This procedure outlines when and how University community members may share student data typically accessed through our PeopleSoft information system aka DukeHub—at unit (detailed) record or summary (aggregate) level—with internal audiences such as faculty, researchers, and administrators. It applies to all University data providers, including individual employees and units (e.g., central offices, colleges, departments, centers). Duke student data may not be shared with external audiences without explicit, written permission from the Office of University Registrar.

Data sharing decisions must be based on an individual’s status as a School Official and their business need. A School Official is a person employed by the University in an administrative, supervisory, academic, research, or support staff position, including public safety and health care personnel; a person or company with whom the University has contracted (such as an attorney, auditor, or collection agent); a person serving on the Board of Trustees or a student serving on an official committee or assisting another school official in performing his or her tasks. School officials may only access and use education records as necessary to conduct official University business or for which they have legitimate educational interest.

Before sharing administrative data internally, verify that the requester is a School Official with a business need for the data. If unsure, consult the appropriate data steward or the requester’s department.

Steps for Sharing Data with Internal Audiences:
  • Confirm Audience & Purpose
    • Ensure the requester is internal and acting as a School Official with a clear business need. If not, use the external sharing procedure.
  • Validate Business Need
    • Review the requester’s role and responsibilities. Confirm the data supports their job duties.
  • Assess Further Sharing Intent
    • Confirm that the data will only be shared internally.
    • Ensure that this is communicated to the person(s) with whom the data is shared. They are also encouraged to follow the internal sharing procedure.
    • If that data will be used for research, IRB documentation may be required especially if data involves people. Refer to the Campus IRB policy page for further information.
  • Limit to Minimum Necessary Data
    • Share only what's required—prefer summary data or de-identified records when possible. Consider data classification and sensitivity.
  • Document the Request