University Human Resources guidelines

Effective 12/1/2023

Purpose/Scope

These guidelines define appropriate access to human resources (HR) systems and data, and establish expectations for granting, monitoring, and removing access to HR systems and data. Specifically, these guidelines govern when a university employee is granted access to other employees’ HR data; it does not apply to an employee’s ability to access their own HR data.

Definitions

Human Resources data. University data, records, and reports, electronic or otherwise, about university employees related to their university employment. HR data may be accessed by authorized users through Employee Self Service or other university systems. In addition, HR data may be extracted from the university’s HR system and provided to other employees in the form of a report, when the recipients have a business need for the data.

Human Resources systems. University systems that contain HR data such as Employee Self-Service, Compliance & Qualifications, Time & Attendance, OTAC, Data Warehouse, etc.  

Policy

University systems are used to support the education, research, and public service missions of the institution. HR data is the property of the university and represents official university records. HR data is confidential based on university policy as well as federal and state law. Use of confidential HR systems and data is limited to those university employees who have a business need to access the confidential data. University employees with such access are responsible for its proper use and security, and must follow university policies governing the use of confidential data.

Access to HR Systems

Senior HR Leaders authorize individuals within their college/org to have access to certain HR systems and data through Employee Self Service. Only those employees who need direct access to HR systems and data to perform specific job responsibilities should be granted this access, and the level of access should be limited to the specific data and reports required to perform job duties. When a Senior HR Leader grants HR system access and security level as described below, they will be prompted to articulate the business reason that requires such access. Other HR systems allow access based on institutional role or supervisory role. Senior HR Leaders oversee those role assignments within their college/org and are responsible to ensure that roles are assigned accurately.

There are four levels of restricted HR system access, in addition to general system access. The access levels are detailed within Employee Self Service where they may be viewed when access is being granted. Each successive level includes access to information available at the next lower level.

Through Employee Self Service, Senior HR Leaders also may assign administrative rights to other employees in their orgs using HR Application Access, which allows those employees to grant HR systems access to others up to Level 2 (with department access) or up to Level 4 (with org access). It is the responsibility of the Senior HR Leader to: 1) ensure that other employees with administrative rights understand these guidelines, and 2) provide oversight of their decisions.

University HR also authorizes access to HR data that is managed centrally, such as the HR data dashboards and Data Warehouse. Access requests must articulate the business need and are evaluated on that basis. For access to both the HR data dashboard suite and Data Warehouse, security groups are configured based on business need for the role.  Additional security groups/roles are identified for the Data Warehouse given the availability of limited protected data.

The decision to grant access to HR systems and data will be based on the following criteria:

• The individual being granted access has a business need for direct access to HR data,
• The level of access should be limited to what is necessary to perform specific job responsibilities,
• Access to the data will enable more effective and efficient business operations, and
• The individual being granted access understands the confidential nature of the data, has demonstrated the ability to maintain confidentiality, and has signed the university’s Confidentiality Statement.

Responsibilities Related to HR System Access

Employees who are granted access to HR systems and data of other employees are guardians of this data. Those employees must use this information only for job-related purposes, and not for any personal reason of their own or others. Confidential information may be shared only with other university employees who have a business need to know the information to perform their own job responsibilities.

Confidentiality Statement

All university employees are required to annually sign a Confidentiality Statement attesting that they understand the confidential nature of the university’s HR systems and data, that they will access HR systems and data only for legitimate business purposes, and that accessing confidential HR systems and data for any other reason may be grounds for disciplinary action. The confidentiality statement must be signed annually to maintain access to HR systems and data.

Remote access to HR systems

Employees who access HR systems and data from an off-campus location should follow the guidelines for Secure Remote Work provided by ITS, including using a secure network, VPN, or remote desktop session.

Removal of access

When an individual leaves the role in which they were granted HR system access, or when their job responsibilities no longer require such access, their access should be removed. Access also may be temporarily or permanently removed if there is an allegation, investigation, and/or finding of misconduct or any behavior that creates risk to the university if the individual maintains access. Security levels are automatically removed when an employee is no longer employed in the org¹ that granted access. Senior HR Leaders are otherwise responsible for ensuring that HR system access is removed in a timely manner when there is no longer a business need for an individual to retain access. Local exit processes should include the removal of HR system access as soon as the individual departs from the position that required access, or when job responsibilities change such that access is no longer required.

Auditing HR System Access

Senior HR Leaders are expected to audit HR system access for their college/org at least annually. Seniors may use either HR Reports--Security Reports or Unified Security--Access Level Report to review the individuals in their college/org who have HR system access.

University HR will annually audit HR data access that is managed centrally.

Misuse of HR Systems/Data

The following university policies govern the appropriate use of confidential university data, records, or systems, including HR systems and data.

• Ethics and Responsibilities for UI Staff, Policy Manual II-16.
• Acceptable Use of Information Technology Resources, Policy Manual II-19.

Accessing or using confidential HR data or systems for any purpose other than a job-related purpose is unauthorized. The use of HR data for solicitation of employees is prohibited. However, the university may use HR data to distribute employment-related information to employees.

Any violation of the standards outlined in these HR guidelines may be investigated as a possible violation of these and other relevant University policies, and may lead to disciplinary action including termination.

¹ In UI Healthcare, for this purpose the org includes both UI Hospitals & Clinics and the Carver College of Medicine.