The Ohio State University’s Information Risk Management Program requires each college and business unit to manage information risks. As part of this program, the university has defined Information Security Control Requirements to better protect institutional data.
These data security standards catalyzed revisions to Ohio State’s Background Check policy. The revised policy will require anyone with access to restricted institutional data to have a background check on file. This revised policy will be in effect on June 1, 2016.
Specific changes to the Background Check policy include:
- requiring new student employees with access to restricted institutional data to have a background check completed upon hire or upon gaining access to the restricted institutional data,
- requiring all current faculty, staff and student employees who have access to restricted institutional data to have a background check on file, and
- updated and new resources for the university community, including background check standards and toolkit, updated online consent and fingerprint consent forms, updated FAQs, restricted institutional data checklist and a template that colleges and units can use to evaluate unit specific background check needs and processes. Updated and new resources will be posted on the HR website on June 1, 2016.
Any individuals who were previously grandfathered into the policy, have access to restricted data and no background check on file will need to have a background check completed.
College and units are not required to have all current faculty, staff and students employees with access to restricted data background checked by the policy effective date (June 1, 2016). Leaders will be allotted flexible timelines to execute background checks for current faculty, staff and student employees, as long as they have outlined their plan for reaching full compliance in their Risk Management Strategy. Contact your college or unit’s IT Director or Security Liaison for more information about your Risk Management Strategy.
However, below are suggested steps that HR Professionals can take to identify and implement background checks for current faculty, staff and student employees who have access to restricted institutional data.
- Review the Data Elements Classification List for a full list of restricted institutional data.
- Identify where and in what format the restricted data may be located within your college or unit. Examples include:
- Technology systems – both enterprise wide (PeopleSoft) and locally built systems
- Paper files – many historical personnel and student documentation may have included restricted data
- Determine who has access to the restricted data.
- Determine if access to this data is required.
- If a position does not require the data to fulfill responsibilities and you remove access, or if the data is on historical documents that can be purged, then a background check does not need to be completed.
- Determine if there is a background check on file for the remaining individuals who have and need access to restricted data.
- Notify the remaining individuals who need to have a background check completed. A template email communication is available, so please contact Gina Thorpe if you would like this template provided to you.
- Send a request to the OHR background check team for background checks to be completed for the remaining individuals.