Student Information System Access Control Procedure

Date effective: 1990-08-13

Authorized by: Vice-Rector, Academic


PURPOSE

1. The University's computerized Student Information System (SIS) is the principal tool for the support of academic administration. It includes all student records since 1974 as well as operating and reference information. Responsibility for the security and integrity of information contained in the system belongs to the Registrar.

2. The purpose of this procedure is to protect critical, sensitive and confidential data by ensuring that only persons duly authorized by the Registrar or his delegate are entitled to access the SIS.

Types of Access

Passive = ability to read data.

Active = ability to enter, change, update or delete data.

Types of Information

General = Reference and operating information.

Confidential = Information pertaining to individuals.

WHO MAY REQUEST ACCESS TO THE SIS?

3. Access to the SIS via terminals is normally restricted to employees of the University. Any employee whose functions at the University require access will normally be given permission to read general, non-personal information maintained in the SIS.

4. Authority to read information pertaining to individual students is granted only to staff members involved in academic administration, student accounts receivable, student services or student counselling.

5. The ability to enter, update or delete data on the SIS is strictly controlled and limited to designated staff members charged with academic record keeping or the maintenance of computerized databases.

CONDITIONS FOR SIS ACCESS

6. Employees who request an access account (or access code) for the SIS must:

  a) agree to respect all pertinent university policies and procedures on electronic data processing security and the confidential nature of the information obtained;
  b) occupy a position in which access to information contained in the SIS is considered necessary or useful;
  c) have the approval of their immediate superior, of the dean of the faculty or director of the service in which they work and of the Registrar or the Registrar's delegate.

HOW TO REQUEST ACCESS TO THE SIS

7. Requests for access to the SIS must be made in writing, on the form entitled REQUEST FOR ACCESS TO SIS. This form:

  a) identifies the applicant as an employee of the University;
  b) specifies the type of information needed in connection with the applicant's duties;
  c) provides the applicant's undertaking to observe all pertinent policies and procedures;
  d) provides a record of approval of the applicant's superiors.

Requests may be initiated either by the employee or by the employee's supervisor, but both must sign the request. The form is to be sent to the SIS Administrator in the Office of the Registrar for approval.

8. SIS access accounts will be renewed periodically, as long as the incumbent occupies the position for which the account was issued and continues to need the same access privileges. If different access privileges become necessary, or if the user is transferring to another position within the University, a new request for access must be submitted. The access code of an employee leaving the University will be cancelled without delay.

USE OF SIS ACCESS ACCOUNTS

9. Access accounts may be used only for the purpose for which they were issued. Any use for private purposes is prohibited. Employees are responsible for the security of their password and for all use of their access account. Accounts which remain inactive for prolonged periods may be suspended without warning or notice. A written or oral request to reinstate the access code shall be addressed to the SIS Administrator.

10. Abuse or negligence in handling the access account or in the use of the SIS will result in the withdrawal of access privileges, cancellation of the account and appropriate disciplinary measures.

EXCEPTION

11. No exception may be made to this procedure without the written approval of the Registrar.

Published August 13, 1990

(Office of the Registrar)

Appendix A

1. Policy 117 - Information Classification and Handling

2. Procedure 21-1 - EDP Security