A data permissions request solution provides a process for identifying, tracking, and managing a user’s permission to use data within the University’s data domains, sub-domains, and collections. These are defined by assigned data stewards and trustees who oversee the evaluation process of granting permissions. Get started with the data permission request process here.
Data provide maximum value when shared with relevant stakeholders. In order to facilitate this process, the University of Rochester has developed expectations for data sharing, as well as a comprehensive data sharing process and frequently asked questions to help you maximize the benefits of data sharing and minimize risk.
In order to enable data sharing across the University, the Data Governance and Support Office has provided the following to help manage the expectations of both data provider and data user. The Data Governance Council has endorsed these expectations.
- Data users will be able to explain what data they need, why they need them, how they will use them, and who will use the data. They will limit the use of the data to the described purpose. The business purpose may be broad or limited, depending on the type or risk-level of data at issue. Data users will not use the data for other purposes without approval from the data steward.
- Data users will be able to identify who the data will be shared with. The universe of users may be broad or limited, depending on the type or risk-level of the data at issue. Data users will not share the data with others without approval from the data steward.
- Data stewards can expect that data will be handled following a minimum level of security and privacy guidelines, regardless of classification. For data characterized as “high-risk”, additional security and privacy requirements may apply.
- Communication between the data user and the data steward will be open and timely. If data are shared, expectations will be made clear prior to sharing. If data are not shared, explanations will be specific.
- In the case of disagreement over sharing data or the details of a specific data request, the data user and data steward will engage in the appropriate resolution process. The user and steward should discuss significant concerns or needs and make reasonable efforts to find an appropriate resolution before elevating the issue to the appropriate parties (supervisors, chairs, deans, etc.)
In order to encourage appropriate sharing and make the process of requesting data more efficient, the University has built a Data Permission Request Form to streamline the request process. This tool looks to connect potential data users with data stewards who are charged with the oversight and management of particular University data assets.
This process ensures permission requests are evaluated by data stewards or trustees who understand the implications of the data, not the technical resources who manage and understand the systems where the data resides. Properly evaluating and tracking data permissions can help mitigate the risks of unauthorized data use. This solution will also help data users efficiently identify what data exists and who to contact to request permission.
Any member of the university community who has an Active Directory (AD) account and needs to view or use institutional data. All institutional data are eligible to use this process. However, data stewards will decide on the timing by which their data requests will be part of this process.
Examples may include but are not limited to sponsored research awards and employee profile data. This process does not cover electronic medical records and data that are inputs to or outputs of individual research projects.
This data management role represents business processes that generate data and leads to the definition of business glossary terms. A steward is primarily concerned with language and the meaning of data. Each data domain, sub-domain, or term will have a steward.
A data steward is responsible for functional definitions, in collaboration with others, sharing knowledge of business processes, stakeholders, etc. Data stewards may be called to serve on data management teams.
- Data domains represent the topical data related to a specified sphere of University activity or knowledge. A data domain contains one or more data sub-domains.
- Data subdomains are a category of data connected to related business processes contained within a data domain. A data subdomain contains one or more logical data collections.
- Data collections are a set of data elements that support a business process that are contained within a data subdomain.
For technical issues with the function of the data permissions form, please contact the IT helpdesk via phone at (585) 275-2000 or via email at firstname.lastname@example.org.
For help with the process or with questions on the information requested on the form, contact the Data Governance and Support Office.
A step-by-step process is outlined below for how to fill out the data request web form. You can reference a downloadable version of this guidance with visuals on our Form Guide and our Submit Request Overview (Note: Net-ID required to access these guides).
After logging into the portal and logging in with your Active Directory username and password (make sure to select the appropriate domain (UR AD / URMC AD), you’ll follow the steps below to complete the form. If you are working remotely, you’ll need to use VPN or Duo to access the application.
- Confirm who is making the request: Because you are logged in, the form automatically assumes that you are the one asking for permission. If you are not, you have the opportunity to change the default to anyone at the University. Note: you must choose a named individual. Roles, departments, or schools cannot make requests; only people can make requests.
- Short description of what you are looking for: The Summary box allows you to type a short description of your request. Sentences like, “I need data on student admissions”, or, “Request for faculty output metrics” would fit here.
- Confirm what kind of data you want: In order to know who needs to grant permission, we need to know what kind of data you require. Permissions for data use are granted by the data stewards who are responsible for those data or the trustees who oversee that data domain or functional area. You’ll be asked to choose which domain(s) are relevant to your data request. For more information about data domains, visit our Data Domains definition page as well as our interactive Domain Explorer tool
- Confirm frequency of data use: How often will you need to have data updated? Is this a one-time request where you would like someone to give you a spreadsheet or file? Or are you creating a report that requires new information monthly?
- Explain business reason and question: This field allows you to explain why you need the data and what question you are trying to answer. Please note that both pieces of information should be included in your response. A business reason might be “I need to build a dashboard”, or, “I need to provide data to a vendor”. The question gets to the issue you are trying to understand: For example: What is the retention rate for STEM majors? How much grant money do we receive from NIH for cancer research? The stewards will use this information to know whether the data requested will actually help the data user with the relevant problem.
- Who is the target audience: This field allows you to specify who else might be using the data. For example: Is the business reason a dashboard? Who will use it? Are you creating a report? Who will be reading it? Remember, the recipient of any output from these data must also have permission to use the data even if their use is passive. This field asks for information on different levels. If you will be sharing the data with named individuals, you will be prompted to select them by name. Your name is automatically included by default. If the data will be used by an identifiable group of people, such as a divisions or departments, the Department option will allow you to choose the appropriate department or division. Or, if neither the Individual or Department option is appropriate, the Other options presents a text field where you can explain situations such as a conference presentation, a chart for a website, or a group of people not readily described by the university org chart.
- Accept the terms and conditions: This checkbox indicates that you have agreed to the“ground rules” for data sharing that are outlined on this data governance website, as well as any special conditions that have been placed on the specific data you need by the data steward. Restrictions may be tied to data security classification or guidelines for responsible data use.
- Attach supporting documentation: This optional field allows you to share more details with the data steward if you would like to provide additional information to help them understand your request.
- Create the request: When you click the “Create” button, the request is logged and sent to the appropriate data steward(s) who need to grant your permission.
You can reference downloadable guidance and visuals on how to manage requests from the portal (Note: Net-ID is required). Steps to navigate the portal are also outlined below.
- Navigate to the portal
- Log in with your Active Directory (AD) username and password. Make sure to select the appropriate domain (UR AD/URMC AD)
- Click on Requests > My Requests
- View requests by clicking on the “Reference” or “Summary” link
- Explore request management options. User actions may vary depending on the status of the request. If you need to provide more information regarding the request after submission, please use the comment box.
You can reference downloadable guidance and visuals on how to manage requests via email (Note: Net-ID is required). Steps to navigate this process via email is also outlined below.
- You’ll receive a confirmation email to your inbox. Open your confirmation email and click on the “customer portal” link.
- Log into the portal with your Active Directory (AD) username and password. Make sure to select the appropriate domain (UR AD/URMC AD).
- Explore management options. User actions may vary depending on the status of the request. If you need to provide more information regarding the request after submission, please use the comment box.
When you request permission to data,the data steward can verify that you have an appropriate business reason to use or view the data.
When you request access to data, a technical or analytical resource can provide you with the actual data in the format required/requested.
An analogy to describe the difference is when you are allowed to use a car (you have permission to drive it) versus being handed the keys (you have now been given access to it).
If you request permission for data but select the wrong domain, the Data Governance Support Office will reroute your request to the appropriate data steward.
If you request access to data and when you receive it, it turns out it is not the data you need, you will need to submit a new data permissions request specifying the appropriate data.
In the data permissions form, select the data domain of “other” and complete the form. Requests with unknown domains will be routed to the Data Governance and Support Office for approval. The office will help identify stewards who can effectively evaluate permission or will provide additional information. If the data exist, new domains may be created to accommodate the need going forward.
Data stewards are expected to respond within 5 business days. This does not mean the request is guaranteed to be resolved within 5 business days as additional information may be required or additional approvals may need to be sought.
You are expected to use University data in accordance with established data usage guidelines and following all security and privacy policies.
The process as outlined on this website should replace the process you currently use to request permission. Permission requests via email, phone, or other decentralized process are no longer recommended.
You can reference downloadable guidance and visuals on how to manage and approve requests (Note: Net-ID is required). Steps to navigate this process are also outlined below.
- The approver(s) will receive an email containing the subject line “Data Permission Request requires Approval”. Locate your request email in your mailbox and click on the “Customer Portal” link.
- Log in with your Active Directory (AD) username and password. Make sure to select the appropriate domain (UR AD/URMC AD).
- Explore approver management options.
If additional information or clarification is required before a decision can be made, use the comment box to start a dialogue with the requester.
If you are ready to make a decision, there are three options available, found on the right hand side of the screen under “Actions”:
- Approve Request: Choose this option if permission is granted. You may add an optional comment.
- Decline Request: Choose this option if permission is denied altogether. You will be required to provide a justification for the denial before finalizing the decision. The requester has the option to request a reconsideration afterwards if this option is chosen.
- Approve with Limitations: Choose this option if you need to add some restrictions to the approval. You will be required to provide a justification for the limitation and specify the restrictions before finalizing the decision. The requester has the option to request a reconsideration afterwards if this option is chosen.
- Examples of limitations: “The requester may have all data about the requested population of students, except birth date.” “The requester has permission to see historical data from years 2010-2019, but not live data from 2020 onward.”
Approve the request with the status Approved with Limitations and communicate to the requester which data they will not receive. The Data Governance Support Office will be notified so that they can identify, track, and evaluate the need for these missing data. Contact the Data Governance and Support Office if you need guidance.
The steward should deny the request and provide a rationale for the denial. The Data Governance Support Office will help identify data stewards who can effectively evaluate permission or will provide additional information to the requester.
If you have questions, feedback, or need additional support through this process, you can reach out to the Data Governance and Support Office for help.