The Provision of PII Data on Faculty and Staff by Institutional Researchers
One of the primary responsibilities of offices of Institutional Research (IR) is responding to ad hoc requests for data on students, faculty, and staff at their institutions. Some of these ad hoc requests are for personally identifying information (PII), and judgements must be made about whether these data can be supplied to the requesters. There are general guidelines to help make these judgements such as the AIR Statement of Ethical Principles. More specifically, there are federal regulations (in the form of the Family Educational Rights and Privacy Act, or FERPA) that govern what data can be supplied to whom in the case of student data. However, faculty and staff data aren’t subject to the same regulations, and determining what can be supplied to whom can be unclear and confusing. For that reason, staff within the Office of Institutional Research at East Carolina University (ECU) set out to shed some light on this type of data provision. Drawing from a variety of resources as well as discussions with colleagues in Human Resources, we put together some guidelines for the provision of faculty and staff data, especially when requested at a personal level.
The Data Stewardship Committee at ECU recently approved a process by which all requests that come to IR for PII would be reviewed by the relevant data steward. The data steward for student educational record data is in the Registrar’s office; the data steward for faculty and staff demographic data is in our office of Human Resources. After being made aware of a request, the data steward can either approve or deny it. There is rarely any confusion about whether a request for student PII should be approved in part because staff within the Registrar’s office can apply FERPA guidelines in making these decisions. However, it wasn’t always clear how judgements should be made in the provision of faculty and staff data. In response to this situation, ECU IR staff consulted a variety of documents and engaged in discussion with our colleagues in Human Resources to create a list of data elements indicating which could be provided at a personal level and under what conditions. The following graphic depicts the resources utilized in creating this list.
One of the first considerations in creating this list was the classification levels of various university data elements as determined by committees within ECU’s Data Governance structure. The data classification standards include four levels as described in the graphic below.
It was readily apparent that PII data could fall into any of these levels except Public, but that the classification levels might provide guidance on who could receive such data. For example, Internal data is not specifically protected by statute or regulation but isn’t freely disseminated without appropriate authorization and then only to designated university workgroups, departments, or individuals within the university community (that is, there is some legitimate business reason for the data). Confidential/Sensitive and Highly Restricted data differ by the number of statutes/regulations that govern them as well as by the severity of the consequences of unauthorized provision. When reviewing faculty and staff data elements, deciding if a data element was Public or Highly Restricted was much more straight-forward than deciding between Internal and Confidential/Sensitive. Some data elements seemed to fall between these two.
The second consideration in determining what faculty and staff data elements could be released and to whom dealt with state regulations. ECU is one of the constituent universities of the University of North Carolina system and, as such, its employees (both faculty and staff) are considered employees of the state. In North Carolina, some data elements of state employees have been determined by the North Carolina State Legislature to be open to inspection (NC Gen Stat 126-23—2016). These data elements include: name, age, date of original employment, contract terms, current position, title, current salary, dates and amounts of salary increases or decreases, dates and types of position reclassifications, dates and general descriptions of reasons for promotion, dates and types of position changes due to disciplinary reasons, and office or station to which employee is currently assigned.
Another document that was consulted to determine what faculty and staff data elements were confidential and what data elements were less so was the Records Retention and Disposition Schedule for the UNC System. Within this document, disposition instructions are provided for various types of records. For our purposes, however, the more important inclusion was a lock symbol denoting which records may be confidential or may include confidential information. There is a long list of personnel records in the document, but some examples are as follows: Work Schedules and Voluntary Shared Leave are not considered confidential whereas Search Committee Records and Exit Interviews are considered confidential.
Finally, various individuals in our Human Resources office were interviewed to determine what PII data had been requested from them in the past and when (and under what conditions) they made a judgment to provide such data. One consideration they emphasized was whether there was a legitimate business need for the data (e.g., a supervisory/management link). We discovered in our conversations that various individuals across campus interpreted the North Carolina statute on public records differently; when in doubt, we went with the interpretation of our HR colleagues as the content experts.
In the end, IR (in conjunction with our HR colleagues) decided that faculty and staff data elements could be placed into one of three categories differentiated by whether the data could be provided at the level of the individual and under what conditions. Although not an exhaustive list of data elements relevant to faculty or staff, we evaluated 86 for their inclusion in one of the three categories. The categories and example data elements included in each are provided below.
(1) Data that can generally be provided at the level of the individual, e.g., academic rank, age, awards and honors, college/unit, FTE, hire date, salary, and years of state service.
(2) Data that may be provided with qualifications, e.g., reasons for, and type of, any change in position.
(3) Data that would not generally be provided at the individual level without specific authorization from, for example, senior leadership or university counsel, e.g., citizenship, exit interviews, gender, grievances, race/ethnicity, and residence.
Beverly King obtained her PhD in Developmental Psychology and was a faculty member for over a decade before moving into IR work. She has been directing Institutional Research offices for 15 years and has almost 20 years of service with the University of North Carolina system. She can be contacted via e-mail at firstname.lastname@example.org.
A pyramid with Level 4 at the narrowest point (top) arranged in descending order below:
- Level 4: Highly restricted. Data intended for very limited use & not disclosed except to those with explicit authorization, e.g., SSNs.
- Level 3: Confidential/Sensitive. Data intended for a very specific use & not disclosed except to those who have explicit authorization, e.g., student data not part of directory information.
- Level 2: Internal. Data that are not openly shared with the general public but are not specially required to be protected by statue or regulation, e.g., personal cell phone numbers.
- Level 1: Public. Data that are purposefully made available to the public, e.g., directory listings.