P4842

ST. LOUIS BOARD OF EDUCATION POLICY
PERSONNEL
EMPLOYEE AND LABOR RELATIONS
Code of Ethics and Conduct

Owners, Custodians and Users of Data

The superintendent of schools shall define the responsibility and authority of the owners, custodians, and users of data or information.

Individuals classified as owners, custodians, and users of data or information are responsible for preserving the confidentiality and proper usage of data or information.

Policy adopted: June 26, 1990

Revised: January 12, 1999


R4842

ST. LOUIS BOARD OF EDUCATION REGULATION
PERSONNEL
EMPLOYEE AND LABOR RELATIONS

Code of Ethics and Conduct

Definitions and Responsibilities of Owners, Custodians, and Users of Data

Responsibility for data security involves three distinct roles.

1. Owner of data
2. Custodian of data
3. User of data

Owner of data

The owner of data is the head of the department or division which, as part of the department's administrative function, creates and maintains a set of data.

The responsibility and authority of the owner of data is as follows:

1. Creating and updating data;

2. Determining the value, importance, and sensitivity of data;

3. Specifying the level of security to be applied to data;

4. Authorizing access to data;

5. Assigning custody of the data;

6. Informing custodians of the requirements for access to data; and

7. Monitoring compliance with data security regulations.

The owner will be assisted in carrying out these responsibilities by the technology services division.

The owner is not directly accountable for the noncompliance of security regulations by custodians or users. However, the owner is expected to take reasonable steps to understand the conditions surrounding the custody and use of the data and to take appropriate action when data security problems are detected.

Custodian of data

The custodian of data is the head of the school, department, or division which has functional control over the hardware and software that are used in the production and maintenance of files, databases, and reports. For data that are stored and maintained on the mainframe computer's data storage media the custodian is the executive director of technology services. For data that are stored and maintained elsewhere, the custodian is the head of the school, department, or division in which the data reside.

The responsibility and authority of the custodian of data is as follows:

1. Implementing data owners' security requirements;

2. Monitoring compliance with data security regulations;

3. Maintaining a directory of data ownership;

4. Maintaining a directory of authorized data users;

5. Maintaining a dictionary and directory of data elements;

6. Administering access to data;

7. Providing physical and procedural safeguards to unwarranted access to data; and

8. Controlling the distribution of data in accordance with the data owners' requirements for security.

The custodian of data may be delegated by the owner to grant access to data, but the custodian may not reclassify the security level of the data without written permission of the owner.

User of data

The user of data is an individual who requires data to carry out his or her job functions and responsibilities.

The user of data is responsible for the following:

1. Compliance with all protocols, rules, and regulations that protect the security of data;

2. Avoiding unauthorized access to data;

3. Protecting the privacy of data access passwords and other individual or group assigned security procedures; and

4. Establishing procedures and practices which clearly communicate the data security regulations to subordinates.

The failure of a data user, custodian, or owner to strictly adhere to these responsibilities shall be grounds for disciplinary action against him or her, including dismissal.

Regulation approved: June 26, 1990

Revised: January 12, 1999

 
 
Home ] Article 0 ] Article 1 ] Article 2 ] Article 3 ] Article 4 ] Article 5 ] Article 6 ] Article 7 ] Article 8 ] Article 9 ] Updates ]