Data Warehouse Access and Security Policy

Effective Date: 9/21/1999

Purpose of the Data Warehouse

The purpose of the Data Warehouse is to enhance client service delivery by making accurate, integrated department information available to the department community when, how, and where it is needed. Department information is:

  • information that resides in automated information systems
  • information that is relevant to planning, managing, operating, auditing, and communicating department activities

Ownership of the Data Warehouse

The Data Warehouse is owned by the Department of Human Services, Office of the Executive Director.

Purpose of this Policy

The intent of this policy is to assure that the:

  • information in the Data Warehouse is protected from improper access and use.
  • department community is informed about confidentiality, privacy, and acceptable use of the Data Warehouse.

Privacy Issues and Legal Implications

The Data Warehouse contains private information about clients who are receiving or have received services from the Department of Human Services. Private information is protected under the Privacy Act and the State Government Records Access and Management Act (GRAMA).

The Privacy Act is the Federal law that defends citizens from government misuse of data. Exchange of information on individual citizens by agencies occurs on the grounds that disclosures are "compatible" with the purpose for which the data was collected. The law specifically states that information cannot be used for purposes other than that for which it was originally collected. For example, exchanging information on individual citizens in the name of detecting waste, fraud, and abuse of benefits; or comparing tax returns with welfare rolls; or using the records of people in drug treatment programs to search for possible criminals violates the context in which the original information was compiled.

The Government Records Access and Management Act is a state law that deals with the management of government records [1], who is entitled to access those records, and the exercise and enforcement of access rights. It attempts to balance the public's constitutional right of access to information concerning the conduct of the public's business, individuals' constitutional right of privacy in relation to personal data gathered by government entities, and the public policy interest in allowing a government to restrict access to certain records for the public good. Records governed by this act may be classified as public, private, controlled, protected, or limited:

  • Public records: Under this act, all records are public unless they fit within one of the categories exempt from public disclosure--private, controlled, protected, or limited. In addition, this act specifically identifies several kinds of records that are public. Any requester may inspect a public record.
  • Private records: Private records are records about individuals that contain personal information, such as medical or personal financial information. Private records are ordinarily available only to the subject of the record or to persons with written permission from the subject.
  • Controlled records: If a governmental entity reasonably believes that release of a medical, psychiatric, or psychological record to the individual who is the subject of that information would be detrimental to the subject's mental health or to the safety of any individual, or would constitute a violation of normal professional practice and medical ethics, the record may be classified "controlled." Controlled records ordinarily may be released only to a physician, psychologist, or social worker with a release from the subject, and that person may not disclose the information to the subject.
  • Protected records: Protected records are records that may be kept confidential to protect various interests, including:
      • Business interests in the case of information that would give competitors an advantage if disclosed
      • The public interest in the case of information where confidentiality is necessary to prevent persons from gaining an unfair advantage by means of information held by their government.
    Protected records are ordinarily available only to the person that submitted the record or to an individual who has written authorization from all individuals or entities whose interests are sought to be protected.
  • Limited records: Access to some government records is limited by the specific law that authorizes or requires the keeping of the record. (An example is the federal Medicaid statute.) If there is an applicable statute, federal regulation, or court rule, this act only applies to the extent that it does not conflict with that statute, regulation, or rule.

Data Warehouse Access Rules

In order to access information in the Data Warehouse, you must have proper authorization. Your authorization means that you have the authority to use the information and the responsibility to share stewardship of the information with the other users of the Data Warehouse.

Once authorized, you can access the information that you need to do your job. However, you are entrusted to use the information you retrieve from the Data Warehouse with care. Private information about clients, including information about their specific service, placement, custody, probation, and delinquency histories, may only be exchanged with others when the exchange is compatible with the original purpose for which the data was collected, and the exchange is for legal, audit, or state operational or management purposes.

Employees or providers who may be authorized to access private information about clients

  • Those who work directly with clients in undertaking duties related to the operations and mission of the division for which they work (examples: case workers, observation and assessment workers, detention center workers).
  • Those who supervise staff who work directly with clients (examples: case worker supervisors, observation and assessment supervisors and directors, detention center supervisors and directors).
  • Those who are responsible for administering the Data Warehouse.

Employees or providers who may be authorized to access summarized information about clients

Procedures for Gaining Authorized Access

  • Complete and sign a Data Warehouse Access Request form.
  • Obtain your immediate supervisor's signature on the form.
  • Obtain approval from the State Office.
  • Submit the completed form to Data Warehouse Administration.
  • Data Warehouse Administration will notify you when access has been authorized.

Responsibilities

Department employees and providers have a responsibility to protect the confidentiality of private, controlled, and protected records.

Provide adequate control over information in your possession.

  • Lock away information when not in use.
  • Keep your password private.

Use the information only for the purpose for which the data was collected.

Comply with established security policies, including:

  • Administrative Rule R365-4 Information Technology Protection
  • State of Utah Information Technology Resources Acceptable Use Policy
  • Department of Human Services Information Technology Asset Security Policy 06-03
  • Department of Human Services Acceptable Use of State of Utah Information Technology Resources.

Direct any requests for information from external organizations (for example, requests from other state departments or special interest groups) to the Office of the Executive Director, Department of Human Services.

Direct requests for information from inside the department to Data Warehouse Administration.

Corrective Actions

Any breach of this policy may result in immediate suspension of access to the Data Warehouse, corrective action in accordance with State Department of Human Resource Management Administrative Rule R477-11, provider contract termination, and prosecution for civil and criminal damages.

Indemnification

A provider of contracted services of the Department of Human Services must agree to indemnify, save harmless, and release the State of Utah, and all its officers, agents, volunteers, and employees from and against any and all loss, damages, injury, liability, suits, and proceedings which are caused in whole or in part by a provider's negligence or the negligence of the provider's officers, agents, volunteers, or employees, but not for claims arising from the State's sole negligence.


[1] The definition of "record" is broad and includes anything that provides information in a documentary form. Letters, memos and reports on paper are obviously documents, but so are photographs, tape recordings, maps and information stored electronically, as on a computer disc. There are some objects, such as physical evidence, that are not records even though they may contain information. Water samples, for example, may provide information about the quality of the water from which the samples were taken, but the samples themselves are not records. The resulting laboratory reports are records. Personal notes and personally owned documents are not records.