- Does the MSU Institutional Data Policy (IDP) override or obviate other, more specific policies or guidelines relating to institutional data, such as policies or guidelines that individual university units may have in place?
- Does the IDP address ownership of data held by MSU?
- Does the IDP apply to volunteers and agents or contractors of MSU who might work with institutional data?
- Does the IDP apply to things like graphics, images, still photographs, movies and videos, animations and other non-text or non-numeric content?
- If a data container such as a report or record contains a mixture of institutional data that have been made public data, institutional data that have not been made public data, and/or confidential data, what rules apply to it?
- What is the geographic scope of the IDPy? Does it apply to locations outside the main East Lansing, Michigan, campus?
- MSU is a public university. Doesn’t this mean that all data at MSU are in the public domain?
- Does the IDP affect the sharing of institutional data among university offices?
- Does the IDP mean that MSU faculty may not use MSU student data or other confidential data in research protocols?
- To whom should suspected violations of the IDP be reported?
1. Does the MSU Institutional Data Policy (IDP) override or obviate other, more specific policies or guidelines relating to institutional data, such as policies or guidelines that individual university units may have in place?
No, it does not. MSU frequently is required by law, by industry practices, or by business contracts to protect certain types of data. Examples include personal health information under HIPAA, student education records under FERPA, and payment card data under Payment Card Industry Data Security Standards. MSU has policies and practices that reflect these obligations. These targeted policies and practices provide more specific guidance about handling these types of data.
Similarly, university units that work actively with confidential data may find it useful to have unit-specific guidelines and work practices to help their employees understand the data protection expectations which they must meet. Unit-level guidelines should be consistent, overall, with the IDP.
2. Does the IDP address ownership of data held by MSU?
The IDP does not address the ownership of institutional data or any other forms of content collected or created at MSU. This policy sets minimum standards for responsible use of institutional data at MSU.
3. Does the IDP apply to volunteers and agents or contractors of MSU who might work with institutional data?
Yes, indirectly. The IDP can only hold members of the university community — faculty, staff and students — directly responsible for compliance. Section IV.C.4 of the IDP makes it clear, however, that those who are subject to this policy need to take appropriate action to provide for the proper use, storage, and disposal of institutional data by others working with those data under their supervision. This includes informing them of the IDP and any restrictions on the data. In some circumstances, it may also include placing contractual restrictions on the further dissemination of the data by those with whom the data are shared.
4. Does the IDP apply to things like graphics, images, still photographs, movies and videos, animations and other non-text or non-numeric content?
Yes, the use of the word data in the policy is intended to include content in all forms and formats.
5. If a data container such as a report or record contains a mixture of institutional data that have been made public data, institutional data that have not been made public data, and/or confidential data, what rules apply to it?
Whenever data types are mixed, the rules that apply are those applicable to the most restricted type of data in the mixture. For example, any combination of institutional data that contains confidential data must be treated as confidential data.
6. What is the geographic scope of the IDP? Does it apply to locations outside the main East Lansing, Michigan, campus?
The IDP applies to all MSU institutional data, no matter where they are or are used, from what location they may be accessed, or in what device they are held.
7. MSU is a public university. Doesn’t this mean that all data at MSU are in the public domain?
No. The university is subject to a variety of legal and other obligations to restrict the disclosure of certain data and records. See Appendix I to the IDP. The university also is subject to various reporting and disclosure requirements relating to specific data and documents. Section V.A of the policy makes clear that the IDP is not intended to impede the release of data or records when that is legally required. The existence of such requirements does not justify the lax or careless treatment of institutional data.
8. Does the IDP affect the sharing of institutional data among university offices?
No, provided that the institutional data is shared with members of the university community who have a university purpose for receiving it. Please note that members of the university community are expected to cooperate with the Freedom of Information Office in responding to Freedom of Information Act requests and with the Office of General Counsel and other university offices in complying with court orders, subpoenas, and other legal mandates for the release of institutional data.
9. Does the IDP mean that MSU faculty may not use MSU student data or other confidential data in research protocols?
No, the PIDP does not preclude the use of confidential data types in properly conducted research. Any research conducted by MSU investigators that involves human subjects or their data must be approved by a responsible Institutional Review Board (IRB). The IRB review will take security risks and risk mitigation steps into account.
10. To whom should suspected violations of the IDP be reported?
Employees (including student employees) may report suspected violations to their immediate supervisor or to the lead administrator of their employing unit. Undergraduate students also may report suspected violations to the Office of the Associate Provost for Undergraduate Education and Dean of Undergraduate Studies; graduate students also may report suspected violations to the Office of the Associate Provost for Graduate Education and Dean of the Graduate School. Individuals may also report their concerns via the Fiscal Misconduct Hotline. Suspected violations of this Policy should be reported as soon as possible.