Introduction
This section explains the importance of regulating access to information in a transparent and uniform way.
What are access levels?
Access levels are a way for organizations to control and understand who has access to information and how much information they should have depending on roles. A user is given as much access as they need in order to perform their job function.
Why do we have access levels?
Because departments frequently deal with sensitive/protected information, not all datasets are going to be available for public access and/or sharing across departments. As such, Salt Lake City should utilize an access level system that differentiates the ability for datasets to be shared. Sensitive information belonging to an organization needs to be protected. In addition, over access is dangerous because it increases liability of both the organization and employees. For security purposes, restricting access to information decreases the amount of information that is available for someone who has gained access to a data system without permission.
Level of access
Example of a numerical system (1, 2, 3, 4, 5)
- 1: Can be thought of as risk-free information that can be shared with anyone. Open data is the best example of this access level. This data can be shared publicly.
- 2: Should be redacted from publicly available datasets but poses relatively low risk to both city and potentially identified individuals. Phone numbers or public comments are examples of this category. This data is free to be shared internally to anyone with city credentials.
- 3: While not as dangerous as the higher access levels (4 and 5), this information should still be kept internal as it may contain confidential information about processes or systems. If leaked, it does not pose a massive risk to the city. However, necessary steps to reduce the proliferation of this information should be taken.
- 4: This would be what Personally Identifiable Information (PII) would be categorized as. Anything that has direct PII should only be shared when necessary and directly to someone who has permission to receive that information. Significant risk to identified people in dataset.
- 5: This level contains the most sensitive information. Only a select few should have access to this information. Access should be critical to perform the role of their position. Significant risk to City in this information.
Examples of each level
| Access Level | Example |
| 1 | Open data Sufficiently aggregated data Press releases Public websites |
| 2 | Employee Phone directory Drafts of reports Text fields (especially any public comments) |
| 3 | Security access logs Personnel records |
| 4 | Social security numbers Driver’s license numbers |
| 5 | Network information Critical Infrastructure |
How to use this section
Two options for determining the relevant level for a dataset – Per variable which is an element, feature, or factor that is liable to vary or change. Or at a dataset level which is a collection of related information.
- Per variable
Within your metadata documentation, you can assign each variable a numerical value that is correlated to the above scale (1-5). Refer to metadata section for how to set up metadata documentation.
- Dataset level
The entire dataset can be assigned a singular value. The rules that apply to that value are applied to the entire dataset.
If you determine that your data is rated as a 1, 4, or 5:
- Contact Data team at gis@slc.gov
- Include name/department, determined rating, and justification for that assessment. We will help determine the access level and/or connect you with the required team for further assistance.
Training and awareness
Awareness programs such as this document are used to educate about the access level system, their roles in data stewardship, and the importance of safeguarding sensitive information. Regularly reinforce best practices for data access and handling by reviewing relevant information and comparing access to the documentation.
Continuous monitoring and review
Regularly monitor access logs and audit trails ensure compliance with access policies and identify any unauthorized access attempts or data breaches. Keep and update records by leveraging your metadata document to conduct periodic reviews of access levels and permissions to accommodate changes in data sensitivity or organizational requirements.
Definitions
Data Stewards – Responsible for being a subject matter expert about the corresponding dataset. Also, they are expected to maintain the dataset when necessary.