Policy on Terms of Use for Administrative Systems

Title

University of North Carolina at Chapel Hill Policy on Terms of Use for Administrative Systems

Introduction

Purpose

This policy describes the terms required for people to use the University of North Carolina at Chapel Hill’s (“UNC-Chapel Hill” or “University”) administrative systems. These systems include: 

• ConnectCarolina,  
• InfoPorte, Tarheel Reports, Ram Reports, 
• Other reporting tools, and 
• Other kinds of University business applications. 

Scope

This policy applies to people who use the University’s Administrative Systems.  

This policy does not apply to:  

• People who use only the “self-service” parts of administrative systems to access information or transact business for themselves. For example:  
  • Employee paystub access,  
  • Student registration,  
  • Viewing or changing personal UNC Directory entry, or 
  • Similar activities  
• People who have no other role requiring access to University Administrative Systems.

Policy

Policy Statement

UNC-Chapel Hill (the “University”) requires its faculty, staff and other constituents (including UNC System Office, UNC Healthcare, and other non-University affiliates) to access and use the

Anyone who accesses and uses University Administrative Systems must use them responsibly and only for legitimate business purposes.  

People who access University data or systems to perform their work must follow the University Data Governance Policy Acceptable Use Policy and the following principles:   

• Confidentiality: Protecting the confidentiality and privacy of people whose records they may access. Reporting any known or suspected breaches of University Information in a timely way, following policy, particularly the Information Security Incident Management Policy and the Privacy of Protected Health Information Policy. 
• Ethics: Applying ethical considerations to the information they can access.  
• Compliance: Following applicable laws and University policies covering access, use, protection, proper disposal, storage, and disclosure of information. 
• Responsible Access: Only accessing and using University data as needed to conduct University business. 

Information Access and Sharing

People are granted access to Administrative Systems based on their individual job responsibilities and University business needs. This access must be approved by the proper Major Organizational Unit or School/Division authority. 

Users with access to Administrative Systems must:   

• Only access information in Administrative Systems you are authorized to use even if you can access other information.  
• Only use information necessary to perform your assigned duties, even if you are not prevented from other access or use. 
• Only share information from Administrative Systems when the receiver has both authorization and a demonstrated business need for the information.  
• Only download information from an Administrative System for authorized business use. The person downloading must have that authorization.  
• Take care to appropriately secure downloaded information, including any printed, written, or stored information. 

Users with access to Administrative Systems must not:  

• Use or access information beyond what is needed for your assigned duties, even if the system doesn’t prevent you from accessing other information. 
• Share your access to Administrative Systems, including password sharing. 
• Share information from these systems with anyone who isn’t authorized to view the information.  
• Allow an individual to use Administrative Systems while signed on as someone else.  
• Share information from Administrative Systems with someone who isn’t authorized and has business need for the information.  

Confidentiality

Federal and State laws require the University to protect certain records and information contained in the University’s Administrative Systems. People using Administrative Systems must always follow University policy using these systems. Take particular care with the confidentiality of personnel information, protected health information, personally identifiable information, and student records. 

Do not access, use, store or disclose information contained within Administrative Systems other than for authorized University business purposes. You must follow all applicable requirements to get necessary approval to access, use, store or disclose the information. (For example, getting authorization from Data Stewards or responsible groups.) Secure the information in transit and share the information only with authorized and approved recipients who need the information for University business purposes. 

Information Security

When not connected directly to a University network, only access Administrative Systems using the University’s virtual private network (VPN) or other mechanism approved for secure connectivity. Do not use an insecure way to connect to a machine connected to Administrative Systems. You may make an exception only to access your own information through “self-service” functions. 

Do not access Administrative Systems on any insecure wireless (“Wi-Fi”) network. Only use secure wireless networks that require authentication to the network by a password. The University provides a secure wireless network that is acceptable for connecting to Administrative Systems. 

You must not access Administrative Systems from a place that might allow University information to be compromised or viewed by unauthorized people. Use care and sound judgment at all times if accessing Administrative Systems from public places. 

Violations

You must report any possible violation of this policy immediately to the Information Technology Services (ITS) Information Security Office by calling the UNC ITS service desk (919-962-HELP). 

ITS and/or the University responsible for an Administrative System may review all use of Administrative Systems to confirm that any use follows this and all other relevant University policies. Users must cooperate fully with such reviews as a condition of Administrative System use. 

Public Records

Anyone using an Administrative System who receives a public records request for University information stored in Administrative Systems must refer the request to the Public Records Office, Office of University Counsel, or an authorized University central office. People outside of these offices are not allowed on their own to extract and provide information from Administrative Systems in response to public records requests unless specifically directed to do so by one of these offices in writing. 

For more information about public records requests, refer to the University’s Public Records Office and Public Records Policy. 

Acknowledgement

Every Administrative System user must read this policy. ITS requires you to acknowledge you received this policy through an electronic verification. Everyone using Administrative Systems must attest in writing (electronically) that they have read and understood this policy before receiving access to these systems. 

Roles and Responsibilities

• ITS: Receives reports of potential policy violations; conducts reviews of system use; keeps records of user receipt of this policy. 
• Major Organizational Unit/School/Division Authority: Approves access for designated users. 
• Office of University Counsel and Public Records Office: Receives referrals of public records requests. 
• University central offices: Receives reports of potential policy violations: Conducts reviews of system use; responds to public records requests. 
• User (of Administrative Systems): Accesses information following this policy as needed to perform their job responsibilities. 

Definitions

• Access: Includes viewing, entering, downloading, copying, querying, storing, disclosing, or updating data or information. 
• Administrative System: Any University system requiring people to acknowledge this policy to gain authorized access. Designated University systems holding University (Enterprise) Data including ConnectCarolina (and related systems), InfoPorte, and other systems used to conduct University business which require acknowledgement of this policy for access authorization. 
• ConnectCarolina System: the integrated administrative portal for University business processes related to student services, human resources, payroll, and finance. 
• University central office: an administrative office of the University whose information is accessible through ConnectCarolina (e.g., Office of Human Resources, Finance Division, Office of the University Registrar, etc.). 
• University Information: University-owned information, or information made or received in connection with the transaction of University business by someone affiliated with UNC-Chapel Hill. Data, information, or records kept by the University in any medium or form. 
• Virtual Private Network (VPN): A virtual network, built on top of existing physical networks, which provides a secure communications tunnel for data and other information transmitted between networks. 
• Wi-Fi: Technology allowing wireless access to a private or public network. 

Related Requirements

External Regulations and Consequences

• Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g; 34 C.F.R. § 99.1 et seq.
• North Carolina Identity Theft Protection Act of 2005, N.C. G.S. § 75-60 et seq.
• Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.; 16 C.F.R. § 313.1 et. seq. (privacy), 16 C.F.R § 314.1 et seq. (safeguarding)
• Red Flags Rule, based on Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. § 1601 et seq. and 15 U.S.C. § 1681 et seq.
• North Carolina Public Records Act, N.C.G.S. Chapter 132
• North Carolina State Personnel Act, N.C.G.S. Chapter 126 
• Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d et seq.; 45 C.F.R. § 160 et seq. (general administrative requirements), 45 C.F.R. § 162 (administrative requirements), 45 C.F.R. § 164 et seq. (security and privacy)
• HITECH Act (The Health Information Technology for Economic and Clinical Health Act)

Failure to adhere to this policy may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this policy may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors and vendors who fail to adhere to this policy may face termination of their business relationships with UNC-Chapel Hill.

Violation of this policy may also carry the risk of civil or criminal penalties.

University Policies, Standards, and Procedures

• Privacy Policy
• Information Security Policy
• Information Security Incident Management Standard
• Information Classification Standard
• Passwords, Pass-phrases, and Other Authentication Methods Standard
• Transmission of Sensitive Information Standard
• Policies and Procedures Under the Family Educational Rights and Privacy Act of 1974
• Access to Student Records
• Personnel Records and Confidentiality of Personnel Information
• Public Records Policy
• Privacy of Protected Health Information Policy
• HIPAA (Health Insurance Portability and Accountability) Sanctions Standard

Contact Information

Policy Contact

ITS_Policy@unc.edu

Document History

• Effective Date and title of Approver:  10/14/2014, Chief Information Officer
• Revision and Review Dates, Change notes, title of Reviewer or Approver: 3/25/2015, Chief Information Officer
• Previous versions titled: Policy on Faculty, Staff and Affiliate Terms of Use for UNC-Chapel Hill Administrative Systems