpose

The purpose of this rule is to establish parameters for the use and acceptance of electronic signatures.

(B) Policy

(1) The university may use and accept electronic signatures for any transaction when such use and acceptance has been approved by the appropriate vice president. For example:

(a) Students may use electronic signatures to authorize all designated internal records and transactions. Examples include, but are not limited to:

(i) Registering for courses;

(ii) Accepting financial aid awards;

(iii) Paying student bills; and

(iv) Obtaining unofficial transcripts.

(b) Employees may use electronic signatures to authorize all designated internal documents. Examples include, but are not limited to:

(i) Submitting grades;

(ii) Viewing personal payroll data;

(iii) Approving time sheets;

(iv) Access to administrative computing systems and protected data.

(c) Authorized employees and agents may accept or use electronic signatures with external parties. Examples include, but are not limited to:

(i) Submitting purchase orders;

(ii) Executing grant agreements or other contracts;

(iii) Applying for admission to the university; and

(iv) Applying for employment with the university.

(2) Authorization to accept or use an electronic signature does not preclude the university's right or option to use or require a signature in non-electronic form.

(3) An electronic signature is legally binding to the fullest extent permitted by law.

(C) Implementation and security

(1) Electronic signatures may be implemented using various methodologies depending on the risks associated with the transaction, and all relevant state, federal, and university rules. The quality and security of the electronic signature method shall be commensurate with the risk and needed assurance of the authenticity of the signature.

(2) In approving the use or acceptance of electronic signatures, the appropriate vice president shall also approve the procedures and technologies for authentication, nonrepudiation, and integrity as proposed by the information services and technology department based upon by the nature of the transaction.

(3) Electronic signature documentation shall be maintained in accordance with the university record retention schedule or as specified in the approval of the appropriate vice president.

Effective: 4/10/2015
Promulgated Under: 111.15
Statutory Authority: 111.15
Rule Amplifies: 111.15

3344-8-02 Administrative data policy.

(A) Purpose

(1) Information maintained by Cleveland state university is a vital asset that shall be available to all employees who have a legitimate need for it. The university is the owner of all administrative data with individual units or departments having stewardship responsibilities for portions of that data. The university intends that the volume of freely accessible data be as great as possible while recognizing the university's responsibility toward the security of data.

(2) The university expressly forbids the use of administrative data for anything but the conduct of university business. Employees accessing data shall observe requirements for confidentiality and privacy, shall comply with protection and control procedures, and shall accurately present the data in any use.

(3) The university determines levels of access to administrative data according to principles drawn from various sources. State and federal law provides clear description of some types of information to which access shall be restricted.

(4) This policy is for the internal use of information for employees at Cleveland state university. External requests for information are handled in accordance with the Ohio Public Records Act.

(B) Policy

(1) Definition of administrative data

(a) The university's database consists of information critical to the success of the university as a whole. Data may be stored on paper or as digital text, graphics, images, sound, or video. This rule applies to data generated for or by the administrative functions of the university, including (but not limited to) finance, student and enrollment services, and human resources, and to data stores and systems which access such data, regardless of where it resides, including (but not limited to) servers, desktops, flash drives, cloud services and mobile devices.

(b) Some examples of administrative data include student course grades, employee salary information, vendor payments, and the university's annual fact book. Administrative data do not include personal electronic calendar information, faculty grade books, research data and similar material.

(c) Copies of official data are not official data where they are found on portable storage media, individual hard drives, department servers, or as files on other shared systems. These copies or downloads cannot be used as substitutes for official records kept by the authorized data custodians of the university. However, such information may be used to generate official reports on behalf of the university with the knowledge and permission of the data custodians. Such files and any resulting reports are covered by the same constraints of confidentiality and privacy as the official records.

(d) Prior to the development of a system that will download official records and manipulate them for subsequent update or application to official records, permission shall be obtained from the data custodian for such transfer.

(e) Data custodians shall also authorize any university administrative data captured independent of a university system.

(2) Data classifications and protection

(a) Sensitive information

"Sensitive information" is that data found upon review by the data trustees or general counsel to require restrictions on access. Sensitive information may not be subject to disclosure under the Public Records Act and is only available to CSU employees that have a business or educational need to access the data. Sensitive information is broadly defined as that which the university is legally obligated to protect. For example:

(i) Educational records, as defined by the Family Educational Rights and Privacy Act (FERPA.)

(ii) Health records, as defined by the Health Insurance Portability and Accountability Act (HIPAA.)

(iii) Financial and personnel information, as governed by the Fair Credit Reporting Act (FCRA.)

(iv) Financial information governed by payment card industry standards (PCI-DSS.)

(v) Examples (not all-encompassing):

(a) Class rosters, transcripts, schedules, attendance

(b) Lists of names, addresses, identity numbers, dates of birth

(c) Records of medical care, including psychological counseling

(d) Identification photographs, including archived copies of government issued identification

(e) Account numbers or images of any financial instrument, including credit cards

(f) Pre-employment or routine background check information

(b) Private information

"Private information" is data that the data trustees judge to require special procedures for access. Private information may be subject to disclosure under the Public Records Act and is made available to certain Cleveland state employees based on their job function. Private information is broadly defined as that which should be reasonably protected from inadvertent disclosure beyond authorized Cleveland state university employees. For example:

(i) Data not specifically protected by statute, regulation, or other legal obligation or mandate.

(ii) Shall be protected due to contractual, ethical, or privacy considerations.

(iii) Access, disclosure, or modification could cause financial loss or damage to CSU's property.

(iv) Examples (not all-encompassing)

(a) Directory information of students who have not requested FERPA privacy inclusion

(b) Instructional information such as tests, quizzes, and course shells in a learning management system (LMS)

(c) Proprietary information used to run the business of the university

(c) Public information

"Public information" is all data that is neither restricted, nor judged by data trustees to be sensitive or private. The accessible data volume should be as great as possible to enable those who need the information to have access. Data should be part of an open atmosphere and readily available. Public information is subject to disclosure to all Cleveland state employees as well as the general public under the Ohio Public Records Act. Public information is broadly defined as that which is intentionally displayed for anyone to use, including:

(i) Disclosure is routine, deliberate or required by contract or university policy.

(ii) Can be subject to use restrictions (copyright) but no harm done in disclosure.

(d) Protection of data

(i) Users shall comply with all reasonable protection and control procedures for administrative data to which they have been granted access. Sensitive and private data can never be stored on departmental computers or servers, cd's, thumb drives or any easily transportable medium. All sensitive data shall be stored on secured storage located within the university's data center.

(ii) It is never acceptable to store sensitive data such as grades, social security numbers, correspondence between student and faculty, classified research, etc., on externally hosted systems, including cloud-based storage systems (includes, but is not limited to, services such as dropbox, google drive, and microsoft onedrive), without a contract that is fully vetted for compliance with university policies. Vendors providing hosted services shall complete the hosting services security checklist.

(iii) Any contract that will provide a third party (e.g. contractors, consultants, service providers, vendors) with sensitive information, or access to Cleveland state university systems or applications that contain sensitive information shall, at a minimum, include the following provisions:

(a) Explicit acknowledgment that the contract allows the contractor access to confidential information

(b) A specific definition of the confidential information being provided

(c) A stipulation that the confidential information shall be held in strict confidence and accessed only for the explicit business purpose outlined in the contract

(d) A guarantee from the contractor that it shall ensure compliance with the protective conditions outlined in the contract

(e) A guarantee from the contractor that it shall protect the confidential information it gets according to commercially acceptable standards and no less rigorously than it protects its own customers' confidential information

(f) A provision allowing for the return or destruction of all confidential information obtained by the contractor on completion of the contract

(g) A stipulation allowing injunctive relief, without posting bond, to prevent or remedy breach of the contract's or contractor's confidentiality obligations

(h) A stipulation that a violation of the contract's protective conditions amounts to a material breach of contract and entitles the university to immediately end the contract without penalty

(i) A provision allowing auditing of the contractor's compliance with the contract's safeguard requirements

(j) A provision ensuring that the contract's protective requirements shall ending the agreement

(3) Data trustees, data custodians and data users

(a) "Data trustees" are senior management personnel (typically at the level of vice president, associate or vice provost, dean, or university director) who have planning and policy-making responsibilities for data in their operational area. The data trustees, as a group, are responsible for overseeing the establishment of data management policies and procedures.

(b) "Data custodians" are managers of functional areas (typically at the level of controller, registrar or director of admissions) who oversee the capture, maintenance, and dissemination of data for a particular operation. Data custodians are responsible for making security decisions regarding access to the data under their charge.

(c) "Data users" are individuals who access university data in order to perform their assigned duties or to fulfill their role in the university community. Data users are responsible for protecting their access privileges and for proper use of the university data they access.

(4) Responsibilities of data trustees, data custodians, and information services and technology

(a) Criteria for determining access

(i) Data custodians are ultimately responsible for assigning access to all types of data on an individual basis; however, general criteria for determining access to both sensitive and private information include the following:

(ii) Human resources/payroll data can be made available as follows:

(a) Personnel in the employee's supervisory chain of authority

(b) Human resources, payroll, and business contacts in departments shall have access to human resources/payroll data for employees in their departments.

(c) Authorized employees of the department of human resources, payroll department, budget office, controller's office, grant accounting, department of audits, the office of general counsel, the office for institutional equity, and the department of law enforcement and safety, shall have access to human resources/payroll data on a case-by-case basis as appropriate for them to perform their job responsibilities. Human resources/payroll data shall be provided on a case by case basis in response to judicial orders or lawfully issued subpoenas.

(d) Legally authorized law enforcement personnel, authorized federal or state agencies, members of duly appointed grievance committees, representatives of authorized accrediting organizations, and agencies processing claims made by the employee for workers' compensation, unemployment insurance or other employee benefits which shall have case-by-case access to the portions of the official personnel files which are appropriate for their business.

(e) To appropriate parties in a health or safety emergency.

(iii) Financial data can be made available as follows:

(a) President, vice presidents, provost, deans, department heads and other personnel with responsibility for the management and oversight of financial resources

(b) Business managers and business office staff in departments.

(c) Authorized employees of business and finance, office of general counsel, division of law enforcement and safety and the department of audits who have a business need to access the data

(iv) Student data can be made available in accordance with FERPA.

(b) Development of access policies and procedures

Each data custodian shall be individually responsible for establishing data access procedures that are unique to a specific information resource or set of data elements.

(c) Promotion of accurate interpretation and responsible use

(i) Data trustees shall develop policy to promote the accurate interpretation and responsible use of administrative data.

(ii) Data custodians are responsible for making known the rules and conditions that could affect the accurate presentation of data. Persons who access data are responsible for the accurate presentation of that data.

(iii) Data custodians shall support users in the use and interpretation of administrative data, primarily through documentation, but also in the form of consulting services.

(d) Determination of security requirements

The data custodians, in consultation with information services and technology, shall determine security requirements for administrative data and shall be responsible for monitoring and reviewing security implementation and authorized access.

(e) Establishment of disaster recovery procedures

(i) Information services and technology is ultimately responsible for defining and implementing policies and procedures to assure that data are backed up and recoverable. The data trustees shall play an active role in assisting information systems and technology (IS&T) in this responsibility.

(ii) With the data trustees' advice, IS&T shall develop a workable plan for resuming operations in the event of a disaster, including recovery of data and restoration of needed computer hardware and software.

(f) Responsibilities of information services and technology

(i) IS&T develops and applies standards for the management of institutional data and for ensuring that data are accessible to those who need it.

(ii) IS&T works with the data trustees to establish long-term direction for effectively using information resources to support university goals and objectives.

(iii) IS&T makes institutional data available to authorized users in a manner consistent with established data access rules and decisions.

It develops views of data as directed by the data custodians. IS&T and the data custodians ensure that the technical integrity of the data is maintained and that data security requirements are met.

(iv) IS&T and the data custodians ensure that the university community is aware of this policy and the requirements and restrictions it contains.

(5) Requests for access

(a) Sensitive or private data access

Access to sensitive or private data by university employees or employees of university-related foundations requires that a formal request be made to the appropriate data custodian.

(b) Exceptions

All requests for exceptions to data access policies shall be made in writing to the data custodian. Email requests are acceptable. The request shall specify the data desired and their intended use.

(c) Denial

The data custodian shall provide a written record of the reason(s) for denial of any access request. Email records are acceptable.

(6) Responsibilities of users

(a) Use of administrative data only in the conduct of university business

The university expressly forbids the disclosure of unpublished administrative data or the distribution of such data in any medium, except as required by an employee's job responsibilities and approved in advance by the employees supervisor and the respective data custodian. In this context, disclosure means giving the data to persons not previously authorized to have access to it. The university also forbids the access or use of any administrative data for one's own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity. Users agree to use the information only as described in the request for data access. Failure to do so could result in disciplinary or legal sanctions as set forth in university policy.

(b) Maintenance of confidentiality and privacy

Users shall respect the confidentiality and privacy of individuals whose records they access, observe any ethical restrictions that apply to data to which they have access, and abide by applicable laws and policies with respect to access, use, or disclosure of information. All data users having access to sensitive or private information shall formally acknowledge (by signed statement) their understanding of the level of access provided and their responsibility to maintain the confidentiality of data they access. Each data user shall be responsible for the consequences of any misuse. Users are expressly prohibited from releasing identifiable information to any third party.

(c) Accurate presentation of data

(i) Users shall be responsible for the accurate presentation of administrative data when presenting data on behalf of the university. Users shall be responsible for the consequences of any intentional misrepresentation of that data.

(ii) The office of institutional research (IR) serves as the comprehensive source for data about Cleveland state university. The primary goal of IR is to collect, comprehend, combine, and analyze institutional data pertaining to a range of operational activities. IR assists in the analysis and interpretation of these data to explain past patterns and predict future trends in university performance.

(iii) The office of institutional research shall be the university's clearinghouse for official reports to external agencies including federal and state governments.

(d) Management oversight

(i) All levels of management are responsible for ensuring that all data users within their area of accountability are aware of their responsibilities as defined in this policy. Specifically, managers are responsible for validating the access requirements of their staff according to their job functions, and for insuring a secure office environment. The head of each unit will authenticate the need for individual access to data and shall request and obtain authorization for access to data from the custodian of such data.

(ii) Administrative and academic unit heads are responsible for taking the necessary steps to ensure that data access is terminated for employees who transfer to another department within the university or leave employment of the university.

Effective: 9/11/2016
Promulgated Under: 111.15
Statutory Authority: 115.10
Rule Amplifies: 3344
Prior Effective Dates: 6/1/2015

3344-8-03 Records management and retention.

(A) Purpose

The purpose of this rule is to comply with Ohio public records laws which require Cleveland state university to provide for the efficient and economical creation, utilization, maintenance, retention, preservation, and disposition of records consistent with the university's legal obligations. This rule also requires the preservation of historical permanent institutional records by the university archives.

(B) Definitions

(1) "Active record" means any records that relate to current business matters and are required to carry out the daily activities of the department.

(2) "Disposal" means the removal of records from a department or office. It does not necessarily refer refer to record destruction, but rather the various processes of records retention, whether offsite storage, conversion, or destruction.

(3) "Electronic record" means any record that is created, generated, communicated, received, maintained or stored on any electronic media owned by the university or controlled by the university or a university employee. Examples include, but are not limited to: e-mail, word processing documents and spreadsheets, and databases.

(4) "Inactive record" means records that are no longer needed for the daily activities of an office but still have an ongoing value.

(5) "Non-record materials" are documents, devices or items in the university's custody that do not meet the definition of records because they are not needed to document the organization, functions, policies, decisions, procedures, operations, or other activities of the university. Examples include personal notes, duplicates of existing records, stocks of publications, and library or museum materials intended solely for reference or exhibition.

(6) "Permanent Record" means a record that has continued historical or other value to warrant retention beyond the time they are needed for administrative, legal or fiscal purposes.

(7) "Public records" are records kept by the university, unless exempted from the definition of "public record" under division (A)(1) of section 149.43 of the Revised Code.

(8) "Records" includes any document, device, or item, regardless of physical form or characteristic, including an electronic record, created or received by or coming under the jurisdiction of any public office of the state or its political subdivisions, which serves to document the organization, functions, policies, decisions, procedures, operations, or other activities of the university. Personal records of employees, and records of third parties that are in the custody of the university but do not serve to document the organization, functions, policies, decisions, procedures, operations, or other activities of the university are not records.

(9) "Records custodian" or "custodian" means the employee responsible for an identified record or category of records.

(10) "Records retention schedule" means a listing of various types of routine, administrative records common to university offices.

(11) "Transitory records" are records which are needed for a limited time to complete a routine action, are used in the preparation of final records, or are kept as information or convenience copies by offices or individuals who do not have primary responsibility for them. Examples include drafts of documents, phone messages, and emails related to scheduling meetings.

(12) "Unit leader" means a department chair, office director, or other administrator that directs the regular functions of a unit.

(C) Creation of records

University employees shall make such records as are necessary to adequately document the organization, functions, policies, decisions, procedures, operations, and essential transactions of the university. A record should be created in the medium that best serves its purpose; instant messages, text messages, or any other form of communication that is difficult to share and preserve should not be used in the creation of records.

(D) Maintenance of records

(1) The unit leader is responsible for ensuring that unit records, including electronic records, are maintained in such a way that they can be identified and retrieved when needed.

(2) Each unit shall develop a records inventory that describes the categories of records created or maintained by the unit. The unit leader shall identify a records custodian or custodians for each category of record. Employees other than the records custodian may maintain records so long as the records custodian is aware of the records and able to retrieve them.

(3) Records may be maintained in paper or electronic form, so long as they may be identified and retrieved by the custodian. Maintenance and disposal of electronic records shall be determined by the content of the records, not the medium. Digitized paper records (such as scanned documents) may be maintained in place of paper records at the discretion of the department chair or director. Electronic records must be stored on a university-maintained shared drive.

(4) The maintenance of non-record materials should be avoided.

(5) When an employee leaves a unit, or the university, the unit leader shall ensure that any records in the separating employee's possession are properly transferred to a new records custodian. The unit leader is responsible for contacting information services and technology to arrange for the transfer of email and other electronic records to a new custodian before the accounts are scheduled to be deleted.

(E) Retention and disposal of records

(1) University archives is responsible for the university's records retention program in cooperation with the office of general counsel and will:

(a) Assist university departments and offices in the proper identification and preservation of active, inactive, and archival records;

(b) Retain and preserve necessary information to meet the university's administrative, financial, legal and historical needs;

(c) Help control costs and increase efficiency and through the systematic maintenance and disposal of university records; and

(d) Help increase employee awareness on liability, privacy issues, regulatory compliance and efficiency issues, as well as university history

(2) University records shall be retained for such period as is required by retention schedules approved by the university's general counsel. University records other than transitory records may be disposed of only in accordance with disposition instructions approved by the university's general counsel. Transitory records are to be discarded when no longer useful.

(3) Removal, destruction, mutilation, alteration, transfer or other disposition of university records except as authorized by the university archivist is prohibited and may result in disciplinary action.

(4) In circumstances in which litigation is filed or threatened, the office of general counsel shall issue a litigation hold on certain records.

(a) The litigation hold overrides any records retention schedule that may otherwise apply to the relevant records until the hold has been lifted by the office of general counsel. E-mail and computer accounts of separated employees that have been placed on a litigation hold by the office of general counsel will be maintained by information services and technology until the hold is lifted.

(b) No employee who has been notified by the office of general counsel of a litigation hold may alter or delete any record that falls within the scope of that hold. Violation of the hold may result in disciplinary action, as well as personal liability for civil and/or criminal sanctions by the courts or law enforcement agencies.

(F) Public records requests

The office of general counsel is responsible for responding to requests for public records pursuant to the Ohio public records act. All records custodians shall cooperate with the office of general counsel to identify and provide all records responsive to a records request. Determination of whether a university record is a public record shall be made by the office of general counsel.

(G) Internal records request

Department records custodians shall cooperate with internal records requests. All requests for data shall be approved by the relevant data custodian, as set forth in rule 3344-8-02 of the Administrative Code.

(H) Roles and responsibilities

(1) University archivist. The university archivist is generally responsible for the retention and preservation of university's permanent records. The university archivist may develop administrative procedures and guidelines for the management and retention of records, including a standardized records inventory and a university record retention schedule. Such administrative procedures and guidelines shall be approved by the general counsel.

(2) General counsel. The university general counsel is responsible for responding to requests for public records and for issuing litigation holds. The general counsel may develop administrative procedures for responding to public records requests.

(3) Information services and technology. Information services and technology is responsible for maintaining all systems and applications and for retention policies related to those systems and applications.

(4) Unit leaders. Unit leaders have overall responsibility for the creation, maintenance and retention of records for their department or office. Unit leaders shall ensure the development of a records inventory, shall identify records custodians, and shall oversee adherence to the records retention schedule.

(5) Unit records custodians. Each unit records custodian is responsible for maintaining records over which they have custody in a way that allows for the identification and retrieval of records when needed. Unit records custodians must also cooperate with the office of general counsel with respect to public records requests and litigation holds, and must implement the records retention schedule for the records over which they have custody.

Effective: 4/9/2017
Promulgated Under: 111.15
Statutory Authority: 111.15
Rule Amplifies: 3344