Carnegie Mellon University

Guidelines for Internal Data Sharing and Use

The purpose of these guidelines is to provide information to facilitate data sharing across Carnegie Mellon University.

Applies To

These guidelines apply to all students, faculty, staff, and any external parties who have access to institutional data.

Definitions

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the university should that data be disclosed, altered, or destroyed without authorization.

A data user is the individual or business entity that utilizes institutional data.

A data steward is a senior-level employee of the university who oversees the lifecycle of one or more sets of institutional data. See the Information Security Roles and Responsibilities for more information.

Institutional data is defined as all data owned or licensed by the university.

Guidelines

The following recommendations are encouraged in order to facilitate data sharing across the university:

The following are the expectations and responsibilities for Data Stewards concerning data sharing:

  • Data Stewards are expected to respond to data access requests in a timely manner.
  • Data Stewards are expected to indicate the reason for the rejection of any data access requests, providing transparency into the data access request process.
  • All data overseen by the data steward should have a data classification assigned, per the Guidelines for Data Classification.

The following are the expectations and responsibilities for data users concerning their utilization of the data:

  • Data users are expected to provide accurate and complete information to the data steward for the business need for the data and list how it will be used, stored, and maintained.
  • Data users are responsible for being informed about and complying with all applicable laws, regulations, standards, and guidelines concerning the data for which they are using.
  • Data users are responsible for not sharing data or information with other members of the University community unless they are authorized by a data steward to view that data or information.
  • Data users are expected to contact the data steward if there is a question concerning the use of the data.
  • Data users are expected to use the data that is appropriate for business needs.
  • Data users are responsible for alerting the data steward when the data is no longer needed.
  • Data users are expected to follow the Procedure for Responding to Unauthorized Release or Access of Data when necessary.

Revision History

Version

Date Published

Description

1.0

 2/14/22

Original publication