Welcome UNC-CH Guest | The University of North Carolina at Chapel Hill
Help | | What's New

Viewing: Policy on Terms of Use for Administrative Systems

Table of Contents


Current Status: Active PolicyStat ID: 5273771

Policy on Terms of Use for Administrative Systems

University Policy

Title

University of North Carolina at Chapel Hill Policy on Terms of Use for Administrative Systems

Introduction

Purpose

This policy describes the terms required for use of ConnectCarolina, InfoPorte, associated reporting tools, and other University business applications (“Administrative Systems”). 

Scope of Applicability

University Constituents (including faculty, staff, authorized affiliates, and others) who are users of the University’s Administrative Systems. The policy does not apply to faculty, staff or affiliates who use only the “self-service” components of the ConnectCarolina System in order to access information or transact business regarding themselves (e.g., employee paystub access, student registration, viewing/modifying personal UNC Directory entry, etc.) and who have no other role requiring access to University Administrative Systems.

Policy

Policy Statement

UNC-Chapel Hill (the “University”) requires its faculty, staff and other constituents (including UNC System Office, UNC Healthcare, and other non-University affiliates) to access and use the Administrative Systems in a responsible manner and for legitimate business purposes only. (Any University system which requires users to acknowledge this policy as a condition of access authorization is considered an “Administrative System.”)

In accordance with the Enterprise Data Governance Policy and Acceptable Use Policy all users who access enterprise data or University systems in performance of their assigned duties, including, but not limited to, viewing, entering, downloading, copying, querying, storing, disclosing, or updating data or information must adhere to the following tenets:

  • Confidentiality: Respecting the confidentiality and privacy rights of individuals whose records they may access. Reporting any known or suspected breaches of University Information in a timely manner according to procedures defined in the Incident Management Policy and the Privacy of Protected Health Information Policy.
  • Ethics: Observing the ethical restrictions that apply to information to which they have access.
  • Policy Adherence: Abiding by applicable laws and University policies with respect to access, use, protection, proper disposal, storage, and disclosure of information.
  • Responsible Access: Accessing and using enterprise data only as required in their conduct of University business.

Specifically, for Administrative Systems, the following requirements apply:

Information Access and Sharing

Users are granted access to Administrative Systems based on their individual job responsibilities and University business need, and this access must be approved by the appropriate Major Organizational Unit or School/Division authority.

Users will only access information in Administrative Systems that they are authorized to use, and which is specifically necessary to perform their assigned duties, even if the system does not explicitly prevent other access. Likewise, users will neither share their access to Administrative Systems, nor information from these systems, with others who do not have authority to view this information. Sharing information from Administrative Systems is only authorized when the receiver has both the appropriate access authorization and a demonstrated business need for the information. Sharing passwords or allowing an individual to use Administrative Systems while signed on as someone else is prohibited.

Information accessed with appropriate authorization from an Administrative System may only be downloaded for authorized business use, and the downloader must have the appropriate authorization for use. Care must be taken to appropriately secure downloaded information,  including any printed, written, or stored information. 

Confidentiality

Federal and State laws require the University to protect certain records and information contained within the University’s Administrative Systems. Administrative Systems users are also required to comply with the provisions of the University’s policies, standards, and procedures at all times in their use of these systems including but not limited to confidentiality of personnel information, protected health information, personally identifiable information, and student records.

Accessing, using, storing or disclosing of information contained within Administrative Systems is forbidden other than for University business purposes by authorized individuals for appropriate and authorized purposes.  Users must ensure that they adhere to all applicable requirements for obtaining required approval for accessing, using, storing or disclosing the information (e.g. from Data Stewards or applicable committees), securing the information in transit, and for sharing the information only with authorized and approved recipients who need the information for University business purposes.

Information Security

When not connected directly to a University network, users must only access Administrative Systems using the University’s virtual private network (VPN) functionality or other mechanism approved for secure connectivity. Using remote access to connect to a machine that is connected to Administrative Systems without connecting first to the University’s approved VPN is prohibited. The only exception is when a user is accessing only his/her own information through “self-service” functions.

Users must not access Administrative Systems in a location that might permit University information to be compromised or viewed by unauthorized individuals. Specific care and sound judgment must be exercised at all times in using devices to access Administrative Systems in public locations.

Users must not access Administrative Systems on any unsecure wireless (“Wi-Fi”) network. Users may only use secure wireless networks that require authentication to the network by a password. The University provides a secure wireless network that is acceptable for connecting to Administrative Systems.

Violations

Users are required to report any known or suspected violations of this policy immediately to the Information Technology Services (ITS) Information Security Office by calling the UNC ITS Helpdesk (919-962-HELP).

All use of Administrative Systems is subject to random review at any time by ITS or the responsible University office to confirm that any individual use is in accord with this and other University policies. Users are expected to cooperate fully with any such review as a condition of use of the Administrative Systems.

Public Records

Public records requests for University information stored in Administrative Systems must be referred to and handled by the Public Records Office, Office of University Counsel, and/or the relevant University central office. Individual users outside of these offices are not permitted on their own to extract and provide information from Administrative Systems in response to public records requests unless specifically directed to do so by one of these offices in writing.

For more information about public records requests, refer to the University’s Public Records Office and Public Records Policy.

Acknowledgement

Every Administrative System user is required to read this policy. ITS requires users to acknowledge receipt of this policy, either by written signature or by electronic signature. All users must attest in writing that they have read and understood this policy before receiving access to Administrative Systems.

Roles and Responsibilities

Information Technology Services: receives reports of potential policy violations; conducts reviews of system use; maintains records of user receipt of this policy.

Major Organizational Unit/School/Division Authority: approves access for designated users.

Office of University Counsel and Public Records Office: receive referrals of public records requests.

University central offices: receives reports of potential policy violations; conducts reviews of system use; responds to public records requests.

User (of Administrative Systems): accesses information in accordance with this policy and as needed to perform their job responsibilities.

Definitions

Administrative System: Designated University systems containing University Enterprise Data including ConnectCarolina (and related systems), InfoPorte, and other systems used to conduct University business which require acknowledgement of this policy for access authorization.

ConnectCarolina System: the integrated administrative portal for University business processes related to student services, human resources, payroll and finance.

InfoPorte System: InfoPorte provides a consolidated view of financial, human resources, and student administrative information from various enterprise University systems. The purpose of InfoPorte is to allow a variety of users a simplified way to access the information they need to perform their job functions on a day-to-day basis.

University central office: an administrative office of the University whose information is accessible through ConnectCarolina (e.g., Office of Human Resources, Finance Division, Office of the University Registrar, etc.).

University Information: University-owned information, or information made or received in connection with the transaction of University business by an Affiliate of UNC-Chapel Hill. Data, information, or records maintained by the University in any medium or form.

User (of Administrative Systems): any faculty, staff or other affiliate granted access to the ConnectCarolina system or another Administrative System

Virtual Private Network (VPN): Virtual Private Network (VPN): A virtual network, built on top of existing physical networks, which provides a secure communications tunnel for data and other information transmitted between networks.

Wi-Fi: technology allowing wireless access to a private or public network.

Related Documents

External Regulations and Consequences

Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g; 34 C.F.R. § 99.1 et seq.

North Carolina Identity Theft Protection Act of 2005, N.C. G.S. § 75-60 et seq.

Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.; 16 C.F.R. § 313.1 et. seq. (privacy), 16 C.F.R § 314.1 et seq. (safeguarding)

Red Flags Rule, based on Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. § 1601 et seq. and 15 U.S.C. § 1681 et seq.

North Carolina Public Records Act, N.C.G.S. Chapter 132

North Carolina State Personnel Act, N.C.G.S. Chapter 126 

Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d et seq.; 45 C.F.R. § 160 et seq. (general administrative requirements), 45 C.F.R. § 162 (administrative requirements), 45 C.F.R. § 164 et seq. (security and privacy)

HITECH Act (The Health Information Technology for Economic and Clinical Health Act)

Failure to adhere to this policy may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this policy may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors and vendors who fail to adhere to this policy may face termination of their business relationships with UNC-Chapel Hill.

Violation of this policy may also carry the risk of civil or criminal penalties.  

 

University Policies, Standards, and Procedures

Privacy Policy

Information Security Policy

Incident Management Policy

Information Classification Standard

Password Policy for General Users

Policy on the Transmission of Personal Health Information and Personally Identifying Information

Policies and Procedures Under the Family Educational Rights and Privacy Act of 1974

Access to Student Records

Personnel Records and Confidentiality of Personnel Information

Public Records Policy

Privacy of Protected Health Information Policy

HIPAA Sanctions Standard

Contact Information

Policy Contact

ITS_Policy@unc.edu

Other Contacts

Subject

Contact

Telephone

Email

Technical questions

ITS Service Desk or Business Systems Help Desk

919-962-HELP (4357)

 

Reporting an information security incident or violation

ITS HELP Desk

(Ask that your Remedy ticket be marked “critical” for the Information Security Office (ISO) and do not provide detail on the incident until called back by an ISO incident handler)

919-962-HELP (4357)

 

Use of Administrative System Human Resources data

Senior Director, Human Resources Information Management, Office of Human Resources

919-843-2300

hr@unc.edu

Use of Administrative System Finance data

Director and Finance Liaison, Enterprise Applications

919-962-7242

avcfinance@ unc.edu 

Use of Administrative System student data

University Registrar

919-962-3594

registrationservices@unc.edu

Records requests

Refer to the University’s Public Records policy

 

publicrecords@ unc.edu

Use of full or partial SSN

University Committee for the Protection of Personal Data (UCPPD)

 

privacy@unc.edu

 

Document History

  • Effective Date and title of Approver:  10/14/2014, Chief Information Officer
  • Revision and Review Dates, Change notes, title of Reviewer or Approver: 3/25/2015, Chief Information Officer
  • Previous versions titled: Policy on Faculty, Staff and Affiliate Terms of Use for UNC-Chapel Hill Administrative Systems
All revision dates: 9/18/2018, 3/25/2015
Attachments:

Approval Signatures

Step Description Approver Date
Publication Kim Stahl: Senior Policy and Process Lead 9/18/2018
Publication Matthew Teal: University Program Specialist 9/12/2018
Approval by Issuing Officer Christopher Kielt: Vice Chancellor 9/12/2018
Finalize feedback Kim Stahl: Senior Policy and Process Lead 9/12/2018
University Policy Review Committee Jennifer Deneal: Administrative Director 9/12/2018
Incorporate feedback Kim Stahl: Senior Policy and Process Lead 9/11/2018
Administrative Review Philip Garriss: Information Systems Auditor 9/11/2018
Administrative Review Matthew Teal: University Program Specialist 9/11/2018
Administrative Review Lee Bollinger: Associate University Counsel 9/10/2018
Review by Key Stakeholders Kim Stahl: Senior Policy and Process Lead 9/10/2018
Step Description Approver Date
Publication Kim Stahl: Senior Policy and Process Lead 9/18/2018
Publication Matthew Teal: University Program Specialist 9/12/2018
Approval by Issuing Officer Christopher Kielt: Vice Chancellor 9/12/2018
Finalize feedback Kim Stahl: Senior Policy and Process Lead 9/12/2018
University Policy Review Committee Jennifer Deneal: Administrative Director 9/12/2018
Incorporate feedback Kim Stahl: Senior Policy and Process Lead 9/11/2018
Administrative Review Philip Garriss: Information Systems Auditor 9/11/2018
Administrative Review Matthew Teal: University Program Specialist 9/11/2018
Administrative Review Lee Bollinger: Associate University Counsel 9/10/2018
Review by Key Stakeholders Kim Stahl: Senior Policy and Process Lead 9/10/2018
Older Version Approval Signatures