Data Request Checklist

In the course of its activities, St Cloud State University generates vast amounts of data of various kinds. Individuals, departments, and other entities frequently request data. This checklist brings together some of the considerations and resources related to data held by SCSU.

1. Where do I go to request data?

Data practices contact information is available at http://www.stcloudstate.edu/president/policies.aspx

For any system implementation questions, contact Phil Thorson.

Before you approach these contacts, please work through the rest of the checklist to have the necessary information gathered and preliminary questions addressed.

2. Will this data be stored in an internal database or another type of internal storage (e.g. email, spreadsheet)?

If Yes, please contact the Information Technology staff to review the security and practices related to the database.

If No, the assumption is that you are requesting data for one-time use and will destroy it soon after it has been received. You should still consider contacting the IT staff if you have any questions or concerns.

3. Will you be sharing the data with a third party?

  • Are you transferring data currently residing on a computer owned by St Cloud State University to a computer not owned by St Cloud State University?
  • Will you be involving a third party to assist you with Web site development or with implementing a system on behalf of St Cloud State University to collect and store data?
  • Will you be involving a third party to collect data that will later be transmitted for use by St Cloud State University?
  • Will a third party accept credit card payment on behalf of a St Cloud State University operation?

If you answered Yes to any of these questions, please work through the rest of the checklist and contact the Information Technology staff to start the review of the proposal. Additional reviews (e.g. by Business Services) may be required.

4. If engaging a third party, is there a technical contract or another MnSCU contract already in place (e.g. a technical contract between the vendor and another institution)?

An existing MnSCU-approved contract will generally address measures related to data security properly. If one exists, have it ready before approaching offices with the data request.

5. If engaging a third party and a standard MnSCU contract does not already exist, review the following:

  • Any entity that enters into an agreement with SCSU must agree to be subject to the Minn. Data Practice Act, Minn. Stat. Ch. 13.
  • Who will have access to the data?
  • Where will data be stored (e.g. on whose premises, in which countries, etc.)?
  • What security standards will be implemented?
  • How will the data be transmitted?
  • What are the disaster recovery and business continuity plans?
  • What is the quality of data?
  • What is the privacy and compliance of the data and operation?
  • What are specific milestones, performance benchmarks, measurable results?
  • If the vendor is to do work at St Cloud State University, are they willing to purchase the necessary insurance (check with Business Services for current requirements)?
  • Will the vendor manage the project or will the university have to do that?
  • Is training on any new system included?
  • What are the hours of operations, support, and response to critical problems?
  • How is a critical problem defined?

6. What data elements are needed?

Prepare a list of each data field you will require and the format (e.g. text file, Excel file) needed. Are SSN, ethnicity, and other sensitive elements desired? If yes, consider whether there is a critical need for these elements.

7. Review the terms of the agreement with any third parties annually or more frequently for compliance.

8. Are you familiar with the Minnesota Data Privacy regulations?

If not, please visit https://www.revisor.mn.gov/statutes/?id=13.15 and familiarize yourself with pertinent regulations as well as the Minnesota State Colleges and Universities Examples of Data Classifications at http://www.its.mnscu.edu/security/breachnotification/documents/ExamplesofDataClassifications.pdf.

Other regulations such as electronic health records (HIPAA), credit card data (PCI-DSS), student records (FERPA), and others may apply.

9. If you still have questions, or to complete your request with these considerations in mind, please contact the office that houses the data needed for your project.