Category | Administration and Management |
---|---|
Type | Procedure |
Approved by | Deputy Vice-Chancellor (Academic), 21 March 2014 |
Date Procedure Took Effect | 22 March 2014 |
Last approved revision | 18 October 2017 |
Sponsor | Director, Academic Services |
Responsible officer | Manager, Policy & Compliance |
Purpose
The purpose of this procedure is to support University compliance with the Privacy Act 2020 and the University's Privacy Policy, through:
- clearly defining responsibility for approving staff access to student information stored in the University's Student Management System, eVision
- providing guidance to those with authority to authorise this access, and
- detailing circumstances in which eVision access may be declined or removed.
Organisational scope
This Procedure applies University-wide, and covers direct access to student information held within eVision, including access to student information via Business Objects reports.
Those responsible for other student management systems used at the University are encouraged to reference this Procedure in developing appropriate access controls for their systems.
Definitions
- eVision: The University's Student Management System, which requires log-in based authorisation to access.
- Business Objects reports: Web-based University reports which require authorised access. For the purpose of this procedure this refers only to those reports which access student information.
- eVision access: For the purpose of this procedure, refers to access to student information held in eVision, both directly via the eVision interface and/or through associated Business Objects reports.
- Authorised Departmental Administrator: A staff member with eVision access who can provide student information to other staff members (without eVision access), based on those staff members' professional need to access such information.
- Student-staff member: A person who is primarily enrolled as a student at the University, but who is also employed by the University. Staff members fall within this definition if they are enrolled for full-time study OR have a student EFT (equivalent full-time study) which is greater than their staff member FTE (full-time equivalent employment). Staff members engaged in incidental study are not included in this definition.
Content
1. General principles
- To support compliance with the Privacy Act 2020 and the University's Privacy Policy and Privacy Statement, it is the University's responsibility to ensure that, wherever possible, only staff members with a clear functional need to do so are able to access students' personal information.
- Operational responsibility for ensuring that only appropriate staff members are able to access student information in eVision resides with the relevant Head of Department.
- When assessing the need for a staff member to have access to eVision and/or associated Business Objects reports, the following question should be asked to inform the decision:
To enable the employee to carry out the functions of his or her University employment, does the employee clearly need regular access to students' personal information and academic records?
- If the answer is 'yes', then access should be approved.
- If the answer is 'no', then access should not be approved.
- Requests to create, change or remove eVision access for particular staff members, including access to associated Business Objects reports, may be made by completing and submitting the online eVision Access Form.
- The Manager of Student Administration has delegated authority to make a final decision on eVision access based on the criteria laid out in this Procedure. Depending upon the sensitivity and nature of the information being accessed, additional approval may also be required from designated managers with overall responsibility for particular sets of data.
- Staff members with approval to access student information in eVision may only access and use such information in accordance with the Privacy Policy and Privacy Statement.
- Where a staff member's access to information in eVision includes access to functionality that allows changing or updating information held in eVision, such functionality may only be used where this is authorised through the appropriate authority and/or clearly part of the staff member's functional role.
2. Restrictions on access
- Staff members who, in order to undertake the responsibility of their positions, irregularly or infrequently need to access student personal information, should not be granted direct eVision access, but should instead access information via an Authorised Departmental Administrator.
- Student-staff members will not normally be granted eVision access. Where a student-staff member must access student information to carry out the functions of their employment, such information should be accessed via an Authorised Departmental Administrator.
- Notwithstanding clause 2(b), where it can be clearly demonstrated that a student-staff member cannot practically carry out the functions of their employment without eVision access, such access may be approved subject to the student-staff member signing a confidentiality agreement confirming that they have read and will adhere to the University's Privacy Policy and Privacy Statement. Requests for eVision access for student-staff members, or for roles normally filled by student-staff members, should be made in writing to the Director, Academic Services.
3. Removal of access
- Where a staff member ceases employment at the University, eVision access will be removed via an automated update at the end of their last day of work. For a short notice departure, or where a staff member's access needs to be removed immediately, their manager should contact the SMS Support Office to request this.
- Where a staff member is continuing in employment at the University but no longer requires eVision access as part of their role, their manager should remove access using the online eVision Access Form.
- Any staff member who has not accessed eVision within the last six months may have their access removed.
- A staff member's eVision access may be temporarily or permanently removed by the University where:
- it is deemed that they no longer require access to student information
- they have been shown to have accessed or used student information in contravention of the University's Privacy Policy and Privacy Statement, or
- where the University deems that the staff member's continued access may pose an unacceptable risk to the privacy of students.
Related policies, procedures and forms
- Policy on Access to, and Use of, Personal Information
- Privacy Act 2020
- Privacy Policy
- Privacy Statement
- Information relating to the Public Records Act, the General Disposal Authority and other record keeping requirements
Contact for further information
If you have any queries regarding the content of this policy or need further clarification, please contact:
The Manager
Policy and Compliance
Email policy.compliance@otago.ac.nz