Overview:

The Information Security Office uses a Qualtrics form to publish the Data Usage Form to campus. The form is used to record, assess, and approve of institutional data usage. You may refer to the 9.8.1 Data Classification Procedure on the University Policy and Procedures site for additional details on data classification and procedure.

The new Data Usage Form is accessed at the Data Usage Form Qualtrics page. The guidelines for completing the Data Use Risk Assessment are listed below.  If you have any further questions, please contact the ISO by email at informationsecurity@ilstu.edu.

Procedure:

     - Specify Where Data Will Be Used

After the introduction, the first question asked is Where will data be used?  Select the location or locations where the data will be used.  If it's online, choose App or Website.  If it is stored on a machine on campus, choose Campus Systems.  If the data is for a form or survey, choose that.   If the data will be used in more than one of these locations, select all the locations it will be used.

     - Submit Employee Information

The next page asks for your name, email address, and department information.

You are then asked if you are completing the Data Use Risk Assessment for yourself or another individual.

If you are filling out the Data usage Form for another person, you are asked to provide some information about the person that will actually be using the data.

     - Submit Company/Product Information

The next page asks more questions about the data being used.  You will be asked to explain what the purpose or need for the data is, and then select where the data is originating from, and where is it going.

Data Usage Forms are primarily used when new applications or services are being used.  Because of this, we need to know about the company and product that will be using the data.

The information we ask about includes the Company Name (or Hosting Company), Product name (or Hosting Site), Website address, the URL for the product or companies privacy policy, a contact name if we have one with the company, a contact email address, and any other information that may be relevant to the vendor or product. 

If the data is going to be used on an internal application created by App developers here at Illinois State University enter Illinois State University as the company name and a descriptive name for the Product Name. 

Most of this information is straight-forward.  The link to most Privacy Policies is located at the bottom of a companies web site.

To copy the URL for the Privacy Policy (or Statement), right-click on the link.  An option box will open up.  Select Copy Link, and then paste it into the text box.

     - Specify the Source, Destination, and Purpose for Data Collection

In the next section, you will be asked to determine the purpose or need of the data, where the source of data is being used, and the destination of data being used.

For the Source and Destination of the data being used, Campus System refers to any database or system owned and controlled by the university.

External Organization is any organization external to the University, such as the State of Illinois, or American Red Cross, or any other organization outside the University.

External Applications would be if the data is coming from or going to a web application, such as Mindtap, or RateMyProfessor.com, or anything along those lines.

     - Specify Data Used

The next section is where the types of data being used are selected.

Click on all the types of data that will be used with the Data Usage Form.   These are broad categories of data, the next steps will be where specific data types are selected.

Listed below are the specific data types for each of the categories shown above.  If you have a data type that is not listed, select 'Other' and a box will be displayed for you to add additional data types.

If there is more than 1 additional data type, click the 'Add Data Element' button for additional text boxes.  Please list only 1 data type for each text box.

Personal Data Types

Academic Data Types

Employee Data Types

Financial Data Types

Research Data Types

Technology Data Types

     - Submit Additional Files

After specifying all the data types used, you will have an option to add any files or attachments that are needed for your requested service. Multiple files will need to be placed together in a single .zip file before they can be uploaded.

     - Finalize and Submit the DUF

Once all the data fields have been filled out and you click Submit, this form will open a ticket for the Information Security Office. 

Once the ISO receives the ticket they will begin the review and you will be notified.  You will then be able to monitor the progress of the ticket as it moves through the ISO ticket queue.

 ***NOTE: Depending on when you submit this form, you may not get an email back until the next day, or if submitting on a Friday, next week as ISO employees will not have had a chance to begin processing your request.