Responsibility and Confidentiality
The Data Warehouse contains confidential and sensitive University data. In order to use its data, you must have proper authorization. Your authorization means that you have the authority to use the data and the responsibility to share stewardship of the data with the other users of the collection.
Once authorized, you can access the data that you need to do your job. All authorized users are cautioned, however, that they are entrusted to use the data they retrieve from the Warehouse with care. Confidential data should not be released to others except for those with a "legitimate need to know."
Please remember that you should never share BusinessObjects queries with other users with the data intact -- send the query without the data.
Querying Data with Security Restrictions
If you execute a query requesting data that you are not authorized to access, you will get results which may be incomplete because they are missing the data you are not allowed to access.
If your authorization is limited to a specific set of data, be sure when querying the data that your record selection conditions include your security restrictions. For example, if you are authorized to access just data for a particular department, one of your record selection conditions should state something like "If Organization= 'My Organization'," where My Organization is the code of your department. This will document why the query gets the results it does, and will also help your query run faster.
Data Stewardship Best Practices
One of the most effective ways for Penn to safeguard the privacy and security of student, faculty, staff and other information is to make sure that it is only shared with people who clearly need it to do their jobs. This seemingly simple safeguard is sometimes not so simple to implement. Penn's Office of Information and Security and Office of Audit, Compliance and Privacy have developed best practices to assist data stewards in ensuring appropriate data controls in IT systems. The best practices focus on procedures for granting, reviewing and terminating data user access as well as appropriate training for data users. Data stewards of all systems, and particularly large systems with sensitive information, should ensure that they are adhering to the controls found in these best practices. Any questions can be directed to Enterprise Information & Analytics or to the Office of Information Security.