Guidelines for Banner Data Security (FAQ)

These guidelines establish measures for the protection, access, and use of Drake University data electronically maintained in Banner. The following guidelines define the responsibilities of users who input and access Banner data. Individual division/department or academic unit guidelines may supplement but cannot override or replace the Guidelines for Banner Data Security.

By law, certain data is confidential and may not be released without proper authorization. Users MUST adhere to any applicable federal and state laws as well as Drake University’s policies and procedures concerning storage, retention, use, release, and destruction of data.

Data is a vital asset owned by Drake University. All institutional data, whether maintained in Banner or extracted from Banner and placed into other data systems, remains the property of Drake University. Access to data is approved in accordance with a user’s official Drake University responsibility, and data must be used only for legitimate Drake University business. Please note that data removed from Banner and manipulated as to content may not be regarded as official data and should thus be reported as non-official. Data removed from Banner and manipulated only as to appearance (i.e., data reported through another application but unaltered in definition or content) may be regarded as official.

As a general principle, Banner data (regardless of who collects or maintains it) is shared among those users whose work can be done more effectively by access to such information. Although Drake University must protect the security and confidentiality of data, the procedures allowing access to data must not interfere with the efficient conduct of University business.

Deans/department heads will ensure that, for their areas of accountability, each user is trained regarding user responsibilities. As a part of that training, each user will agree to abide by the stipulations in this document.

Deans/department heads will ensure a secure office environment with regard to all Drake University data systems. Deans/Department Heads will determine the data access requirements of their staff as it pertains to job functions before requesting user access to Banner (see Secured Access to Data).

All procedures and data systems owned and operated by Drake University are constructed to ensure that:     

1. The accuracy and completeness of all data is maintained.
2. System capabilities can be re-established after loss or damage by accident, malfunction, breach of security, or natural disaster.
3. Breaches of security can be controlled and promptly detected.

Access to Drake University Data

Below are the requirements and limitations for all Drake University schools/colleges and offices in obtaining permission for inquiry and update access to Banner. All users must understand that data security is every user’s responsibility.

Users are responsible for understanding all data elements that are used.  If a user does not understand the meaning of a data element, the user should consult user documentation, his/her supervisor or the appropriate Banner Data Custodian (see Banner Data Custodian section). Users MUST protect all Drake University data files from unauthorized use, disclosure, alteration, or destruction. Users are responsible for the security, privacy, and control of data within their control. The user is responsible for all transactions occurring during the use of his or her log-in. Users should not loan, share their password, or login with another user. If it is found that a user is loaning or sharing access, the user will be subject to disciplinary action, up to, and/or including termination.

Employee access to Banner will begin with a Banner Security Change Request. If a request for access is denied, the Dean/department head may appeal through the established procedure. Access will only be granted with the approval of the Dean/Department head and the Banner Data Custodian or because of the appeals process (see Appeals Procedure).  

Banner Security procedures and the web-based request for access process are maintained by Information Technology Services (ITS).

If a user is denied access to Banner data by a Banner Custodian or ITS, the user can address an appeal to the Banner Executive Steering Committee. The request for review should be emailed to the Banner Executive Steering Committee Chair (the Provost) and include the following information:

1. A description of the specific data access requested.
2. Justification for access to the data.
3. The name of the Banner Data Custodian(s) who denied access to the data.

The Banner executive steering committee will contact the Banner Data Custodian for a written explanation of why access was denied. The Banner executive steering committee will render an access decision, and the committee’s decision will be final. The Banner executive steering committee’s decision and justification will forwarded to the user, the Assistant Director, Enterprise Applications, and the appropriate Data Custodians.

View access enables the user to view, query, and analyze but not enter or change data.  

Update access provides inquiry, entry, and update capabilities. Entry/update capability is generally limited to users directly responsible for the collection and maintenance of the data.

If data is downloaded to a personal computer or other device, the data cannot be regarded as official if it is altered (changed in content or definition). Data removed from Banner and manipulated only as to appearance (i.e., data reported through another application but unaltered in definition or content) may be regarded as official.

Banner security classes are established based on general job responsibilities and specific access is assigned to each class. Each user is assigned a class or possibly several classes, depending on their particular need(s) as determined by their supervisor. This access is then reviewed and approved by the appropriate Banner Data Custodian(s). Security access is activated by starting a Banner Security Change Request. All new users are required to receive Banner Basic Training before any access to Banner is permitted. The basic training is delivered by an ITS Professional Services staff member.

A list of current classes, users and forms is maintained by ITS and is available on the What is Banner Security (FAQ) Knowledge Base article. This list is a dynamic document that is not produced in hard copy to ensure that everyone has access to the most current list.

Detailed instructions outlining the process of obtaining an initial Banner access and updating existing access are outlined in the Knowledge Base articles attached to this article.

Banner Data Owners possess authority and responsibility for the security, accuracy and confidentiality of data within their areas of accountability. While Data Owners may delegate responsibility to Data Custodians for the management of data (including granting inquiry, entry and update data privileges; maintaining and controlling Banner validation and rules tables, and defining business processes). Data Owners must review all denials for data access and affirm or override the denial decision prior to user notification.

Banner Data Custodians grant access to data within their charge for the use and support of an individual’s work responsibilities within security classes, roles and levels and as delegated by the Banner Data Owner.

Before granting access to data, the Banner Data Custodian must be confident that protection requirements have been satisfied and that, a “need to know” is clearly demonstrated. By approving user access to Banner data, the Banner Data Custodian consents to the use of that data within the normal business functions of administrative and academic offices.

Banner Data Custodians are responsible for the accuracy and completeness of data files in their areas. Misuse or inappropriate use by individuals will result in revocation of the user’s access privileges. If it is found that a user is loaning or sharing their access codes or is misusing Banner data, the user is subject to disciplinary action, up to/and or including termination.  Banner Data Custodians are also responsible for the maintenance and control of Banner validation and rules tables. These tables, and processes related to their use, define how business is conducted at Drake University.