Purpose
University Data is information that is related to Boston University’s activities and is created, maintained, or processed by Boston University. University Data is a vital asset that must be available to employees who have a legitimate administrative need for it. However, the use of University Data for anything other than approved University purposes is prohibited by Boston University policy and, in many instances, by law.
This document defines the roles and responsibilities with respect to managing access to University Data meeting the criteria defined in the Scope section. Additional information and resources about data roles are outlined in Data Enablement’s Roles and Responsibilities.
Scope
This standard applies to access to University Data classified as Confidential or Restricted Use that is maintained by the University or a party acting on the University’s behalf, hereafter called “Subject Data”.
This standard does not apply to:
- Data or records that are personal property of a member of the University community, research data, or data created and/or kept by individual employees or affiliates for their own use;
- University Data that has been de-identified such that it may be classified as Internal or Public, as determined by the Data Trustee (see below);
- Situations in which the University is legally compelled to provide access to information;
- Data classified as Internal or Public. Access to these data types is determined at the discretion of the office that creates, maintains, or processes it; and
- Data for which a more restrictive set of policies and procedures is used, such as HIPAA data.
Official Roles and Responsibilities
A. Data Executive
The Data Executive is the executive or head of a Boston University department that creates, maintains or processes Subject Data. A Data Executive is responsible for approving access to Subject Data but may delegate such responsibility to Data Trustee(s). The Data Executive is responsible for establishing the criteria for sharing Subject Data.
The Data Executive shall ensure that their department is reminded of this standard annually.
The Data Executive may designate at least two and no more than four Data Trustees to help approve access requests and conduct access reviews. The Data Executive is responsible for ensuring that the Data Trustees receive the relevant training provided by Information Security and Data Enablement.
B. University Leadership and Technology Providers
University Leadership is the management of any department that needs access to Subject Data or maintains records on behalf of a Data Executive. Technology Providers are subsets of University Leadership whose units provide electronic applications and systems to enable the use and storage of Subject Data.
University Leadership is responsible for appointing Departmental Security Administrators as needed to fulfill the requirements of this standard. University Leadership is responsible for ensuring their unit’s knowledge of and compliance with this standard.
University Leadership and Technology Providers are responsible for appointing Data Custodians (see Section F below) as needed to fulfill the requirements of this standard. They are responsible for ensuring Custodians understand their responsibilities under this standard.
C. Data Trustee
Data Trustees are responsible for:
- Ensuring and monitoring the accuracy, integrity, and privacy of Subject Data;
- Granting or denying access to the Subject Data;
- Performing regular audits to ensure approvals for access to Subject Data remain valid and appropriate.
- Additional responsibilities related to governance of Subject Data as outlined in Data Enablement’s Roles and Responsibilities.
Data Trustees are responsible for reviewing requests for access to Subject Data and responding within three business days. The required elements of an approval are described in the Documentation of Approvals section. Data Trustees should grant access to Subject Data only to individuals, Project developers or Project teams with a demonstrable legitimate administrative need for the Subject Data, in accordance with guidelines set by the Data Executive, and a plan for compliance with Boston University policy and applicable law. The Data Trustee should approve access to only the minimum amount of Subject Data for the minimum amount of time that is necessary to meet the requester’s needs. If applicable to the technology, the Data Trustee may specify types of access (read-only, read-write).
Data Trustees may create pre-approvals for certain roles to have access to data if they wish. Birthright privileges are authorizations given to individuals when their account is first created or assigned a specific affiliation (e.g., “student”, “faculty”) as defined in the Identity and Access Management Standard. Access rights being granted automatically when an individual is assigned a specific affiliation is an example of a pre-approval. Any constraints of the pre-approval should be clearly documented and communicated to the appropriate Data Custodian(s) (see Section F below) and Information Security. These privileges should periodically be reviewed by Data Trustees and Information Security.
For requests by Project developers and Project teams, the Data Trustee must also confirm that the developers or team are coordinating with Information Security. Only Information Security may determine whether a solution complies with the Minimum Security Standards and such determination is in its sole discretion. The Data Trustee may request that Information Security confirm that this assessment has been completed and what risks were identified, if any. The Data Trustee shall not conduct their own assessment of the security of a proposed solution but may specify requirements, particularly regarding access controls.
After the Data Trustee has approved a requestor’s access to Subject Data, changes to the system or to the manner in which Subject Data will be presented must be reviewed by Information Security, but do not require Data Trustee re-approval unless Information Security requests it.
The Data Trustee should carry out audits, not less than one time per year, to ensure approvals for access to Subject Data remain valid and appropriate.
Data Trustees are responsible for reviewing requests for access to Subject Data, whether the data will remain in the original data source or be copied to a new repository. Access to Subject Data copied to a new repository remains within the jurisdiction of the original Data Trustee.
D. Departmental Security Administrators (DSA)
The University Leadership of any department that needs access to Subject Data may designate up to four Departmental Security Administrators (DSAs). DSAs will act as liaisons between their Boston University department and Information Security and oversee data security responsibilities at the department level. A new DSA’s manager should ensure the new DSA receives the appropriate training from Information Security.
DSA responsibilities include:
- Identifying the department’s need to store or access centrally maintained Subject Data sources and applications;
- Communicating requests for access to central financial and human resources systems (e.g., SAP), and student information systems (e.g., Campus Solutions). Before submitting a request for access, the DSA will confirm with the requestor’s manager that the requestor has a legitimate administrative reason for needing access to the Subject Data;
- Conducting regular reviews (not less than one time per year, and to the extent possible) of access lists and requesting removal of access to Subject Data when no longer needed; and
- Communicating with Information Security in the event of any unauthorized disclosure, modification, or loss of Subject Data.
E. Individuals
Individuals may access, use or store Subject Data with authorization from the appropriate Data Trustee. Requests for authorization should be made through the requester’s Data Security Administrator (DSA).
Individuals who are authorized by a Data Trustee to access, use or store Subject Data must use the data only in a manner consistent with approved university purposes. Individuals are not authorized to share Subject Data with others who do not have approval to access that same data until explicitly authorized as part of the request for access. Individuals must access Subject Data using devices that comply with the Minimum Security Standards for the appropriate data type (see Data Classification Standard) and follow any instructions or restrictions imposed by the Data Trustee. If an individual is authorized to provide information to an external vendor, the individual must work with Information Security to ensure the vendor will conform to the Minimum Security Standards.
F. Data Custodian
University Leadership or the Technology Provider of a mechanism to use or store Subject Data shall appoint Data Custodian(s). Data Custodians are primarily responsible for maintaining the accuracy of access controls for Subject Data. Managers of Custodians are responsible for transitioning the responsibilities as staff turns over.
Data Custodian responsibilities include:
- Assisting individuals, Project developers and Project teams with identifying how to best access the Subject Data required for their work;
- Providing access to Subject Data, as approved by the Data Trustee and retaining a record of such approval;
- Where possible, ensuring any changes to Subject Data access are properly logged for audit purposes;
- Removing access to Subject Data when requested by a DSA, Data Trustee, Data Executive, or the person to whom a requestor reports;
- Supporting regular reviews of access lists by Data Trustees and DSAs and removing access to Subject Data when no longer needed; and
- Additional responsibilities related to governance of Subject Data as outlined in Data Enablement’s Roles and Responsibilities.
G. Information Services & Technology
Information Services & Technology (IS&T) plays a central role in supporting Boston University’s Data Classification efforts by coordinating and enabling key functions across its sub-services.
Shared Responsibilities:
- Collaborating to ensure and monitor compliance with this standard and assist in addressing identified gaps or inconsistencies;
- Collaborating with University Leadership, Data Executives, and other data roles to align data classification standards with strategic objectives and regulatory requirements;
- Providing guidance, tools, and resources to departments to assist with data classification decisions, risk assessments, and classification reviews;
- Providing training to Data Security Administrators on the request process for adding, maintaining and removing access in Campus Solutions and SAP;
- Assisting individuals, project developers and project teams with submitting requests for access to Subject Data.
Information Security
Information Security leads the development and enforcement of data protection standards and compliance monitoring, ensuring that classified data is properly secured.
Information Security’s responsibilities include:
- Maintaining and publishing data management and protection standards;
- Assisting with documentation and routing of access requests from DSAs;
- Performing risk assessments of third-party vendors who will use or store Subject Data and assisting with contracting to help mitigate these risks;
- Responding to any reports of unauthorized disclosure, modification, or loss of Subject Data.
Data Enablement
The Data Enablement team provides guidance, tools, and training to help departments accurately classify and manage their data assets in alignment with Boston University policies.
Data Enablement responsibilities include:
- Conducting an annual audit of the list of Data Executives, Trustees, DSAs and other data roles to ensure the appropriate individuals have been identified;
- Facilitating coordination among Data Executives, Data Trustees, Departmental Security Administrators, and other stakeholders to promote consistent and accurate data classification practices across departments;
- Ensuring effective communication and training materials and programs are in place to raise awareness and understanding of data classification policies among all University employees and affiliates;
- Supporting the integration of data classification requirements into university data management systems, workflows, and information technology platforms;
- Advising on data governance best practices and emerging trends in data protection to inform policy enhancements and institutional risk management;
- With advice from the Office of the General Counsel, working with Information Security to communicate changes in law that impact responsibilities of the Data Executives, Data Trustees, DSAs and/or Data Custodians;
- Assisting in the development and implementation of data stewardship programs that promote accountability for data quality, classification accuracy, and appropriate use across units;
- Developing and maintaining resources related to the administration of Data Governance, including details on roles and responsibilities.
H. Application Development
Application Development implements technical solutions that incorporate data classification requirements into systems and applications, promoting secure and appropriate data handling throughout its lifecycle.
Developers, both within and outside IS&T, may create new ways to use or store Subject Data (each, a “Project”). Upon request, the Data Trustee may grant Project teams access to Subject Data for the purpose of such Project. This authorization does not empower individual Project developers or members of the Project teams to grant access to Subject Data to individuals outside the Project team on a temporary or permanent basis. Individual end users of the Subject Data must be approved as described above in Subsection (E) unless otherwise approved by the Data Trustee.
Developers and engineers offering solutions that include Artificial Intelligence and/or Large Language Models must ensure that these solutions do not provide Subject Data to individuals who have not been explicitly authorized to access it in other contexts.
If a third party will create, maintain, or process Subject Data on behalf of the University in connection with a Project, this must be specified in the Project developer’s or Project team’s request to the Data Trustee. The Project developer or Project team must require that the third party demonstrate compliance with the Minimum Security Standards for the data type and agree to follow restrictions imposed by the Data Trustee.
Standards
Documentation of Approvals
Where reasonable to implement, approvals of requests to access Subject Data should capture the following information:
- The name and title of the Data Trustee or Executive approving the request
- The date of approval
- The individuals or Project developer or team authorized to access the Subject Data
- The university purpose for which the access has been approved
- Any explicit permissions or restrictions on how the data may be accessed or used
- Whether the requester is authorized to make a copy of the Subject Data
- The period for which such access is authorized. Access to development projects should be for a limited duration.
Access Request Appeals
The requestor may appeal a Data Trustee’s denial of access to Subject Data to the Data Executive.
Identifying Data Executive or Trustees
If you need assistance identifying a Data Executive or Data Trustee, please contact your DSA or Information Security. A list of Data Trustees is maintained on the IS&T Website (“TechWeb”).
Exceptions
Information Security is authorized to grant exceptions to the requirements set forth in this document. Any exception granted will require a thorough review of the situation and the implementation of appropriate compensating controls.
In addition, Information Security may publish directives aimed at clarifying the intent of a standard to aid in the interpretation of this standard.
Important
Failure to comply with the Data Protection Standards may result in harm to individuals, organizations or Boston University. The unauthorized or unacceptable use of University Data, including the failure to comply with these standards, constitutes a violation of university policy and may subject the User to revocation of the privilege to use University Data or Information Technology or disciplinary action, up to and including termination of employment.
Version History
| Notes | Approver | Date |
| --- | --- | --- |
| Initial Publication of Data Management Guide | Information Security and Business Continuity Governance Committee | January 2011 |
| Reviewed, No Changes | Information Security and Business Continuity Governance Committee | July 2013 |
| Reviewed, No Changes | Information Security and Business Continuity Governance Committee | July 2018 |
| Updated and renamed Data Access Management Policy | Information Security and Business Continuity Governance Committee | April 2019 |
| Reviewed, No Changes | Common Services and Information Security Governance Committee | April 2020 |
| Updated Definitions | Common Services and Information Security Governance Committee | April 2021 |
| Reviewed, No Changes | Common Services and Information Security Governance Committee | April 2022 |
| Updated Definitions | Common Services and Information Security Governance Committee | April 2023 |
| Reviewed, No Changes | Common Services and Information Security Governance Committee | April 2024 |
| Updated and renamed Data Access Management Standard | IS&T Policy and Standards Review Committee | May 2026 |
Appendix A: Reference Image for Role Relationships
To assist with understanding the relationship between the roles defined in Official Roles and Responsibilities, the following diagram has been provided.
