University Human Resources guidelines
Effective 12/1/2023
Purpose/Scope
These guidelines define appropriate access to human resources (HR) systems and data, and establish expectations for granting, monitoring, and removing access to HR systems and data. Specifically, these guidelines govern when a university employee is granted access to other employees’ HR data; it does not apply to an employee’s ability to access their own HR data.
Definitions
Human Resources data. University data, records, and reports, electronic or otherwise, about university employees related to their university employment. HR data may be accessed by authorized users through Employee Self Service or other university systems. In addition, HR data may be extracted from the university’s HR system and provided to other employees in the form of a report, when the recipients have a business need for the data.
Human Resources systems. University systems that contain HR data such as Employee Self-Service, Compliance & Qualifications, Time & Attendance, OTAC, Data Warehouse, etc.
Policy
University systems are used to support the education, research, and public service missions of the institution. HR data is the property of the university and represents official university records. HR data is confidential based on university policy as well as federal and state law. Use of confidential HR systems and data is limited to those university employees who have a business need to access the confidential data. University employees with such access are responsible for its proper use and security, and must follow university policies governing the use of confidential data.
Access to HR Systems
Senior HR Leaders authorize individuals within their college/org to have access to certain HR systems and data through Employee Self Service. Only those employees who need direct access to HR systems and data to perform specific job responsibilities should be granted this access, and the level of access should be limited to the specific data and reports required to perform job duties. When a Senior HR Leader grants HR system access and security level as described below, they will be prompted to articulate the business reason that requires such access. Other HR systems allow access based on institutional role or supervisory role. Senior HR Leaders oversee those role assignments within their college/org and are responsible to ensure that roles are assigned accurately.
There are four levels of restricted HR system access, in addition to general system access. The access levels are detailed within Employee Self Service where they may be viewed when access is being granted. Each successive level includes access to information available at the next lower level.
Levels of HR System Access
Enables access to confidential applications including HR applications such as Workflow Administration, Transaction System/Reports, Grad Reappointment, Time Reporting, Accounting Change of Status, etc.
Includes:
- Specified reports including Bloodborne Pathogens (BBP), Biweekly, Faculty Status, and Graduate Assistant reports,
- View Inquiry – Current List of Available Categories Reports,
- Online Update – Performance Appraisals, Blood Risk Status.
Includes:
- Specified reports including Leave, Payroll, Time & Attendance, Name and Address Information,
- View Inquiry – Vacation/Sick Report, Family Medical Leave Act,
- Online Update – Employee Immigration Info, Employee Licenses/Certifications, Employee Degree Information.
Includes:
- Specified reports including some Executive Reports,
- Online Update – Health Care Compliance, Emergency Contact Info.
Includes:
- All reports including all Executive Reports,
- View Inquiry – Employee Salary letters,
- Data Access – Queries Application (providing access to university-wide data).
Through Employee Self Service, Senior HR Leaders also may assign administrative rights to other employees in their orgs using HR Application Access, which allows those employees to grant HR systems access to others up to Level 2 (with department access) or up to Level 4 (with org access). It is the responsibility of the Senior HR Leader to: 1) ensure that other employees with administrative rights understand these guidelines, and 2) provide oversight of their decisions.
University HR also authorizes access to HR data that is managed centrally, such as the HR data dashboards and Data Warehouse. Access requests must articulate the business need and are evaluated on that basis. For access to both the HR data dashboard suite and Data Warehouse, security groups are configured based on business need for the role. Additional security groups/roles are identified for the Data Warehouse given the availability of limited protected data.
The decision to grant access to HR systems and data will be based on the following criteria:
- The individual being granted access has a business need for direct access to HR data,
- The level of access should be limited to what is necessary to perform specific job responsibilities,
- Access to the data will enable more effective and efficient business operations, and
- The individual being granted access understands the confidential nature of the data, has demonstrated the ability to maintain confidentiality, and has signed the university’s Confidentiality Statement.
Positions that typically might be granted HR system access, and the typical level of access, include:
- Senior HR Leaders and HR Representatives – Level 4
- Business Officers – Level 4
- Vice Presidents – Level 4
- Faculty administrators such as Deans, Associate Deans and DEOs – Level 4
- HR associates and coordinators – Level 3
- Department administrators – Level 2
- Grant/financial administrators – Level 2
- Graduate assistant coordinator – Level 1
- Lab safety manager – Level 1
Responsibilities Related to HR System Access
Employees who are granted access to HR systems and data of other employees are guardians of this data. Those employees must use this information only for job-related purposes, and not for any personal reason of their own or others. Confidential information may be shared only with other university employees who have a business need to know the information to perform their own job responsibilities.
Confidentiality Statement
All university employees are required to annually sign a Confidentiality Statement attesting that they understand the confidential nature of the university’s HR systems and data, that they will access HR systems and data only for legitimate business purposes, and that accessing confidential HR systems and data for any other reason may be grounds for disciplinary action. The confidentiality statement must be signed annually to maintain access to HR systems and data.
Remote access to HR systems
Employees who access HR systems and data from an off-campus location should follow the guidelines for Secure Remote Work provided by ITS, including using a secure network, VPN, or remote desktop session.
Removal of access
When an individual leaves the role in which they were granted HR system access, or when their job responsibilities no longer require such access, their access should be removed. Access also may be temporarily or permanently removed if there is an allegation, investigation, and/or finding of misconduct or any behavior that creates risk to the university if the individual maintains access. Security levels are automatically removed when an employee is no longer employed in the org1 that granted access. Senior HR Leaders are otherwise responsible for ensuring that HR system access is removed in a timely manner when there is no longer a business need for an individual to retain access. Local exit processes should include the removal of HR system access as soon as the individual departs from the position that required access, or when job responsibilities change such that access is no longer required.
Auditing HR System Access
Senior HR Leaders are expected to audit HR system access for their college/org at least annually. Seniors may use either HR Reports--Security Reports or Unified Security--Access Level Report to review the individuals in their college/org who have HR system access.
University HR will annually audit HR data access that is managed centrally.
Misuse of HR Systems/Data
The following university policies govern the appropriate use of confidential university data, records, or systems, including HR systems and data.
- Ethics and Responsibilities for UI Staff, Policy Manual II-16.
- Acceptable Use of Information Technology Resources, Policy Manual II-19.
Accessing or using confidential HR data or systems for any purpose other than a job-related purpose is unauthorized. The use of HR data for solicitation of employees is prohibited. However, the university may use HR data to distribute employment-related information to employees.
Any violation of the standards outlined in these HR guidelines may be investigated as a possible violation of these and other relevant University policies, and may lead to disciplinary action including termination.