The University uses information about its students, faculty, staff, and facilities for a variety of internal planning and external reporting purposes. Most uses are routine – that is, reports and analyses generated as part of day-to-day running and evaluating the University’s operations.
Sometimes there are requests to use the information for non-routine purposes (e.g., for scholarly research) or in non-routine ways. Some examples of this would include the following:
- To contact the student, faculty, or staff in the dataset,
- Working with highly sensitive or directly identifiable data in ways that have not already been approved,
- To influence their behaviour either directly or indirectly,
- Linking records in ways that have not already been approved
The requester may wish to use particularly sensitive data (e.g., sexual orientation, ethnicity) or they may wish to share the data with third-party partners or to publish the findings in the public domain. For these non-routine requests, the University has a Common Review process to ensure that an appropriate level of review is given to the request for use of these data before permission is given. Central to this process is the Data Request Committee (DRC). The following are represented on the DRC:
- Executive administrators with policy-level responsibility for managing the university’s information
- Experts who work regularly with the data and who have insights into the limitations of the data and how best to analyze them
- Experts in privacy and information security
- One or more Research Ethics Board members
If they feel it is appropriate, the DRC may require feedback from parties that may be affected by the research – i.e., students, faculty, staff. It may also require review by an expert panel, to ensure that the appropriate analyses are conducted.
All this helps to ensure the responsible use of the data that the University collects.
If you have any questions about this process, you may contact the Institutional Research and Data Governance Office at firstname.lastname@example.org.
Please note: Access policies and procedures will be reviewed by the Data Governance Committee and are subject to change.