DukeCard Access Control and Data Practices for Access Information

Author: Office of Information Technology (OIT)

Version 1.0

Authority

Duke University Chief Information Officer (CIO)

Duke University Chief Information Security Officer (CISO)

Scope: Data Collection and Use Practices

In connection with its administration of the DukeCard program, Duke University collects data including the locations, dates, and times where DukeCards are used to access doors and buildings as well as when cards are used to “swipe” or “tap” in for attendance. This data is stored for 60 days before it is erased. Within that 60-day period, information may be used only in the following ways:

Category 1 - Operational support

  • Duke’s Office of Information Technology (OIT) may use card tracking information to troubleshoot problems with card access security equipment or problems with the ID cards themselves.  
  • The IT Security Office may access data as part of a cyber security investigation impacting Duke University or the Duke University Health System.

Category 2 - Security and public safety

  • Duke may be compelled to produce DukeCard access data in response to a subpoena or as otherwise required by law, as documented in Duke’s Acceptable Use Policy.
  • The Duke Police Department may directly access data as part of a police investigation or public safety event impacting Duke University or the Duke University Health System.

Category 3 - Space utilization or property issues (schools/departments)

  • A complete and compelling case from a department head must be made for why the data is needed. Any data involving personally identifiable information requires EVP approval. 
  • Requests pertaining to property security must be submitted through the DUPD (Category 2).

Category 4 – Service Improvements

  • A complete and compelling case from a department head must be made for why the data is needed. Any data involving personally identifiable information requires EVP approval. 

Category 5 – Student and Academic Affairs

  • Student Affairs may directly obtain the door access data in the event of a student safety or health and wellness concern.
  • The Office of Student Conduct in Student Affairs may directly obtain the card door access data in the event of a disciplinary matter after receiving appropriate authorization from the vice president for student affairs or his designee.
  • The Dean of Academic Affairs and Associate Vice Provost for Undergraduate Education in Trinity College and The Dean of the Pratt School of Engineering, or their designee, may request card swipe data in event that such data could inform the appropriateness of granting an academic exception/accommodation as requested by a student.  

Category 6 - Event attendance

  • Access information for attendance to training sessions or other events may be provided to the organizers, in cases when there has been advance notification to attendees.

Other usage

  • The DukeCard office may also review other requests for access card information.  Requests are reviewed by the IT Security Office (ITSO) for appropriateness before being submitted to the Executive Vice President for approval.  

DukeCards are also used for financial transactions. Individuals may request an accounting of their transactions by visiting the DukeCard eAccounts Portal.  Financial transactions are kept on record for 7 years and are not provided to Duke departments or others without the express approval of the Executive Vice President or his/her designee.

Data Request Process and Approvals

The Office of Information Technology DukeCard Office is the data custodian responsible for Duke Card access data and for adherence with these standards. Any requests for access to the data should be directed to dukecard_data_requests@duke.edu and include the following information:

  • Information requested (e.g. access date(s)/time(s), cardholder name, card number, Duke Unique ID number, etc.)
  • Who should receive the report
  • Business reason this information is needed and how it will be used
  • Aggregate or individual data (details by cardholder or a summary of access in a given time period)

Data access requires approval by Duke’s Executive Vice President (EVP).  All data access requests are received by the DukeCard office and sent to the CISO and CIO to begin the approval process. The EVP has delegated to the ITSO approval for certain data requests that are unambiguously within the narrow scope of the Data Collection Use and Practice. All other requests received by the CISO and CIO are review with the EVP.  

Updated: 13-Jul-18

In Compliance with:

Duke University Data Classification Standard

Duke University Acceptable Use Policy

 

 

Article number: KB0030032

Valid to: July 28, 2024