Information on University Use of Work-Related Data

In Resolution 2023-3, “On Endorsing Principles for Work-Related Data,” the Faculty Council asked for comment and assurance from the University administration on several points. To initiate that engagement, we sketch initial comments here.

We intend this webpage to summarize the more detailed and precise document here. We intend no difference in substance or meaning; but we consider the document with additional detail and precision to be canonical.

Full Work-Related Data Document Available here.

Section Overview

  1. Transparency
  2. Prohibit Surveillance
  3. Privacy and Data Ownership
  4. Promote Education
  5. Reading List
    1. Transparency

      1. Explain what data are and are not collected.

Each system collects data specific to its function and purpose. By policy, most University systems at least collect access logs and system logs. Network traffic is logged. Such data are needed to monitor for, investigate, and address information security exposures, monitor and troubleshoot system operation, and manage systems. More than that would be specific to each system.

Though IT systems are instrumented accordingly to carry out those essential functions, and University IT staff and approved vendors may scan and access data to fulfill those functions, they are not permitted to seek out data when not germane to system operations and support. Any unavoidable access to such data is limited to the minimum amount necessary to perform such duties.

      1. For the data that are collected, explain how they may be used.

Data are collected and used primarily for their original purpose. Laws and policies constrain how data “may” be used and how it “must” be used. (See “Reading List” below).

As noted above, though University IT personnel and approved vendors may scan and access data in order to fulfill essential operational and support functions, they are not permitted to seek out information not germane to those essential activities. Any unavoidable access is limited to the minimum amount necessary. Notwithstanding this exemption, University IT personnel are still subject to the prohibition against disclosure of personal or confidential information otherwise protected by applicable University policy and law.

      1. Notify faculty when significant changes are made to data practices that could be used to assess performance.

The updated Policy on Access to Individual User Accounts limits access to digital data to specific objectives which do not include routine reviews of job performance.

Systems operated by ITS neither log nor collect metadata for the purpose of assessing performance. Absent a legal requirement to do so, a request to use those data for the purpose of assessing performance would be a change from the original intent. ITS would deny and refer the request for data governance review.

The Office of Human Resources is the authority to direct questions about appropriate performance assessment. They have no plan for the University to use interaction data to evaluate performance.

If a person or unit wishes to include this type of data in faculty assessment criteria, they should follow appropriate protocols and reviews by institutional authorities to make that a formal criterion.

      1. Clarify whether data are stored on university systems or third-party systems,

Many “systems” are composed of both on-premise (maintained at the University) and third-party components. Systems are considered “University IT” whether they are owned and operated by the University or are licensed “cloud” applications doing the work of the University. In both cases, rigorous requirements apply to data protection and access control. Vendor contracts are rigorously reviewed as well.

      1. the expectations for how long most kinds of data are stored,

Data of all kinds are stored for durations that comply with the University Records Retention and Disposition Schedule. In practice that usually means they are stored while they have value for their original intended use plus some duration. If they are transferred to University Archives (though logs would almost never be archived in that way), how long they are retained becomes a curation decision.

      1. Information about who has access to data and in what circumstances.

Every “University IT” system is required to have “access controls.” This means every system is required to have suitable controls in place to limit access to University data only to people and processes that have been granted access based on their required functions; access controls also prevent access to those that have not been granted access.

The University is subject to public records laws. We must produce most public records. These laws apply to records created or received in connection with the transaction of University business, in whatever format, and are not restricted in scope to University-owned devices or University-sponsored services. This means that carrying out University business through personal email, on personal phones, or on personal computers does not change the ownership of any records created or received in connection with University business nor the University’s obligation to produce/release them.

Other University policies identify additional permitted access. (See “Reading List” below for a sample of those policies.)

      1. Confirm and communicate procedures for decision making regarding data collection and sharing.

When large systems are established, the people building them work with stakeholders, which should include representatives of customer communities. Communication among members of the University community is essential for University operations, teaching, research, and public service endeavors.

Some units of the University are established to be responsible for some kinds of data use and sharing. The Public Records Office, University Archives, and Internal Audit have permission to receive data to accomplish their mandates. The Office of University Counsel handles other types of data for litigation and other purposes. Each of these offices has established practices for data handling in compliance with applicable law and policy.

See policies below.

      1. Establish and communicate a clear chain of decision making regarding use of data.

The individual is the first stop when data in individual accounts is needed. In some circumstances that isn’t the right path, and a structure exists to address those situations.

Work activity data follow the same practice as any other data type. Questions that arise about appropriate data sharing and use can be vetted through the Data Governance Oversight Group. Metadata in systems is “IT data.” We anticipate publishing a formal Standard to clarify some of these questions and provide consistency between ITS and unit IT responses.

    1. Prohibit Surveillance

      1. Ensure that data requests can only be made based upon accepted grounds with a documented rationale (e.g., for public records, public safety, network protection, or authorized legal matters).

Administrators and staff do not conduct active surveillance using UNC digital data. Data are sometimes requested retrospectively following established and longstanding procedures. Though business justification is part of that requirement, a role-based gate is used, and authorized requestors adhere to the Administrative Systems Terms of Use Policy, which has rigorous requirements when accessing University Data. Those requirements include care to access data in a limited way to meet the business need. Staff engaged in this work have documentation requirements and the ability to have requests reviewed.

      1. Confirm and communicate policies limiting the use of data for job performance decisions.

Please see remarks above regarding use of data for assessing faculty performance. The updated Policy on Access to Individual User Accounts limits access to digital data to specific reasons. Routine review of job performance is not among those reasons.

      1. Confirm that faculty retain intellectual freedom in public digital spaces and that any monitoring of social media is conducted to support public safety and will not be used to target specific groups or individuals or for political purposes.

Intellectual freedom requires that faculty and other employees have the freedom to express themselves on social media platforms. Staff asked to perform this sort of activity have avenues to report through their HR representative, EthicsPoint, and other options.

      1. When requests for data are made and/or social media monitoring is conducted, individuals involved should be notified when legally permissible.

The University endeavors to notify individuals when it is legally permissible and would not compromise the integrity of a suitably authorized investigation.

    1. Privacy and Data Ownership

      1. Highlight the rights that faculty have over their own data.

The University approaches data protection from a “University Data” perspective. Whether data is owned by the University, faculty, or someone else, if it is in some form of University IT, or is being received, created, or used for the business of the University, then all data governance, protection, sharing, and use policies apply to it. The University will protect faculty data as rigorously as any other data, and establish access control and permissions, negotiate contracts with third parties to include data protection measures, and otherwise manage the data professionally.

      1. Make clear when data are “owned” by the University and when they are the intellectual property of faculty.

Faculty production of scholarly works, pedagogical materials, and other intellectual property is protected by all relevant copyright law, whether or not the works are stored on University servers. However, the guarantee of secrecy or privacy is limited by the applicable access policies.

This is a complex topic with multiple laws, regulations, contractual agreements, and other constraints.

      1. Make public any instances of sale or sharing of data by the University.

“Sale” of data and “sharing” data differ. In general, the University shares data only when we are required to do so—for example, to the federal government for financial aid purposes or other compliance purposes, to the UNC System Office for reporting purposes, to accrediting entities, etc. When the University shares data with a third party for some service or function—for example, with Microsoft or Adobe—the terms and conditions are covered by contract which we negotiate to limit their secondary uses.

With respect to “sale” of data, any such activity would be processed with legal review and with support of appropriate administrative offices.

      1. Educate faculty on individual rights and appropriate processes related to the sale or use by others of their data.

Please see safecomputing.unc.edu for information of this kind.

      1. Confirm that data related to instructional materials (e.g., syllabi and assignments) constitute faculty intellectual property.

See comments on intellectual property with respect to “data”, above.

      1. Clarify faculty intellectual property rights for various categories of research (sponsored, individual, collaborative).

See comments on intellectual property with respect to “data”, above. This is a good topic for further engagement and discussion.

      1. Ensure that contracted third-parties have no or appropriately limited access to faculty data and that contracts delineating third party uses of faculty data are available for review upon request.

Other than required public records disclosure, and published information like the University Directory, the University has controls over sharing employee data. The University scrutinizes third parties for data security and protection measures and subjects the agreements to legal review when contracting for services involving employee data.

    1. Promote Education

      1. Create easy access to documentation and policies for work-related data.

ITS intends to publish a formal Standard addressing many of the concerns identified here. All University policies are available on policies.unc.edu. See safecomputing.unc.edu and datagov.unc.edu for training and information on data protection.

If you have specific questions or would like for someone to talk with a group about data-related policies, feel free to email its_policy@unc.edu to set something up.

      1. Charge campus entities (e.g., Information Technology Services, The Office of Legal Counsel, University Archives, The Office of Ethics and Policy) with educating campus constituencies about data concerns and rights.

Thank you for asking! The Information Security Office provides security training and activities. (Have you subscribed to the “Data At Rest” podcast?) Many ITS staff are available to speak to groups. ITS Communications provides articles in its own publications and through The Well and other campus outlets.

Your unit should have one or more Information Security Liaisons available to answer questions or find resources.

The Enterprise Data Coordinating Committee provides data-governance training and builds structure for University Data use. The Data Governance Oversight Group has resources on datagov.unc.edu and can help with questions about data (link at the bottom of each datagov.unc.edu page).

The Institutional Privacy Office provides data-related training for HIPAA Covered Units.

The Digital Accessibility Office and others offer training through Carolina Talent on topics related to data concerns and rights. The DAO is intensely interested in helping faculty to shape their course materials to be universally usable.

      1. Develop programs for providing and updating training related to data for units and faculty.

The groups mentioned above and others provide and at least occasionally update training. Suggestions for topics and assistance spreading the word about training are always welcomed!

Reading List

Information Classification Standard

Data Governance Policy and Standard

Acceptable Use Policy

Administrative Systems Terms of Use Policy

Copyright Policy

Individual Accounts Policy (new)

Individual IT Data Standard (upcoming)

Datagov.unc.edu

Safecomputing.unc.edu

NC 132 Public Records